From 2c6af7acb105f02ef70c13042b41744d2779b953 Mon Sep 17 00:00:00 2001
From: Sam Sneed <163201376+sam-sneed@users.noreply.github.com>
Date: Thu, 25 Jul 2024 13:12:20 -0500
Subject: [PATCH] more fixing, re-add thread count
---
main.py | 14 +-
yara-Neo23x0/configured_vulns_ext_vars.yar | 241 -
...tscaler_adc_exploitation_cve_2023_3519.yar | 102 -
...l_connectwise_screenconnect_vuln_feb24.yar | 328 -
yara-Neo23x0/gen_fake_amsi_dll.yar | 68 -
yara-Neo23x0/gen_mal_3cx_compromise_mar23.yar | 428 -
.../gen_vcruntime140_dll_sideloading.yar | 30 -
yara-Neo23x0/gen_webshells_ext_vars.yar | 103 -
yara-Neo23x0/general_cloaking.yar | 153 -
yara-Neo23x0/generic_anomalies.yar | 518 -
yara-Neo23x0/thor_inverse_matches.yar | 581 -
...yara-rules_vuln_drivers_strict_renamed.yar | 6831 ---
yara-Neo23x0/yara_mixed_ext_vars.yar | 556 -
.../Lazarus_wipe_file_routine.yar | 28 -
.../Anomali Labs/PyInstaller_Binary.yar | 16 -
.../archives_w_chinapic.yar | 18 -
.../Brian Carter -carterb/demuzacert.yar | 20 -
.../injector_panel_sqlite.yar | 21 -
.../Brian Carter -carterb/mal_pdf.yar | 19 -
.../Brian Carter -carterb/panelzips.yar | 128 -
.../Brian Carter -carterb/pony_config.yar | 21 -
.../tables_inject_panel.yar | 21 -
.../vt_pony_post2gate.yar | 14 -
yara-mikesxrs/CISA/CADDYWIPER.yar | 27 -
.../CISA/HAFIUM_webshell_CVE_2021_27065.yar | 23 -
...IUM_CVE_2021_27065_Exchange_OAB_VD_MOD.yar | 21 -
yara-mikesxrs/CISA/HERMETICWIZARD.yar | 34 -
yara-mikesxrs/CISA/HERMETICWIZARD_WORM.yar | 24 -
.../CISA/HERMETICWIZARD_WORM_CODE.yar | 21 -
yara-mikesxrs/CISA/ISAACWIPER.yar | 29 -
yara-mikesxrs/CISA/ISAACWIPER_BYTES.yar | 30 -
yara-mikesxrs/Checkpoint/ElMachete_doc.yar | 14 -
yara-mikesxrs/Checkpoint/ElMachete_msi.yar | 17 -
yara-mikesxrs/Checkpoint/Gozi_JJ_struct.yar | 11 -
.../Checkpoint/Russia_Detector_rules.yar | 7777 ----
.../Checkpoint/TeamViwer_backdoor.yar | 16 -
.../Checkpoint/ZZ_breakwin_config.yar | 14 -
.../ZZ_breakwin_meteor_batch_files.yar | 23 -
.../Checkpoint/ZZ_breakwin_stardust_vbs.yar | 20 -
.../Checkpoint/ZZ_breakwin_wiper.yar | 120 -
.../apt3_bemstour_implant_byte_patch.yar | 39 -
...emstour_implant_command_stack_variable.yar | 169 -
.../Checkpoint/apt3_bemstour_strings.yar | 68 -
.../apt_CN_TwistedPanda_64bit_Loader.yar | 34 -
.../apt_CN_TwistedPanda_SPINNER_1.yar | 33 -
.../apt_CN_TwistedPanda_SPINNER_2.yar | 35 -
.../apt_CN_TwistedPanda_droppers.yar | 36 -
.../Checkpoint/apt_CN_TwistedPanda_loader.yar | 42 -
.../apt_WebAssistant_TcahfUpdate.yar | 17 -
.../Checkpoint/apt_nazar_component_guids.yar | 32 -
.../Checkpoint/apt_nazar_svchost_commands.yar | 19 -
.../Checkpoint/checkpoint_index.yara | 206 -
yara-mikesxrs/Checkpoint/explosive_dll.yar | 15 -
yara-mikesxrs/Checkpoint/explosive_exe.yar | 15 -
yara-mikesxrs/Checkpoint/goziv3_trojan.yar | 11 -
.../Checkpoint/injector_ZZ_dotRunpeX.yar | 58 -
.../injector_ZZ_dotRunpeX_oldnew.yar | 45 -
.../Checkpoint/lyceum_dotnet_dns_backdoor.yar | 29 -
.../lyceum_dotnet_http_backdoor.yar | 52 -
.../Checkpoint/lyceum_golang_backdoor.yar | 37 -
.../Checkpoint/malware_bumblebee_packed.yar | 31 -
.../Checkpoint/nazar_component_guids.yar | 32 -
yara-mikesxrs/Checkpoint/qbot_vbs.yar | 16 -
.../Checkpoint/ransomware_ZZ_azov_wiper.yar | 18 -
yara-mikesxrs/CyberDefenses/installmonstr.yar | 22 -
yara-mikesxrs/CyberDefenses/u34.yar | 15 -
.../CyberDefenses/wirenet_dropper.yar | 16 -
yara-mikesxrs/Fidelis/AlienSpy.yar | 34 -
yara-mikesxrs/Fidelis/DarkComet.yar | 18 -
yara-mikesxrs/Fidelis/DarkCometDownloader.yar | 12 -
yara-mikesxrs/Fidelis/Scanbox.yar | 44 -
.../Fidelis/Ursnif_report_variant_memory.yar | 20 -
yara-mikesxrs/Fidelis/XenonCrypter.yar | 12 -
...ix_elf_Derusbi_Linux_SharedMemCreation.yar | 13 -
.../apt_nix_elf_Derusbi_Linux_Strings.yar | 28 -
yara-mikesxrs/Fidelis/apt_nix_elf_derusbi.yar | 48 -
.../apt_nix_elf_derusbi_kernelModule.yar | 30 -
...apt_win32_dll_bergard_pgv_pvid_variant.yar | 40 -
.../Fidelis/apt_win32_dll_rat_hiZorRAT.yar | 30 -
.../Fidelis/apt_win_exe_trojan_derusbi.yar | 61 -
.../Fidelis/crime_win32_exe_rat_netwire.yar | 51 -
.../Fidelis/crime_win_PWS_Fareit.yar | 28 -
.../Fidelis/network_traffic_njRAT.yar | 47 -
yara-mikesxrs/Fidelis/win_exe_njRAT.yar | 45 -
yara-mikesxrs/Fidelis/win_vbs_rat_hworm.yara | 128 -
.../Fireeye/APT19_LEGALSTRIKE_DOCUMENT.yara | 113 -
.../Fireeye/APT32_ActiveMime_Lure.yar | 18 -
.../Fireeye/APT_DeputyDog_Strings.yar | 20 -
yara-mikesxrs/Fireeye/BadRabbit.yar | 120 -
yara-mikesxrs/Fireeye/FE_APT_9002_rat.yar | 19 -
yara-mikesxrs/Fireeye/FE_petya_ransomware,yar | 75 -
.../Fireeye_red_team_tool_countermeasures.yar | 2947 --
yara-mikesxrs/Fireeye/Fireye_index.yara | 141 -
yara-mikesxrs/Fireeye/MACROCHECK.YAR | 20 -
yara-mikesxrs/Fireeye/Molerats_certs.yar | 25 -
yara-mikesxrs/Fireeye/TRITON_Framework.yar | 63 -
.../Fireeye/callTogether_certificate.yar | 26 -
yara-mikesxrs/Fireeye/hastati.yar | 25 -
yara-mikesxrs/Fireeye/qti_certificate.yar | 25 -
.../Florian Roth/Florian_Roth_index.yara | 34866 ----------------
yara-mikesxrs/Florian Roth/Havex_Trojan.yar | 24 -
.../Florian Roth/Havex_Trojan_PHP_Server.yar | 14 -
.../Florian Roth/POSCardStealer_SpyBot.yar | 23 -
.../Florian Roth/apt_alienspy_rat.yar | 49 -
.../Florian Roth/apt_apt17_malware.yar | 34 -
yara-mikesxrs/Florian Roth/apt_apt28.yar | 94 -
.../Florian Roth/apt_apt30_backspace.yar | 1142 -
.../Florian Roth/apt_apt6_malware.yar | 53 -
.../Florian Roth/apt_backdoor_ssh_python.yar | 18 -
yara-mikesxrs/Florian Roth/apt_backspace.yar | 18 -
.../Florian Roth/apt_beepservice.yar | 29 -
.../Florian Roth/apt_between-hk-and-burma.yar | 215 -
.../Florian Roth/apt_blackenergy.yar | 171 -
.../apt_blackenergy_installer.yar | 15 -
.../Florian Roth/apt_bluetermite_emdivi.yar | 136 -
yara-mikesxrs/Florian Roth/apt_buckeye.yar | 68 -
yara-mikesxrs/Florian Roth/apt_casper.yar | 97 -
.../Florian Roth/apt_cheshirecat.yar | 102 -
yara-mikesxrs/Florian Roth/apt_cloudduke.yar | 77 -
yara-mikesxrs/Florian Roth/apt_codoso.yar | 335 -
.../Florian Roth/apt_coreimpact_agent.yar | 44 -
.../Florian Roth/apt_cve2015_5119.yar | 19 -
.../Florian Roth/apt_danti_svcmondr.yar | 70 -
yara-mikesxrs/Florian Roth/apt_deeppanda.yar | 92 -
yara-mikesxrs/Florian Roth/apt_derusbi.yar | 115 -
yara-mikesxrs/Florian Roth/apt_dubnium.yar | 138 -
yara-mikesxrs/Florian Roth/apt_duqu2.yar | 94 -
yara-mikesxrs/Florian Roth/apt_emissary.yar | 41 -
yara-mikesxrs/Florian Roth/apt_eqgrp.yar | 1213 -
.../Florian Roth/apt_fakem_backdoor.yar | 46 -
.../Florian Roth/apt_fancybear_dnc.yar | 54 -
.../apt_fidelis_phishing_plain_sight.yar | 27 -
.../Florian Roth/apt_four_element_sword.yar | 161 -
yara-mikesxrs/Florian Roth/apt_furtim.yar | 53 -
.../apt_ghostdragon_gh0st_rat.yar | 87 -
yara-mikesxrs/Florian Roth/apt_glassRAT.yar | 69 -
.../Florian Roth/apt_hackingteam_rules.yar | 82 -
.../Florian Roth/apt_hellsing_kaspersky.yar | 137 -
yara-mikesxrs/Florian Roth/apt_hizor_rat.yar | 27 -
.../Florian Roth/apt_indetectables_rat.yar | 52 -
yara-mikesxrs/Florian Roth/apt_inocnation.yar | 29 -
yara-mikesxrs/Florian Roth/apt_irongate.yar | 96 -
yara-mikesxrs/Florian Roth/apt_irontiger.yar | 146 -
.../Florian Roth/apt_irontiger_trendmicro.yar | 289 -
.../Florian Roth/apt_kaspersky_duqu2.yar | 147 -
.../Florian Roth/apt_keylogger_cn.yar | 33 -
.../Florian Roth/apt_korplug_fast.yar | 25 -
.../Florian Roth/apt_laudanum_webshells.yar | 309 -
yara-mikesxrs/Florian Roth/apt_miniasp.yar | 36 -
yara-mikesxrs/Florian Roth/apt_minidionis.yar | 81 -
yara-mikesxrs/Florian Roth/apt_mofang.yar | 47 -
.../Florian Roth/apt_ms_platinum.yara | 398 -
yara-mikesxrs/Florian Roth/apt_naikon.yar | 36 -
.../Florian Roth/apt_nanocore_rat.yar | 72 -
.../Florian Roth/apt_onhat_proxy.yar | 29 -
yara-mikesxrs/Florian Roth/apt_op_cleaver.yar | 329 -
.../Florian Roth/apt_passthehashtoolkit.yar | 142 -
yara-mikesxrs/Florian Roth/apt_plugx.yar | 35 -
yara-mikesxrs/Florian Roth/apt_poisonivy.yar | 215 -
.../Florian Roth/apt_poisonivy_gen3.yar | 30 -
.../Florian Roth/apt_poseidon_group.yar | 82 -
yara-mikesxrs/Florian Roth/apt_prikormka.yar | 141 -
yara-mikesxrs/Florian Roth/apt_project_m.yar | 46 -
.../Florian Roth/apt_project_sauron.yara | 137 -
.../apt_project_sauron_extras.yar | 224 -
.../Florian Roth/apt_putterpanda.yar | 258 -
.../Florian Roth/apt_quarkspwdump.yar | 22 -
.../apt_rocketkitten_keylogger.yar | 33 -
yara-mikesxrs/Florian Roth/apt_ruag.yar | 85 -
.../apt_rwmc_powershell_creddump.yar | 39 -
yara-mikesxrs/Florian Roth/apt_sakula.yar | 78 -
.../Florian Roth/apt_scanbox_deeppanda.yar | 32 -
.../Florian Roth/apt_seaduke_unit42.yar | 26 -
yara-mikesxrs/Florian Roth/apt_shamoon.yar | 12 -
.../Florian Roth/apt_skeletonkey.yar | 44 -
.../Florian Roth/apt_snowglobe_babar.yar | 36 -
.../Florian Roth/apt_sofacy_dec15.yar | 129 -
.../Florian Roth/apt_sofacy_fysbis.yar | 50 -
.../Florian Roth/apt_sofacy_jun16.yar | 59 -
.../apt_sofacy_xtunnel_bundestag.yar | 98 -
.../Florian Roth/apt_sphinx_moth.yar | 114 -
yara-mikesxrs/Florian Roth/apt_strider.yara | 84 -
yara-mikesxrs/Florian Roth/apt_stuxnet.yar | 172 -
yara-mikesxrs/Florian Roth/apt_suckfly.yar | 73 -
yara-mikesxrs/Florian Roth/apt_sysscan.yar | 37 -
yara-mikesxrs/Florian Roth/apt_terracotta.yar | 98 -
.../Florian Roth/apt_terracotta_liudoor.yar | 24 -
.../Florian Roth/apt_threatgroup_3390.yar | 307 -
yara-mikesxrs/Florian Roth/apt_tidepool.yar | 30 -
.../Florian Roth/apt_turbo_campaign.yar | 192 -
yara-mikesxrs/Florian Roth/apt_turla.yar | 142 -
.../Florian Roth/apt_unit78020_malware.yar | 129 -
.../Florian Roth/apt_volatile_cedar.yar | 115 -
yara-mikesxrs/Florian Roth/apt_waterbug.yar | 123 -
.../apt_webshell_chinachopper.yar | 13 -
.../Florian Roth/apt_wildneutron.yar | 297 -
yara-mikesxrs/Florian Roth/apt_win_plugx.yar | 58 -
yara-mikesxrs/Florian Roth/apt_winnti.yar | 130 -
.../Florian Roth/apt_woolengoldfish.yar | 103 -
.../Florian Roth/cn_pentestset_scripts.yar | 336 -
.../Florian Roth/cn_pentestset_tools.yar | 2225 -
.../Florian Roth/cn_pentestset_webshells.yar | 1038 -
yara-mikesxrs/Florian Roth/cridex.yar | 14 -
.../Florian Roth/crime_antifw_installrex.yar | 17 -
.../Florian Roth/crime_bernhard_pos.yar | 17 -
.../Florian Roth/crime_buzus_softpulse.yar | 24 -
yara-mikesxrs/Florian Roth/crime_cmstar.yar | 19 -
.../Florian Roth/crime_cryptowall_svg.yar | 22 -
.../Florian Roth/crime_dexter_trojan.yar | 15 -
.../Florian Roth/crime_dridex_xml.yar | 22 -
yara-mikesxrs/Florian Roth/crime_enfal.yar | 53 -
yara-mikesxrs/Florian Roth/crime_fareit.yar | 28 -
.../Florian Roth/crime_kins_dropper.yar | 46 -
.../Florian Roth/crime_kraken_bot1.yar | 25 -
yara-mikesxrs/Florian Roth/crime_locky.yar | 20 -
yara-mikesxrs/Florian Roth/crime_malumpos.yar | 32 -
.../Florian Roth/crime_malware_generic.yar | 39 -
.../Florian Roth/crime_mikey_trojan.yar | 20 -
.../Florian Roth/crime_petya_ransom.yar | 31 -
.../Florian Roth/crime_phish_gina_dec15.yar | 67 -
.../crime_rombertik_carbongrabber.yar | 107 -
.../Florian Roth/crime_shifu_trojan.yar | 59 -
.../Florian Roth/crime_upatre_oct15.yar | 43 -
.../Florian Roth/exploit_cve_2015_1674.yar | 27 -
.../Florian Roth/exploit_cve_2015_1701.yar | 27 -
.../Florian Roth/exploit_cve_2015_2426.yar | 53 -
.../Florian Roth/exploit_uac_elevators.yar | 131 -
.../Florian Roth/gen_ace_with_exe.yar | 21 -
.../Florian Roth/gen_b374k_extra.yar | 22 -
.../Florian Roth/gen_cn_hacktool_scripts.yar | 129 -
.../Florian Roth/gen_cn_hacktools.yar | 2471 --
.../Florian Roth/gen_cn_webshells.yar | 701 -
.../Florian Roth/gen_deviceguard_evasion.yar | 13 -
.../Florian Roth/gen_faked_versions.yar | 29 -
.../Florian Roth/gen_gpp_cpassword.yar | 19 -
.../Florian Roth/gen_invoke_mimikatz.yar | 20 -
yara-mikesxrs/Florian Roth/gen_kerberoast.yar | 53 -
.../Florian Roth/gen_kirbi_mimkatz.yar | 22 -
.../Florian Roth/gen_malware_set_qa.yar | 189 -
.../gen_metasploit_loader_rsmudge.yar | 25 -
.../Florian Roth/gen_mimikittenz.yar | 27 -
.../Florian Roth/gen_nopowershell.yar | 21 -
yara-mikesxrs/Florian Roth/gen_pirpi.yar | 61 -
yara-mikesxrs/Florian Roth/gen_powerkatz.yar | 30 -
.../Florian Roth/gen_powershell_empire.yar | 168 -
.../Florian Roth/gen_powershell_toolkit.yar | 226 -
.../Florian Roth/gen_regsrv32_issue.yar | 23 -
yara-mikesxrs/Florian Roth/gen_sharpcat.yar | 21 -
yara-mikesxrs/Florian Roth/gen_tempracer.yar | 25 -
.../Florian Roth/gen_thumbs_cloaking.yar | 10 -
.../Florian Roth/gen_transformed_strings.yar | 54 -
.../Florian Roth/gen_win_privesc.yar | 56 -
yara-mikesxrs/Florian Roth/gen_winshells.yar | 112 -
.../Florian Roth/general_cloaking.yar | 84 -
.../Florian Roth/general_officemacros.yar | 46 -
.../Florian Roth/generic_anomalies.yar | 268 -
.../Florian Roth/generic_cryptors.yar | 22 -
yara-mikesxrs/Florian Roth/generic_dumps.yar | 27 -
.../Florian Roth/generic_exe2hex_payload.yar | 26 -
yara-mikesxrs/Florian Roth/pup_lightftp.yar | 37 -
.../Florian Roth/spy_equation_fiveeyes.yar | 575 -
.../Florian Roth/spy_querty_fiveeyes.yar | 233 -
.../Florian Roth/spy_regin_fiveeyes.yar | 353 -
yara-mikesxrs/Florian Roth/thor-hacktools.yar | 3324 --
yara-mikesxrs/Florian Roth/thor-webshells.yar | 8723 ----
.../Florian Roth/thor_inverse_matches.yar | 356 -
.../Florian Roth/threat_lenovo_superfish.yar | 23 -
.../Adobe_Flash_DRM_Use_After_Free.yar | 35 -
yara-mikesxrs/InQuest/AgentTesla.yar | 54 -
.../InQuest/CVE_2018_4878_0day_ITW.yar | 62 -
yara-mikesxrs/InQuest/Embedded_PE_File.yar | 14 -
yara-mikesxrs/InQuest/Excel_IQY_File.yar | 20 -
.../Excel_IQY_File_Suspicious_Request.yar | 69 -
.../Excel_IQY_File_With_file_extension.yar | 26 -
yara-mikesxrs/InQuest/Hiddenbee.yar | 58 -
yara-mikesxrs/InQuest/MC_Office_DDE.yar | 91 -
...fice_Document_with_Embedded_Flash_File.yar | 19 -
.../InQuest/NTLM_Credential_Theft_via_PDF.yar | 59 -
.../RTF_Byte_Nibble_Obfuscation_method.yar | 96 -
.../Kevin Falcoz/BlackShades_Trojan.yar | 17 -
.../Kevin Falcoz/Bublik_Downloader.yar | 14 -
.../Kevin Falcoz/Grozlex_Stealer.yar | 13 -
.../Kevin Falcoz/Kevin_Falcoz_index.yara | 437 -
yara-mikesxrs/Kevin Falcoz/Packers.yar | 216 -
yara-mikesxrs/Kevin Falcoz/Wabot_Worm.yar | 14 -
yara-mikesxrs/Kevin Falcoz/YahLover_Worm.yar | 13 -
yara-mikesxrs/Kevin Falcoz/Zegost_Trojan.yar | 14 -
yara-mikesxrs/Kevin Falcoz/compilers.yar | 88 -
.../Kevin Falcoz/lost_door_Trojan.yar | 13 -
.../universal_1337_stealer_serveur.yar | 16 -
yara-mikesxrs/Kevin Falcoz/xtreme_rat.yar | 13 -
yara-mikesxrs/Koodous/ASSDdeveloper.yar | 24 -
yara-mikesxrs/Koodous/Android.yar | 16 -
.../Koodous/Android_VirusPolicia.yar | 43 -
yara-mikesxrs/Koodous/Android_adware.yar | 22 -
yara-mikesxrs/Koodous/Android_mapin.yar | 44 -
.../Koodous/BatteryBot_ClickFraud.yar | 25 -
yara-mikesxrs/Koodous/ChinesePorn.yar | 75 -
yara-mikesxrs/Koodous/Drendoid_RAT.yar | 48 -
yara-mikesxrs/Koodous/FakeApps.yar | 103 -
yara-mikesxrs/Koodous/Fake_MosKow.yar | 27 -
yara-mikesxrs/Koodous/HackingTeam.yar | 51 -
yara-mikesxrs/Koodous/Koodous_index.yara | 99 -
yara-mikesxrs/Koodous/MalwareCertificates.yar | 27 -
yara-mikesxrs/Koodous/Ramsonware.yar | 111 -
yara-mikesxrs/Koodous/SMSsender.yar | 99 -
yara-mikesxrs/Koodous/Tinhvan.yar | 24 -
yara-mikesxrs/Koodous/generic_adware.yar | 20 -
yara-mikesxrs/Koodous/generic_smsfraud.yar | 38 -
yara-mikesxrs/Koodous/koler_ransomware.yar | 62 -
yara-mikesxrs/Koodous/malware_Advertising.yar | 22 -
yara-mikesxrs/Koodous/malware_Dropper.yar | 16 -
yara-mikesxrs/Koodous/mobidash.yar | 25 -
yara-mikesxrs/Koodous/realshell.yar | 10 -
yara-mikesxrs/Koodous/xbot007.yar | 16 -
yara-mikesxrs/McAfee/APT_KimSuky_dllbckdr.yar | 43 -
yara-mikesxrs/McAfee/BadRabbit_Ransomware.yar | 39 -
.../McAfee/CTB_Locker_Ransomware.yar | 16 -
yara-mikesxrs/McAfee/CredStealer.yar | 25 -
yara-mikesxrs/McAfee/CryptoLocker_rule2.yar | 27 -
yara-mikesxrs/McAfee/CryptoLocker_set1.yar | 29 -
yara-mikesxrs/McAfee/GPGQwerty_ransomware.yar | 27 -
yara-mikesxrs/McAfee/McAfee_index.yara | 57 -
yara-mikesxrs/McAfee/NionSpy.yar | 19 -
yara-mikesxrs/McAfee/OLE_JSRAT.yar | 18 -
yara-mikesxrs/McAfee/SAmSAmRansom2016,yar | 50 -
.../McAfee/SamSam_Ransomware_Latest.yar | 47 -
yara-mikesxrs/McAfee/Spygate_2.9_RAT.yar | 17 -
yara-mikesxrs/McAfee/W97M_Vawtrak_dropper.yar | 20 -
yara-mikesxrs/McAfee/WannaCry.yar | 59 -
yara-mikesxrs/McAfee/kraken_ransomware.yar | 78 -
yara-mikesxrs/McAfee/rovnix_downloader.yar | 29 -
yara-mikesxrs/McAfee/shifu.yar | 17 -
yara-mikesxrs/NCCGroup/APT15.yar | 214 -
yara-mikesxrs/NCCGroup/ISMRAT.yar | 15 -
yara-mikesxrs/NCCGroup/Sakula.yar | 121 -
.../NCCGroup/authenticode_anomalies.yara | 16 -
yara-mikesxrs/NCCGroup/badwinmail.yara | 33 -
yara-mikesxrs/NCCGroup/heartbleed.yar | 12 -
yara-mikesxrs/NCCGroup/metaStealer_memory.yar | 14 -
yara-mikesxrs/NCCGroup/package_manager.yara | 121 -
yara-mikesxrs/NCCGroup/redleaves.yar | 51 -
.../NCCGroup/turla_neuron_nautilus.yar | 176 -
yara-mikesxrs/NCSC/SparrowDoor_apipatch.yar | 17 -
yara-mikesxrs/NCSC/SparrowDoor_clipshot.yar | 20 -
yara-mikesxrs/NCSC/SparrowDoor_config.yar | 14 -
yara-mikesxrs/NCSC/SparrowDoor_loader.yar | 15 -
yara-mikesxrs/NCSC/SparrowDoor_shellcode.yar | 15 -
.../NCSC/SparrowDoor_sleep_routine.yar | 12 -
yara-mikesxrs/NCSC/SparrowDoor_strings.yar | 23 -
yara-mikesxrs/NCSC/SparrowDoor_xor.yar | 14 -
yara-mikesxrs/NCSC/turla_neuron_nautilus.yar | 176 -
yara-mikesxrs/PL CERT/Madprotect_packer.yar | 27 -
.../PL CERT/Polish_Bankbot_mobile.yar | 42 -
yara-mikesxrs/PL CERT/cryptomix_packer.yar | 17 -
yara-mikesxrs/PL CERT/cryptomix_payload.yar | 19 -
yara-mikesxrs/PL CERT/kbot.yar | 17 -
yara-mikesxrs/PL CERT/necurs.yar | 31 -
yara-mikesxrs/PL CERT/nymaim.yar | 26 -
yara-mikesxrs/PL CERT/ramnit.yar | 62 -
yara-mikesxrs/PL CERT/sage.yar | 26 -
yara-mikesxrs/PL CERT/tofsee.yar | 35 -
.../TEMP.Periscope_Spearphish.yar | 19 -
.../Recorded Future/ext4_linuxlistener.yar | 19 -
yara-mikesxrs/SenseCy/ORXLocker.yar | 23 -
yara-mikesxrs/SenseCy/njrat_08d.yar | 23 -
yara-mikesxrs/Seth Hardy/3102.yar | 40 -
yara-mikesxrs/Seth Hardy/9002.yar | 47 -
yara-mikesxrs/Seth Hardy/APT_NGO_wuaclt.yar | 26 -
yara-mikesxrs/Seth Hardy/Babar.yar | 33 -
yara-mikesxrs/Seth Hardy/GeorBot.yar | 17 -
yara-mikesxrs/Seth Hardy/Scieron.yar | 27 -
.../Seth Hardy/Seth_Hardy_index.yara | 2381 --
yara-mikesxrs/Seth Hardy/Swisyn.yar | 83 -
yara-mikesxrs/Seth Hardy/Waterbug.yar | 160 -
yara-mikesxrs/Seth Hardy/apt1.yar | 1182 -
yara-mikesxrs/Seth Hardy/bangat.yar | 45 -
yara-mikesxrs/Seth Hardy/boouset.yar | 42 -
yara-mikesxrs/Seth Hardy/comfoo.yar | 43 -
yara-mikesxrs/Seth Hardy/cookies.yar | 38 -
yara-mikesxrs/Seth Hardy/cxpid.yar | 43 -
yara-mikesxrs/Seth Hardy/enfal.yar | 69 -
yara-mikesxrs/Seth Hardy/ezcob.yar | 28 -
yara-mikesxrs/Seth Hardy/f0xy.yar | 14 -
yara-mikesxrs/Seth Hardy/fakem.yar | 42 -
yara-mikesxrs/Seth Hardy/favorite.yar | 42 -
yara-mikesxrs/Seth Hardy/glasses.yar | 43 -
yara-mikesxrs/Seth Hardy/hangover.yar | 307 -
yara-mikesxrs/Seth Hardy/iexpl0re.yar | 58 -
yara-mikesxrs/Seth Hardy/imuler.yar | 61 -
yara-mikesxrs/Seth Hardy/insta11.yar | 43 -
yara-mikesxrs/Seth Hardy/kins.yar | 44 -
yara-mikesxrs/Seth Hardy/leverage.yar | 18 -
yara-mikesxrs/Seth Hardy/luckycat.yar | 46 -
yara-mikesxrs/Seth Hardy/lurk0+cctv0.yar | 121 -
yara-mikesxrs/Seth Hardy/maccontrol.yar | 47 -
yara-mikesxrs/Seth Hardy/mask.yar | 85 -
yara-mikesxrs/Seth Hardy/mirage.yar | 25 -
yara-mikesxrs/Seth Hardy/mongal.yar | 41 -
yara-mikesxrs/Seth Hardy/naikon.yar | 45 -
yara-mikesxrs/Seth Hardy/naspyupdate.yar | 42 -
yara-mikesxrs/Seth Hardy/nettraveler.yar | 88 -
yara-mikesxrs/Seth Hardy/nsfree.yar | 44 -
yara-mikesxrs/Seth Hardy/olyx.yar | 38 -
yara-mikesxrs/Seth Hardy/plugx.yar | 52 -
yara-mikesxrs/Seth Hardy/pubsab.yar | 40 -
yara-mikesxrs/Seth Hardy/quarian.yar | 64 -
yara-mikesxrs/Seth Hardy/regsubdat.yar | 47 -
yara-mikesxrs/Seth Hardy/remote.yar | 81 -
yara-mikesxrs/Seth Hardy/rookie.yar | 43 -
yara-mikesxrs/Seth Hardy/rooter.yar | 44 -
yara-mikesxrs/Seth Hardy/safenet.yar | 42 -
yara-mikesxrs/Seth Hardy/scarhikn.yar | 41 -
yara-mikesxrs/Seth Hardy/shell_crew.yar | 32 -
yara-mikesxrs/Seth Hardy/surtr.yar | 51 -
yara-mikesxrs/Seth Hardy/t5000.yar | 37 -
yara-mikesxrs/Seth Hardy/urausy_skypedat.yar | 14 -
yara-mikesxrs/Seth Hardy/vidgrab.yar | 46 -
yara-mikesxrs/Seth Hardy/warp.yar | 42 -
yara-mikesxrs/Seth Hardy/wimmie.yar | 45 -
yara-mikesxrs/Seth Hardy/xtreme.yar | 42 -
yara-mikesxrs/Seth Hardy/yayih.yar | 42 -
.../ThreatStreamLabs/PyInstaller_Binary.yar | 17 -
yara-mikesxrs/Trend Micro/FighterPOS.yar | 92 -
.../Trend Micro/PoS_Malware_MalumPOS.yar | 17 -
.../PoS_Malware_NewPOSThings2015.yar | 23 -
.../PoS_Malware_RawPOS2015_dumper.yar | 22 -
.../PoS_Malware_RawPOS2015_dumper_old.yar | 24 -
.../PoS_Malware_RawPOS2015_service.yar | 24 -
yara-mikesxrs/Trend Micro/VBS.yar | 22 -
yara-mikesxrs/Trend Micro/cracked_loki.yar | 19 -
.../crime_linux_umbreon _ rootkit.yar | 60 -
yara-mikesxrs/US CERT/APT10 Dropper.yar | 12 -
.../US CERT/APT10 Redleaves Plugx.yar | 29 -
.../US CERT/APT10 Redleaves loader.yar | 13 -
yara-mikesxrs/US CERT/APT10 Redleaves.yar | 14 -
.../US CERT/APT10 redleaves handkerchief.yar | 12 -
yara-mikesxrs/US CERT/APT28_IMPLANT_1.yara | 93 -
yara-mikesxrs/US CERT/APT28_IMPLANT_2.yara | 311 -
yara-mikesxrs/US CERT/APT28_IMPLANT_3.yara | 49 -
yara-mikesxrs/US CERT/APT28_IMPLANT_5.yara | 192 -
yara-mikesxrs/US CERT/APT28_IMPLANT_6.yara | 125 -
yara-mikesxrs/US CERT/APT28_implant_4.yara | 420 -
yara-mikesxrs/US CERT/APT29_IMPLANT_10.yara | 31 -
yara-mikesxrs/US CERT/APT29_IMPLANT_11.yara | 20 -
yara-mikesxrs/US CERT/APT29_IMPLANT_12.yara | 13 -
yara-mikesxrs/US CERT/APT29_IMPLANT_7.yara | 15 -
yara-mikesxrs/US CERT/APT29_IMPLANT_8.yara | 40 -
yara-mikesxrs/US CERT/APT29_IMPLANT_9.yara | 15 -
yara-mikesxrs/US CERT/APT29_unidentified.yara | 23 -
.../US CERT/Destructive_Hard_Drive_Tool.yar | 21 -
.../Destructive_Target_Cleaning_Tool.yar | 15 -
.../Destructive_Target_Cleaning_Tool_2.yar | 15 -
.../Destructive_Target_Cleaning_Tool_3.yar | 17 -
.../Destructive_Target_Cleaning_Tool_5.yar | 14 -
.../Destructive_Target_Cleaning_Tool_6.yar | 19 -
.../Destructive_Target_Cleaning_Tool_7.yar | 15 -
.../Destructive_Target_Cleaning_Tool_8.yar | 14 -
yara-mikesxrs/US CERT/Dragonfly.yar | 118 -
yara-mikesxrs/US CERT/Dragonfly2.0.yar | 305 -
.../US CERT/HIDDENCOBRA_RSA_MODULUS.yar | 14 -
yara-mikesxrs/US CERT/HIDDEN_COBRA.yar | 69 -
yara-mikesxrs/US CERT/Hidden Cobra Enfal.yar | 29 -
.../US CERT/Hidden_Cobra_DPRK_DDoS_Tool.yara | 40 -
.../US CERT/Lightweight_Backdoor.yar | 14 -
.../US CERT/Lightweight_Backdoor_2.yar | 15 -
.../US CERT/Lightweight_Backdoor_3.yar | 15 -
.../US CERT/Lightweight_Backdoor_4.yar | 16 -
.../US CERT/Lightweight_Backdoor_5.yar | 15 -
.../US CERT/Lightweight_Backdoor_6.yar | 15 -
.../Malware_used_by_cyber_threat_actor_1.yar | 16 -
.../Malware_used_by_cyber_threat_actor_2.yar | 20 -
.../Malware_used_by_cyber_threat_actor_3.yar | 13 -
.../US CERT/PAS_TOOL_PHP_WEB_KIT.yar | 18 -
yara-mikesxrs/US CERT/Proxy Tool.yar | 14 -
yara-mikesxrs/US CERT/Proxy_Tool_2.yar | 14 -
yara-mikesxrs/US CERT/Proxy_Tool_3.yar | 12 -
yara-mikesxrs/US CERT/SMB_Worm_Tool.yar | 18 -
yara-mikesxrs/US CERT/US_CERT_index.yara | 369 -
yara-mikesxrs/US CERT/WannaCry.yara | 46 -
yara-mikesxrs/US CERT/fallchill.yar | 25 -
yara-mikesxrs/US CERT/hatman.yar | 111 -
yara-mikesxrs/WithSecure/SILKLOADER.yar | 21 -
.../WithSecure/ducktail_artifacts.yar | 21 -
.../ducktail_dotnet_core_infostealer.yar | 104 -
.../WithSecure/ducktail_exceldna_packed.yar | 28 -
.../WithSecure/ducktail_nativeaot.yar | 23 -
yara-mikesxrs/Xylitol/Malware.yar | 26 -
yara-mikesxrs/Xylitol/Zeus_1134.yar | 18 -
yara-mikesxrs/Xylitol/ibanking.yar | 19 -
yara-mikesxrs/Xylitol/malware_banker.yar | 42 -
yara-mikesxrs/alienvault/APT1_GDOCUPLOAD.yar | 14 -
yara-mikesxrs/alienvault/APT1_GETMAIL.yar | 17 -
yara-mikesxrs/alienvault/APT1_HACKSFASE1.yar | 12 -
yara-mikesxrs/alienvault/APT1_HACKSFASE2.yar | 13 -
yara-mikesxrs/alienvault/APT1_LIGHTBOLT.yar | 14 -
yara-mikesxrs/alienvault/APT1_MAPIGET.yar | 16 -
.../alienvault/APT1_RARSilent_EXE_PDF.yar | 16 -
yara-mikesxrs/alienvault/APT1_Revird_svc.yar | 19 -
.../alienvault/APT1_TARSIP_ECLIPSE.yar | 14 -
yara-mikesxrs/alienvault/APT1_TARSIP_MOON.yar | 19 -
yara-mikesxrs/alienvault/APT1_WARP.yar | 15 -
.../alienvault/APT1_WEBC2_ADSPACE.yar | 12 -
yara-mikesxrs/alienvault/APT1_WEBC2_AUSOV.yar | 15 -
yara-mikesxrs/alienvault/APT1_WEBC2_BOLID.yar | 12 -
.../alienvault/APT1_WEBC2_CLOVER.yar | 17 -
yara-mikesxrs/alienvault/APT1_WEBC2_CSON.yar | 16 -
yara-mikesxrs/alienvault/APT1_WEBC2_DIV.yar | 14 -
.../alienvault/APT1_WEBC2_GREENCAT.yar | 14 -
yara-mikesxrs/alienvault/APT1_WEBC2_HEAD.yar | 14 -
yara-mikesxrs/alienvault/APT1_WEBC2_KT3.yar | 13 -
yara-mikesxrs/alienvault/APT1_WEBC2_QBP.yar | 15 -
yara-mikesxrs/alienvault/APT1_WEBC2_RAVE.yar | 14 -
yara-mikesxrs/alienvault/APT1_WEBC2_TABLE.yar | 14 -
yara-mikesxrs/alienvault/APT1_WEBC2_TOCK.yar | 13 -
yara-mikesxrs/alienvault/APT1_WEBC2_UGX.yar | 16 -
yara-mikesxrs/alienvault/APT1_WEBC2_Y21K.yar | 15 -
yara-mikesxrs/alienvault/APT1_WEBC2_YAHOO.yar | 13 -
yara-mikesxrs/alienvault/APT1_dbg_mess.yar | 17 -
.../APT1_known_malicious_RARSilent.yar | 14 -
yara-mikesxrs/alienvault/APT1_letusgo.yar | 11 -
yara-mikesxrs/alienvault/AURIGA_APT1.yar | 16 -
.../alienvault/AURIGA_driver_APT1.yar | 16 -
yara-mikesxrs/alienvault/BANGAT_APT1.yar | 21 -
.../alienvault/BISCUIT_GREENCAT_APT1.yar | 16 -
yara-mikesxrs/alienvault/BOUNCER_APT1.yar | 16 -
yara-mikesxrs/alienvault/BOUNCER_DLL_APT1.yar | 12 -
yara-mikesxrs/alienvault/CALENDAR_APT1.yar | 21 -
yara-mikesxrs/alienvault/CCREWBACK1.yar | 22 -
yara-mikesxrs/alienvault/COMBOS_APT1.yar | 18 -
yara-mikesxrs/alienvault/CVE2012XXXX.yar | 19 -
yara-mikesxrs/alienvault/CaptainWord.yar | 17 -
.../Careto generic malware signature.yar | 32 -
yara-mikesxrs/alienvault/Careto_CnC.yar | 13 -
.../alienvault/Careto_CnC_domains.yar | 12 -
yara-mikesxrs/alienvault/Careto_OSX_SBD.yar | 11 -
yara-mikesxrs/alienvault/Careto_SGH.yar | 14 -
yara-mikesxrs/alienvault/DAIRY_APT1.yar | 16 -
.../alienvault/DownloaderPossibleCCrew.yar | 16 -
.../alienvault/EclipseSunCloudRAT.yar | 17 -
yara-mikesxrs/alienvault/Elise.yar | 12 -
yara-mikesxrs/alienvault/EzuriLoader.yar | 16 -
yara-mikesxrs/alienvault/EzuriLoaderOSX.yar | 22 -
.../alienvault/FatalRAT_unpacked.yar | 16 -
yara-mikesxrs/alienvault/GEN_CCREW1.yar | 13 -
yara-mikesxrs/alienvault/GLOOXMAIL_APT1.yar | 16 -
yara-mikesxrs/alienvault/GOGGLES_APT1.yar | 16 -
yara-mikesxrs/alienvault/GeorBotBinary.yar | 11 -
yara-mikesxrs/alienvault/GeorBotMemory.yar | 12 -
yara-mikesxrs/alienvault/HACKSFASE1_APT1.yar | 11 -
yara-mikesxrs/alienvault/HACKSFASE2_APT1.yar | 13 -
.../alienvault/Hangover2_Downloader.yar | 22 -
.../alienvault/Hangover2_Keylogger.yar | 20 -
.../alienvault/Hangover2_backdoor_shell.yar | 19 -
.../alienvault/Hangover2_stealer.yar | 18 -
.../alienvault/Hangover_Appinbot.yar | 17 -
yara-mikesxrs/alienvault/Hangover_Auspo.yar | 14 -
yara-mikesxrs/alienvault/Hangover_Deksila.yar | 14 -
yara-mikesxrs/alienvault/Hangover_Foler.yar | 14 -
yara-mikesxrs/alienvault/Hangover_Fuddol.yar | 12 -
yara-mikesxrs/alienvault/Hangover_Gimwlog.yar | 15 -
yara-mikesxrs/alienvault/Hangover_Gimwup.yar | 14 -
.../alienvault/Hangover_Iconfall.yar | 14 -
yara-mikesxrs/alienvault/Hangover_Linog.yar | 16 -
.../alienvault/Hangover_Slidewin.yar | 26 -
.../Hangover_Smackdown_Downloader.yar | 25 -
.../alienvault/Hangover_Smackdown_various.yar | 20 -
.../alienvault/Hangover_Tymtin_Degrab.yar | 14 -
.../alienvault/Hangover_UpdateEx.yar | 17 -
.../Hangover_Vacrhan_Downloader.yar | 17 -
.../alienvault/Hangover_ron_babylon.yar | 43 -
.../Java0daycve2012xxxx_generic.yar | 19 -
yara-mikesxrs/alienvault/KINS_DLL_zeus.yar | 19 -
yara-mikesxrs/alienvault/KINS_dropper.yar | 24 -
yara-mikesxrs/alienvault/KURTON_APT1.yar | 14 -
.../alienvault/Keyboy_document_ppsx_sct.yar | 29 -
.../alienvault/Keyboy_mobile_titan.yar | 29 -
yara-mikesxrs/alienvault/LIGHTDART_APT1.yar | 14 -
yara-mikesxrs/alienvault/LONGRUN_APT1.yar | 14 -
yara-mikesxrs/alienvault/MACROMAIL_APT1.yar | 14 -
yara-mikesxrs/alienvault/MANITSME_APT1.yar | 22 -
yara-mikesxrs/alienvault/MINIASP_APT1.yar | 16 -
yara-mikesxrs/alienvault/MiniASP.yar | 13 -
yara-mikesxrs/alienvault/MoonProject.yar | 15 -
yara-mikesxrs/alienvault/NEWSREELS_APT1.yar | 19 -
yara-mikesxrs/alienvault/NKRivts.yar | 12 -
yara-mikesxrs/alienvault/OSX_Dok.yar | 34 -
yara-mikesxrs/alienvault/OSX_MacSpy.yar | 15 -
yara-mikesxrs/alienvault/OSX_Proton.B.yar | 30 -
.../alienvault/OSX_Proton_B_systemd.1.yar | 35 -
yara-mikesxrs/alienvault/PRISM.yar | 69 -
.../alienvault/PrismaticSuccessor.yar | 105 -
yara-mikesxrs/alienvault/SEASALT_APT1.yar | 16 -
yara-mikesxrs/alienvault/STARSYPOUND_APT1.yar | 15 -
yara-mikesxrs/alienvault/SWORD_APT1.yar | 15 -
yara-mikesxrs/alienvault/TABMSGSQL_APT1.yar | 15 -
.../alienvault/TrojanCookies_CCREW.yar | 17 -
.../alienvault/alienvault_index.yara | 2168 -
yara-mikesxrs/alienvault/avdetect_procs.yar | 210 -
yara-mikesxrs/alienvault/ccrewDownloader1.yar | 12 -
yara-mikesxrs/alienvault/ccrewDownloader2.yar | 14 -
yara-mikesxrs/alienvault/ccrewDownloader3.yar | 17 -
yara-mikesxrs/alienvault/ccrewMiniasp.yar | 13 -
yara-mikesxrs/alienvault/ccrewQAZ.yar | 12 -
yara-mikesxrs/alienvault/ccrewSSLBack1.yar | 13 -
yara-mikesxrs/alienvault/ccrewSSLBack2.yar | 12 -
yara-mikesxrs/alienvault/ccrewSSLBack3.yar | 12 -
yara-mikesxrs/alienvault/dbgdetect_files.yar | 15 -
yara-mikesxrs/alienvault/dbgdetect_funcs.yar | 23 -
yara-mikesxrs/alienvault/dbgdetect_procs.yar | 23 -
yara-mikesxrs/alienvault/leverage_a.yar | 18 -
yara-mikesxrs/alienvault/metaxcd.yar | 12 -
yara-mikesxrs/alienvault/nkminer_monero.yar | 35 -
.../alienvault/oceanlotus_constants.yar | 14 -
.../alienvault/oceanlotus_xor_decode.yar | 12 -
.../alienvault/sandboxdetect_misc.yar | 21 -
.../alienvault/thequickbrow_APT1.yar | 12 -
yara-mikesxrs/alienvault/urasay skype.yar | 14 -
yara-mikesxrs/alienvault/vmdetect_misc.yar | 83 -
yara-mikesxrs/bluecoat/Bluecoat_index.yara | 123 -
yara-mikesxrs/bluecoat/InceptionAndroid.yar | 13 -
.../bluecoat/InceptionBlackberry.yar | 17 -
yara-mikesxrs/bluecoat/InceptionDLL.yar | 27 -
yara-mikesxrs/bluecoat/InceptionIOS.yar | 15 -
yara-mikesxrs/bluecoat/InceptionMips.yar | 14 -
yara-mikesxrs/bluecoat/InceptionRTF.yar | 14 -
yara-mikesxrs/bluecoat/InceptionVBS.yar | 15 -
yara-mikesxrs/blueliv/WannaCryptor.yar | 118 -
yara-mikesxrs/blueliv/banswift.yar | 45 -
yara-mikesxrs/blueliv/banswift_wiper.yar | 12 -
yara-mikesxrs/blueliv/petya_eternalblue.yar | 18 -
.../codewatchorg/angler_ek_checkpoint.yar | 10 -
.../codewatchorg/angler_ek_redirector.yar | 18 -
yara-mikesxrs/codewatchorg/angler_flash.yar | 28 -
yara-mikesxrs/codewatchorg/angler_flash2.yar | 28 -
yara-mikesxrs/codewatchorg/angler_flash4.yar | 30 -
yara-mikesxrs/codewatchorg/angler_flash5.yar | 26 -
.../angler_flash_uncompressed.yar | 31 -
yara-mikesxrs/codewatchorg/angler_html.yar | 32 -
yara-mikesxrs/codewatchorg/angler_html2.yar | 32 -
yara-mikesxrs/codewatchorg/angler_jar.yar | 23 -
yara-mikesxrs/codewatchorg/angler_js.yar | 31 -
yara-mikesxrs/codewatchorg/blackhole1_jar.yar | 26 -
yara-mikesxrs/codewatchorg/blackhole2_css.yar | 22 -
yara-mikesxrs/codewatchorg/blackhole2_htm.yar | 36 -
.../codewatchorg/blackhole2_htm10.yar | 37 -
.../codewatchorg/blackhole2_htm11.yar | 33 -
.../codewatchorg/blackhole2_htm12.yar | 36 -
.../codewatchorg/blackhole2_htm3.yar | 19 -
.../codewatchorg/blackhole2_htm5.yar | 34 -
.../codewatchorg/blackhole2_htm6.yar | 30 -
.../codewatchorg/blackhole2_htm8.yar | 28 -
yara-mikesxrs/codewatchorg/blackhole2_jar.yar | 27 -
.../codewatchorg/blackhole2_jar2.yar | 26 -
.../codewatchorg/blackhole2_jar3.yar | 26 -
yara-mikesxrs/codewatchorg/blackhole2_pdf.yar | 32 -
.../codewatchorg/blackhole_basic.yar | 7 -
.../bleedinglife2_adobe_2010_1297_exploit.yar | 31 -
.../bleedinglife2_adobe_2010_2884_exploit.yar | 31 -
.../codewatchorg/bleedinglife2_jar2.yar | 23 -
.../bleedinglife2_java_2010_0842_exploit.yar | 23 -
.../codewatchorg/codewatchorg_index.yar | 2883 --
yara-mikesxrs/codewatchorg/crimepack_jar.yar | 20 -
yara-mikesxrs/codewatchorg/crimepack_jar3.yar | 25 -
yara-mikesxrs/codewatchorg/cve_2013_0074.yar | 17 -
yara-mikesxrs/codewatchorg/cve_2013_0422.yar | 21 -
yara-mikesxrs/codewatchorg/eleonore_jar.yar | 26 -
yara-mikesxrs/codewatchorg/eleonore_jar2.yar | 28 -
yara-mikesxrs/codewatchorg/eleonore_jar3.yar | 26 -
yara-mikesxrs/codewatchorg/eleonore_js.yar | 25 -
yara-mikesxrs/codewatchorg/eleonore_js2.yar | 29 -
yara-mikesxrs/codewatchorg/eleonore_js3.yar | 31 -
yara-mikesxrs/codewatchorg/fragus_htm.yar | 30 -
yara-mikesxrs/codewatchorg/fragus_js.yar | 32 -
yara-mikesxrs/codewatchorg/fragus_js2.yar | 31 -
.../codewatchorg/fragus_js_flash.yar | 29 -
yara-mikesxrs/codewatchorg/fragus_js_java.yar | 31 -
.../codewatchorg/fragus_js_quicktime.yar | 29 -
yara-mikesxrs/codewatchorg/fragus_js_vml.yar | 28 -
.../codewatchorg/malicious_office.yar | 145 -
yara-mikesxrs/codewatchorg/malicious_pdf.yar | 456 -
yara-mikesxrs/codewatchorg/phoenix_html.yar | 23 -
yara-mikesxrs/codewatchorg/phoenix_html10.yar | 31 -
yara-mikesxrs/codewatchorg/phoenix_html11.yar | 32 -
yara-mikesxrs/codewatchorg/phoenix_html2.yar | 31 -
yara-mikesxrs/codewatchorg/phoenix_html3.yar | 32 -
yara-mikesxrs/codewatchorg/phoenix_html4.yar | 27 -
yara-mikesxrs/codewatchorg/phoenix_html5.yar | 30 -
yara-mikesxrs/codewatchorg/phoenix_html6.yar | 31 -
yara-mikesxrs/codewatchorg/phoenix_html7.yar | 31 -
yara-mikesxrs/codewatchorg/phoenix_html8.yar | 30 -
yara-mikesxrs/codewatchorg/phoenix_html9.yar | 32 -
yara-mikesxrs/codewatchorg/phoenix_jar.yar | 24 -
yara-mikesxrs/codewatchorg/phoenix_jar2.yar | 28 -
yara-mikesxrs/codewatchorg/phoenix_jar3.yar | 23 -
yara-mikesxrs/codewatchorg/phoenix_pdf.yar | 26 -
yara-mikesxrs/codewatchorg/phoenix_pdf2.yar | 27 -
yara-mikesxrs/codewatchorg/phoenix_pdf3.yar | 25 -
.../codewatchorg/redkit_bin_basic.yar | 7 -
yara-mikesxrs/codewatchorg/sakura_jar.yar | 31 -
yara-mikesxrs/codewatchorg/sakura_jar2.yar | 31 -
yara-mikesxrs/codewatchorg/zeroaccess_css.yar | 32 -
.../codewatchorg/zeroaccess_css2.yar | 25 -
yara-mikesxrs/codewatchorg/zeroaccess_htm.yar | 30 -
yara-mikesxrs/codewatchorg/zeroaccess_js.yar | 32 -
yara-mikesxrs/codewatchorg/zeroaccess_js2.yar | 32 -
yara-mikesxrs/codewatchorg/zeroaccess_js3.yar | 29 -
yara-mikesxrs/codewatchorg/zeroaccess_js4.yar | 31 -
yara-mikesxrs/codewatchorg/zerox88_js2.yar | 25 -
yara-mikesxrs/codewatchorg/zerox88_js3.yar | 30 -
yara-mikesxrs/codewatchorg/zeus_js.yar | 28 -
yara-mikesxrs/crowdstrike/CVE_2014_4113.yar | 15 -
...terPanda _02 - rc4_dropper putterpanda.yar | 32 -
...3 - threepara_para_implant putterpanda.yar | 20 -
...tterPanda _05 _ httpclient putterpanda.yar | 16 -
...terPanda _06 _ xor_dropper putterpanda.yar | 16 -
.../crowdstrike/CrowdStrike_CSIT_14003_03.yar | 31 -
.../crowdstrike/CrowdStrike_CSIT_14004_02.yar | 19 -
.../crowdstrike/CrowdStrike_FlyingKitten.yar | 37 -
...a_01 - fourh_stack_strings putterpanda.yar | 59 -
.../crowdstrike/Crowdstrike_index.yara | 293 -
.../crowdstrike/Crowdstrike_target_breach.yar | 88 -
yara-mikesxrs/crowdstrike/gameover zeus.yar | 39 -
..._PutterPanda_04_ pngdowner putterpanda.yar | 19 -
yara-mikesxrs/cylance/BackDoorLogger.yar | 12 -
yara-mikesxrs/cylance/Hkdoor_DLL.yar | 22 -
yara-mikesxrs/cylance/Hkdoor_backdoor.yar | 24 -
yara-mikesxrs/cylance/Hkdoor_driver.yar | 19 -
yara-mikesxrs/cylance/Hkdoor_dropper.yar | 28 -
yara-mikesxrs/cylance/Jasus.yar | 13 -
yara-mikesxrs/cylance/LoggerModule.yar | 12 -
.../cylance/MiSType_Backdoor_Packed.yar | 14 -
yara-mikesxrs/cylance/Misdat_Backdoor.yar | 28 -
.../cylance/Misdat_Backdoor_Packed.yar | 15 -
yara-mikesxrs/cylance/NetC.yar | 12 -
yara-mikesxrs/cylance/SType_Backdoor.yar | 33 -
yara-mikesxrs/cylance/ShellCreator2.yar | 12 -
yara-mikesxrs/cylance/SmartCopy2.yar | 12 -
yara-mikesxrs/cylance/StreamEX.yar | 18 -
yara-mikesxrs/cylance/SynFlooder.yar | 13 -
yara-mikesxrs/cylance/TinyZBot.yar | 20 -
yara-mikesxrs/cylance/WannaCryptor.yar | 41 -
yara-mikesxrs/cylance/ZhoupinExploitCrew.yar | 11 -
yara-mikesxrs/cylance/Zlib_Backdoor.yar | 43 -
yara-mikesxrs/cylance/antivirusdetector.yar | 13 -
yara-mikesxrs/cylance/baijiu.yar | 57 -
yara-mikesxrs/cylance/csext.yar | 12 -
yara-mikesxrs/cylance/cylance_index.yara | 392 -
yara-mikesxrs/cylance/kagent.yar | 12 -
yara-mikesxrs/cylance/mimikatzWrapper.yar | 12 -
yara-mikesxrs/cylance/pvz_in.yar | 12 -
yara-mikesxrs/cylance/pvz_out.yar | 12 -
yara-mikesxrs/cylance/snakewine.yar | 24 -
yara-mikesxrs/cylance/wndTest.yar | 12 -
yara-mikesxrs/cylance/zhCat.yar | 11 -
yara-mikesxrs/cylance/zhLookUp.yar | 11 -
yara-mikesxrs/cylance/zhmimikatz.yar | 11 -
yara-mikesxrs/eset/Animal_Farm.yar | 96 -
yara-mikesxrs/eset/ESET_index.yara | 3788 --
yara-mikesxrs/eset/Gazer.yar | 41 -
yara-mikesxrs/eset/InvisiMole.yar | 297 -
yara-mikesxrs/eset/Linux_Moose.yar | 76 -
yara-mikesxrs/eset/Mumblehard_packer.yar | 47 -
yara-mikesxrs/eset/OSX_Keydnap_backdoor.yar | 50 -
yara-mikesxrs/eset/OSX_Keydnap_packer.yar | 51 -
yara-mikesxrs/eset/OSX_keydnap_downloader.yar | 49 -
yara-mikesxrs/eset/Operation Potao.yar | 108 -
yara-mikesxrs/eset/Operation Windigo.yar | 59 -
yara-mikesxrs/eset/PotaoNew.yara | 108 -
yara-mikesxrs/eset/Prikormka.yar | 165 -
yara-mikesxrs/eset/SparklingGoblin.yar | 489 -
yara-mikesxrs/eset/Turla_Carbon.yar | 28 -
yara-mikesxrs/eset/badiis.yar | 552 -
yara-mikesxrs/eset/kobalos.yar | 57 -
.../eset/kobalos_ssh_credential_stealer.yar | 50 -
yara-mikesxrs/eset/linux_rakos.yar | 53 -
yara-mikesxrs/eset/skip20_sqllang_hook.yar | 69 -
yara-mikesxrs/eset/sshdoor.yar | 572 -
yara-mikesxrs/eset/stantinko.yar | 255 -
yara-mikesxrs/eset/ta410.yar | 741 -
yara-mikesxrs/eset/turla-outlook.yar | 169 -
yara-mikesxrs/g00dv1n/Adware.AdGazelle.yar | 20 -
yara-mikesxrs/g00dv1n/Adware.Adpeak.yar | 14 -
yara-mikesxrs/g00dv1n/Adware.Agent.yar | 24 -
yara-mikesxrs/g00dv1n/Adware.BetterSurf.yar | 16 -
yara-mikesxrs/g00dv1n/Adware.BrowseFox.yar | 31 -
yara-mikesxrs/g00dv1n/Adware.Conduit.yar | 37 -
yara-mikesxrs/g00dv1n/Adware.ConvertAd.yar | 15 -
yara-mikesxrs/g00dv1n/Adware.Crossrider.yar | 54 -
yara-mikesxrs/g00dv1n/Adware.DealPly.yar | 13 -
yara-mikesxrs/g00dv1n/Adware.Dlhelper.yar | 27 -
yara-mikesxrs/g00dv1n/Adware.Downloader.yar | 18 -
yara-mikesxrs/g00dv1n/Adware.ELEX.yar | 65 -
yara-mikesxrs/g00dv1n/Adware.Gen.yar | 16 -
yara-mikesxrs/g00dv1n/Adware.Genieo.yar | 27 -
yara-mikesxrs/g00dv1n/Adware.Imali.yar | 13 -
yara-mikesxrs/g00dv1n/Adware.InstallCore.yar | 18 -
yara-mikesxrs/g00dv1n/Adware.Linkury.yar | 41 -
yara-mikesxrs/g00dv1n/Adware.MyWebSearch.yar | 17 -
yara-mikesxrs/g00dv1n/Adware.NextLive.yar | 15 -
yara-mikesxrs/g00dv1n/Adware.ObronaAds.yar | 35 -
yara-mikesxrs/g00dv1n/Adware.OpenCandy.yar | 13 -
yara-mikesxrs/g00dv1n/Adware.OutBrowse.yar | 17 -
yara-mikesxrs/g00dv1n/Adware.PullUpdate.yar | 73 -
yara-mikesxrs/g00dv1n/Adware.SProtect.yar | 38 -
yara-mikesxrs/g00dv1n/Adware.SearchSuite.yar | 26 -
yara-mikesxrs/g00dv1n/Adware.Sendori.yar | 34 -
yara-mikesxrs/g00dv1n/Adware.SimplyTech.yar | 16 -
yara-mikesxrs/g00dv1n/Adware.SmartApps.yar | 23 -
yara-mikesxrs/g00dv1n/Adware.Solimbda.yar | 13 -
yara-mikesxrs/g00dv1n/Adware.Trioris.yar | 17 -
yara-mikesxrs/g00dv1n/Adware.Vitruvian.yar | 18 -
yara-mikesxrs/g00dv1n/Adware.Wajam.yar | 27 -
yara-mikesxrs/g00dv1n/Adware.WebTools.yar | 40 -
yara-mikesxrs/g00dv1n/Adware.WebWatcher.yar | 16 -
yara-mikesxrs/g00dv1n/Adware.iBryte.yar | 14 -
yara-mikesxrs/g00dv1n/Adware.uKor.yar | 25 -
yara-mikesxrs/g00dv1n/Backdoor.Bladabindi.yar | 26 -
yara-mikesxrs/g00dv1n/Backdoor.Dedipros.yar | 16 -
yara-mikesxrs/g00dv1n/Backdoor.Fynloski.yar | 33 -
yara-mikesxrs/g00dv1n/Backdoor.Gen.yar | 16 -
yara-mikesxrs/g00dv1n/Backdoor.Liudoor.yar | 27 -
yara-mikesxrs/g00dv1n/Backdoor.Mirage.yar | 14 -
yara-mikesxrs/g00dv1n/Backdoor.Vawtrak.yar | 49 -
yara-mikesxrs/g00dv1n/Backdoor.Zegost.yar | 17 -
.../g00dv1n/Malware.BitCoinMiner.yar | 16 -
yara-mikesxrs/g00dv1n/Malware.Downloader.yar | 13 -
yara-mikesxrs/g00dv1n/Malware.PWS.yar | 15 -
yara-mikesxrs/g00dv1n/PUP.SystemOptimizer.yar | 14 -
yara-mikesxrs/g00dv1n/PUP.Systweak.yar | 14 -
yara-mikesxrs/g00dv1n/Ransom.Crypters.yar | 230 -
yara-mikesxrs/g00dv1n/Risk.DetectAnalysis.yar | 343 -
yara-mikesxrs/g00dv1n/Risk.NetFilter.yar | 26 -
yara-mikesxrs/g00dv1n/Rogue.AVSoft.yar | 40 -
yara-mikesxrs/g00dv1n/Rogue.Braviax.yar | 39 -
yara-mikesxrs/g00dv1n/Rogue.FakePAV.yar | 31 -
yara-mikesxrs/g00dv1n/Rogue.FakeRean.yar | 128 -
yara-mikesxrs/g00dv1n/Rogue.FakeSysDef.yar | 38 -
yara-mikesxrs/g00dv1n/Rogue.LiveSP.yar | 59 -
yara-mikesxrs/g00dv1n/Rogue.SDef.yar | 20 -
yara-mikesxrs/g00dv1n/Rogue.SysDoc.yar | 49 -
yara-mikesxrs/g00dv1n/Rogue.Winwebsec.yar | 25 -
yara-mikesxrs/g00dv1n/Trojan.Antivar.yar | 11 -
yara-mikesxrs/g00dv1n/Trojan.Cbeplay.yar | 58 -
yara-mikesxrs/g00dv1n/Trojan.ChStartPage.yar | 24 -
yara-mikesxrs/g00dv1n/Trojan.Citadel.yar | 15 -
yara-mikesxrs/g00dv1n/Trojan.Comfoo.yar | 38 -
yara-mikesxrs/g00dv1n/Trojan.Cutwail.yar | 18 -
yara-mikesxrs/g00dv1n/Trojan.Dllpatcher.yar | 15 -
yara-mikesxrs/g00dv1n/Trojan.Downloader.yar | 49 -
yara-mikesxrs/g00dv1n/Trojan.Dropper.yar | 12 -
yara-mikesxrs/g00dv1n/Trojan.Frethog.yar | 30 -
yara-mikesxrs/g00dv1n/Trojan.GBot.yar | 15 -
.../g00dv1n/Trojan.Gamarue.Andromeda.yar | 21 -
yara-mikesxrs/g00dv1n/Trojan.Injector.yar | 14 -
yara-mikesxrs/g00dv1n/Trojan.Kovter.yar | 29 -
yara-mikesxrs/g00dv1n/Trojan.Kuluoz.yar | 16 -
yara-mikesxrs/g00dv1n/Trojan.Lethic.yar | 13 -
yara-mikesxrs/g00dv1n/Trojan.Necurs.yar | 61 -
yara-mikesxrs/g00dv1n/Trojan.Nedsym.yar | 15 -
yara-mikesxrs/g00dv1n/Trojan.Neurevt.yar | 117 -
yara-mikesxrs/g00dv1n/Trojan.PowerLoader.yar | 22 -
yara-mikesxrs/g00dv1n/Trojan.Ransom.yar | 56 -
yara-mikesxrs/g00dv1n/Trojan.Regin.yar | 101 -
yara-mikesxrs/g00dv1n/Trojan.Rovnix.yar | 36 -
yara-mikesxrs/g00dv1n/Trojan.Simda.yar | 19 -
yara-mikesxrs/g00dv1n/Trojan.Sirefef.yar | 180 -
yara-mikesxrs/g00dv1n/Trojan.Upatre.yar | 12 -
.../g00dv1n/Trojan.Virtool.Obfuscator.yar | 12 -
yara-mikesxrs/g00dv1n/TrojanPSW.Tepfer.yar | 68 -
yara-mikesxrs/g00dv1n/TrojanPSW.ZBot.yar | 21 -
yara-mikesxrs/g00dv1n/TrojanSpy.Ursnif.yar | 33 -
yara-mikesxrs/g00dv1n/Virus.Chir.yar | 14 -
yara-mikesxrs/g00dv1n/Virus.Madang.yar | 12 -
yara-mikesxrs/g00dv1n/Worm.Cridex.yar | 21 -
yara-mikesxrs/g00dv1n/Worm.Dorkbot.yar | 97 -
yara-mikesxrs/g00dv1n/Worm.Phorpiex.yar | 99 -
yara-mikesxrs/g00dv1n/Worm.SillyP2P.yar | 19 -
yara-mikesxrs/g00dv1n/Worm.SkypeSpamer.yar | 13 -
yara-mikesxrs/g00dv1n/g00dvin_index.yara | 3548 --
yara-mikesxrs/iSightPartners/SDBFile.yar | 20 -
yara-mikesxrs/kaspersky/Adwind.yar | 27 -
yara-mikesxrs/kaspersky/Crime_eyepyramid.yar | 58 -
yara-mikesxrs/kaspersky/LazarusWannaCry.yar | 39 -
.../apt_ProjectSauron_encrypted_LSA.yar | 33 -
.../apt_ProjectSauron_encrypted_SSPI.yar | 19 -
.../apt_ProjectSauron_encrypted_container.yar | 22 -
.../apt_ProjectSauron_encryption.yar | 22 -
...pt_ProjectSauron_generic_pipe_backdoor.yar | 23 -
.../apt_ProjectSauron_pipe_backdoor.yar | 24 -
yara-mikesxrs/kaspersky/apt_duqu2_drivers.yar | 26 -
yara-mikesxrs/kaspersky/apt_duqu2_loaders.yar | 36 -
.../kaspersky/apt_equation_cryptotable.yar | 12 -
...equation_doublefantasy_genericresource.yar | 15 -
..._equation_equationlaser_runtimeclasses.yar | 17 -
.../apt_equation_exploitlib_mutexes.yar | 28 -
.../kaspersky/apt_hellsing_implantstrings.yar | 31 -
.../kaspersky/apt_hellsing_installer.yar | 28 -
.../kaspersky/apt_hellsing_irene.yar | 22 -
.../kaspersky/apt_hellsing_msgertype2.yar | 22 -
.../kaspersky/apt_hellsing_proxytool.yar | 22 -
yara-mikesxrs/kaspersky/apt_hellsing_xkat.yar | 28 -
.../kaspersky/apt_regin_2013_64bit_stage1.yar | 24 -
.../apt_regin_dispatcher_disp_dll.yar | 22 -
yara-mikesxrs/kaspersky/apt_regin_vfs.yar | 21 -
yara-mikesxrs/kaspersky/backdoored_ssh.yar | 12 -
...xploit_Silverlight_Toropov_Generic_XAP.yar | 21 -
yara-mikesxrs/kaspersky/kaspersky_index.yara | 578 -
.../kaspersky/ransomware_PetrWrap.yar | 19 -
yara-mikesxrs/kaspersky/stonedrill.yar | 45 -
.../kaspersky/xDedic_SysScan_unpacked.yar | 26 -
.../kaspersky/xdedic_packed_syscan.yar | 13 -
yara-mikesxrs/one offs/9002Rat.yar | 16 -
yara-mikesxrs/one offs/AdwindRat.yar | 14 -
yara-mikesxrs/one offs/CVE-2013-3660.yar | 22 -
yara-mikesxrs/one offs/ComputraceAgent.yar | 21 -
yara-mikesxrs/one offs/CoreFlood_ldr.yar | 31 -
yara-mikesxrs/one offs/Cridex.yar | 13 -
yara-mikesxrs/one offs/Hancidoc_Dropper.yar | 14 -
yara-mikesxrs/one offs/Mebroot_Torpig.yar | 17 -
yara-mikesxrs/one offs/OSX_Malware.yar | 112 -
yara-mikesxrs/one offs/Pegasus.yar | 24 -
yara-mikesxrs/one offs/Qadars_DGA.yar | 10 -
yara-mikesxrs/one offs/Shellphish.yar | 12 -
yara-mikesxrs/one offs/W32ChirB.yar | 90 -
yara-mikesxrs/one offs/XorDDoS.yar | 17 -
yara-mikesxrs/one offs/ammyy_cerber3.yar | 21 -
.../crime_ole_loadswf_cve_2018_4878.yar | 35 -
.../crime_win32_gratefulpos_trojan.yar | 30 -
yara-mikesxrs/one offs/dridex.yar | 17 -
yara-mikesxrs/one offs/fastposloader.yar | 33 -
yara-mikesxrs/one offs/marcher.yar | 18 -
yara-mikesxrs/one offs/mwi_document.yar | 14 -
yara-mikesxrs/one offs/nettraveler.yar | 26 -
.../one offs/packager_cve2017_11882.yar | 16 -
yara-mikesxrs/one offs/snake_uroburos.yar | 30 -
yara-mikesxrs/paloalto/Palo_Alto_index.yara | 207 -
.../paloalto/ce_enfal_cmstar_debug_msg.yar | 37 -
.../paloalto/cobalt_gang_builder.yar | 41 -
yara-mikesxrs/paloalto/findpos.yar | 28 -
.../paloalto/general_win_dll_golang_socks.yar | 15 -
.../general_win_faked_dlls_export_popo.yar | 22 -
.../paloalto/general_win_golang_socks.yar | 30 -
yara-mikesxrs/paloalto/hancitor_dropper.yar | 80 -
yara-mikesxrs/paloalto/hancitor_payload.yar | 70 -
yara-mikesxrs/paloalto/hancitor_stage1.yar | 16 -
yara-mikesxrs/paloalto/powerstager.yar | 40 -
.../paloalto/webshell_chinachopper_oab.yar | 70 -
.../pombredanne/Android_AVITOMMS_Variant.yar | 33 -
.../pombredanne/Android_AndroRat.yar | 15 -
.../pombredanne/Android_BadMirror.yar | 14 -
.../pombredanne/Android_Banker_Sberbank.yar | 15 -
.../pombredanne/Android_Clicker_G.yar | 14 -
yara-mikesxrs/pombredanne/Android_Copy9.yar | 14 -
.../pombredanne/Android_DeathRing.yar | 14 -
.../pombredanne/Android_Dendroid.yar | 15 -
.../pombredanne/Android_Dogspectus.yar | 16 -
.../pombredanne/Android_FakeBank_Fanta.yar | 17 -
yara-mikesxrs/pombredanne/Android_Godless.yar | 37 -
yara-mikesxrs/pombredanne/Android_Marcher.yar | 14 -
.../pombredanne/Android_MazarBot.yar | 16 -
yara-mikesxrs/pombredanne/Android_OmniRat.yar | 17 -
yara-mikesxrs/pombredanne/Android_RuMMS.yar | 19 -
.../pombredanne/PDF_Embedded_Exe.yar | 8 -
yara-mikesxrs/pombredanne/SandroRat.yar | 13 -
yara-mikesxrs/pombredanne/Spartan_SWF.yar | 14 -
.../securityartwork/Erebus_Ransomware.yar | 17 -
.../securityartwork/HardcodeHunter.yar | 13 -
yara-mikesxrs/securityartwork/IoT_Reaper.yar | 17 -
yara-mikesxrs/securityartwork/Linux_Bew.yar | 17 -
.../securityartwork/Linux_Helios.yar | 17 -
.../securityartwork/Meterpreter_rev_tcp.yar | 16 -
.../OfficeMacrosWinintelDLL.yar | 18 -
yara-mikesxrs/securityartwork/linux_Okiru.yar | 17 -
yara-mikesxrs/securityartwork/multibanker.yar | 81 -
.../shellcode_cve_2013_2729.yar | 23 -
yara-mikesxrs/securityartwork/trickbot.yar | 66 -
yara-mikesxrs/symantec/Bannerjack.yar | 17 -
yara-mikesxrs/symantec/Cadelle_1.yar | 13 -
yara-mikesxrs/symantec/Cadelle_2.yar | 30 -
yara-mikesxrs/symantec/Cadelle_3.yar | 22 -
yara-mikesxrs/symantec/Cadelle_4.yar | 13 -
yara-mikesxrs/symantec/Eventlog.yar | 17 -
yara-mikesxrs/symantec/Hacktool.yar | 18 -
yara-mikesxrs/symantec/Kwampirs.yar | 74 -
yara-mikesxrs/symantec/Multipurpose.yar | 15 -
yara-mikesxrs/symantec/Proxy.yar | 17 -
yara-mikesxrs/symantec/Securetunnel.yar | 17 -
yara-mikesxrs/symantec/comrat.yar | 18 -
yara-mikesxrs/symantec/fa.yar | 19 -
yara-mikesxrs/symantec/isPE.yar | 9 -
.../jiripbot _ ascii _ str _ decrypt.yar | 12 -
.../jiripbot _ unicode _ str _ decrypt.yar | 13 -
.../symantec/remsec_encrypted_api.yar | 15 -
.../symantec/remsec_executable_blob_32.yar | 26 -
.../symantec/remsec_executable_blob_64.yar | 27 -
.../remsec_executable_blob_parser.yar | 30 -
yara-mikesxrs/symantec/remsec_packer_A.yar | 26 -
yara-mikesxrs/symantec/remsec_packer_B.yar | 63 -
yara-mikesxrs/symantec/sav _ dropper.yar | 14 -
yara-mikesxrs/symantec/sav.yar | 137 -
yara-mikesxrs/symantec/symantec_index.yara | 746 -
yara-mikesxrs/symantec/turla _ dll.yar | 14 -
yara-mikesxrs/symantec/turla _ dropper.yar | 14 -
.../symantec/wipbot _ 2013 _ core _ PDF.yar | 14 -
.../symantec/wipbot _ 2013 _ core.yar | 45 -
.../symantec/wipbot _ 2013 _ dll.yar | 18 -
yara-mikesxrs/vitorafonso/banker.yar | 68 -
yara-mikesxrs/vitorafonso/crisis.yar | 19 -
yara-mikesxrs/vitorafonso/dropper.yar | 19 -
yara-mikesxrs/vitorafonso/exploit.yar | 17 -
yara-mikesxrs/vitorafonso/shedun.yar | 16 -
yara-mikesxrs/vitorafonso/zitmo.yar | 23 -
1013 files changed, 13 insertions(+), 140759 deletions(-)
delete mode 100644 yara-Neo23x0/configured_vulns_ext_vars.yar
delete mode 100644 yara-Neo23x0/expl_citrix_netscaler_adc_exploitation_cve_2023_3519.yar
delete mode 100644 yara-Neo23x0/expl_connectwise_screenconnect_vuln_feb24.yar
delete mode 100644 yara-Neo23x0/gen_fake_amsi_dll.yar
delete mode 100644 yara-Neo23x0/gen_mal_3cx_compromise_mar23.yar
delete mode 100644 yara-Neo23x0/gen_vcruntime140_dll_sideloading.yar
delete mode 100644 yara-Neo23x0/gen_webshells_ext_vars.yar
delete mode 100644 yara-Neo23x0/general_cloaking.yar
delete mode 100644 yara-Neo23x0/generic_anomalies.yar
delete mode 100644 yara-Neo23x0/thor_inverse_matches.yar
delete mode 100644 yara-Neo23x0/yara-rules_vuln_drivers_strict_renamed.yar
delete mode 100644 yara-Neo23x0/yara_mixed_ext_vars.yar
delete mode 100644 yara-mikesxrs/Anomali Labs/Lazarus_wipe_file_routine.yar
delete mode 100644 yara-mikesxrs/Anomali Labs/PyInstaller_Binary.yar
delete mode 100644 yara-mikesxrs/Brian Carter -carterb/archives_w_chinapic.yar
delete mode 100644 yara-mikesxrs/Brian Carter -carterb/demuzacert.yar
delete mode 100644 yara-mikesxrs/Brian Carter -carterb/injector_panel_sqlite.yar
delete mode 100644 yara-mikesxrs/Brian Carter -carterb/mal_pdf.yar
delete mode 100644 yara-mikesxrs/Brian Carter -carterb/panelzips.yar
delete mode 100644 yara-mikesxrs/Brian Carter -carterb/pony_config.yar
delete mode 100644 yara-mikesxrs/Brian Carter -carterb/tables_inject_panel.yar
delete mode 100644 yara-mikesxrs/Brian Carter -carterb/vt_pony_post2gate.yar
delete mode 100644 yara-mikesxrs/CISA/CADDYWIPER.yar
delete mode 100644 yara-mikesxrs/CISA/HAFIUM_webshell_CVE_2021_27065.yar
delete mode 100644 yara-mikesxrs/CISA/HAFNIUM_CVE_2021_27065_Exchange_OAB_VD_MOD.yar
delete mode 100644 yara-mikesxrs/CISA/HERMETICWIZARD.yar
delete mode 100644 yara-mikesxrs/CISA/HERMETICWIZARD_WORM.yar
delete mode 100644 yara-mikesxrs/CISA/HERMETICWIZARD_WORM_CODE.yar
delete mode 100644 yara-mikesxrs/CISA/ISAACWIPER.yar
delete mode 100644 yara-mikesxrs/CISA/ISAACWIPER_BYTES.yar
delete mode 100644 yara-mikesxrs/Checkpoint/ElMachete_doc.yar
delete mode 100644 yara-mikesxrs/Checkpoint/ElMachete_msi.yar
delete mode 100644 yara-mikesxrs/Checkpoint/Gozi_JJ_struct.yar
delete mode 100644 yara-mikesxrs/Checkpoint/Russia_Detector_rules.yar
delete mode 100644 yara-mikesxrs/Checkpoint/TeamViwer_backdoor.yar
delete mode 100644 yara-mikesxrs/Checkpoint/ZZ_breakwin_config.yar
delete mode 100644 yara-mikesxrs/Checkpoint/ZZ_breakwin_meteor_batch_files.yar
delete mode 100644 yara-mikesxrs/Checkpoint/ZZ_breakwin_stardust_vbs.yar
delete mode 100644 yara-mikesxrs/Checkpoint/ZZ_breakwin_wiper.yar
delete mode 100644 yara-mikesxrs/Checkpoint/apt3_bemstour_implant_byte_patch.yar
delete mode 100644 yara-mikesxrs/Checkpoint/apt3_bemstour_implant_command_stack_variable.yar
delete mode 100644 yara-mikesxrs/Checkpoint/apt3_bemstour_strings.yar
delete mode 100644 yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_64bit_Loader.yar
delete mode 100644 yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_SPINNER_1.yar
delete mode 100644 yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_SPINNER_2.yar
delete mode 100644 yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_droppers.yar
delete mode 100644 yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_loader.yar
delete mode 100644 yara-mikesxrs/Checkpoint/apt_WebAssistant_TcahfUpdate.yar
delete mode 100644 yara-mikesxrs/Checkpoint/apt_nazar_component_guids.yar
delete mode 100644 yara-mikesxrs/Checkpoint/apt_nazar_svchost_commands.yar
delete mode 100644 yara-mikesxrs/Checkpoint/checkpoint_index.yara
delete mode 100644 yara-mikesxrs/Checkpoint/explosive_dll.yar
delete mode 100644 yara-mikesxrs/Checkpoint/explosive_exe.yar
delete mode 100644 yara-mikesxrs/Checkpoint/goziv3_trojan.yar
delete mode 100644 yara-mikesxrs/Checkpoint/injector_ZZ_dotRunpeX.yar
delete mode 100644 yara-mikesxrs/Checkpoint/injector_ZZ_dotRunpeX_oldnew.yar
delete mode 100644 yara-mikesxrs/Checkpoint/lyceum_dotnet_dns_backdoor.yar
delete mode 100644 yara-mikesxrs/Checkpoint/lyceum_dotnet_http_backdoor.yar
delete mode 100644 yara-mikesxrs/Checkpoint/lyceum_golang_backdoor.yar
delete mode 100644 yara-mikesxrs/Checkpoint/malware_bumblebee_packed.yar
delete mode 100644 yara-mikesxrs/Checkpoint/nazar_component_guids.yar
delete mode 100644 yara-mikesxrs/Checkpoint/qbot_vbs.yar
delete mode 100644 yara-mikesxrs/Checkpoint/ransomware_ZZ_azov_wiper.yar
delete mode 100644 yara-mikesxrs/CyberDefenses/installmonstr.yar
delete mode 100644 yara-mikesxrs/CyberDefenses/u34.yar
delete mode 100644 yara-mikesxrs/CyberDefenses/wirenet_dropper.yar
delete mode 100644 yara-mikesxrs/Fidelis/AlienSpy.yar
delete mode 100644 yara-mikesxrs/Fidelis/DarkComet.yar
delete mode 100644 yara-mikesxrs/Fidelis/DarkCometDownloader.yar
delete mode 100644 yara-mikesxrs/Fidelis/Scanbox.yar
delete mode 100644 yara-mikesxrs/Fidelis/Ursnif_report_variant_memory.yar
delete mode 100644 yara-mikesxrs/Fidelis/XenonCrypter.yar
delete mode 100644 yara-mikesxrs/Fidelis/apt_nix_elf_Derusbi_Linux_SharedMemCreation.yar
delete mode 100644 yara-mikesxrs/Fidelis/apt_nix_elf_Derusbi_Linux_Strings.yar
delete mode 100644 yara-mikesxrs/Fidelis/apt_nix_elf_derusbi.yar
delete mode 100644 yara-mikesxrs/Fidelis/apt_nix_elf_derusbi_kernelModule.yar
delete mode 100644 yara-mikesxrs/Fidelis/apt_win32_dll_bergard_pgv_pvid_variant.yar
delete mode 100644 yara-mikesxrs/Fidelis/apt_win32_dll_rat_hiZorRAT.yar
delete mode 100644 yara-mikesxrs/Fidelis/apt_win_exe_trojan_derusbi.yar
delete mode 100644 yara-mikesxrs/Fidelis/crime_win32_exe_rat_netwire.yar
delete mode 100644 yara-mikesxrs/Fidelis/crime_win_PWS_Fareit.yar
delete mode 100644 yara-mikesxrs/Fidelis/network_traffic_njRAT.yar
delete mode 100644 yara-mikesxrs/Fidelis/win_exe_njRAT.yar
delete mode 100644 yara-mikesxrs/Fidelis/win_vbs_rat_hworm.yara
delete mode 100644 yara-mikesxrs/Fireeye/APT19_LEGALSTRIKE_DOCUMENT.yara
delete mode 100644 yara-mikesxrs/Fireeye/APT32_ActiveMime_Lure.yar
delete mode 100644 yara-mikesxrs/Fireeye/APT_DeputyDog_Strings.yar
delete mode 100644 yara-mikesxrs/Fireeye/BadRabbit.yar
delete mode 100644 yara-mikesxrs/Fireeye/FE_APT_9002_rat.yar
delete mode 100644 yara-mikesxrs/Fireeye/FE_petya_ransomware,yar
delete mode 100644 yara-mikesxrs/Fireeye/Fireeye_red_team_tool_countermeasures.yar
delete mode 100644 yara-mikesxrs/Fireeye/Fireye_index.yara
delete mode 100644 yara-mikesxrs/Fireeye/MACROCHECK.YAR
delete mode 100644 yara-mikesxrs/Fireeye/Molerats_certs.yar
delete mode 100644 yara-mikesxrs/Fireeye/TRITON_Framework.yar
delete mode 100644 yara-mikesxrs/Fireeye/callTogether_certificate.yar
delete mode 100644 yara-mikesxrs/Fireeye/hastati.yar
delete mode 100644 yara-mikesxrs/Fireeye/qti_certificate.yar
delete mode 100644 yara-mikesxrs/Florian Roth/Florian_Roth_index.yara
delete mode 100644 yara-mikesxrs/Florian Roth/Havex_Trojan.yar
delete mode 100644 yara-mikesxrs/Florian Roth/Havex_Trojan_PHP_Server.yar
delete mode 100644 yara-mikesxrs/Florian Roth/POSCardStealer_SpyBot.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_alienspy_rat.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_apt17_malware.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_apt28.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_apt30_backspace.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_apt6_malware.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_backdoor_ssh_python.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_backspace.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_beepservice.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_between-hk-and-burma.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_blackenergy.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_blackenergy_installer.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_bluetermite_emdivi.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_buckeye.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_casper.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_cheshirecat.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_cloudduke.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_codoso.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_coreimpact_agent.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_cve2015_5119.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_danti_svcmondr.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_deeppanda.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_derusbi.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_dubnium.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_duqu2.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_emissary.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_eqgrp.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_fakem_backdoor.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_fancybear_dnc.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_fidelis_phishing_plain_sight.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_four_element_sword.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_furtim.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_ghostdragon_gh0st_rat.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_glassRAT.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_hackingteam_rules.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_hellsing_kaspersky.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_hizor_rat.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_indetectables_rat.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_inocnation.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_irongate.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_irontiger.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_irontiger_trendmicro.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_kaspersky_duqu2.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_keylogger_cn.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_korplug_fast.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_laudanum_webshells.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_miniasp.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_minidionis.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_mofang.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_ms_platinum.yara
delete mode 100644 yara-mikesxrs/Florian Roth/apt_naikon.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_nanocore_rat.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_onhat_proxy.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_op_cleaver.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_passthehashtoolkit.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_plugx.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_poisonivy.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_poisonivy_gen3.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_poseidon_group.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_prikormka.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_project_m.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_project_sauron.yara
delete mode 100644 yara-mikesxrs/Florian Roth/apt_project_sauron_extras.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_putterpanda.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_quarkspwdump.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_rocketkitten_keylogger.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_ruag.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_rwmc_powershell_creddump.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_sakula.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_scanbox_deeppanda.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_seaduke_unit42.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_shamoon.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_skeletonkey.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_snowglobe_babar.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_sofacy_dec15.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_sofacy_fysbis.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_sofacy_jun16.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_sofacy_xtunnel_bundestag.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_sphinx_moth.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_strider.yara
delete mode 100644 yara-mikesxrs/Florian Roth/apt_stuxnet.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_suckfly.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_sysscan.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_terracotta.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_terracotta_liudoor.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_threatgroup_3390.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_tidepool.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_turbo_campaign.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_turla.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_unit78020_malware.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_volatile_cedar.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_waterbug.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_webshell_chinachopper.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_wildneutron.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_win_plugx.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_winnti.yar
delete mode 100644 yara-mikesxrs/Florian Roth/apt_woolengoldfish.yar
delete mode 100644 yara-mikesxrs/Florian Roth/cn_pentestset_scripts.yar
delete mode 100644 yara-mikesxrs/Florian Roth/cn_pentestset_tools.yar
delete mode 100644 yara-mikesxrs/Florian Roth/cn_pentestset_webshells.yar
delete mode 100644 yara-mikesxrs/Florian Roth/cridex.yar
delete mode 100644 yara-mikesxrs/Florian Roth/crime_antifw_installrex.yar
delete mode 100644 yara-mikesxrs/Florian Roth/crime_bernhard_pos.yar
delete mode 100644 yara-mikesxrs/Florian Roth/crime_buzus_softpulse.yar
delete mode 100644 yara-mikesxrs/Florian Roth/crime_cmstar.yar
delete mode 100644 yara-mikesxrs/Florian Roth/crime_cryptowall_svg.yar
delete mode 100644 yara-mikesxrs/Florian Roth/crime_dexter_trojan.yar
delete mode 100644 yara-mikesxrs/Florian Roth/crime_dridex_xml.yar
delete mode 100644 yara-mikesxrs/Florian Roth/crime_enfal.yar
delete mode 100644 yara-mikesxrs/Florian Roth/crime_fareit.yar
delete mode 100644 yara-mikesxrs/Florian Roth/crime_kins_dropper.yar
delete mode 100644 yara-mikesxrs/Florian Roth/crime_kraken_bot1.yar
delete mode 100644 yara-mikesxrs/Florian Roth/crime_locky.yar
delete mode 100644 yara-mikesxrs/Florian Roth/crime_malumpos.yar
delete mode 100644 yara-mikesxrs/Florian Roth/crime_malware_generic.yar
delete mode 100644 yara-mikesxrs/Florian Roth/crime_mikey_trojan.yar
delete mode 100644 yara-mikesxrs/Florian Roth/crime_petya_ransom.yar
delete mode 100644 yara-mikesxrs/Florian Roth/crime_phish_gina_dec15.yar
delete mode 100644 yara-mikesxrs/Florian Roth/crime_rombertik_carbongrabber.yar
delete mode 100644 yara-mikesxrs/Florian Roth/crime_shifu_trojan.yar
delete mode 100644 yara-mikesxrs/Florian Roth/crime_upatre_oct15.yar
delete mode 100644 yara-mikesxrs/Florian Roth/exploit_cve_2015_1674.yar
delete mode 100644 yara-mikesxrs/Florian Roth/exploit_cve_2015_1701.yar
delete mode 100644 yara-mikesxrs/Florian Roth/exploit_cve_2015_2426.yar
delete mode 100644 yara-mikesxrs/Florian Roth/exploit_uac_elevators.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_ace_with_exe.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_b374k_extra.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_cn_hacktool_scripts.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_cn_hacktools.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_cn_webshells.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_deviceguard_evasion.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_faked_versions.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_gpp_cpassword.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_invoke_mimikatz.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_kerberoast.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_kirbi_mimkatz.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_malware_set_qa.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_metasploit_loader_rsmudge.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_mimikittenz.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_nopowershell.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_pirpi.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_powerkatz.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_powershell_empire.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_powershell_toolkit.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_regsrv32_issue.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_sharpcat.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_tempracer.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_thumbs_cloaking.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_transformed_strings.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_win_privesc.yar
delete mode 100644 yara-mikesxrs/Florian Roth/gen_winshells.yar
delete mode 100644 yara-mikesxrs/Florian Roth/general_cloaking.yar
delete mode 100644 yara-mikesxrs/Florian Roth/general_officemacros.yar
delete mode 100644 yara-mikesxrs/Florian Roth/generic_anomalies.yar
delete mode 100644 yara-mikesxrs/Florian Roth/generic_cryptors.yar
delete mode 100644 yara-mikesxrs/Florian Roth/generic_dumps.yar
delete mode 100644 yara-mikesxrs/Florian Roth/generic_exe2hex_payload.yar
delete mode 100644 yara-mikesxrs/Florian Roth/pup_lightftp.yar
delete mode 100644 yara-mikesxrs/Florian Roth/spy_equation_fiveeyes.yar
delete mode 100644 yara-mikesxrs/Florian Roth/spy_querty_fiveeyes.yar
delete mode 100644 yara-mikesxrs/Florian Roth/spy_regin_fiveeyes.yar
delete mode 100644 yara-mikesxrs/Florian Roth/thor-hacktools.yar
delete mode 100644 yara-mikesxrs/Florian Roth/thor-webshells.yar
delete mode 100644 yara-mikesxrs/Florian Roth/thor_inverse_matches.yar
delete mode 100644 yara-mikesxrs/Florian Roth/threat_lenovo_superfish.yar
delete mode 100644 yara-mikesxrs/InQuest/Adobe_Flash_DRM_Use_After_Free.yar
delete mode 100644 yara-mikesxrs/InQuest/AgentTesla.yar
delete mode 100644 yara-mikesxrs/InQuest/CVE_2018_4878_0day_ITW.yar
delete mode 100644 yara-mikesxrs/InQuest/Embedded_PE_File.yar
delete mode 100644 yara-mikesxrs/InQuest/Excel_IQY_File.yar
delete mode 100644 yara-mikesxrs/InQuest/Excel_IQY_File_Suspicious_Request.yar
delete mode 100644 yara-mikesxrs/InQuest/Excel_IQY_File_With_file_extension.yar
delete mode 100644 yara-mikesxrs/InQuest/Hiddenbee.yar
delete mode 100644 yara-mikesxrs/InQuest/MC_Office_DDE.yar
delete mode 100644 yara-mikesxrs/InQuest/Microsoft_Office_Document_with_Embedded_Flash_File.yar
delete mode 100644 yara-mikesxrs/InQuest/NTLM_Credential_Theft_via_PDF.yar
delete mode 100644 yara-mikesxrs/InQuest/RTF_Byte_Nibble_Obfuscation_method.yar
delete mode 100644 yara-mikesxrs/Kevin Falcoz/BlackShades_Trojan.yar
delete mode 100644 yara-mikesxrs/Kevin Falcoz/Bublik_Downloader.yar
delete mode 100644 yara-mikesxrs/Kevin Falcoz/Grozlex_Stealer.yar
delete mode 100644 yara-mikesxrs/Kevin Falcoz/Kevin_Falcoz_index.yara
delete mode 100644 yara-mikesxrs/Kevin Falcoz/Packers.yar
delete mode 100644 yara-mikesxrs/Kevin Falcoz/Wabot_Worm.yar
delete mode 100644 yara-mikesxrs/Kevin Falcoz/YahLover_Worm.yar
delete mode 100644 yara-mikesxrs/Kevin Falcoz/Zegost_Trojan.yar
delete mode 100644 yara-mikesxrs/Kevin Falcoz/compilers.yar
delete mode 100644 yara-mikesxrs/Kevin Falcoz/lost_door_Trojan.yar
delete mode 100644 yara-mikesxrs/Kevin Falcoz/universal_1337_stealer_serveur.yar
delete mode 100644 yara-mikesxrs/Kevin Falcoz/xtreme_rat.yar
delete mode 100644 yara-mikesxrs/Koodous/ASSDdeveloper.yar
delete mode 100644 yara-mikesxrs/Koodous/Android.yar
delete mode 100644 yara-mikesxrs/Koodous/Android_VirusPolicia.yar
delete mode 100644 yara-mikesxrs/Koodous/Android_adware.yar
delete mode 100644 yara-mikesxrs/Koodous/Android_mapin.yar
delete mode 100644 yara-mikesxrs/Koodous/BatteryBot_ClickFraud.yar
delete mode 100644 yara-mikesxrs/Koodous/ChinesePorn.yar
delete mode 100644 yara-mikesxrs/Koodous/Drendoid_RAT.yar
delete mode 100644 yara-mikesxrs/Koodous/FakeApps.yar
delete mode 100644 yara-mikesxrs/Koodous/Fake_MosKow.yar
delete mode 100644 yara-mikesxrs/Koodous/HackingTeam.yar
delete mode 100644 yara-mikesxrs/Koodous/Koodous_index.yara
delete mode 100644 yara-mikesxrs/Koodous/MalwareCertificates.yar
delete mode 100644 yara-mikesxrs/Koodous/Ramsonware.yar
delete mode 100644 yara-mikesxrs/Koodous/SMSsender.yar
delete mode 100644 yara-mikesxrs/Koodous/Tinhvan.yar
delete mode 100644 yara-mikesxrs/Koodous/generic_adware.yar
delete mode 100644 yara-mikesxrs/Koodous/generic_smsfraud.yar
delete mode 100644 yara-mikesxrs/Koodous/koler_ransomware.yar
delete mode 100644 yara-mikesxrs/Koodous/malware_Advertising.yar
delete mode 100644 yara-mikesxrs/Koodous/malware_Dropper.yar
delete mode 100644 yara-mikesxrs/Koodous/mobidash.yar
delete mode 100644 yara-mikesxrs/Koodous/realshell.yar
delete mode 100644 yara-mikesxrs/Koodous/xbot007.yar
delete mode 100644 yara-mikesxrs/McAfee/APT_KimSuky_dllbckdr.yar
delete mode 100644 yara-mikesxrs/McAfee/BadRabbit_Ransomware.yar
delete mode 100644 yara-mikesxrs/McAfee/CTB_Locker_Ransomware.yar
delete mode 100644 yara-mikesxrs/McAfee/CredStealer.yar
delete mode 100644 yara-mikesxrs/McAfee/CryptoLocker_rule2.yar
delete mode 100644 yara-mikesxrs/McAfee/CryptoLocker_set1.yar
delete mode 100644 yara-mikesxrs/McAfee/GPGQwerty_ransomware.yar
delete mode 100644 yara-mikesxrs/McAfee/McAfee_index.yara
delete mode 100644 yara-mikesxrs/McAfee/NionSpy.yar
delete mode 100644 yara-mikesxrs/McAfee/OLE_JSRAT.yar
delete mode 100644 yara-mikesxrs/McAfee/SAmSAmRansom2016,yar
delete mode 100644 yara-mikesxrs/McAfee/SamSam_Ransomware_Latest.yar
delete mode 100644 yara-mikesxrs/McAfee/Spygate_2.9_RAT.yar
delete mode 100644 yara-mikesxrs/McAfee/W97M_Vawtrak_dropper.yar
delete mode 100644 yara-mikesxrs/McAfee/WannaCry.yar
delete mode 100644 yara-mikesxrs/McAfee/kraken_ransomware.yar
delete mode 100644 yara-mikesxrs/McAfee/rovnix_downloader.yar
delete mode 100644 yara-mikesxrs/McAfee/shifu.yar
delete mode 100644 yara-mikesxrs/NCCGroup/APT15.yar
delete mode 100644 yara-mikesxrs/NCCGroup/ISMRAT.yar
delete mode 100644 yara-mikesxrs/NCCGroup/Sakula.yar
delete mode 100644 yara-mikesxrs/NCCGroup/authenticode_anomalies.yara
delete mode 100644 yara-mikesxrs/NCCGroup/badwinmail.yara
delete mode 100644 yara-mikesxrs/NCCGroup/heartbleed.yar
delete mode 100644 yara-mikesxrs/NCCGroup/metaStealer_memory.yar
delete mode 100644 yara-mikesxrs/NCCGroup/package_manager.yara
delete mode 100644 yara-mikesxrs/NCCGroup/redleaves.yar
delete mode 100644 yara-mikesxrs/NCCGroup/turla_neuron_nautilus.yar
delete mode 100644 yara-mikesxrs/NCSC/SparrowDoor_apipatch.yar
delete mode 100644 yara-mikesxrs/NCSC/SparrowDoor_clipshot.yar
delete mode 100644 yara-mikesxrs/NCSC/SparrowDoor_config.yar
delete mode 100644 yara-mikesxrs/NCSC/SparrowDoor_loader.yar
delete mode 100644 yara-mikesxrs/NCSC/SparrowDoor_shellcode.yar
delete mode 100644 yara-mikesxrs/NCSC/SparrowDoor_sleep_routine.yar
delete mode 100644 yara-mikesxrs/NCSC/SparrowDoor_strings.yar
delete mode 100644 yara-mikesxrs/NCSC/SparrowDoor_xor.yar
delete mode 100644 yara-mikesxrs/NCSC/turla_neuron_nautilus.yar
delete mode 100644 yara-mikesxrs/PL CERT/Madprotect_packer.yar
delete mode 100644 yara-mikesxrs/PL CERT/Polish_Bankbot_mobile.yar
delete mode 100644 yara-mikesxrs/PL CERT/cryptomix_packer.yar
delete mode 100644 yara-mikesxrs/PL CERT/cryptomix_payload.yar
delete mode 100644 yara-mikesxrs/PL CERT/kbot.yar
delete mode 100644 yara-mikesxrs/PL CERT/necurs.yar
delete mode 100644 yara-mikesxrs/PL CERT/nymaim.yar
delete mode 100644 yara-mikesxrs/PL CERT/ramnit.yar
delete mode 100644 yara-mikesxrs/PL CERT/sage.yar
delete mode 100644 yara-mikesxrs/PL CERT/tofsee.yar
delete mode 100644 yara-mikesxrs/Recorded Future/TEMP.Periscope_Spearphish.yar
delete mode 100644 yara-mikesxrs/Recorded Future/ext4_linuxlistener.yar
delete mode 100644 yara-mikesxrs/SenseCy/ORXLocker.yar
delete mode 100644 yara-mikesxrs/SenseCy/njrat_08d.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/3102.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/9002.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/APT_NGO_wuaclt.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/Babar.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/GeorBot.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/Scieron.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/Seth_Hardy_index.yara
delete mode 100644 yara-mikesxrs/Seth Hardy/Swisyn.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/Waterbug.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/apt1.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/bangat.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/boouset.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/comfoo.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/cookies.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/cxpid.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/enfal.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/ezcob.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/f0xy.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/fakem.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/favorite.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/glasses.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/hangover.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/iexpl0re.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/imuler.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/insta11.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/kins.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/leverage.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/luckycat.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/lurk0+cctv0.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/maccontrol.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/mask.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/mirage.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/mongal.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/naikon.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/naspyupdate.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/nettraveler.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/nsfree.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/olyx.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/plugx.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/pubsab.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/quarian.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/regsubdat.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/remote.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/rookie.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/rooter.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/safenet.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/scarhikn.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/shell_crew.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/surtr.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/t5000.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/urausy_skypedat.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/vidgrab.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/warp.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/wimmie.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/xtreme.yar
delete mode 100644 yara-mikesxrs/Seth Hardy/yayih.yar
delete mode 100644 yara-mikesxrs/ThreatStreamLabs/PyInstaller_Binary.yar
delete mode 100644 yara-mikesxrs/Trend Micro/FighterPOS.yar
delete mode 100644 yara-mikesxrs/Trend Micro/PoS_Malware_MalumPOS.yar
delete mode 100644 yara-mikesxrs/Trend Micro/PoS_Malware_NewPOSThings2015.yar
delete mode 100644 yara-mikesxrs/Trend Micro/PoS_Malware_RawPOS2015_dumper.yar
delete mode 100644 yara-mikesxrs/Trend Micro/PoS_Malware_RawPOS2015_dumper_old.yar
delete mode 100644 yara-mikesxrs/Trend Micro/PoS_Malware_RawPOS2015_service.yar
delete mode 100644 yara-mikesxrs/Trend Micro/VBS.yar
delete mode 100644 yara-mikesxrs/Trend Micro/cracked_loki.yar
delete mode 100644 yara-mikesxrs/Trend Micro/crime_linux_umbreon _ rootkit.yar
delete mode 100644 yara-mikesxrs/US CERT/APT10 Dropper.yar
delete mode 100644 yara-mikesxrs/US CERT/APT10 Redleaves Plugx.yar
delete mode 100644 yara-mikesxrs/US CERT/APT10 Redleaves loader.yar
delete mode 100644 yara-mikesxrs/US CERT/APT10 Redleaves.yar
delete mode 100644 yara-mikesxrs/US CERT/APT10 redleaves handkerchief.yar
delete mode 100644 yara-mikesxrs/US CERT/APT28_IMPLANT_1.yara
delete mode 100644 yara-mikesxrs/US CERT/APT28_IMPLANT_2.yara
delete mode 100644 yara-mikesxrs/US CERT/APT28_IMPLANT_3.yara
delete mode 100644 yara-mikesxrs/US CERT/APT28_IMPLANT_5.yara
delete mode 100644 yara-mikesxrs/US CERT/APT28_IMPLANT_6.yara
delete mode 100644 yara-mikesxrs/US CERT/APT28_implant_4.yara
delete mode 100644 yara-mikesxrs/US CERT/APT29_IMPLANT_10.yara
delete mode 100644 yara-mikesxrs/US CERT/APT29_IMPLANT_11.yara
delete mode 100644 yara-mikesxrs/US CERT/APT29_IMPLANT_12.yara
delete mode 100644 yara-mikesxrs/US CERT/APT29_IMPLANT_7.yara
delete mode 100644 yara-mikesxrs/US CERT/APT29_IMPLANT_8.yara
delete mode 100644 yara-mikesxrs/US CERT/APT29_IMPLANT_9.yara
delete mode 100644 yara-mikesxrs/US CERT/APT29_unidentified.yara
delete mode 100644 yara-mikesxrs/US CERT/Destructive_Hard_Drive_Tool.yar
delete mode 100644 yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool.yar
delete mode 100644 yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool_2.yar
delete mode 100644 yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool_3.yar
delete mode 100644 yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool_5.yar
delete mode 100644 yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool_6.yar
delete mode 100644 yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool_7.yar
delete mode 100644 yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool_8.yar
delete mode 100644 yara-mikesxrs/US CERT/Dragonfly.yar
delete mode 100644 yara-mikesxrs/US CERT/Dragonfly2.0.yar
delete mode 100644 yara-mikesxrs/US CERT/HIDDENCOBRA_RSA_MODULUS.yar
delete mode 100644 yara-mikesxrs/US CERT/HIDDEN_COBRA.yar
delete mode 100644 yara-mikesxrs/US CERT/Hidden Cobra Enfal.yar
delete mode 100644 yara-mikesxrs/US CERT/Hidden_Cobra_DPRK_DDoS_Tool.yara
delete mode 100644 yara-mikesxrs/US CERT/Lightweight_Backdoor.yar
delete mode 100644 yara-mikesxrs/US CERT/Lightweight_Backdoor_2.yar
delete mode 100644 yara-mikesxrs/US CERT/Lightweight_Backdoor_3.yar
delete mode 100644 yara-mikesxrs/US CERT/Lightweight_Backdoor_4.yar
delete mode 100644 yara-mikesxrs/US CERT/Lightweight_Backdoor_5.yar
delete mode 100644 yara-mikesxrs/US CERT/Lightweight_Backdoor_6.yar
delete mode 100644 yara-mikesxrs/US CERT/Malware_used_by_cyber_threat_actor_1.yar
delete mode 100644 yara-mikesxrs/US CERT/Malware_used_by_cyber_threat_actor_2.yar
delete mode 100644 yara-mikesxrs/US CERT/Malware_used_by_cyber_threat_actor_3.yar
delete mode 100644 yara-mikesxrs/US CERT/PAS_TOOL_PHP_WEB_KIT.yar
delete mode 100644 yara-mikesxrs/US CERT/Proxy Tool.yar
delete mode 100644 yara-mikesxrs/US CERT/Proxy_Tool_2.yar
delete mode 100644 yara-mikesxrs/US CERT/Proxy_Tool_3.yar
delete mode 100644 yara-mikesxrs/US CERT/SMB_Worm_Tool.yar
delete mode 100644 yara-mikesxrs/US CERT/US_CERT_index.yara
delete mode 100644 yara-mikesxrs/US CERT/WannaCry.yara
delete mode 100644 yara-mikesxrs/US CERT/fallchill.yar
delete mode 100644 yara-mikesxrs/US CERT/hatman.yar
delete mode 100644 yara-mikesxrs/WithSecure/SILKLOADER.yar
delete mode 100644 yara-mikesxrs/WithSecure/ducktail_artifacts.yar
delete mode 100644 yara-mikesxrs/WithSecure/ducktail_dotnet_core_infostealer.yar
delete mode 100644 yara-mikesxrs/WithSecure/ducktail_exceldna_packed.yar
delete mode 100644 yara-mikesxrs/WithSecure/ducktail_nativeaot.yar
delete mode 100644 yara-mikesxrs/Xylitol/Malware.yar
delete mode 100644 yara-mikesxrs/Xylitol/Zeus_1134.yar
delete mode 100644 yara-mikesxrs/Xylitol/ibanking.yar
delete mode 100644 yara-mikesxrs/Xylitol/malware_banker.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_GDOCUPLOAD.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_GETMAIL.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_HACKSFASE1.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_HACKSFASE2.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_LIGHTBOLT.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_MAPIGET.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_RARSilent_EXE_PDF.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_Revird_svc.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_TARSIP_ECLIPSE.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_TARSIP_MOON.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_WARP.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_ADSPACE.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_AUSOV.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_BOLID.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_CLOVER.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_CSON.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_DIV.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_GREENCAT.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_HEAD.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_KT3.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_QBP.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_RAVE.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_TABLE.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_TOCK.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_UGX.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_Y21K.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_YAHOO.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_dbg_mess.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_known_malicious_RARSilent.yar
delete mode 100644 yara-mikesxrs/alienvault/APT1_letusgo.yar
delete mode 100644 yara-mikesxrs/alienvault/AURIGA_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/AURIGA_driver_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/BANGAT_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/BISCUIT_GREENCAT_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/BOUNCER_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/BOUNCER_DLL_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/CALENDAR_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/CCREWBACK1.yar
delete mode 100644 yara-mikesxrs/alienvault/COMBOS_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/CVE2012XXXX.yar
delete mode 100644 yara-mikesxrs/alienvault/CaptainWord.yar
delete mode 100644 yara-mikesxrs/alienvault/Careto generic malware signature.yar
delete mode 100644 yara-mikesxrs/alienvault/Careto_CnC.yar
delete mode 100644 yara-mikesxrs/alienvault/Careto_CnC_domains.yar
delete mode 100644 yara-mikesxrs/alienvault/Careto_OSX_SBD.yar
delete mode 100644 yara-mikesxrs/alienvault/Careto_SGH.yar
delete mode 100644 yara-mikesxrs/alienvault/DAIRY_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/DownloaderPossibleCCrew.yar
delete mode 100644 yara-mikesxrs/alienvault/EclipseSunCloudRAT.yar
delete mode 100644 yara-mikesxrs/alienvault/Elise.yar
delete mode 100644 yara-mikesxrs/alienvault/EzuriLoader.yar
delete mode 100644 yara-mikesxrs/alienvault/EzuriLoaderOSX.yar
delete mode 100644 yara-mikesxrs/alienvault/FatalRAT_unpacked.yar
delete mode 100644 yara-mikesxrs/alienvault/GEN_CCREW1.yar
delete mode 100644 yara-mikesxrs/alienvault/GLOOXMAIL_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/GOGGLES_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/GeorBotBinary.yar
delete mode 100644 yara-mikesxrs/alienvault/GeorBotMemory.yar
delete mode 100644 yara-mikesxrs/alienvault/HACKSFASE1_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/HACKSFASE2_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/Hangover2_Downloader.yar
delete mode 100644 yara-mikesxrs/alienvault/Hangover2_Keylogger.yar
delete mode 100644 yara-mikesxrs/alienvault/Hangover2_backdoor_shell.yar
delete mode 100644 yara-mikesxrs/alienvault/Hangover2_stealer.yar
delete mode 100644 yara-mikesxrs/alienvault/Hangover_Appinbot.yar
delete mode 100644 yara-mikesxrs/alienvault/Hangover_Auspo.yar
delete mode 100644 yara-mikesxrs/alienvault/Hangover_Deksila.yar
delete mode 100644 yara-mikesxrs/alienvault/Hangover_Foler.yar
delete mode 100644 yara-mikesxrs/alienvault/Hangover_Fuddol.yar
delete mode 100644 yara-mikesxrs/alienvault/Hangover_Gimwlog.yar
delete mode 100644 yara-mikesxrs/alienvault/Hangover_Gimwup.yar
delete mode 100644 yara-mikesxrs/alienvault/Hangover_Iconfall.yar
delete mode 100644 yara-mikesxrs/alienvault/Hangover_Linog.yar
delete mode 100644 yara-mikesxrs/alienvault/Hangover_Slidewin.yar
delete mode 100644 yara-mikesxrs/alienvault/Hangover_Smackdown_Downloader.yar
delete mode 100644 yara-mikesxrs/alienvault/Hangover_Smackdown_various.yar
delete mode 100644 yara-mikesxrs/alienvault/Hangover_Tymtin_Degrab.yar
delete mode 100644 yara-mikesxrs/alienvault/Hangover_UpdateEx.yar
delete mode 100644 yara-mikesxrs/alienvault/Hangover_Vacrhan_Downloader.yar
delete mode 100644 yara-mikesxrs/alienvault/Hangover_ron_babylon.yar
delete mode 100644 yara-mikesxrs/alienvault/Java0daycve2012xxxx_generic.yar
delete mode 100644 yara-mikesxrs/alienvault/KINS_DLL_zeus.yar
delete mode 100644 yara-mikesxrs/alienvault/KINS_dropper.yar
delete mode 100644 yara-mikesxrs/alienvault/KURTON_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/Keyboy_document_ppsx_sct.yar
delete mode 100644 yara-mikesxrs/alienvault/Keyboy_mobile_titan.yar
delete mode 100644 yara-mikesxrs/alienvault/LIGHTDART_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/LONGRUN_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/MACROMAIL_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/MANITSME_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/MINIASP_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/MiniASP.yar
delete mode 100644 yara-mikesxrs/alienvault/MoonProject.yar
delete mode 100644 yara-mikesxrs/alienvault/NEWSREELS_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/NKRivts.yar
delete mode 100644 yara-mikesxrs/alienvault/OSX_Dok.yar
delete mode 100644 yara-mikesxrs/alienvault/OSX_MacSpy.yar
delete mode 100644 yara-mikesxrs/alienvault/OSX_Proton.B.yar
delete mode 100644 yara-mikesxrs/alienvault/OSX_Proton_B_systemd.1.yar
delete mode 100644 yara-mikesxrs/alienvault/PRISM.yar
delete mode 100644 yara-mikesxrs/alienvault/PrismaticSuccessor.yar
delete mode 100644 yara-mikesxrs/alienvault/SEASALT_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/STARSYPOUND_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/SWORD_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/TABMSGSQL_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/TrojanCookies_CCREW.yar
delete mode 100644 yara-mikesxrs/alienvault/alienvault_index.yara
delete mode 100644 yara-mikesxrs/alienvault/avdetect_procs.yar
delete mode 100644 yara-mikesxrs/alienvault/ccrewDownloader1.yar
delete mode 100644 yara-mikesxrs/alienvault/ccrewDownloader2.yar
delete mode 100644 yara-mikesxrs/alienvault/ccrewDownloader3.yar
delete mode 100644 yara-mikesxrs/alienvault/ccrewMiniasp.yar
delete mode 100644 yara-mikesxrs/alienvault/ccrewQAZ.yar
delete mode 100644 yara-mikesxrs/alienvault/ccrewSSLBack1.yar
delete mode 100644 yara-mikesxrs/alienvault/ccrewSSLBack2.yar
delete mode 100644 yara-mikesxrs/alienvault/ccrewSSLBack3.yar
delete mode 100644 yara-mikesxrs/alienvault/dbgdetect_files.yar
delete mode 100644 yara-mikesxrs/alienvault/dbgdetect_funcs.yar
delete mode 100644 yara-mikesxrs/alienvault/dbgdetect_procs.yar
delete mode 100644 yara-mikesxrs/alienvault/leverage_a.yar
delete mode 100644 yara-mikesxrs/alienvault/metaxcd.yar
delete mode 100644 yara-mikesxrs/alienvault/nkminer_monero.yar
delete mode 100644 yara-mikesxrs/alienvault/oceanlotus_constants.yar
delete mode 100644 yara-mikesxrs/alienvault/oceanlotus_xor_decode.yar
delete mode 100644 yara-mikesxrs/alienvault/sandboxdetect_misc.yar
delete mode 100644 yara-mikesxrs/alienvault/thequickbrow_APT1.yar
delete mode 100644 yara-mikesxrs/alienvault/urasay skype.yar
delete mode 100644 yara-mikesxrs/alienvault/vmdetect_misc.yar
delete mode 100644 yara-mikesxrs/bluecoat/Bluecoat_index.yara
delete mode 100644 yara-mikesxrs/bluecoat/InceptionAndroid.yar
delete mode 100644 yara-mikesxrs/bluecoat/InceptionBlackberry.yar
delete mode 100644 yara-mikesxrs/bluecoat/InceptionDLL.yar
delete mode 100644 yara-mikesxrs/bluecoat/InceptionIOS.yar
delete mode 100644 yara-mikesxrs/bluecoat/InceptionMips.yar
delete mode 100644 yara-mikesxrs/bluecoat/InceptionRTF.yar
delete mode 100644 yara-mikesxrs/bluecoat/InceptionVBS.yar
delete mode 100644 yara-mikesxrs/blueliv/WannaCryptor.yar
delete mode 100644 yara-mikesxrs/blueliv/banswift.yar
delete mode 100644 yara-mikesxrs/blueliv/banswift_wiper.yar
delete mode 100644 yara-mikesxrs/blueliv/petya_eternalblue.yar
delete mode 100644 yara-mikesxrs/codewatchorg/angler_ek_checkpoint.yar
delete mode 100644 yara-mikesxrs/codewatchorg/angler_ek_redirector.yar
delete mode 100644 yara-mikesxrs/codewatchorg/angler_flash.yar
delete mode 100644 yara-mikesxrs/codewatchorg/angler_flash2.yar
delete mode 100644 yara-mikesxrs/codewatchorg/angler_flash4.yar
delete mode 100644 yara-mikesxrs/codewatchorg/angler_flash5.yar
delete mode 100644 yara-mikesxrs/codewatchorg/angler_flash_uncompressed.yar
delete mode 100644 yara-mikesxrs/codewatchorg/angler_html.yar
delete mode 100644 yara-mikesxrs/codewatchorg/angler_html2.yar
delete mode 100644 yara-mikesxrs/codewatchorg/angler_jar.yar
delete mode 100644 yara-mikesxrs/codewatchorg/angler_js.yar
delete mode 100644 yara-mikesxrs/codewatchorg/blackhole1_jar.yar
delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_css.yar
delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm.yar
delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm10.yar
delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm11.yar
delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm12.yar
delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm3.yar
delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm5.yar
delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm6.yar
delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm8.yar
delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_jar.yar
delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_jar2.yar
delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_jar3.yar
delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_pdf.yar
delete mode 100644 yara-mikesxrs/codewatchorg/blackhole_basic.yar
delete mode 100644 yara-mikesxrs/codewatchorg/bleedinglife2_adobe_2010_1297_exploit.yar
delete mode 100644 yara-mikesxrs/codewatchorg/bleedinglife2_adobe_2010_2884_exploit.yar
delete mode 100644 yara-mikesxrs/codewatchorg/bleedinglife2_jar2.yar
delete mode 100644 yara-mikesxrs/codewatchorg/bleedinglife2_java_2010_0842_exploit.yar
delete mode 100644 yara-mikesxrs/codewatchorg/codewatchorg_index.yar
delete mode 100644 yara-mikesxrs/codewatchorg/crimepack_jar.yar
delete mode 100644 yara-mikesxrs/codewatchorg/crimepack_jar3.yar
delete mode 100644 yara-mikesxrs/codewatchorg/cve_2013_0074.yar
delete mode 100644 yara-mikesxrs/codewatchorg/cve_2013_0422.yar
delete mode 100644 yara-mikesxrs/codewatchorg/eleonore_jar.yar
delete mode 100644 yara-mikesxrs/codewatchorg/eleonore_jar2.yar
delete mode 100644 yara-mikesxrs/codewatchorg/eleonore_jar3.yar
delete mode 100644 yara-mikesxrs/codewatchorg/eleonore_js.yar
delete mode 100644 yara-mikesxrs/codewatchorg/eleonore_js2.yar
delete mode 100644 yara-mikesxrs/codewatchorg/eleonore_js3.yar
delete mode 100644 yara-mikesxrs/codewatchorg/fragus_htm.yar
delete mode 100644 yara-mikesxrs/codewatchorg/fragus_js.yar
delete mode 100644 yara-mikesxrs/codewatchorg/fragus_js2.yar
delete mode 100644 yara-mikesxrs/codewatchorg/fragus_js_flash.yar
delete mode 100644 yara-mikesxrs/codewatchorg/fragus_js_java.yar
delete mode 100644 yara-mikesxrs/codewatchorg/fragus_js_quicktime.yar
delete mode 100644 yara-mikesxrs/codewatchorg/fragus_js_vml.yar
delete mode 100644 yara-mikesxrs/codewatchorg/malicious_office.yar
delete mode 100644 yara-mikesxrs/codewatchorg/malicious_pdf.yar
delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_html.yar
delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_html10.yar
delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_html11.yar
delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_html2.yar
delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_html3.yar
delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_html4.yar
delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_html5.yar
delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_html6.yar
delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_html7.yar
delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_html8.yar
delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_html9.yar
delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_jar.yar
delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_jar2.yar
delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_jar3.yar
delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_pdf.yar
delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_pdf2.yar
delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_pdf3.yar
delete mode 100644 yara-mikesxrs/codewatchorg/redkit_bin_basic.yar
delete mode 100644 yara-mikesxrs/codewatchorg/sakura_jar.yar
delete mode 100644 yara-mikesxrs/codewatchorg/sakura_jar2.yar
delete mode 100644 yara-mikesxrs/codewatchorg/zeroaccess_css.yar
delete mode 100644 yara-mikesxrs/codewatchorg/zeroaccess_css2.yar
delete mode 100644 yara-mikesxrs/codewatchorg/zeroaccess_htm.yar
delete mode 100644 yara-mikesxrs/codewatchorg/zeroaccess_js.yar
delete mode 100644 yara-mikesxrs/codewatchorg/zeroaccess_js2.yar
delete mode 100644 yara-mikesxrs/codewatchorg/zeroaccess_js3.yar
delete mode 100644 yara-mikesxrs/codewatchorg/zeroaccess_js4.yar
delete mode 100644 yara-mikesxrs/codewatchorg/zerox88_js2.yar
delete mode 100644 yara-mikesxrs/codewatchorg/zerox88_js3.yar
delete mode 100644 yara-mikesxrs/codewatchorg/zeus_js.yar
delete mode 100644 yara-mikesxrs/crowdstrike/CVE_2014_4113.yar
delete mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_ PutterPanda _02 - rc4_dropper putterpanda.yar
delete mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_ PutterPanda _03 - threepara_para_implant putterpanda.yar
delete mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_ PutterPanda _05 _ httpclient putterpanda.yar
delete mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_ PutterPanda _06 _ xor_dropper putterpanda.yar
delete mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_CSIT_14003_03.yar
delete mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_CSIT_14004_02.yar
delete mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_FlyingKitten.yar
delete mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_PutterPanda_01 - fourh_stack_strings putterpanda.yar
delete mode 100644 yara-mikesxrs/crowdstrike/Crowdstrike_index.yara
delete mode 100644 yara-mikesxrs/crowdstrike/Crowdstrike_target_breach.yar
delete mode 100644 yara-mikesxrs/crowdstrike/gameover zeus.yar
delete mode 100644 yara-mikesxrs/crowdstrike/rule CrowdStrike_PutterPanda_04_ pngdowner putterpanda.yar
delete mode 100644 yara-mikesxrs/cylance/BackDoorLogger.yar
delete mode 100644 yara-mikesxrs/cylance/Hkdoor_DLL.yar
delete mode 100644 yara-mikesxrs/cylance/Hkdoor_backdoor.yar
delete mode 100644 yara-mikesxrs/cylance/Hkdoor_driver.yar
delete mode 100644 yara-mikesxrs/cylance/Hkdoor_dropper.yar
delete mode 100644 yara-mikesxrs/cylance/Jasus.yar
delete mode 100644 yara-mikesxrs/cylance/LoggerModule.yar
delete mode 100644 yara-mikesxrs/cylance/MiSType_Backdoor_Packed.yar
delete mode 100644 yara-mikesxrs/cylance/Misdat_Backdoor.yar
delete mode 100644 yara-mikesxrs/cylance/Misdat_Backdoor_Packed.yar
delete mode 100644 yara-mikesxrs/cylance/NetC.yar
delete mode 100644 yara-mikesxrs/cylance/SType_Backdoor.yar
delete mode 100644 yara-mikesxrs/cylance/ShellCreator2.yar
delete mode 100644 yara-mikesxrs/cylance/SmartCopy2.yar
delete mode 100644 yara-mikesxrs/cylance/StreamEX.yar
delete mode 100644 yara-mikesxrs/cylance/SynFlooder.yar
delete mode 100644 yara-mikesxrs/cylance/TinyZBot.yar
delete mode 100644 yara-mikesxrs/cylance/WannaCryptor.yar
delete mode 100644 yara-mikesxrs/cylance/ZhoupinExploitCrew.yar
delete mode 100644 yara-mikesxrs/cylance/Zlib_Backdoor.yar
delete mode 100644 yara-mikesxrs/cylance/antivirusdetector.yar
delete mode 100644 yara-mikesxrs/cylance/baijiu.yar
delete mode 100644 yara-mikesxrs/cylance/csext.yar
delete mode 100644 yara-mikesxrs/cylance/cylance_index.yara
delete mode 100644 yara-mikesxrs/cylance/kagent.yar
delete mode 100644 yara-mikesxrs/cylance/mimikatzWrapper.yar
delete mode 100644 yara-mikesxrs/cylance/pvz_in.yar
delete mode 100644 yara-mikesxrs/cylance/pvz_out.yar
delete mode 100644 yara-mikesxrs/cylance/snakewine.yar
delete mode 100644 yara-mikesxrs/cylance/wndTest.yar
delete mode 100644 yara-mikesxrs/cylance/zhCat.yar
delete mode 100644 yara-mikesxrs/cylance/zhLookUp.yar
delete mode 100644 yara-mikesxrs/cylance/zhmimikatz.yar
delete mode 100644 yara-mikesxrs/eset/Animal_Farm.yar
delete mode 100644 yara-mikesxrs/eset/ESET_index.yara
delete mode 100644 yara-mikesxrs/eset/Gazer.yar
delete mode 100644 yara-mikesxrs/eset/InvisiMole.yar
delete mode 100644 yara-mikesxrs/eset/Linux_Moose.yar
delete mode 100644 yara-mikesxrs/eset/Mumblehard_packer.yar
delete mode 100644 yara-mikesxrs/eset/OSX_Keydnap_backdoor.yar
delete mode 100644 yara-mikesxrs/eset/OSX_Keydnap_packer.yar
delete mode 100644 yara-mikesxrs/eset/OSX_keydnap_downloader.yar
delete mode 100644 yara-mikesxrs/eset/Operation Potao.yar
delete mode 100644 yara-mikesxrs/eset/Operation Windigo.yar
delete mode 100644 yara-mikesxrs/eset/PotaoNew.yara
delete mode 100644 yara-mikesxrs/eset/Prikormka.yar
delete mode 100644 yara-mikesxrs/eset/SparklingGoblin.yar
delete mode 100644 yara-mikesxrs/eset/Turla_Carbon.yar
delete mode 100644 yara-mikesxrs/eset/badiis.yar
delete mode 100644 yara-mikesxrs/eset/kobalos.yar
delete mode 100644 yara-mikesxrs/eset/kobalos_ssh_credential_stealer.yar
delete mode 100644 yara-mikesxrs/eset/linux_rakos.yar
delete mode 100644 yara-mikesxrs/eset/skip20_sqllang_hook.yar
delete mode 100644 yara-mikesxrs/eset/sshdoor.yar
delete mode 100644 yara-mikesxrs/eset/stantinko.yar
delete mode 100644 yara-mikesxrs/eset/ta410.yar
delete mode 100644 yara-mikesxrs/eset/turla-outlook.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.AdGazelle.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Adpeak.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Agent.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.BetterSurf.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.BrowseFox.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Conduit.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.ConvertAd.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Crossrider.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.DealPly.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Dlhelper.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Downloader.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.ELEX.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Gen.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Genieo.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Imali.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.InstallCore.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Linkury.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.MyWebSearch.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.NextLive.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.ObronaAds.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.OpenCandy.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.OutBrowse.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.PullUpdate.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.SProtect.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.SearchSuite.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Sendori.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.SimplyTech.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.SmartApps.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Solimbda.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Trioris.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Vitruvian.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Wajam.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.WebTools.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.WebWatcher.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.iBryte.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Adware.uKor.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Bladabindi.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Dedipros.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Fynloski.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Gen.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Liudoor.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Mirage.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Vawtrak.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Zegost.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Malware.BitCoinMiner.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Malware.Downloader.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Malware.PWS.yar
delete mode 100644 yara-mikesxrs/g00dv1n/PUP.SystemOptimizer.yar
delete mode 100644 yara-mikesxrs/g00dv1n/PUP.Systweak.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Ransom.Crypters.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Risk.DetectAnalysis.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Risk.NetFilter.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Rogue.AVSoft.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Rogue.Braviax.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Rogue.FakePAV.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Rogue.FakeRean.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Rogue.FakeSysDef.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Rogue.LiveSP.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Rogue.SDef.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Rogue.SysDoc.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Rogue.Winwebsec.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Antivar.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Cbeplay.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.ChStartPage.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Citadel.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Comfoo.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Cutwail.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Dllpatcher.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Downloader.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Dropper.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Frethog.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.GBot.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Gamarue.Andromeda.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Injector.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Kovter.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Kuluoz.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Lethic.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Necurs.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Nedsym.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Neurevt.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.PowerLoader.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Ransom.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Regin.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Rovnix.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Simda.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Sirefef.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Upatre.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Virtool.Obfuscator.yar
delete mode 100644 yara-mikesxrs/g00dv1n/TrojanPSW.Tepfer.yar
delete mode 100644 yara-mikesxrs/g00dv1n/TrojanPSW.ZBot.yar
delete mode 100644 yara-mikesxrs/g00dv1n/TrojanSpy.Ursnif.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Virus.Chir.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Virus.Madang.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Worm.Cridex.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Worm.Dorkbot.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Worm.Phorpiex.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Worm.SillyP2P.yar
delete mode 100644 yara-mikesxrs/g00dv1n/Worm.SkypeSpamer.yar
delete mode 100644 yara-mikesxrs/g00dv1n/g00dvin_index.yara
delete mode 100644 yara-mikesxrs/iSightPartners/SDBFile.yar
delete mode 100644 yara-mikesxrs/kaspersky/Adwind.yar
delete mode 100644 yara-mikesxrs/kaspersky/Crime_eyepyramid.yar
delete mode 100644 yara-mikesxrs/kaspersky/LazarusWannaCry.yar
delete mode 100644 yara-mikesxrs/kaspersky/apt_ProjectSauron_encrypted_LSA.yar
delete mode 100644 yara-mikesxrs/kaspersky/apt_ProjectSauron_encrypted_SSPI.yar
delete mode 100644 yara-mikesxrs/kaspersky/apt_ProjectSauron_encrypted_container.yar
delete mode 100644 yara-mikesxrs/kaspersky/apt_ProjectSauron_encryption.yar
delete mode 100644 yara-mikesxrs/kaspersky/apt_ProjectSauron_generic_pipe_backdoor.yar
delete mode 100644 yara-mikesxrs/kaspersky/apt_ProjectSauron_pipe_backdoor.yar
delete mode 100644 yara-mikesxrs/kaspersky/apt_duqu2_drivers.yar
delete mode 100644 yara-mikesxrs/kaspersky/apt_duqu2_loaders.yar
delete mode 100644 yara-mikesxrs/kaspersky/apt_equation_cryptotable.yar
delete mode 100644 yara-mikesxrs/kaspersky/apt_equation_doublefantasy_genericresource.yar
delete mode 100644 yara-mikesxrs/kaspersky/apt_equation_equationlaser_runtimeclasses.yar
delete mode 100644 yara-mikesxrs/kaspersky/apt_equation_exploitlib_mutexes.yar
delete mode 100644 yara-mikesxrs/kaspersky/apt_hellsing_implantstrings.yar
delete mode 100644 yara-mikesxrs/kaspersky/apt_hellsing_installer.yar
delete mode 100644 yara-mikesxrs/kaspersky/apt_hellsing_irene.yar
delete mode 100644 yara-mikesxrs/kaspersky/apt_hellsing_msgertype2.yar
delete mode 100644 yara-mikesxrs/kaspersky/apt_hellsing_proxytool.yar
delete mode 100644 yara-mikesxrs/kaspersky/apt_hellsing_xkat.yar
delete mode 100644 yara-mikesxrs/kaspersky/apt_regin_2013_64bit_stage1.yar
delete mode 100644 yara-mikesxrs/kaspersky/apt_regin_dispatcher_disp_dll.yar
delete mode 100644 yara-mikesxrs/kaspersky/apt_regin_vfs.yar
delete mode 100644 yara-mikesxrs/kaspersky/backdoored_ssh.yar
delete mode 100644 yara-mikesxrs/kaspersky/exploit_Silverlight_Toropov_Generic_XAP.yar
delete mode 100644 yara-mikesxrs/kaspersky/kaspersky_index.yara
delete mode 100644 yara-mikesxrs/kaspersky/ransomware_PetrWrap.yar
delete mode 100644 yara-mikesxrs/kaspersky/stonedrill.yar
delete mode 100644 yara-mikesxrs/kaspersky/xDedic_SysScan_unpacked.yar
delete mode 100644 yara-mikesxrs/kaspersky/xdedic_packed_syscan.yar
delete mode 100644 yara-mikesxrs/one offs/9002Rat.yar
delete mode 100644 yara-mikesxrs/one offs/AdwindRat.yar
delete mode 100644 yara-mikesxrs/one offs/CVE-2013-3660.yar
delete mode 100644 yara-mikesxrs/one offs/ComputraceAgent.yar
delete mode 100644 yara-mikesxrs/one offs/CoreFlood_ldr.yar
delete mode 100644 yara-mikesxrs/one offs/Cridex.yar
delete mode 100644 yara-mikesxrs/one offs/Hancidoc_Dropper.yar
delete mode 100644 yara-mikesxrs/one offs/Mebroot_Torpig.yar
delete mode 100644 yara-mikesxrs/one offs/OSX_Malware.yar
delete mode 100644 yara-mikesxrs/one offs/Pegasus.yar
delete mode 100644 yara-mikesxrs/one offs/Qadars_DGA.yar
delete mode 100644 yara-mikesxrs/one offs/Shellphish.yar
delete mode 100644 yara-mikesxrs/one offs/W32ChirB.yar
delete mode 100644 yara-mikesxrs/one offs/XorDDoS.yar
delete mode 100644 yara-mikesxrs/one offs/ammyy_cerber3.yar
delete mode 100644 yara-mikesxrs/one offs/crime_ole_loadswf_cve_2018_4878.yar
delete mode 100644 yara-mikesxrs/one offs/crime_win32_gratefulpos_trojan.yar
delete mode 100644 yara-mikesxrs/one offs/dridex.yar
delete mode 100644 yara-mikesxrs/one offs/fastposloader.yar
delete mode 100644 yara-mikesxrs/one offs/marcher.yar
delete mode 100644 yara-mikesxrs/one offs/mwi_document.yar
delete mode 100644 yara-mikesxrs/one offs/nettraveler.yar
delete mode 100644 yara-mikesxrs/one offs/packager_cve2017_11882.yar
delete mode 100644 yara-mikesxrs/one offs/snake_uroburos.yar
delete mode 100644 yara-mikesxrs/paloalto/Palo_Alto_index.yara
delete mode 100644 yara-mikesxrs/paloalto/ce_enfal_cmstar_debug_msg.yar
delete mode 100644 yara-mikesxrs/paloalto/cobalt_gang_builder.yar
delete mode 100644 yara-mikesxrs/paloalto/findpos.yar
delete mode 100644 yara-mikesxrs/paloalto/general_win_dll_golang_socks.yar
delete mode 100644 yara-mikesxrs/paloalto/general_win_faked_dlls_export_popo.yar
delete mode 100644 yara-mikesxrs/paloalto/general_win_golang_socks.yar
delete mode 100644 yara-mikesxrs/paloalto/hancitor_dropper.yar
delete mode 100644 yara-mikesxrs/paloalto/hancitor_payload.yar
delete mode 100644 yara-mikesxrs/paloalto/hancitor_stage1.yar
delete mode 100644 yara-mikesxrs/paloalto/powerstager.yar
delete mode 100644 yara-mikesxrs/paloalto/webshell_chinachopper_oab.yar
delete mode 100644 yara-mikesxrs/pombredanne/Android_AVITOMMS_Variant.yar
delete mode 100644 yara-mikesxrs/pombredanne/Android_AndroRat.yar
delete mode 100644 yara-mikesxrs/pombredanne/Android_BadMirror.yar
delete mode 100644 yara-mikesxrs/pombredanne/Android_Banker_Sberbank.yar
delete mode 100644 yara-mikesxrs/pombredanne/Android_Clicker_G.yar
delete mode 100644 yara-mikesxrs/pombredanne/Android_Copy9.yar
delete mode 100644 yara-mikesxrs/pombredanne/Android_DeathRing.yar
delete mode 100644 yara-mikesxrs/pombredanne/Android_Dendroid.yar
delete mode 100644 yara-mikesxrs/pombredanne/Android_Dogspectus.yar
delete mode 100644 yara-mikesxrs/pombredanne/Android_FakeBank_Fanta.yar
delete mode 100644 yara-mikesxrs/pombredanne/Android_Godless.yar
delete mode 100644 yara-mikesxrs/pombredanne/Android_Marcher.yar
delete mode 100644 yara-mikesxrs/pombredanne/Android_MazarBot.yar
delete mode 100644 yara-mikesxrs/pombredanne/Android_OmniRat.yar
delete mode 100644 yara-mikesxrs/pombredanne/Android_RuMMS.yar
delete mode 100644 yara-mikesxrs/pombredanne/PDF_Embedded_Exe.yar
delete mode 100644 yara-mikesxrs/pombredanne/SandroRat.yar
delete mode 100644 yara-mikesxrs/pombredanne/Spartan_SWF.yar
delete mode 100644 yara-mikesxrs/securityartwork/Erebus_Ransomware.yar
delete mode 100644 yara-mikesxrs/securityartwork/HardcodeHunter.yar
delete mode 100644 yara-mikesxrs/securityartwork/IoT_Reaper.yar
delete mode 100644 yara-mikesxrs/securityartwork/Linux_Bew.yar
delete mode 100644 yara-mikesxrs/securityartwork/Linux_Helios.yar
delete mode 100644 yara-mikesxrs/securityartwork/Meterpreter_rev_tcp.yar
delete mode 100644 yara-mikesxrs/securityartwork/OfficeMacrosWinintelDLL.yar
delete mode 100644 yara-mikesxrs/securityartwork/linux_Okiru.yar
delete mode 100644 yara-mikesxrs/securityartwork/multibanker.yar
delete mode 100644 yara-mikesxrs/securityartwork/shellcode_cve_2013_2729.yar
delete mode 100644 yara-mikesxrs/securityartwork/trickbot.yar
delete mode 100644 yara-mikesxrs/symantec/Bannerjack.yar
delete mode 100644 yara-mikesxrs/symantec/Cadelle_1.yar
delete mode 100644 yara-mikesxrs/symantec/Cadelle_2.yar
delete mode 100644 yara-mikesxrs/symantec/Cadelle_3.yar
delete mode 100644 yara-mikesxrs/symantec/Cadelle_4.yar
delete mode 100644 yara-mikesxrs/symantec/Eventlog.yar
delete mode 100644 yara-mikesxrs/symantec/Hacktool.yar
delete mode 100644 yara-mikesxrs/symantec/Kwampirs.yar
delete mode 100644 yara-mikesxrs/symantec/Multipurpose.yar
delete mode 100644 yara-mikesxrs/symantec/Proxy.yar
delete mode 100644 yara-mikesxrs/symantec/Securetunnel.yar
delete mode 100644 yara-mikesxrs/symantec/comrat.yar
delete mode 100644 yara-mikesxrs/symantec/fa.yar
delete mode 100644 yara-mikesxrs/symantec/isPE.yar
delete mode 100644 yara-mikesxrs/symantec/jiripbot _ ascii _ str _ decrypt.yar
delete mode 100644 yara-mikesxrs/symantec/jiripbot _ unicode _ str _ decrypt.yar
delete mode 100644 yara-mikesxrs/symantec/remsec_encrypted_api.yar
delete mode 100644 yara-mikesxrs/symantec/remsec_executable_blob_32.yar
delete mode 100644 yara-mikesxrs/symantec/remsec_executable_blob_64.yar
delete mode 100644 yara-mikesxrs/symantec/remsec_executable_blob_parser.yar
delete mode 100644 yara-mikesxrs/symantec/remsec_packer_A.yar
delete mode 100644 yara-mikesxrs/symantec/remsec_packer_B.yar
delete mode 100644 yara-mikesxrs/symantec/sav _ dropper.yar
delete mode 100644 yara-mikesxrs/symantec/sav.yar
delete mode 100644 yara-mikesxrs/symantec/symantec_index.yara
delete mode 100644 yara-mikesxrs/symantec/turla _ dll.yar
delete mode 100644 yara-mikesxrs/symantec/turla _ dropper.yar
delete mode 100644 yara-mikesxrs/symantec/wipbot _ 2013 _ core _ PDF.yar
delete mode 100644 yara-mikesxrs/symantec/wipbot _ 2013 _ core.yar
delete mode 100644 yara-mikesxrs/symantec/wipbot _ 2013 _ dll.yar
delete mode 100644 yara-mikesxrs/vitorafonso/banker.yar
delete mode 100644 yara-mikesxrs/vitorafonso/crisis.yar
delete mode 100644 yara-mikesxrs/vitorafonso/dropper.yar
delete mode 100644 yara-mikesxrs/vitorafonso/exploit.yar
delete mode 100644 yara-mikesxrs/vitorafonso/shedun.yar
delete mode 100644 yara-mikesxrs/vitorafonso/zitmo.yar
diff --git a/main.py b/main.py
index 19cdb22..d02e24d 100644
--- a/main.py
+++ b/main.py
@@ -246,7 +246,7 @@ def kill_suspicious_processes():
# Scan files for malware as they launch and kill if potentially malicious.
for file_path in cmdline:
if os.path.isfile(file_path):
- if scan_for_malware(file_path) and os.path.basename(bypassed_processes):
+ if scan_for_malware(file_path):
print(f"Terminating potentially malicious process {proc.info['name']} (PID: {proc.info['pid']} NOW...")
proc.terminate()
proc.wait()
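Review bot: The new condition terminates every process whose command-line file scans positive with no allowlist, and `proc.wait()` on the following line has no timeout, so a process that ignores terminate() blocks this scan loop — and with it the realtimeAV caller — indefinitely. If proc is a psutil Process, `proc.wait(timeout=5)` with `psutil.TimeoutExpired` handled (and `psutil.NoSuchProcess`/`psutil.AccessDenied` around terminate()) keeps the loop alive; whether such handling exists outside the hunk is not visible here. The removed `os.path.basename(bypassed_processes)` was always truthy, so dropping it changes nothing, but if a bypass list was intended the check should read `os.path.basename(file_path) not in bypassed_processes`. The message on the context line is also missing the closing parenthesis after the PID. The enclosing function kill_suspicious_processes starts and ends outside the hunk.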
@@ -332,12 +332,24 @@ def realtimeAV():
kill_suspicious_processes()
time.sleep(1) # check for malware every second
+def threadCounter():
+ previous_count = 0
+ current_count = 0
+ while True:
+ previous_count = threading.active_count()
+ print(f"Active AntiMalware Threads: {current_count}")
+ if current_count < previous_count and previous_count - current_count > -1:
+ print("WARNING: THREAD KILL DETECTED!")
+ time.sleep(3) # check for malware every second
+ current_count = threading.active_count()
+
# Start Monitoring in Threads
threads = [
threading.Thread(target=start_file_system_monitor),
threading.Thread(target=monitor_cpu_gpu_usage),
threading.Thread(target=monitor_registry_changes),
threading.Thread(target=realtimeAV),
+ threading.Thread(target=threadCounter),
threading.Thread(target=monitor_tls_certificates),
threading.Thread(target=monitor_browser, args=('chrome',)),
threading.Thread(target=monitor_browser, args=('firefox',))
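Review bot: The drop check in threadCounter is inverted and fires spuriously: `current_count` starts at 0 and is only sampled after the sleep, while `previous_count` is re-sampled at the top of the next iteration, so the first pass always prints "THREAD KILL DETECTED!" and later passes compare two samples taken microseconds apart with the older one on the `current` side. The clause `previous_count - current_count > -1` is implied by `current_count < previous_count` and adds nothing, and the copied comment `# check for malware every second` describes neither the 3-second interval nor the thread count. Sampling once before the loop and once after each sleep, then comparing the two, gives the intended watchdog; note that `threading.active_count()` also counts the main thread and this watchdog itself, so the printed figure is not the number of monitor threads, and a per-thread `is_alive()` check over the `threads` list would say which monitor died. The name `threadCounter` also departs from the snake_case used by the neighbouring monitors. The `threads = [` list continues past the end of the hunk.
```python
def threadCounter():
    """Watchdog: warn when the number of live threads drops between samples."""
    previous_count = threading.active_count()
    while True:
        print(f"Active AntiMalware Threads: {previous_count}")
        time.sleep(3)  # sample the thread count every 3 seconds
        current_count = threading.active_count()
        if current_count < previous_count:
            print("WARNING: THREAD KILL DETECTED!")
        previous_count = current_count

# … unchanged: threads list …
```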
diff --git a/yara-Neo23x0/configured_vulns_ext_vars.yar b/yara-Neo23x0/configured_vulns_ext_vars.yar
deleted file mode 100644
index d770c6c..0000000
--- a/yara-Neo23x0/configured_vulns_ext_vars.yar
+++ /dev/null
@@ -1,241 +0,0 @@
-
-/*
- Rules which detect vulnerabilities in configuration files.
- External variables are used so they only work with YARA scanners, that pass them on (e.g. Thor, Loki and Spyre)
-*/
-
-
-rule VULN_Linux_Sudoers_Commands {
- meta:
- description = "Detects sudoers config with commands which might allow privilege escalation to root"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Arnim Rupp"
- reference = "https://gtfobins.github.io/"
- date = "2022-11-22"
- modified = "2024-04-15"
- score = 50
- id = "221d90c8-e70e-5214-a03b-57ecabcdd480"
- strings:
- $command1 = "/sh " ascii
- $command2 = "/bash " ascii
- $command3 = "/ksh " ascii
- $command4 = "/csh " ascii
- $command5 = "/tcpdump " ascii
- //$command6 = "/cat " ascii
- //$command7 = "/head " ascii
- $command8 = "/nano " ascii
- $command9 = "/pico " ascii
- $command10 = "/rview " ascii
- $command11 = "/vi " ascii
- $command12 = "/vim " ascii
- $command13 = "/rvi " ascii
- $command14 = "/rvim " ascii
- //$command15 = "/more " ascii
- $command16 = "/less " ascii
- $command17 = "/dd " ascii
- /* $command18 = "/mount " ascii prone to FPs */
-
- condition:
- ( filename == "sudoers" or filepath contains "/etc/sudoers.d" ) and
- any of ($command*)
-}
-
-rule VULN_Linux_NFS_Exports {
- meta:
- description = "Detects insecure /etc/exports NFS config which might allow privilege escalation to root or other users. The parameter insecure allows any non-root user to mount NFS shares via e.g. an SSH-tunnel. With no_root_squash SUID root binaries are allowed."
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- reference = "https://www.errno.fr/nfs_privesc.html"
- author = "Arnim Rupp"
- date = "2022-11-22"
- score = 50
- id = "4b7d81d8-1ae1-5fcf-a91c-271477a839db"
- strings:
- // line has to start with / to avoid triggering on #-comment lines
- $conf1 = /\n\/.{2,200}?\binsecure\b/ ascii
- $conf2 = /\n\/.{2,200}?\bno_root_squash\b/ ascii
-
- condition:
- filename == "exports" and
- filepath contains "/etc" and
- any of ($conf*)
-}
-
-rule SUSP_AES_Key_in_MySql_History {
- meta:
- description = "Detects AES key outside of key management in .mysql_history"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Arnim Rupp"
- date = "2022-11-22"
- score = 50
- id = "28acef39-8606-5d3d-b395-0d8db13f6c9c"
- strings:
- $c1 = /\bAES_(DE|EN)CRYPT\(.{1,128}?,.??('|").{1,128}?('|")\)/ ascii
- $c2 = /\baes_(de|en)crypt\(.{1,128}?,.??('|").{1,128}?('|")\)/ ascii
-
- condition:
- filename == ".mysql_history" and
- any of ($c*)
-}
-
-rule VULN_Slapd_Conf_with_Default_Password {
- meta:
- description = "Detects an openldap slapd.conf with the default password test123"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Arnim Rupp"
- date = "2022-11-22"
- reference = "https://www.openldap.org/doc/admin21/slapdconfig.html"
- score = 70
- id = "1d1319da-125b-5373-88f1-27a23c85729e"
- strings:
- /* \nrootpw \{SSHA\}fsAEyxlFOtvZBwPLAF68zpUhth8lERoR */
- $c1 = { 0A 72 6f 6f 74 70 77 20 7b 53 53 48 41 7d 66 73 41 45 79 78 6c 46 4f 74 76 5a 42 77 50 4c 41 46 36 38 7a 70 55 68 74 68 38 6c 45 52 6f 52 }
-
- condition:
- filename == "slapd.conf" and
- any of ($c*)
-}
-
-rule VULN_Unencrypted_SSH_Private_Key : T1552_004 {
- meta:
- description = "Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Arnim Rupp"
- date = "2023-01-06"
- reference = "https://attack.mitre.org/techniques/T1552/004/"
- score = 50
- id = "84b279fc-99c8-5101-b2d8-5c7adbaf753f"
- strings:
- /*
- -----BEGIN RSA PRIVATE KEY-----
- MII
- */
- $openssh_rsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 }
-
- /*
- -----BEGIN DSA PRIVATE KEY-----
- MIIBvAIBAAKBgQ
- */
- $openssh_dsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 44 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 42 76 41 49 42 41 41 4b 42 67 51 }
-
- /*
- -----BEGIN EC PRIVATE KEY-----
- M
- */
- $openssh_ecdsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 45 43 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d }
-
- /*
- -----BEGIN OPENSSH PRIVATE KEY-----
- b3BlbnNzaC1rZXktdjEAAAAABG5vbmU
-
- base64 contains: openssh-key-v1.....none
- */
- $openssh_ed25519 = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 4f 50 45 4e 53 53 48 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 62 33 42 6c 62 6e 4e 7a 61 43 31 72 5a 58 6b 74 64 6a 45 41 41 41 41 41 42 47 35 76 62 6d 55 }
-
- $putty_start = "PuTTY-User-Key-File" ascii
- $putty_noenc = "Encryption: none" ascii
-
- condition:
- /*
- limit to folders and filenames which are known to contain ssh keys to avoid triggering on all those
- private keys for SSL, signing, ... which might be important but aren't usually used for lateral
- movement => bad signal noise ratio
- */
- (
- filepath contains "ssh" or
- filepath contains "SSH" or
- filepath contains "utty" or
- filename contains "ssh" or
- filename contains "SSH" or
- filename contains "id_" or
- filename contains "id2_" or
- filename contains ".ppk" or
- filename contains ".PPK" or
- filename contains "utty"
- )
- and
- (
- $openssh_dsa at 0 or
- $openssh_rsa at 0 or
- $openssh_ecdsa at 0 or
- $openssh_ed25519 at 0 or
- (
- $putty_start at 0 and
- $putty_noenc
- )
- )
- and not filepath contains "/root/"
- and not filename contains "ssh_host_"
-}
-
-
-rule VULN_Unencrypted_SSH_Private_Key_Root_Folder : T1552_004 {
- meta:
- description = "Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Arnim Rupp"
- date = "2023-01-06"
- reference = "https://attack.mitre.org/techniques/T1552/004/"
- score = 65
- id = "9e6a03a1-d95f-5de7-a6c0-a2e77486007c"
- strings:
- /*
- -----BEGIN RSA PRIVATE KEY-----
- MII
- */
- $openssh_rsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 }
-
- /*
- -----BEGIN DSA PRIVATE KEY-----
- MIIBvAIBAAKBgQ
- */
- $openssh_dsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 44 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 42 76 41 49 42 41 41 4b 42 67 51 }
-
- /*
- -----BEGIN EC PRIVATE KEY-----
- M
- */
- $openssh_ecdsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 45 43 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d }
-
- /*
- -----BEGIN OPENSSH PRIVATE KEY-----
- b3BlbnNzaC1rZXktdjEAAAAABG5vbmU
-
- base64 contains: openssh-key-v1.....none
- */
- $openssh_ed25519 = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 4f 50 45 4e 53 53 48 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 62 33 42 6c 62 6e 4e 7a 61 43 31 72 5a 58 6b 74 64 6a 45 41 41 41 41 41 42 47 35 76 62 6d 55 }
-
- $putty_start = "PuTTY-User-Key-File" ascii
- $putty_noenc = "Encryption: none" ascii
-
- condition:
- /*
- limit to folders and filenames which are known to contain ssh keys to avoid triggering on all those
- private keys for SSL, signing, ... which might be important but aren't usually used for lateral
- movement => bad signal noise ratio
- */
- (
- filepath contains "ssh" or
- filepath contains "SSH" or
- filepath contains "utty" or
- filename contains "ssh" or
- filename contains "SSH" or
- filename contains "id_" or
- filename contains "id2_" or
- filename contains ".ppk" or
- filename contains ".PPK" or
- filename contains "utty"
- )
- and
- (
- $openssh_dsa at 0 or
- $openssh_rsa at 0 or
- $openssh_ecdsa at 0 or
- $openssh_ed25519 at 0 or
- (
- $putty_start at 0 and
- $putty_noenc
- )
- )
- and filepath contains "/root/"
- and not filename contains "ssh_host_"
-}
diff --git a/yara-Neo23x0/expl_citrix_netscaler_adc_exploitation_cve_2023_3519.yar b/yara-Neo23x0/expl_citrix_netscaler_adc_exploitation_cve_2023_3519.yar
deleted file mode 100644
index 1154331..0000000
--- a/yara-Neo23x0/expl_citrix_netscaler_adc_exploitation_cve_2023_3519.yar
+++ /dev/null
@@ -1,102 +0,0 @@
-
-rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23 {
- meta:
- description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
- author = "Florian Roth"
- reference = "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf"
- date = "2023-07-18"
- modified = "2023-07-21"
- score = 70
- id = "07d725cc-2cf2-55e5-8609-486500547f13"
- strings:
- $sa1 = "216.41.162.172" ascii fullword
-
- $sb1 = "/flash/nsconfig/keys" ascii
- $sb2 = "ldapsearch" ascii fullword
- $sb3 = "ns_gui/vpn" ascii
- $sb4 = "LDAPTLS_REQCERT" ascii fullword
- condition:
- filesize < 10MB and $sa1
- or (
- filepath == "/var/log"
- and filename matches /^(bash|sh)\.log/
- and 1 of ($sb*)
- )
-}
-
-rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23_2 {
- meta:
- description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
- author = "Florian Roth"
- reference = "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf"
- date = "2023-07-21"
- score = 70
- id = "471ce547-0133-5836-b9d1-02c932ecfd1e"
- strings:
- $s1 = "tar -czvf - /var/tmp/all.txt" ascii fullword
- $s2 = "-out /var/tmp/test.tar.gz" ascii
- $s3 = "/test.tar.gz /netscaler/"
- condition:
- filesize < 10MB and 1 of them
-}
-
-rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23_3 {
- meta:
- description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
- author = "Florian Roth"
- reference = "https://www.mandiant.com/resources/blog/citrix-zero-day-espionage"
- date = "2023-07-24"
- score = 70
- id = "2f40b423-f1da-5711-ac4f-18de77cd52d0"
- strings:
- $x1 = "cat /flash/nsconfig/ns.conf >>" ascii
- $x2 = "cat /nsconfig/.F1.key >>" ascii
- $x3 = "openssl base64 -d < /tmp/" ascii
- $x4 = "cp /usr/bin/bash /var/tmp/bash" ascii
- $x5 = "chmod 4775 /var/tmp/bash"
- $x6 = "pwd;pwd;pwd;pwd;pwd;"
- $x7 = "(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(objectCategory=computer)))"
- condition:
- filesize < 10MB and 1 of them
-}
-
-rule LOG_EXPL_Citrix_Netscaler_ADC_Exploitation_Attempt_CVE_2023_3519_Jul23_1 {
- meta:
- description = "This YARA rule detects forensic artifacts that appear following an attempted exploitation of Citrix NetScaler ADC CVE-2023-3519. The rule identifies an attempt to access the vulnerable function using an overly long URL, a potential sign of attempted exploitation. However, it does not confirm whether such an attempt was successful."
- author = "Florian Roth"
- reference = "https://blog.assetnote.io/2023/07/24/citrix-rce-part-2-cve-2023-3519/"
- date = "2023-07-27"
- score = 65
- id = "7dfe4130-d976-5d6d-a05d-ccadefe45406"
- strings:
- /* overly long URL - all URLLEN values >= 200 */
- $sr1 = /GWTEST FORMS SSO: Parse=0; URLLEN=([2-9][0-9]{2}|[0-9]{4,20}); Event: start=0x/
- $s1 = ", type=1; Target: start=0x"
- condition:
- all of them
-}
-
-rule WEBSHELL_SECRETSAUCE_Jul23_1 {
- meta:
- description = "Detects SECRETSAUCE PHP webshells (found after an exploitation of Citrix NetScaler ADC CVE-2023-3519)"
- author = "Florian Roth"
- reference = "https://www.mandiant.com/resources/blog/citrix-zero-day-espionage"
- date = "2023-07-24"
- score = 85
- id = "db0542e7-648e-5f60-9838-e07498f58b51"
- strings:
- $sa1 = "for ($x=0; $x<=1; $x++) {" ascii
- $sa2 = "$_REQUEST[" ascii
- $sa3 = "@eval" ascii
-
- $sb1 = "public $cmd;" ascii
- $sb2 = "return @eval($a);" ascii
- $sb3 = "$z->run($z->get('openssl_public_decrypt'));"
- condition:
- filesize < 100KB and (
- all of ($sa*) or
- 2 of ($sb*)
- )
-}
-
-
diff --git a/yara-Neo23x0/expl_connectwise_screenconnect_vuln_feb24.yar b/yara-Neo23x0/expl_connectwise_screenconnect_vuln_feb24.yar
deleted file mode 100644
index 3b69fe4..0000000
--- a/yara-Neo23x0/expl_connectwise_screenconnect_vuln_feb24.yar
+++ /dev/null
@@ -1,328 +0,0 @@
-import "pe"
-
-rule ConnectWise_ScreenConnect_Authentication_Bypass_Feb_2024_Exploitation_IIS_Logs {
- meta:
- description = "Detects an http request to '/SetupWizard.aspx/' with anything following it, which when found in IIS logs is a potential indicator of compromise of the 2024 ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
- author = "Huntress DE&TH Team (modified by Florian Roth)"
- reference = "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"
- date = "2024-02-20"
- modified = "2024-02-21"
- id = "2886530b-e164-4c4b-b01e-950e3c40acb4"
- strings:
- $s1 = " GET /SetupWizard.aspx/" ascii
- $s2 = " POST /SetupWizard.aspx/" ascii
- $s3 = " PUT /SetupWizard.aspx/" ascii
- $s4 = " HEAD /SetupWizard.aspx/" ascii
- condition:
- 1 of them
-}
-
-rule SUSP_ScreenConnect_User_PoC_Com_Unused_Feb24 {
- meta:
- description = "Detects suspicious ScreenConnect user with poc.com email address, which is a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability with the POC released by WatchTower and the account wasn't actually used yet to login"
- author = "Florian Roth"
- reference = "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53"
- date = "2024-02-23"
- score = 65
- id = "c57e6c6a-298f-5ff3-b76a-03127ff88699"
- strings:
- $a1 = ""
-
- $s1 = "@poc.com"
- $s2 = "0001"
- condition:
- filesize < 200KB
- and all of ($a*)
- and all of ($s*)
-}
-
-rule SUSP_ScreenConnect_User_PoC_Com_Used_Feb24 {
- meta:
- description = "Detects suspicious ScreenConnect user with poc.com email address, which is a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability with the POC released by WatchTower and the account was already used yet to login"
- author = "Florian Roth"
- reference = "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53"
- date = "2024-02-23"
- score = 75
- id = "91990558-f145-5968-9722-b6815f6ad8d5"
- strings:
- $a1 = ""
-
- $s1 = "@poc.com"
-
- $f1 = "0001"
- condition:
- filesize < 200KB
- and all of ($a*)
- and $s1
- and not 1 of ($f*)
-}
-
-rule SUSP_ScreenConnect_Exploitation_Artefacts_Feb24 : SCRIPT {
- meta:
- description = "Detects post exploitation indicators observed by HuntressLabs in relation to the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
- author = "Florian Roth"
- reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
- date = "2024-02-23"
- score = 75
- id = "079f4153-8bc7-574f-b6fa-af5536b842ab"
- strings:
- $x01 = "-c foreach ($disk in Get-WmiObject Win32_Logicaldisk){Add-MpPreference -ExclusionPath $disk.deviceid}"
- $x02 = ".msi c:\\mpyutd.msi"
- $x03 = "/MyUserName_$env:UserName"
- $x04 = " -OutFile C:\\Windows\\Help\\"
- $x05 = "/Create /TN \\\\Microsoft\\\\Windows\\\\Wininet\\\\UserCache_"
- $x06 = "$e = $r + \"ssh.exe\""
- $x07 = "Start-Process -f $e -a $args -PassThru -WindowStyle Hidden).Id"
- $x08 = "-R 9595:localhost:3389 -p 443 -N -oStrictHostKeyChecking=no "
- $x09 = "chromeremotedesktophost.msi', $env:ProgramData+"
- $x10 = "9595; iwr -UseBasicParsing "
- $x11 = "curl https://cmctt.]com/pub/media/wysiwyg/"
- $x12 = ":8080/servicetest2.dll"
- $x13 = "/msappdata.msi c:\\mpyutd.msi"
- $x14 = "/svchost.exe -OutFile "
- $x15 = "curl http://minish.wiki.gd"
- $x16 = " -Headers @{'ngrok-skip-browser-warning'='true'} -OutFile "
- $x17 = "rundll32.exe' -Headers @"
- $x18 = "/nssm.exe' -Headers @"
- $x19 = "c:\\programdata\\update.dat UpdateSystem"
- $x20 = "::size -eq 4){\\\"TVqQAA" ascii wide
- $x21 = "::size -eq 4){\"TVqQAA" ascii wide
- $x22 = "-nop -c [System.Reflection.Assembly]::Load(([WmiClass]'root\\cimv2:System_"
-
- /* Persistence */
- $xp0 = "/add default test@2021! /domain"
- $xp1 = "/add default1 test@2021! /domain"
- $xp2 = "oldadmin Pass8080!!"
- $xp3 = "temp 123123qwE /add "
- $xp4 = "oldadmin \"Pass8080!!\""
- $xp5 = "nssm set xmrig AppDirectory "
- condition:
- 1 of ($x*)
-}
-
-rule SUSP_Command_Line_Combos_Feb24_2 : SCRIPT {
- meta:
- description = "Detects suspicious command line combinations often found in post exploitation activities"
- author = "Florian Roth"
- reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
- date = "2024-02-23"
- score = 75
- id = "d9bc6083-c3ca-5639-a9df-483fea6d0187"
- strings:
- $sa1 = " | iex"
- $sa2 = "iwr -UseBasicParsing "
- condition:
- filesize < 2MB and all of them
-}
-
-rule SUSP_PS1_Combo_TransferSH_Feb24 : SCRIPT {
- meta:
- description = "Detects suspicious PowerShell command that downloads content from transfer.sh as often found in loaders"
- author = "Florian Roth"
- reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
- date = "2024-02-23"
- score = 70
- id = "fd14cca5-9cf8-540b-9d6e-39ca2c267272"
- strings:
- $x1 = ".DownloadString('https://transfer.sh"
- $x2 = ".DownloadString(\"https://transfer.sh"
- $x3 = "Invoke-WebRequest -Uri 'https://transfer.sh"
- $x4 = "Invoke-WebRequest -Uri \"https://transfer.sh"
- condition:
- 1 of them
-}
-
-rule MAL_SUSP_RANSOM_LockBit_RansomNote_Feb24 {
- meta:
- description = "Detects the LockBit ransom note file 'LockBit-DECRYPT.txt' which is a sign of a LockBit ransomware infection"
- author = "Florian Roth"
- reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
- date = "2024-02-23"
- score = 75
- id = "b2fcb2a7-49e8-520c-944f-6acd5ded579b"
- strings:
- $x1 = ">>>> Your personal DECRYPTION ID:"
- condition:
- 1 of them
-}
-
-rule MAL_SUSP_RANSOM_Lazy_RansomNote_Feb24 {
- meta:
- description = "Detects the Lazy ransom note file 'HowToRestoreYourFiles.txt' which is a sign of a Lazy ransomware infection"
- author = "Florian Roth"
- reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
- date = "2024-02-23"
- score = 75
- id = "287dfd67-8d0d-5906-b593-3af42a5a3aa4"
- strings:
- $x1 = "All Encrypted files can be reversed to original form and become usable"
- condition:
- 1 of them
-}
-
-
-rule SUSP_MAL_SigningCert_Feb24_1 {
- meta:
- description = "Detects PE files signed with a certificate used to sign malware samples mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709"
- author = "Florian Roth"
- reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
- date = "2024-02-23"
- score = 75
- hash1 = "37a39fc1feb4b14354c4d4b279ba77ba51e0d413f88e6ab991aad5dd6a9c231b"
- hash2 = "e8c48250cf7293c95d9af1fb830bb8a5aaf9cfb192d8697d2da729867935c793"
- id = "f25ea77a-1b4e-5c13-9117-eedf0c20335a"
- strings:
- $s1 = "Wisdom Promise Security Technology Co." ascii
- $s2 = "Globalsign TSA for CodeSign1" ascii
- $s3 = { 5D AC 0B 6C 02 5A 4B 21 89 4B A3 C2 }
- condition:
- uint16(0) == 0x5a4d
- and filesize < 70000KB
- and all of them
-}
-
-rule MAL_CS_Loader_Feb24_1 {
- meta:
- description = "Detects Cobalt Strike malware samples mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709"
- author = "Florian Roth"
- reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
- date = "2024-02-23"
- score = 75
- hash1 = "0a492d89ea2c05b1724a58dd05b7c4751e1ffdd2eab3a2f6a7ebe65bf3fdd6fe"
- id = "6c9914a4-b079-5a39-9d3b-7b9a2b54dc2b"
- strings:
- $s1 = "Dll_x86.dll" ascii fullword
- condition:
- uint16(0) == 0x5a4d
- and filesize < 1000KB
- and (
- pe.exports("UpdateSystem") and (
- pe.imphash() == "0dc05c4c21a86d29f1c3bf9cc5b712e0"
- or $s1
- )
- )
-}
-
-rule MAL_RANSOM_LockBit_Indicators_Feb24 {
- meta:
- description = "Detects Lockbit ransomware samples mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709"
- author = "Florian Roth"
- reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
- date = "2024-02-23"
- score = 75
- hash1 = "a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0"
- id = "108430c8-4fe5-58a1-b709-539b257c120c"
- strings:
- $op1 = { 76 c1 95 8b 18 00 93 56 bf 2b 88 71 4c 34 af b1 a5 e9 77 46 c3 13 }
- $op2 = { e0 02 10 f7 ac 75 0e 18 1b c2 c1 98 ac 46 }
- $op3 = { 8b c6 ab 53 ff 15 e4 57 42 00 ff 45 fc eb 92 ff 75 f8 ff 15 f4 57 42 00 }
- condition:
- uint16(0) == 0x5a4d
- and filesize < 500KB
- and (
- pe.imphash() == "914685b69f2ac2ff61b6b0f1883a054d"
- or 2 of them
- ) or all of them
-}
-
-rule MAL_MSI_Mpyutils_Feb24_1 {
- meta:
- description = "Detects malicious MSI package mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709"
- author = "Florian Roth"
- reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
- date = "2024-02-23"
- score = 70
- hash1 = "8e51de4774d27ad31a83d5df060ba008148665ab9caf6bc889a5e3fba4d7e600"
- id = "e7794336-a325-5b92-8c25-81ed9cb28044"
- strings:
- $s1 = "crypt64ult.exe" ascii fullword
- $s2 = "EXPAND.EXE" wide fullword
- $s6 = "ICACLS.EXE" wide fullword
- condition:
- uint16(0) == 0xcfd0
- and filesize < 20000KB
- and all of them
-}
-
-rule MAL_Beacon_Unknown_Feb24_1 {
- meta:
- description = "Detects malware samples mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709 "
- author = "Florian Roth"
- reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
- date = "2024-02-23"
- score = 75
- hash1 = "6e8f83c88a66116e1a7eb10549542890d1910aee0000e3e70f6307aae21f9090"
- hash2 = "b0adf3d58fa354dbaac6a2047b6e30bc07a5460f71db5f5975ba7b96de986243"
- hash3 = "c0f7970bed203a5f8b2eca8929b4e80ba5c3276206da38c4e0a4445f648f3cec"
- id = "9299fd44-5327-5a73-8299-108b710cb16e"
- strings:
- $s1 = "Driver.dll" wide fullword
- $s2 = "X l.dlT" ascii fullword
- $s3 = "$928c7481-dd27-8e23-f829-4819aefc728c" ascii fullword
- condition:
- uint16(0) == 0x5a4d
- and filesize < 2000KB
- and 3 of ($s*)
-}
-
-/* --------------------------------------------------------------------------------- */
-/* only usable with THOR or THOR Lite, e.g. in THOR Cloud */
-
-rule SUSP_ScreenConnect_User_Gmail_2024_Feb24 {
- meta:
- description = "Detects suspicious ScreenConnect user with Gmail address created in 2024, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
- author = "Florian Roth"
- reference = "https://twitter.com/_johnhammond/status/1760357971127832637"
- date = "2024-02-22"
- score = 65
- id = "3c86f4ee-4e8c-566b-b54e-e94418e4ec7e"
- strings:
- $a1 = ""
- $s2 = "2024-"
- condition:
- filesize < 200KB
- and all of them
- and filepath contains "\\ScreenConnect\\App_Data\\"
-}
-
-rule SUSP_ScreenConnect_New_User_2024_Feb24 {
- meta:
- description = "Detects suspicious new ScreenConnect user created in 2024, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
- author = "Florian Roth"
- reference = "https://twitter.com/_johnhammond/status/1760357971127832637"
- date = "2024-02-22"
- score = 50
- id = "f6675ded-39a4-590a-a201-fcfe3c056e60"
- strings:
- $a1 = "2024-"
- condition:
- filesize < 200KB
- and all of them
- and filepath contains "\\ScreenConnect\\App_Data\\"
-}
-
-rule SUSP_ScreenConnect_User_2024_No_Logon_Feb24 {
- meta:
- description = "Detects suspicious ScreenConnect user created in 2024 but without any login, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
- author = "Florian Roth"
- reference = "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53"
- date = "2024-02-23"
- score = 60
- id = "c0861f1c-08e2-565d-a468-2075c51b4004"
- strings:
- $a1 = ""
-
- $s1 = "2024-"
- $s2 = "0001-01-01T00:00:00 "
- condition:
- filesize < 200KB
- and all of them
- and filepath contains "\\ScreenConnect\\App_Data\\"
-}
diff --git a/yara-Neo23x0/gen_fake_amsi_dll.yar b/yara-Neo23x0/gen_fake_amsi_dll.yar
deleted file mode 100644
index 32f86b2..0000000
--- a/yara-Neo23x0/gen_fake_amsi_dll.yar
+++ /dev/null
@@ -1,68 +0,0 @@
-import "pe"
-
-rule SUSP_Fake_AMSI_DLL_Jun23_1 {
- meta:
- description = "Detects an amsi.dll that has the same exports as the legitimate one but very different contents or file sizes"
- author = "Florian Roth"
- reference = "https://twitter.com/eversinc33/status/1666121784192581633?s=20"
- date = "2023-06-07"
- modified = "2023-06-12"
- score = 65
- id = "b12df9de-ecfb-562b-b599-87fa786a33bc"
- strings:
- $a1 = "Microsoft.Antimalware.Scan.Interface" ascii
- $a2 = "Amsi.pdb" ascii fullword
- $a3 = "api-ms-win-core-sysinfo-" ascii
- $a4 = "Software\\Microsoft\\AMSI\\Providers" wide
- $a5 = "AmsiAntimalware@" ascii
- $a6 = "AMSI UAC Scan" ascii
-
- $fp1 = "Wine builtin DLL"
- condition:
- uint16(0) == 0x5a4d
- // AMSI.DLL exports
- and (
- pe.exports("AmsiInitialize")
- and pe.exports("AmsiScanString")
- )
- // and now the anomalies
- and (
- filesize > 200KB // files bigger than 100kB
- or filesize < 35KB // files smaller than 35kB
- or not 4 of ($a*) // files that don't contain the expected strings
- )
- and not 1 of ($fp*)
-}
-
-/* Uses the external variable "filename" and can thus only be used in LOKI or THOR */
-
-rule SUSP_Fake_AMSI_DLL_Jun23_2 {
- meta:
- description = "Detects an amsi.dll that has very different contents or file sizes than the legitimate"
- author = "Florian Roth"
- reference = "https://twitter.com/eversinc33/status/1666121784192581633?s=20"
- date = "2023-06-07"
- modified = "2023-06-14"
- score = 65
- id = "adec9525-6299-52d5-8f4e-a83366d3dcfd"
- strings:
- $a1 = "Microsoft.Antimalware.Scan.Interface" ascii
- $a2 = "Amsi.pdb" ascii fullword
- $a3 = "api-ms-win-core-sysinfo-" ascii
- $a4 = "Software\\Microsoft\\AMSI\\Providers" wide
- $a5 = "AmsiAntimalware@" ascii
- $a6 = "AMSI UAC Scan" ascii
-
- $fp1 = "Wine builtin DLL"
- condition:
- uint16(0) == 0x5a4d
- // AMSI.DLL
- and filename == "amsi.dll"
- // and now the anomalies
- and (
- filesize > 200KB // files bigger than 100kB
- or filesize < 35KB // files smaller than 35kB
- or not 4 of ($a*) // files that don't contain the expected strings
- )
- and not 1 of ($fp*)
-}
diff --git a/yara-Neo23x0/gen_mal_3cx_compromise_mar23.yar b/yara-Neo23x0/gen_mal_3cx_compromise_mar23.yar
deleted file mode 100644
index f5f318f..0000000
--- a/yara-Neo23x0/gen_mal_3cx_compromise_mar23.yar
+++ /dev/null
@@ -1,428 +0,0 @@
-import "pe"
-
-rule APT_MAL_NK_3CX_Malicious_Samples_Mar23_1 {
- meta:
- description = "Detects malicious DLLs related to 3CX compromise"
- author = "X__Junior, Florian Roth (Nextron Systems)"
- reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
- date = "2023-03-29"
- modified = "2023-04-20"
- score = 85
- hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
- hash2 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02"
- hash3 = "cc4eedb7b1f77f02b962f4b05278fa7f8082708b5a12cacf928118520762b5e2"
- id = "a6ea3299-fde5-5206-b5db-eb3a3f5944d9"
- strings:
- $opa1 = { 4C 89 F1 4C 89 EA 41 B8 40 00 00 00 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 4C 89 F0 FF 15 ?? ?? ?? ?? 4C 8D 4C 24 ?? 45 8B 01 4C 89 F1 4C 89 EA FF 15 } /* VirtualProtect and execute payload*/
- $opa2 = { 48 C7 44 24 ?? 00 00 00 00 4C 8D 7C 24 ?? 48 89 F9 48 89 C2 41 89 E8 4D 89 F9 FF 15 ?? ?? ?? ?? 41 83 3F 00 0F 84 ?? ?? ?? ?? 0F B7 03 3D 4D 5A 00 00} /* ReadFile and MZ compare*/
- $opa3 = { 41 80 7C 00 ?? FE 75 ?? 41 80 7C 00 ?? ED 75 ?? 41 80 7C 00 ?? FA 75 ?? 41 80 3C 00 CE} /* marker */
- $opa4 = { 44 0F B6 CD 46 8A 8C 0C ?? ?? ?? ?? 45 30 0C 0E 48 FF C1} /* xor part in RC4 decryption*/
-
- $opb1 = { 41 B8 40 00 00 00 49 8B D5 49 8B CC FF 15 ?? ?? ?? ?? 85 C0 74 ?? 41 FF D4 44 8B 45 ?? 4C 8D 4D ?? 49 8B D5 49 8B CC FF 15 } /* VirtualProtect and execute payload */
- $opb2 = { 44 8B C3 48 89 44 24 ?? 48 8B 5C 24 ?? 4C 8D 4D ?? 48 8B CB 48 89 74 24 ?? 48 8B D0 4C 8B F8 FF 15 } /* ReadFile and MZ compare*/
- $opb3 = { 80 78 ?? FE 75 ?? 80 78 ?? ED 75 ?? 80 38 FA 75 ?? 80 78 ?? CE } /* marker */
- $opb4 = { 49 63 C1 44 0F B6 44 05 ?? 44 88 5C 05 ?? 44 88 02 0F B6 54 05 ?? 49 03 D0 0F B6 C2 0F B6 54 05 ?? 41 30 12} /* xor part in RC4 decryption*/
- condition:
- uint16(0) == 0x5a4d
- and filesize < 5MB
- and pe.characteristics & pe.DLL
- and ( 2 of ($opa*) or 2 of ($opb*) )
-}
-
-rule APT_MAL_NK_3CX_Malicious_Samples_Mar23_2 {
- meta:
- description = "Detects malicious DLLs related to 3CX compromise (decrypted payload)"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://twitter.com/dan__mayer/status/1641170769194672128?s=20"
- date = "2023-03-29"
- score = 80
- hash1 = "aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973"
- id = "bf3597ff-d62b-5d21-9c9b-e46e685284cf"
- strings:
- $s1 = "raw.githubusercontent.com/IconStorages/images/main/icon%d.ico" wide fullword
- $s2 = "https://raw.githubusercontent.com/IconStorages" wide fullword
- $s3 = "icon%d.ico" wide fullword
- $s4 = "__tutmc" ascii fullword
-
- $op1 = { 2d ee a1 00 00 c5 fa e6 f5 e9 40 fe ff ff 0f 1f 44 00 00 75 2e c5 fb 10 0d 46 a0 00 00 44 8b 05 7f a2 00 00 e8 0a 0e 00 00 }
- $op4 = { 4c 8d 5c 24 71 0f 57 c0 48 89 44 24 60 89 44 24 68 41 b9 15 cd 5b 07 0f 11 44 24 70 b8 b1 68 de 3a 41 ba a4 7b 93 02 }
- $op5 = { f7 f3 03 d5 69 ca e8 03 00 00 ff 15 c9 0a 02 00 48 8d 44 24 30 45 33 c0 4c 8d 4c 24 38 48 89 44 24 20 }
- condition:
- uint16(0) == 0x5a4d and
- filesize < 900KB and 3 of them
- or 5 of them
-}
-
-rule APT_MAL_NK_3CX_Malicious_Samples_Mar23_3 {
- meta:
- description = "Detects malicious DLLs related to 3CX compromise (decrypted payload)"
- author = "Florian Roth , X__Junior (Nextron Systems)"
- reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
- date = "2023-03-29"
- score = 80
- hash1 = "aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973"
- id = "d2d361b6-8485-57eb-b6eb-88785f42e93e"
- strings:
- $opa1 = { 41 81 C0 ?? ?? ?? ?? 02 C8 49 C1 E9 ?? 41 88 4B ?? 4D 03 D1 8B C8 45 8B CA C1 E1 ?? 33 C1 41 69 D0 ?? ?? ?? ?? 8B C8 C1 E9 ?? 33 C1 8B C8 C1 E1 ?? 81 C2 ?? ?? ?? ?? 33 C1 43 8D 0C 02 02 C8 49 C1 EA ?? 41 88 0B 8B C8 C1 E1 ?? 33 C1 44 69 C2 ?? ?? ?? ?? 8B C8 C1 E9 ?? 33 C1 8B C8 C1 E1 ?? 41 81 C0 } /*lcg chunk */
- $opa2 = { 8B C8 41 69 D1 ?? ?? ?? ?? C1 E1 ?? 33 C1 45 8B CA 8B C8 C1 E9 ?? 33 C1 81 C2 ?? ?? ?? ?? 8B C8 C1 E1 ?? 33 C1 41 8B C8 4C 0F AF CF 44 69 C2 ?? ?? ?? ?? 4C 03 C9 45 8B D1 4C 0F AF D7} /*lcg chunk */
-
- $opb1 = { 45 33 C9 48 89 6C 24 ?? 48 8D 44 24 ?? 48 89 6C 24 ?? 8B D3 48 89 B4 24 ?? ?? ?? ?? 48 89 44 24 ?? 45 8D 41 ?? FF 15 } /* base64 decode */
- $opb2 = { 44 8B 0F 45 8B C6 48 8B 4D ?? 49 8B D7 44 89 64 24 ?? 48 89 7C 24 ?? 44 89 4C 24 ?? 4C 8D 4D ?? 48 89 44 24 ?? 44 89 64 24 ?? 4C 89 64 24 ?? FF 15} /* AES decryption */
- $opb3 = { 48 FF C2 66 44 39 2C 56 75 ?? 4C 8D 4C 24 ?? 45 33 C0 48 8B CE FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 44 0F B7 44 24 ?? 33 F6 48 8B 54 24 ?? 45 33 C9 48 8B 0B 48 89 74 24 ?? 89 74 24 ?? C7 44 24 ?? ?? ?? ?? ?? 48 89 74 24 ?? FF 15 } /* internet connection */
- $opb4 = { 33 C0 48 8D 6B ?? 4C 8D 4C 24 ?? 89 44 24 ?? BA ?? ?? ?? ?? 48 89 44 24 ?? 48 8B CD 89 44 24 ?? 44 8D 40 ?? 8B F8 FF 15} /* VirtualProtect */
- condition:
- ( all of ($opa*) )
- or
- ( 1 of ($opa*) and 1 of ($opb*) )
- or
- ( 3 of ($opb*) )
-}
-
-rule SUSP_APT_MAL_NK_3CX_Malicious_Samples_Mar23_1 {
- meta:
- description = "Detects marker found in malicious DLLs related to 3CX compromise"
- author = "X__Junior, Florian Roth (Nextron Systems)"
- reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
- date = "2023-03-29"
- modified = "2023-04-20"
- score = 75
- hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
- hash2 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02"
- hash3 = "cc4eedb7b1f77f02b962f4b05278fa7f8082708b5a12cacf928118520762b5e2"
- id = "9fc6eb94-d02f-5bcd-9f55-b6c6a8301b4f"
- strings:
- $opx1 = { 41 80 7C 00 FD FE 75 ?? 41 80 7C 00 FE ED 75 ?? 41 80 7C 00 FF FA 75 ?? 41 80 3C 00 CE } /* marker */
- $opx2 = { 80 78 ?? FE 75 ?? 80 78 ?? ED 75 ?? 80 38 FA 75 ?? 80 78 ?? CE } /* marker */
- condition:
- 1 of them
-}
-
-rule APT_SUSP_NK_3CX_RC4_Key_Mar23_1 {
- meta:
- description = "Detects RC4 key used in 3CX binaries known to be malicious"
- author = "Florian Roth (Nextron Systems)"
- date = "2023-03-29"
- reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
- score = 70
- hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
- hash2 = "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983"
- hash3 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868"
- hash4 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02"
- id = "18ea2185-11a1-51ad-a51a-df9e6357bb58"
- strings:
- $x1 = "3jB(2bsG#@c7"
- condition:
- ( uint16(0) == 0xcfd0 or uint16(0) == 0x5a4d )
- and $x1
-}
-
-rule SUSP_3CX_App_Signed_Binary_Mar23_1 {
- meta:
- description = "Detects 3CX application binaries signed with a certificate and created in a time frame in which other known malicious binaries have been created"
- author = "Florian Roth (Nextron Systems)"
- date = "2023-03-29"
- reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
- score = 65
- hash1 = "fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405"
- hash2 = "dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc"
- id = "b6ce4c1d-1b7b-5e0c-af4c-05cb3ad0a4e0"
- strings:
- $sa1 = "3CX Ltd1"
- $sa2 = "3CX Desktop App" wide
- $sc1 = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 } // Known compromised cert
- condition:
- uint16(0) == 0x5a4d
- and pe.timestamp > 1669680000 // 29.11.2022 earliest known malicious sample
- and pe.timestamp < 1680108505 // 29.03.2023 date of the report
- and all of ($sa*)
- and $sc1 // serial number of known compromised certificate
-}
-
-rule SUSP_3CX_MSI_Signed_Binary_Mar23_1 {
- meta:
- description = "Detects 3CX MSI installers signed with a known compromised certificate and signed in a time frame in which other known malicious binaries have been signed"
- author = "Florian Roth (Nextron Systems)"
- date = "2023-03-29"
- reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
- score = 60
- hash1 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868"
- hash2 = "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983"
- id = "15d6d8ca-6982-5095-9879-ce97269a71c6"
- strings:
- $a1 = { 84 10 0C 00 00 00 00 00 C0 00 00 00 00 00 00 46 } // MSI marker
-
- $sc1 = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 } // Known compromised cert
-
- $s1 = "3CX Ltd1"
- $s2 = "202303" // in
- condition:
- uint16(0) == 0xcfd0
- and $a1
- and $sc1
- and (
- $s1 in (filesize-20000..filesize)
- and $s2 in (filesize-20000..filesize)
- )
-}
-
-rule APT_MAL_macOS_NK_3CX_Malicious_Samples_Mar23_1 {
- meta:
- description = "Detects malicious macOS application related to 3CX compromise (decrypted payload)"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
- date = "2023-03-30"
- score = 80
- hash1 = "b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb"
- hash2 = "ac99602999bf9823f221372378f95baa4fc68929bac3a10e8d9a107ec8074eca"
- hash3 = "51079c7e549cbad25429ff98b6d6ca02dc9234e466dd9b75a5e05b9d7b95af72"
- id = "ff39e577-7063-5025-bead-68394a86c87c"
- strings:
- $s1 = "20230313064152Z0"
- $s2 = "Developer ID Application: 3CX (33CF4654HL)"
- condition:
- ( uint16(0) == 0xfeca or uint16(0) == 0xfacf or uint32(0) == 0xbebafeca ) and all of them
-}
-
-/* 30.03.2023 */
-
-rule APT_MAL_MacOS_NK_3CX_DYLIB_Mar23_1 {
- meta:
- description = "Detects malicious DYLIB files related to 3CX compromise"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/"
- date = "2023-03-30"
- score = 80
- hash1 = "a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67"
- hash2 = "fee4f9dabc094df24d83ec1a8c4e4ff573e5d9973caa676f58086c99561382d7"
- id = "a19904d3-9b2d-561f-b734-20bf09584fa7"
- strings:
- /* XORed UA 0x7a */
- $xc1 = { 37 15 00 13 16 16 1B 55 4F 54 4A 5A 52 2D 13 14
- 1E 15 0D 09 5A 34 2E 5A 4B 4A 54 4A 41 5A 2D 13
- 14 4C 4E 41 5A 02 4C 4E 53 5A 3B 0A 0A 16 1F 2D
- 1F 18 31 13 0E 55 4F 49 4D 54 49 4C 5A 52 31 32
- 2E 37 36 56 5A 16 13 11 1F 5A 3D 1F 19 11 15 53
- 5A 39 12 08 15 17 1F 55 4B 4A 42 54 4A 54 4F 49
- 4F 43 54 4B 48 42 5A 29 1B 1C 1B 08 13 55 4F 49
- 4D 54 49 4C 7A }
- /* /;3cx_auth_token_content=%s;__tutma= */
- $xc2 = { 41 49 19 02 25 1b 0f 0e 12 25 0e 15 11 1f 14 25 19 15 14 0e 1f 14 0e 47 5f 09 41 25 25 0e 0f 0e 17 1b 47 }
- /* /System/Library/CoreServices/SystemVersion.plist */
- $xc3 = { 55 29 03 09 0e 1f 17 55 36 13 18 08 1b 08 03 55 39 15 08 1f 29 1f 08 0c 13 19 1f 09 55 29 03 09 0e 1f 17 2c 1f 08 09 13 15 14 54 0a 16 13 09 0e }
- condition:
- 1 of them
-}
-
-rule APT_SUSP_NK_3CX_Malicious_Samples_Mar23_1 {
- meta:
- description = "Detects indicator (event name) found in samples related to 3CX compromise"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/"
- date = "2023-03-30"
- score = 70
- hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
- hash2 = "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983"
- hash3 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868"
- hash4 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02"
- id = "b233846a-19df-579b-a674-233d66824008"
- strings:
- $a1 = "AVMonitorRefreshEvent" wide fullword
- condition:
- 1 of them
-}
-
-rule APT_MAL_NK_3CX_Malicious_Samples_Mar23_4 {
- meta:
- author = "MalGamy (Nextron Systems)"
- reference = "https://twitter.com/WhichbufferArda/status/1641404343323688964?s=20"
- description = "Detects decrypted payload loaded inside 3CXDesktopApp.exe which downloads info stealer"
- date = "2023-03-29"
- hash = "851c2c99ebafd4e5e9e140cfe3f2d03533846ca16f8151ae8ee0e83c692884b7"
- score = 80
- id = "d11170df-570c-510c-80ec-39048acd0fbd"
- strings:
- $op1 = {41 69 D0 [4] 8B C8 C1 E9 ?? 33 C1 8B C8 C1 E1 ?? 81 C2 [4] 33 C1 43 8D 0C 02 02 C8 49 C1 EA ?? 41 88 0B 8B C8 C1 E1 ?? 33 C1 44 69 C2 [4] 8B C8 C1 E9 ?? 33 C1 8B C8 C1 E1 ?? 41 81 C0 [4] 33 C1 4C 0F AF CF 4D 03 CA 45 8B D1 4C 0F AF D7 41 8D 0C 11 49 C1 E9 ?? 02 C8} // // xor with mul operation
- $op2 = {4D 0F AF CC 44 69 C2 [4] 4C 03 C9 45 8B D1 4D 0F AF D4 41 8D 0C 11 41 81 C0 [4] 02 C8 49 C1 E9 ?? 41 88 4B ?? 4D 03 D1 8B C8 45 8B CA C1 E1 ?? 33 C1} // xor with mul operation
- $op3 = {33 C1 4C 0F AF C7 8B C8 C1 E1 ?? 4D 03 C2 33 C1} // shift operation
- condition:
- 2 of them
-}
-
-rule MAL_3CXDesktopApp_MacOS_Backdoor_Mar23 {
- meta:
- author = "X__Junior (Nextron Systems)"
- reference = "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/"
- description = "Detects 3CXDesktopApp MacOS Backdoor component"
- date = "2023-03-30"
- hash = "a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67"
- score = 80
- id = "80046c8e-0c2a-5885-b140-a6084f48160d"
- strings:
- $sa1 = "%s/.main_storage" ascii fullword
- $sa2 = "%s/UpdateAgent" ascii fullword
-
- $op1 = { 31 C0 41 80 34 06 ?? 48 FF C0 48 83 F8 ?? 75 ?? BE ?? ?? ?? ?? BA ?? ?? ?? ?? 4C 89 F7 48 89 D9 E8 ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 4C 89 F7 5B 41 5E 41 5F E9 ?? ?? ?? ?? 5B 41 5E 41 5F C3} /* string decryption */
- $op2 = { 0F 11 84 24 ?? ?? ?? ?? 0F 28 05 ?? ?? ?? ?? 0F 29 84 24 ?? ?? ?? ?? 0F 28 05 ?? ?? ?? ?? 0F 29 84 24 ?? ?? ?? ?? 31 C0 80 B4 04 ?? ?? ?? ?? ?? 48 FF C0} /* string decryption */
- condition:
- ( ( uint16(0) == 0xfeca or uint16(0) == 0xfacf or uint32(0) == 0xbebafeca ) and filesize < 6MB
- and
- (
- ( 1 of ($sa*) and 1 of ($op* ) )
- or all of ($sa*)
- )
- )
- or ( all of ($op*) )
-}
-
-/* 31.03.2023 */
-
-rule APT_MAL_NK_3CX_ICONIC_Stealer_Mar23_1 {
- meta:
- description = "Detects ICONIC stealer payload used in the 3CX incident"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://github.com/volexity/threat-intel/blob/main/2023/2023-03-30%203CX/attachments/iconicstealer.7z"
- date = "2023-03-31"
- score = 80
- hash1 = "8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423"
- id = "e92b5b90-1146-5235-9711-a4d42689c49b"
- strings:
-
- $s1 = "{\"HostName\": \"%s\", \"DomainName\": \"%s\", \"OsVersion\": \"%d.%d.%d\"}" wide fullword
- $s2 = "******************************** %s ******************************" wide fullword
- $s3 = "AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data" wide fullword
- $s4 = "AppData\\Roaming\\Mozilla\\Firefox\\Profiles" wide fullword
- $s5 = "SELECT url, title FROM urls ORDER BY id DESC LIMIT 500" wide fullword
- $s6 = "TEXT value in %s.%s" ascii fullword
-
- $op1 = { 48 63 d1 48 63 ce 49 03 d1 49 03 cd 4c 63 c7 e8 87 1f 09 00 8b 45 d0 44 8d 04 37 }
- $op2 = { 48 8b c8 8b 56 f0 48 89 46 d8 e8 78 8f f8 ff e9 ec 13 00 00 c7 46 20 ff ff ff ff e9 e0 13 00 00 33 ff }
- condition:
- uint16(0) == 0x5a4d
- and filesize < 4000KB
- and 4 of them
- or 6 of them
-}
-
-rule APT_MAL_NK_3CX_macOS_Elextron_App_Mar23_1 {
- meta:
- description = "Detects macOS malware used in the 3CX incident"
- author = "Florian Roth (Nextron Systems)"
- reference = "Internal Research"
- date = "2023-03-31"
- score = 80
- hash1 = "51079c7e549cbad25429ff98b6d6ca02dc9234e466dd9b75a5e05b9d7b95af72"
- hash2 = "f7ba7f9bf608128894196cf7314f68b78d2a6df10718c8e0cd64dbe3b86bc730"
- id = "7a3755d4-37e5-5d3b-93aa-34edb557f2d5"
- strings:
- $a1 = "com.apple.security.cs.allow-unsigned-executable-memory" ascii
- $a2 = "com.electron.3cx-desktop-app" ascii fullword
-
- $s1 = "s8T/RXMlALbXfowom9qk15FgtdI=" ascii
- $s2 = "o8NQKPJE6voVZUIGtXihq7lp0cY=" ascii
- condition:
- uint16(0) == 0xfacf and
- filesize < 400KB and (
- all of ($a*)
- and 1 of ($s*)
- )
-}
-
-rule MAL_3CXDesktopApp_MacOS_UpdateAgent_Mar23 {
- meta:
- description = "Detects 3CXDesktopApp MacOS UpdateAgent backdoor component"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://twitter.com/patrickwardle/status/1641692164303515653?s=20"
- date = "2023-03-30"
- hash = "9e9a5f8d86356796162cee881c843cde9eaedfb3"
- score = 80
- id = "596eb6d0-f96f-5106-ae67-9372d238e4cf"
- strings:
- $a1 = "/3CX Desktop App/.main_storage" ascii
-
- $x1 = ";3cx_auth_token_content=%s;__tutma=true"
-
- $s1 = "\"url\": \"https://"
- $s3 = "/dev/null"
- $s4 = "\"AccountName\": \""
- condition:
- uint16(0) == 0xfeca
- and filesize < 6MB
- and (
- 1 of ($x*)
- or ( $a1 and all of ($s*) )
- ) or all of them
-}
-
-rule SUSP_APT_3CX_Regtrans_Anomaly_Apr23 : METARULE {
- meta:
- description = "Detects suspicious .regtrans-ms files with suspicious size or contents"
- author = "Florian Roth"
- reference = "https://www.3cx.com/blog/news/mandiant-initial-results/"
- date = "2023-04-12"
- score = 60
- id = "97406b8d-68fe-5f68-a26a-205dd4694e50"
- strings:
- $fp1 = "REGISTRY" wide
- condition:
- extension == ".regtrans-ms" and (
- filesize < 100KB
- and not 1 of ($fp*)
- )
-}
-
-rule APT_MAL_VEILEDSIGNAL_Backdoor_Apr23_2 {
- meta:
- description = "Detects malicious VEILEDSIGNAL backdoor"
- author = "X__Junior"
- reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain"
- date = "2023-04-29"
- hash = "c4887a5cd6d98e273ba6e9ea3c1d8f770ef26239819ea24a1bfebd81d6870505"
- score = 80
- id = "ff1fa0bd-19b7-553a-9506-bc5aa5d29056"
- strings:
- $sa1 = "\\.\\pipe\\gecko.nativeMessaging" ascii
- $sa2 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40" ascii
- $sa3 = "application/json, text/javascript, */*; q=0.01" ascii
-
- $op1 = { 89 7? 24 ?? 44 8B CD 4C 8B C? 48 89 44 24 ?? 33 D2 33 C9 FF 15} /* MultiByteToWideChar */
- $op2 = { 4C 8B CB 4C 89 74 24 ?? 4C 8D 05 ?? ?? ?? ?? 44 89 74 24 ?? 33 D2 33 C9 FF 15} /* create thread*/
- $op3 = { 48 89 74 24 ?? 45 33 C0 89 74 24 ?? 41 B9 ?? ?? ?? ?? 89 74 24 ?? 48 8B D8 48 C7 00 ?? ?? ?? ?? 48 8B 0F 41 8D 50 ?? 48 89 44 24 ?? 89 74 24 ?? FF 15} /* CreateNamedPipeW */
- condition:
- all of ($op*) or all of ($sa*)
-}
-
-rule APT_MAL_VEILEDSIGNAL_Backdoor_Apr23_3 {
- meta:
- description = "Detects malicious VEILEDSIGNAL backdoor"
- author = "X__Junior"
- reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain"
- date = "2023-04-29"
- hash = "595392959b609caf088d027a23443cf2fefd043607ccdec3de19ad3bb43a74b1"
- score = 80
- id = "6b6f984e-242a-5b84-baa9-6311992cde9b"
- strings:
- $op1 = { 4C 8B CB 4C 89 74 24 ?? 4C 8D 05 ?? ?? ?? ?? 44 89 74 24 ?? 33 D2 33 C9 FF 15} /* create thread*/
- $op2 = { 89 7? 24 ?? 44 8B CD 4C 8B C? 48 89 44 24 ?? 33 D2 33 C9 FF 15} /* MultiByteToWideChar */
- $op3 = { 8B 54 24 ?? 4C 8D 4C 24 ?? 45 8D 46 ?? 44 89 74 24 ?? 48 8B CB FF 15} /* virtualprotect */
- $op4 = { 48 8D 44 24 ?? 45 33 C9 41 B8 01 00 00 40 48 89 44 24 ?? 41 8B D5 48 8B CF FF 15} /* CryptBinaryToStringA */
- condition:
- all of them
-}
-
-rule APT_MAL_VEILEDSIGNAL_Backdoor_Apr23_4 {
- meta:
- description = "Detects malicious VEILEDSIGNAL backdoor"
- author = "X__Junior"
- reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain"
- date = "2023-04-29"
- hash = "9b0761f81afb102bb784b398b16faa965594e469a7fcfdfd553ced19cc17e70b"
- score = 80
- id = "77340ec0-36bb-5c47-995f-4e6f76b68fe1"
- strings:
- $op1 = { 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 85 C0 } /* check for certian process */
- $op2 = { 48 8B C8 48 8D 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 45 33 C0 4C 8D 4D ?? B2 01 41 8D 48 ?? FF D0} /* RtlAdjustPrivilege */
- $op3 = { 33 FF C7 44 24 ?? 38 02 00 00 33 D2 8D 4F ?? FF 15 ?? ?? ?? ?? 48 8B D8 48 83 F8 FF 74 ?? 48 8D 54 24 ?? 48 8B C8 FF 15 } /* Process32FirstW */
- $op4 = { 4C 8D 05 ?? ?? ?? ?? 48 89 4C 24 ?? 4C 8B C8 33 D2 89 4C 24 ?? FF 15 } /* create thread*/
- condition:
- all of them
-}
diff --git a/yara-Neo23x0/gen_vcruntime140_dll_sideloading.yar b/yara-Neo23x0/gen_vcruntime140_dll_sideloading.yar
deleted file mode 100644
index 2f28d6f..0000000
--- a/yara-Neo23x0/gen_vcruntime140_dll_sideloading.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-import "pe"
-
-rule SUSP_VCRuntime_Sideloading_Indicators_Aug23 {
- meta:
- description = "Detects indicators of .NET based malware sideloading as VCRUNTIME140 with .NET DLL imports"
- author = "Jonathan Peters"
- date = "2023-08-30"
- hash = "b4bc73dfe9a781e2fee4978127cb9257bc2ffd67fc2df00375acf329d191ffd6"
- score = 75
- id = "00400122-1343-5051-af31-880a3ef1745d"
- condition:
- (filename == "VCRUNTIME140.dll" or filename == "vcruntime140.dll")
- and pe.imports("mscoree.dll", "_CorDllMain")
-}
-
-// rule SUSP_VCRuntime_Sideloading_Indicators_1_Aug23 {
-// meta:
-// description = "Detects indicators of .NET based malware sideloading as an unsigned VCRUNTIME140"
-// author = "Jonathan Peters"
-// date = "2023-08-30"
-// hash = "b4bc73dfe9a781e2fee4978127cb9257bc2ffd67fc2df00375acf329d191ffd6"
-// score = 75
-// strings:
-// $fp1 = "Wine builtin DLL" ascii
-// condition:
-// (filename == "VCRUNTIME140.dll" or filename == "vcruntime140.dll")
-// and not pe.number_of_signatures == 0
-// and not pe.signatures[0].issuer contains "Microsoft Corporation"
-// and not $fp1
-// }
diff --git a/yara-Neo23x0/gen_webshells_ext_vars.yar b/yara-Neo23x0/gen_webshells_ext_vars.yar
deleted file mode 100644
index dc18c72..0000000
--- a/yara-Neo23x0/gen_webshells_ext_vars.yar
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- Webshell rules that use external variables for false positive filtering
-*/
-
-rule webshell_php_by_string_obfuscation : FILE {
- meta:
- description = "PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Arnim Rupp"
- date = "2021/01/09"
- modified = "2022-10-25"
- hash = "e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc"
- id = "be890bf6-de7e-588e-b5cd-72e8081d0b9c"
- strings:
- $opbs13 = "{\"_P\"./*-/*-*/\"OS\"./*-/*-*/\"T\"}" wide ascii
- $opbs14 = "/*-/*-*/\"" wide ascii
- $opbs16 = "'ev'.'al'" wide ascii
- $opbs17 = "'e'.'val'" wide ascii
- $opbs18 = "e'.'v'.'a'.'l" wide ascii
- $opbs19 = "bas'.'e6'." wide ascii
- $opbs20 = "ba'.'se6'." wide ascii
- $opbs21 = "as'.'e'.'6'" wide ascii
- $opbs22 = "gz'.'inf'." wide ascii
- $opbs23 = "gz'.'un'.'c" wide ascii
- $opbs24 = "e'.'co'.'d" wide ascii
- $opbs25 = "cr\".\"eat" wide ascii
- $opbs26 = "un\".\"ct" wide ascii
- $opbs27 = "'c'.'h'.'r'" wide ascii
- $opbs28 = "\"ht\".\"tp\".\":/\"" wide ascii
- $opbs29 = "\"ht\".\"tp\".\"s:" wide ascii
- $opbs31 = "'ev'.'al'" nocase wide ascii
- $opbs32 = "eval/*" nocase wide ascii
- $opbs33 = "eval(/*" nocase wide ascii
- $opbs34 = "eval(\"/*" nocase wide ascii
- $opbs36 = "assert/*" nocase wide ascii
- $opbs37 = "assert(/*" nocase wide ascii
- $opbs38 = "assert(\"/*" nocase wide ascii
- $opbs40 = "'ass'.'ert'" nocase wide ascii
- $opbs41 = "${'_'.$_}['_'](${'_'.$_}['__'])" wide ascii
- $opbs44 = "'s'.'s'.'e'.'r'.'t'" nocase wide ascii
- $opbs45 = "'P'.'O'.'S'.'T'" wide ascii
- $opbs46 = "'G'.'E'.'T'" wide ascii
- $opbs47 = "'R'.'E'.'Q'.'U'" wide ascii
- $opbs48 = "se'.(32*2)" nocase
- $opbs49 = "'s'.'t'.'r_'" nocase
- $opbs50 = "'ro'.'t13'" nocase
- $opbs51 = "c'.'od'.'e" nocase
- $opbs53 = "e'. 128/2 .'_' .'d"
- // move malicious code out of sight if line wrapping not enabled
- $opbs54 = "" ascii
- $s1 = "echo -----END CERTIFICATE----- >>" ascii
- $s2 = "certutil -decode " ascii
- condition:
- filesize < 10KB and all of them
-}
-
-rule StegoKatz {
- meta:
- description = "Encoded Mimikatz in other file types"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://goo.gl/jWPBBY"
- date = "2015-09-11"
- score = 70
- id = "78868bb0-af69-573d-afd2-350a46f69137"
- strings:
- $s1 = "VC92Ny9TSXZMNk5jLy8vOUlqUTFVRlFNQTZMLysvdjlJaTh2L0ZUNXJBUUJJaTFRa1NFaUx6K2hWSS8vL1NJME44bklCQU9pZC92Ny9USTJjSkpBQUFBQXp3RW1MV3hCSmkyc1lTWXR6S0VtTDQxL0R6TXhNaTl4SmlWc0lUWWxMSUUySlF4aFZWbGRCVkVGVlFWWkJWMGlCN1BBQUFBQklnMlFrYUFDNE1BQUFBRW1MNkVTTmNPQ0pSQ1JnaVVRa1pFbU5RN0JKaTlsTWpRWFBGQU1BU0ls" ascii
- $s2 = "Rpd3ovN3FlalVtNklLQ0xNNGtOV1BiY0VOVHROT0Zud25CWGN0WS9BcEdMR28rK01OWm85Nm9xMlNnY1U5aTgrSTBvNkFob1FOTzRHQWdtUElEVmlqald0Tk90b2FmN01ESWJUQkF5T0pYbTB4bFVHRTBZWEFWOXVoNHBkQnRrS0VFWWVBSEE2TDFzU0c5a2ZFTEc3QWd4WTBYY1l3ZzB6QUFXS09JZE9wQVhEK3lnS3lsR3B5Q1ljR1NJdFNseGZKWUlVVkNFdEZPVjRJUldERUl1QXpKZ2pCQWdsd0Va" ascii
- condition:
- filesize < 1000KB and 1 of them
-}
-
-rule Obfuscated_VBS_April17 {
- meta:
- description = "Detects cloaked Mimikatz in VBS obfuscation"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "Internal Research"
- date = "2017-04-21"
- id = "ca60b885-bb56-55ee-a2b3-dea6958883c2"
- strings:
- $s1 = "::::::ExecuteGlobal unescape(unescape(" ascii
- condition:
- filesize < 500KB and all of them
-}
-
-rule Obfuscated_JS_April17 {
- meta:
- description = "Detects cloaked Mimikatz in JS obfuscation"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "Internal Research"
- date = "2017-04-21"
- id = "44abd2c0-5f8d-5a8c-b282-a09853e12054"
- strings:
- $s1 = "\";function Main(){for(var " ascii
- $s2 = "=String.fromCharCode(parseInt(" ascii
- $s3 = "));(new Function(" ascii
- condition:
- filesize < 500KB and all of them
-}
diff --git a/yara-Neo23x0/generic_anomalies.yar b/yara-Neo23x0/generic_anomalies.yar
deleted file mode 100644
index c6ef1ab..0000000
--- a/yara-Neo23x0/generic_anomalies.yar
+++ /dev/null
@@ -1,518 +0,0 @@
-/*
-
- Generic Anomalies
-
- Florian Roth
- Nextron Systems GmbH
-
- License: Detetction Rule License 1.1 (https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md)
-
-*/
-
-/* Performance killer - value isn't big enough
-rule Embedded_EXE_Cloaking {
- meta:
- description = "Detects an embedded executable in a non-executable file"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- date = "2015/02/27"
- score = 65
- strings:
- $noex_png = { 89 50 4E 47 }
- $noex_pdf = { 25 50 44 46 }
- $noex_rtf = { 7B 5C 72 74 66 31 }
- $noex_jpg = { FF D8 FF E0 }
- $noex_gif = { 47 49 46 38 }
- $mz = { 4D 5A }
- $a1 = "This program cannot be run in DOS mode"
- $a2 = "This program must be run under Win32"
- condition:
- (
- ( $noex_png at 0 ) or
- ( $noex_pdf at 0 ) or
- ( $noex_rtf at 0 ) or
- ( $noex_jpg at 0 ) or
- ( $noex_gif at 0 )
- )
- and
- for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
-}
-*/
-
-// whitelist-approach failed : reworked in SUSP_Known_Type_Cloaked_as_JPG
-
-// rule Cloaked_as_JPG {
-// meta:
-// description = "Detects a non-JPEG file cloaked as JPG"
-// author = "Florian Roth (Nextron Systems)"
-// date = "2015/03/02"
-// modified = "2022-09-16"
-// score = 40
-// strings:
-// $fp1 = " 6500KB )
- and not $fp
-}
-
-rule Suspicious_Size_chrome_exe {
- meta:
- description = "Detects uncommon file size of chrome.exe"
- author = "Florian Roth (Nextron Systems)"
- score = 60
- nodeepdive = 1
- date = "2015-12-21"
- modified = "2022-09-15"
- noarchivescan = 1
- id = "f164394a-5c02-5056-aceb-044ee118578d"
- strings:
- $fp1 = "HP Sure Click Chromium Launcher" wide
- $fp2 = "BrChromiumLauncher.exe" wide fullword
- condition:
- uint16(0) == 0x5a4d
- and filename == "chrome.exe"
- and ( filesize < 500KB or filesize > 5000KB )
- and not 1 of ($fp*)
-}
-
-rule Suspicious_Size_csrss_exe {
- meta:
- description = "Detects uncommon file size of csrss.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 60
- date = "2015-12-21"
- modified = "2022-01-28"
- noarchivescan = 1
- id = "5a247b51-6c91-5753-95b3-4a4c2b2286eb"
- condition:
- uint16(0) == 0x5a4d
- and filename == "csrss.exe"
- and ( filesize > 50KB )
-}
-
-rule Suspicious_Size_iexplore_exe {
- meta:
- description = "Detects uncommon file size of iexplore.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 60
- date = "2015-12-21"
- noarchivescan = 1
- id = "d097a599-0fad-574f-8281-46c910e8e54d"
- condition:
- uint16(0) == 0x5a4d
- and filename == "iexplore.exe"
- and not filepath contains "teamviewer"
- and ( filesize < 75KB or filesize > 910KB )
-}
-
-rule Suspicious_Size_firefox_exe {
- meta:
- description = "Detects uncommon file size of firefox.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 60
- date = "2015-12-21"
- noarchivescan = 1
- id = "73c4b838-9277-5756-a35d-4a644be5ad5d"
- condition:
- uint16(0) == 0x5a4d
- and filename == "firefox.exe"
- and ( filesize < 265KB or filesize > 910KB )
-}
-
-rule Suspicious_Size_java_exe {
- meta:
- description = "Detects uncommon file size of java.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 60
- date = "2015-12-21"
- noarchivescan = 1
- id = "b6dc297b-8388-5e39-ba77-c027cdea7afa"
- condition:
- uint16(0) == 0x5a4d
- and filename == "java.exe"
- and ( filesize < 30KB or filesize > 900KB )
-}
-
-rule Suspicious_Size_lsass_exe {
- meta:
- description = "Detects uncommon file size of lsass.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 60
- date = "2015-12-21"
- noarchivescan = 1
- id = "005661c7-7576-5c13-9534-b49c12b2faad"
- condition:
- uint16(0) == 0x5a4d
- and filename == "lsass.exe"
- and ( filesize < 10KB or filesize > 100KB )
-}
-
-rule Suspicious_Size_svchost_exe {
- meta:
- description = "Detects uncommon file size of svchost.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 60
- date = "2015-12-21"
- noarchivescan = 1
- id = "31a8d00e-ebfc-5001-9c58-d3a2580f16b3"
- condition:
- uint16(0) == 0x5a4d
- and filename == "svchost.exe"
- and ( filesize < 14KB or filesize > 100KB )
-}
-
-rule Suspicious_Size_winlogon_exe {
- meta:
- description = "Detects uncommon file size of winlogon.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 60
- date = "2015-12-21"
- noarchivescan = 1
- id = "8665e8d0-3b5f-5227-8879-cdd614123439"
- condition:
- uint16(0) == 0x5a4d
- and filename == "winlogon.exe"
- and ( filesize < 279KB or filesize > 970KB )
-}
-
-rule Suspicious_Size_igfxhk_exe {
- meta:
- description = "Detects uncommon file size of igfxhk.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 60
- date = "2015-12-21"
- modified = "2022-03-08"
- noarchivescan = 1
- id = "18cc167a-3e65-567f-adcf-d2d311520c1d"
- condition:
- uint16(0) == 0x5a4d
- and filename == "igfxhk.exe"
- and ( filesize < 200KB or filesize > 300KB )
-}
-
-rule Suspicious_Size_servicehost_dll {
- meta:
- description = "Detects uncommon file size of servicehost.dll"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 60
- date = "2015-12-23"
- noarchivescan = 1
- id = "ac71393c-a475-59e0-b22a-d5ee3d25084b"
- condition:
- uint16(0) == 0x5a4d
- and filename == "servicehost.dll"
- and filesize > 150KB
-}
-
-rule Suspicious_Size_rundll32_exe {
- meta:
- description = "Detects uncommon file size of rundll32.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 60
- date = "2015-12-23"
- noarchivescan = 1
- id = "5b9feae7-17d8-56e4-870a-ef865f2d09bf"
- condition:
- uint16(0) == 0x5a4d
- and filename == "rundll32.exe"
- and ( filesize < 30KB or filesize > 120KB )
-}
-
-rule Suspicious_Size_taskhost_exe {
- meta:
- description = "Detects uncommon file size of taskhost.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 60
- date = "2015-12-23"
- noarchivescan = 1
- id = "71b6c853-f490-5d5a-b481-909f6f3a8798"
- condition:
- uint16(0) == 0x5a4d
- and filename == "taskhost.exe"
- and ( filesize < 45KB or filesize > 120KB )
-}
-
-rule Suspicious_Size_spoolsv_exe {
- meta:
- description = "Detects uncommon file size of spoolsv.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 60
- date = "2015-12-23"
- noarchivescan = 1
- id = "14bb3463-b99f-57e1-8cff-fe9a34771093"
- condition:
- uint16(0) == 0x5a4d
- and filename == "spoolsv.exe"
- and ( filesize < 50KB or filesize > 1000KB )
-}
-
-rule Suspicious_Size_smss_exe {
- meta:
- description = "Detects uncommon file size of smss.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 60
- date = "2015-12-23"
- noarchivescan = 1
- id = "7bdc8953-9240-5d22-b2a6-fe95fbc101c2"
- condition:
- uint16(0) == 0x5a4d
- and filename == "smss.exe"
- and ( filesize < 40KB or filesize > 5000KB )
-}
-
-rule Suspicious_Size_wininit_exe {
- meta:
- description = "Detects uncommon file size of wininit.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 60
- date = "2015-12-23"
- noarchivescan = 1
- id = "7b58f497-f214-5bf3-8a5c-8edb52749d09"
- condition:
- uint16(0) == 0x5a4d
- and filename == "wininit.exe"
- and ( filesize < 90KB or filesize > 800KB )
-}
-
-rule Suspicious_AutoIt_by_Microsoft {
- meta:
- description = "Detects a AutoIt script with Microsoft identification"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "Internal Research - VT"
- date = "2017-12-14"
- score = 60
- hash1 = "c0cbcc598d4e8b501aa0bd92115b4c68ccda0993ca0c6ce19edd2e04416b6213"
- id = "69b1c93d-ab12-5fdc-b6eb-fb135796d3a9"
- strings:
- $s1 = "Microsoft Corporation. All rights reserved" fullword wide
- $s2 = "AutoIt" fullword ascii
- condition:
- uint16(0) == 0x5a4d and filesize < 2000KB and all of them
-}
-
-rule SUSP_Size_of_ASUS_TuningTool {
- meta:
- description = "Detects an ASUS tuning tool with a suspicious size"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/"
- date = "2018-10-17"
- modified = "2022-12-21"
- score = 60
- noarchivescan = 1
- hash1 = "d4e97a18be820a1a3af639c9bca21c5f85a3f49a37275b37fd012faeffcb7c4a"
- id = "d22a1bf9-55d6-5cb4-9537-ad13b23af4d1"
- strings:
- $s1 = "\\Release\\ASGT.pdb" ascii
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and filesize > 70KB and all of them
-}
-
-rule SUSP_PiratedOffice_2007 {
- meta:
- description = "Detects an Office document that was created with a pirated version of MS Office 2007"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://twitter.com/pwnallthethings/status/743230570440826886?lang=en"
- date = "2018-12-04"
- score = 40
- hash1 = "210448e58a50da22c0031f016ed1554856ed8abe79ea07193dc8f5599343f633"
- id = "b36e9a59-7617-503b-968d-5b6b72b227ea"
- strings:
- $s7 = "Grizli777 " ascii
- condition:
- uint16(0) == 0xcfd0 and filesize < 300KB and all of them
-}
-
-rule SUSP_Scheduled_Task_BigSize {
- meta:
- description = "Detects suspiciously big scheduled task XML file as seen in combination with embedded base64 encoded PowerShell code"
- author = "Florian Roth (Nextron Systems)"
- reference = "Internal Research"
- date = "2018-12-06"
- id = "61b07b30-1058-5a53-99e7-2c48ec9d23b5"
- strings:
- $a0 = "" wide
- $fp2 = "Office Feature Updates Logon" wide
- $fp3 = "Microsoft Shared" fullword wide
- condition:
- uint16(0) == 0xfeff and filesize > 20KB and all of ($a*) and not 1 of ($fp*)
-}
-
-rule SUSP_Putty_Unnormal_Size {
- meta:
- description = "Detects a putty version with a size different than the one provided by Simon Tatham (could be caused by an additional signature or malware)"
- author = "Florian Roth (Nextron Systems)"
- reference = "Internal Research"
- date = "2019-01-07"
- modified = "2022-06-30"
- score = 50
- hash1 = "e5e89bdff733d6db1cffe8b3527e823c32a78076f8eadc2f9fd486b74a0e9d88"
- hash2 = "ce4c1b718b54973291aefdd63d1cca4e4d8d4f5353a2be7f139a290206d0c170"
- hash3 = "adb72ea4eab7b2efc2da6e72256b5a3bb388e9cdd4da4d3ff42a9fec080aa96f"
- hash4 = "1c0bd6660fa43fa90bd88b56cdd4a4c2ffb4ef9d04e8893109407aa7039277db"
- id = "576b118c-d4be-5ce2-994a-ce3f943dda88"
- strings:
- $s1 = "SSH, Telnet and Rlogin client" fullword wide
-
- $v1 = "Release 0.6" wide
- $v2 = "Release 0.70" wide
-
- $fp1 = "KiTTY fork" fullword wide
- condition:
- uint16(0) == 0x5a4d
- and $s1 and 1 of ($v*)
- and not 1 of ($fp*)
- // has offset
- and filesize != 524288
- and filesize != 495616
- and filesize != 483328
- and filesize != 524288
- and filesize != 712176
- and filesize != 828400
- and filesize != 569328
- and filesize != 454656
- and filesize != 531368
- and filesize != 524288
- and filesize != 483328
- and filesize != 713592
- and filesize != 829304
- and filesize != 571256
- and filesize != 774200
- and filesize != 854072
- and filesize != 665144
- and filesize != 774200
- and filesize != 854072
- and filesize != 665144
- and filesize != 640000 /* putty provided by Safenet https://thalesdocs.com/gphsm/luna/7.1/docs/network/Content/install/sa_hw_install/hardware_installation_lunasa.htm */
- and filesize != 650720 /* Citrix XenCenter */
- and filesize != 662808 /* Citrix XenCenter */
- and filesize != 651256 /* Citrix XenCenter */
- and filesize != 664432 /* Citrix XenCenter */
-}
-
-rule SUSP_RTF_Header_Anomaly {
- meta:
- description = "Detects malformed RTF header often used to trick mechanisms that check for a full RTF header"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://twitter.com/ItsReallyNick/status/975705759618158593"
- date = "2019-01-20"
- modified = "2022-09-15"
- score = 50
- id = "fb362640-9a45-5ee5-8749-3980e0549932"
- condition:
- uint32(0) == 0x74725c7b and /* {\rt */
- not uint8(4) == 0x66 /* not f */
-}
-
-rule WEBSHELL_ASPX_ProxyShell_Aug21_1 {
- meta:
- description = "Detects webshells dropped by ProxyShell exploitation based on their file header (must be PST) and extension"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-are-getting-hacked-via-proxyshell-exploits/"
- date = "2021-08-13"
- id = "8f01cbda-b1cf-5556-9f6a-e709df6dadb2"
- condition:
- uint32(0) == 0x4e444221 /* PST header: !BDN */
- and extension == ".aspx"
-}
diff --git a/yara-Neo23x0/thor_inverse_matches.yar b/yara-Neo23x0/thor_inverse_matches.yar
deleted file mode 100644
index 014c43f..0000000
--- a/yara-Neo23x0/thor_inverse_matches.yar
+++ /dev/null
@@ -1,581 +0,0 @@
-/*
- THOR Yara Inverse Matches
- > Detect system file manipulations and common APT anomalies
-
- This is an extract from the THOR signature database
-
- Reference:
- http://www.bsk-consulting.de/2014/05/27/inverse-yara-signature-matching/
- https://www.bsk-consulting.de/2014/08/28/scan-system-files-manipulations-yara-inverse-matching-22/
-
- Notice: These rules require an external variable called "filename"
-
- License: Detetction Rule License 1.1 (https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md)
-
-*/
-
-import "pe"
-
-private rule WINDOWS_UPDATE_BDC
-{
-meta:
- score = 0
-condition:
- (uint32be(0) == 0x44434d01 and // magic: DCM PA30
- uint32be(4) == 0x50413330)
- or
- (uint32be(0) == 0x44434401 and
- uint32be(12)== 0x50413330) // magic: DCD PA30
-}
-
-/* Rules -------------------------------------------------------------------- */
-
-rule iexplore_ANOMALY {
- meta:
- author = "Florian Roth (Nextron Systems)"
- description = "Abnormal iexplore.exe - typical strings not found in file"
- date = "23/04/2014"
- score = 55
- nodeepdive = 1
- id = "ea436608-d191-5058-b844-025e48082edc"
- strings:
- $win2003_win7_u1 = "IEXPLORE.EXE" wide nocase
- $win2003_win7_u2 = "Internet Explorer" wide fullword
- $win2003_win7_u3 = "translation" wide fullword nocase
- $win2003_win7_u4 = "varfileinfo" wide fullword nocase
- condition:
- filename == "iexplore.exe"
- and uint16(0) == 0x5a4d
- and not filepath contains "teamviewer"
- and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
- and filepath contains "C:\\"
- and not filepath contains "Package_for_RollupFix"
-}
-
-rule svchost_ANOMALY {
- meta:
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- description = "Abnormal svchost.exe - typical strings not found in file"
- date = "23/04/2014"
- score = 55
- id = "5630054d-9fa4-587f-ba78-cda4478f9cc1"
- strings:
- $win2003_win7_u1 = "svchost.exe" wide nocase
- $win2003_win7_u3 = "coinitializesecurityparam" wide fullword nocase
- $win2003_win7_u4 = "servicedllunloadonstop" wide fullword nocase
- $win2000 = "Generic Host Process for Win32 Services" wide fullword
- $win2012 = "Host Process for Windows Services" wide fullword
- condition:
- filename == "svchost.exe"
- and uint16(0) == 0x5a4d
- and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
-}
-
-/* removed 1 rule here */
-
-rule explorer_ANOMALY {
- meta:
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- description = "Abnormal explorer.exe - typical strings not found in file"
- date = "27/05/2014"
- score = 55
- id = "ecadd78f-21a1-5a9f-8f3f-cb51e872805b"
- strings:
- $s1 = "EXPLORER.EXE" wide fullword
- $s2 = "Windows Explorer" wide fullword
- condition:
- filename == "explorer.exe"
- and uint16(0) == 0x5a4d
- and not filepath contains "teamviewer"
- and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
-}
-
-rule sethc_ANOMALY {
- meta:
- description = "Sethc.exe has been replaced - Indicates Remote Access Hack RDP"
- author = "F. Roth"
- reference = "http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf"
- date = "2014/01/23"
- score = 70
- id = "9dfbab4e-3dc8-5246-a051-1618f2ca5f39"
- strings:
- $s1 = "stickykeys" fullword nocase
- $s2 = "stickykeys" wide nocase
- $s3 = "Control_RunDLL access.cpl" wide fullword
- $s4 = "SETHC.EXE" wide fullword
- condition:
- filename == "sethc.exe"
- and uint16(0) == 0x5a4d
- and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
-}
-
-rule Utilman_ANOMALY {
- meta:
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- description = "Abnormal utilman.exe - typical strings not found in file"
- date = "01/06/2014"
- score = 70
- id = "98daff9b-1600-56b3-87ff-637deaa6808c"
- strings:
- $win7 = "utilman.exe" wide fullword
- $win2000 = "Start with Utility Manager" fullword wide
- $win2012 = "utilman2.exe" fullword wide
- condition:
- ( filename == "utilman.exe" or filename == "Utilman.exe" )
- and uint16(0) == 0x5a4d
- and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
-}
-
-rule osk_ANOMALY {
- meta:
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- description = "Abnormal osk.exe (On Screen Keyboard) - typical strings not found in file"
- date = "01/06/2014"
- score = 55
- id = "6b78b001-f863-5a24-a9d1-ee5e8305766b"
- strings:
- $s1 = "Accessibility On-Screen Keyboard" wide fullword
- $s2 = "\\oskmenu" wide fullword
- $s3 = "&About On-Screen Keyboard..." wide fullword
- $s4 = "Software\\Microsoft\\Osk" wide
- condition:
- filename == "osk.exe"
- and uint16(0) == 0x5a4d
- and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
-}
-
-rule magnify_ANOMALY {
- meta:
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- description = "Abnormal magnify.exe (Magnifier) - typical strings not found in file"
- date = "01/06/2014"
- score = 55
- id = "db75201e-81a3-5f82-bf6f-ba155bfbcf81"
- strings:
- $win7 = "Microsoft Screen Magnifier" wide fullword
- $win2000 = "Microsoft Magnifier" wide fullword
- $winxp = "Software\\Microsoft\\Magnify" wide
- condition:
- filename =="magnify.exe"
- and uint16(0) == 0x5a4d
- and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
-}
-
-rule narrator_ANOMALY {
- meta:
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- description = "Abnormal narrator.exe - typical strings not found in file"
- date = "01/06/2014"
- score = 55
- id = "a51f1916-f89a-58a9-b65c-91bf99575b80"
- strings:
- $win7 = "Microsoft-Windows-Narrator" wide fullword
- $win2000 = "&About Narrator..." wide fullword
- $win2012 = "Screen Reader" wide fullword
- $winxp = "Software\\Microsoft\\Narrator"
- $winxp_en = "SOFTWARE\\Microsoft\\Speech\\Voices" wide
- condition:
- filename == "narrator.exe"
- and uint16(0) == 0x5a4d
- and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
-}
-
-rule notepad_ANOMALY {
- meta:
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- description = "Abnormal notepad.exe - typical strings not found in file"
- date = "01/06/2014"
- score = 55
- id = "16ddcd9e-ab6f-593e-80e0-a90399cbc3df"
- strings:
- $win7 = "HELP_ENTRY_ID_NOTEPAD_HELP" wide fullword
- $win2000 = "Do you want to create a new file?" wide fullword
- $win2003 = "Do you want to save the changes?" wide
- $winxp = "Software\\Microsoft\\Notepad" wide
- $winxp_de = "Software\\Microsoft\\Notepad" wide
- condition:
- filename == "notepad.exe"
- and uint16(0) == 0x5a4d
- and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
-}
-
-/* NEW ---------------------------------------------------------------------- */
-
-rule csrss_ANOMALY {
- meta:
- description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file csrss.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "not set"
- date = "2015/03/16"
- hash = "17542707a3d9fa13c569450fd978272ef7070a77"
- id = "bbd2841a-ec72-5eb4-b34a-5ecbf9c5b517"
- strings:
- $s1 = "Client Server Runtime Process" fullword wide
- $s4 = "name=\"Microsoft.Windows.CSRSS\"" fullword ascii
- $s5 = "CSRSRV.dll" fullword ascii
- $s6 = "CsrServerInitialization" fullword ascii
- condition:
- filename == "csrss.exe"
- and uint16(0) == 0x5a4d
- and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
-}
-
-rule conhost_ANOMALY {
- meta:
- description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file conhost.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "not set"
- date = "2015/03/16"
- hash = "1bd846aa22b1d63a1f900f6d08d8bfa8082ae4db"
- id = "9803fa1b-bcaf-5451-831b-fc0dc9d711f2"
- strings:
- $s2 = "Console Window Host" fullword wide
- condition:
- filename == "conhost.exe"
- and uint16(0) == 0x5a4d
- and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
-}
-
-rule wininit_ANOMALY {
- meta:
- description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file wininit.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "not set"
- date = "2015/03/16"
- hash = "2de5c051c0d7d8bcc14b1ca46be8ab9756f29320"
- id = "a251984f-c667-55ec-8cc3-3888e80ddf1e"
- strings:
- $s1 = "Windows Start-Up Application" fullword wide
- condition:
- filename == "wininit.exe"
- and uint16(0) == 0x5a4d
- and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
-}
-
-rule winlogon_ANOMALY {
- meta:
- description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file winlogon.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "not set"
- date = "2015/03/16"
- hash = "af210c8748d77c2ff93966299d4cd49a8c722ef6"
- id = "ee424459-8048-52b8-ba97-4d09265a881f"
- strings:
- $s1 = "AuthzAccessCheck failed" fullword
- $s2 = "Windows Logon Application" fullword wide
- condition:
- filename == "winlogon.exe"
- and not 1 of ($s*)
- and uint16(0) == 0x5a4d
- and not WINDOWS_UPDATE_BDC
- and not filepath contains "Malwarebytes"
-}
-
-rule SndVol_ANOMALY {
- meta:
- description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file SndVol.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "not set"
- date = "2015/03/16"
- hash = "e057c90b675a6da19596b0ac458c25d7440b7869"
- id = "0c4d705f-4b24-55f9-bcf4-3f65eea0b7af"
- strings:
- $s1 = "Volume Control Applet" fullword wide
- condition:
- filename == "sndvol.exe"
- and uint16(0) == 0x5a4d
- and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
-}
-
-rule doskey_ANOMALY {
- meta:
- description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file doskey.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "not set"
- date = "2015/03/16"
- hash = "f2d1995325df0f3ca6e7b11648aa368b7e8f1c7f"
- id = "be9c239a-2918-5330-bbd0-33cc17067f70"
- strings:
- $s3 = "Keyboard History Utility" fullword wide
- condition:
- filename == "doskey.exe"
- and uint16(0) == 0x5a4d
- and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
-}
-
-rule lsass_ANOMALY {
- meta:
- description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file lsass.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "not set"
- date = "2015/03/16"
- hash = "04abf92ac7571a25606edfd49dca1041c41bef21"
- id = "0c0f6129-3e01-56d3-b297-cee231567759"
- strings:
- $s1 = "LSA Shell" fullword wide
- $s2 = "Local Security Authority Process " fullword ascii
- $s3 = "Local Security Authority Process" fullword wide
- $s4 = "LsapInitLsa" fullword
- condition:
- filename == "lsass.exe"
- and uint16(0) == 0x5a4d
- and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
-}
-
-rule taskmgr_ANOMALY {
- meta:
- description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file taskmgr.exe"
- author = "Florian Roth (Nextron Systems)"
- reference = "not set"
- date = "2015/03/16"
- nodeepdive = 1
- hash = "e8b4d84a28e5ea17272416ec45726964fdf25883"
- id = "e1c3a150-6e7e-5ead-a338-0bac6f43185d"
- strings:
- $s0 = "Windows Task Manager" fullword wide
- $s1 = "taskmgr.chm" fullword
- $s2 = "TmEndTaskHandler::" ascii
- $s3 = "CM_Request_Eject_PC" /* Win XP */
- $s4 = "NTShell Taskman Startup Mutex" fullword wide
- condition:
- ( filename == "taskmgr.exe" or filename == "Taskmgr.exe" ) and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
- and uint16(0) == 0x5a4d
- and filepath contains "C:\\"
- and not filepath contains "Package_for_RollupFix"
-}
-
-/* removed 22 rules here */
-
-/* APT ---------------------------------------------------------------------- */
-
-rule APT_Cloaked_PsExec
- {
- meta:
- description = "Looks like a cloaked PsExec. This may be APT group activity."
- date = "2014-07-18"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 60
- id = "e389bb76-0d1d-5e0e-9f79-a3117c919da3"
- strings:
- $s0 = "psexesvc.exe" wide fullword
- $s1 = "Sysinternals PsExec" wide fullword
- condition:
- uint16(0) == 0x5a4d and $s0 and $s1
- and not filename matches /(psexec.exe|PSEXESVC.EXE|PsExec64.exe)$/is
- and not filepath matches /RECYCLE.BIN\\S-1/
-}
-
-/* removed 6 rules here */
-
-rule APT_Cloaked_SuperScan
- {
- meta:
- description = "Looks like a cloaked SuperScan Port Scanner. This may be APT group activity."
- date = "2014-07-18"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 50
- id = "96027f7d-822c-5c5e-acd9-cde8289c6b50"
- strings:
- $s0 = "SuperScan4.exe" wide fullword
- $s1 = "Foundstone Inc." wide fullword
- condition:
- uint16(0) == 0x5a4d and $s0 and $s1 and not filename contains "superscan"
-}
-
-rule APT_Cloaked_ScanLine
- {
- meta:
- description = "Looks like a cloaked ScanLine Port Scanner. This may be APT group activity."
- date = "2014-07-18"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 50
- id = "78041dc0-491b-5a44-a125-3ad72b266cf8"
- strings:
- $s0 = "ScanLine" wide fullword
- $s1 = "Command line port scanner" wide fullword
- $s2 = "sl.exe" wide fullword
- condition:
- uint16(0) == 0x5a4d and $s0 and $s1 and $s2 and not filename == "sl.exe"
-}
-
-rule SUSP_Renamed_Dot1Xtray {
- meta:
- description = "Detects a legitimate renamed dot1ctray.exe, which is often used by PlugX for DLL side-loading"
- author = "Florian Roth (Nextron Systems)"
- reference = "Internal Research"
- date = "2018-11-15"
- hash1 = "f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68"
- id = "3685a79e-7dd6-5221-b58a-6ec1c61030cc"
- strings:
- $a1 = "\\Symantec_Network_Access_Control\\" ascii
- $a2 = "\\dot1xtray.pdb" ascii
- $a3 = "DOT1X_NAMED_PIPE_CONNECT" fullword wide /* Goodware String - occured 2 times */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them
- and not filename matches /dot1xtray.exe/i
- and not filepath matches /Recycle.Bin/i
-}
-
-rule APT_Cloaked_CERTUTIL {
- meta:
- description = "Detects a renamed certutil.exe utility that is often used to decode encoded payloads"
- author = "Florian Roth (Nextron Systems)"
- reference = "Internal Research"
- date = "2018-09-14"
- modified = "2022-06-27"
- id = "13943cda-6bb1-5c6c-8e55-e8d4bba1ffef"
- strings:
- $s1 = "-------- CERT_CHAIN_CONTEXT --------" fullword ascii
- $s5 = "certutil.pdb" fullword ascii
- $s3 = "Password Token" fullword ascii
- condition:
- uint16(0) == 0x5a4d and all of them
- and not filename contains "certutil"
- and not filename contains "CertUtil"
- and not filename contains "Certutil"
- and not filepath contains "\\Bromium\\"
-}
-
-rule APT_SUSP_Solarwinds_Orion_Config_Anomaly_Dec20 {
- meta:
- description = "Detects a suspicious renamed Afind.exe as used by different attackers"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://twitter.com/iisresetme/status/1339546337390587905?s=12"
- date = "2020-12-15"
- score = 70
- nodeepdive = 1
- id = "440a3eb9-b573-53ea-ab26-c44d9cf62401"
- strings:
- $s1 = "ReportWatcher" fullword wide ascii
-
- $fp1 = "ReportStatus" fullword wide ascii
- condition:
- filename == "SolarWindows.Orion.Core.BusinessLayer.dll.config"
- and $s1
- and not $fp1
-}
-
-rule PAExec_Cloaked {
- meta:
- description = "Detects a renamed remote access tool PAEXec (like PsExec)"
- author = "Florian Roth (Nextron Systems)"
- reference = "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/"
- date = "2017-03-27"
- score = 70
- hash1 = "01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc"
- id = "fad8417b-bbdb-5a4e-8324-660e27cb39f8"
- strings:
- $x1 = "Ex: -rlo C:\\Temp\\PAExec.log" fullword ascii
- $x2 = "Can't enumProcesses - Failed to get token for Local System." fullword wide
- $x3 = "PAExec %s - Execute Programs Remotely" fullword wide
- $x4 = "\\\\%s\\pipe\\PAExecIn%s%u" fullword wide
- $x5 = "\\\\.\\pipe\\PAExecIn%s%u" fullword wide
- $x6 = "%%SystemRoot%%\\%s.exe" fullword wide
- $x7 = "in replacement for PsExec, so the command-line usage is identical, with " fullword ascii
- $x8 = "\\\\%s\\ADMIN$\\PAExec_Move%u.dat" fullword wide
- condition:
- ( uint16(0) == 0x5a4d and filesize < 600KB and 1 of ($x*) )
- and not filename == "paexec.exe"
- and not filename == "PAExec.exe"
- and not filename == "PAEXEC.EXE"
- and not filename matches /Install/
- and not filename matches /uninstall/
-}
-
-rule SUSP_VULN_DRV_PROCEXP152_May23 {
- meta:
- description = "Detects vulnerable process explorer driver (original file name: PROCEXP152.SYS), often used by attackers to elevate privileges (false positives are possible in cases in which old versions of process explorer are still present on the system)"
- author = "Florian Roth"
- reference = "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/"
- date = "2023-05-05"
- modified = "2023-07-28"
- score = 50
- hash1 = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc"
- id = "748eb390-f320-5045-bed2-24ae70471f43"
- strings:
- $a1 = "\\ProcExpDriver.pdb" ascii
- $a2 = "\\Device\\PROCEXP152" wide fullword
- $a3 = "procexp.Sys" wide fullword
- condition:
- uint16(0) == 0x5a4d
- and filesize < 200KB
- and all of them
-}
-
-rule SUSP_VULN_DRV_PROCEXP152_Renamed_May23 {
- meta:
- description = "Detects vulnerable process explorer driver (original file name: PROCEXP152.SYS) that has been renamed (often used by attackers to elevate privileges)"
- author = "Florian Roth"
- reference = "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/"
- date = "2023-05-05"
- score = 70
- hash1 = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc"
- id = "af2ec5d5-3453-5d35-8d19-4f37c61fabce"
- strings:
- $a1 = "\\ProcExpDriver.pdb" ascii
- $a2 = "\\Device\\PROCEXP152" wide fullword
- $a3 = "procexp.Sys" wide fullword
- condition:
- uint16(0) == 0x5a4d
- and filesize < 200KB
- and all of them
- and not filename matches /PROCEXP152\.SYS/i
-}
-
-rule SUSP_ANOMALY_Teams_Binary_Nov23 : SCRIPT {
- meta:
- description = "Detects a suspicious binary with the name teams.exe, update.exe or squirrel.exe in the AppData folder of Microsoft Teams that is unsigned or signed by a different CA"
- author = "Florian Roth"
- score = 60
- reference = "https://twitter.com/steve_noel/status/1722698479636476325/photo/1"
- date = "2023-11-11"
- id = "60557ed1-ac16-5e3b-b105-157dc34f6ad7"
- strings:
- $a1 = "Microsoft Code Signing PCA" ascii
- condition:
- (
- filename iequals "teams.exe" or
- filename iequals "update.exe" or
- filename iequals "squirrel.exe"
- )
- and filepath icontains "\\AppData\\Local\\Microsoft\\Teams"
- and pe.number_of_signatures == 0
- and not $a1
-}
-
-rule SAM_Hive_Backup {
- meta:
- description = "Detects a SAM hive backup file - SAM is the Security Account Manager - contains password hashes"
- author = "Florian Roth"
- reference = "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-hashes-from-sam-registry"
- score = 60
- nodeepdive = 1
- date = "2015-03-31"
- modified = "2023-12-12"
- id = "31fb6c0c-966d-5002-bf8c-4129964c81ff"
- strings:
- $s1 = "\\SystemRoot\\System32\\Config\\SAM" wide
- condition:
- uint32(0) == 0x66676572 and $s1 in (0..200)
- and not filepath contains "\\System32\\Config"
- and not filepath contains "\\System32\\config"
- and not filepath contains "System Volume Information"
- and not filepath contains "\\config\\RegBack"
-}
diff --git a/yara-Neo23x0/yara-rules_vuln_drivers_strict_renamed.yar b/yara-Neo23x0/yara-rules_vuln_drivers_strict_renamed.yar
deleted file mode 100644
index 5b11630..0000000
--- a/yara-Neo23x0/yara-rules_vuln_drivers_strict_renamed.yar
+++ /dev/null
@@ -1,6831 +0,0 @@
-
-rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3"
- hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02"
- hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe"
- hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa"
- date = "2023-06-14"
- score = 70
- id = "1dadf1a5-6eea-5d47-be5e-9c93bf23f49a"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310037002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_D7E0 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0"
- date = "2023-06-14"
- score = 70
- id = "c9596048-1bc9-5d4f-8c34-97494f2d4e9e"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00310031002e0031002e003500310030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310031002e0031002e003500310030 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elrawdsk.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6"
- hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a"
- date = "2023-06-14"
- score = 70
- id = "299e1312-e4ff-5152-a046-b020c825df5a"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c0064006f005300200043006f00720070006f0072006100740069006f006e } /* CompanyName EldoSCorporation */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c0020003100300036 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* InternalName elrawdsksys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200610077004400690073006b } /* ProductName RawDisk */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* OriginalFilename elrawdsksys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d0032003000310031002c00200045006c0064006f005300200043006f00720070006f0072006100740069006f006e0020 } /* LegalCopyright CopyrightCEldoSCorporation */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elrawdsk/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_81AA {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0"
- date = "2023-06-14"
- score = 70
- id = "0854ee57-7214-5959-86be-afd26950432c"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_F6CD {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f"
- date = "2023-06-14"
- score = 70
- id = "e14e96ea-42e6-5946-9237-a16f9c072d2c"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_2594 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2"
- date = "2023-06-14"
- score = 70
- id = "1af90e2a-a7b8-5ae0-98a4-ffe0543cda9c"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0033002e0033003800360030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0033002e0033003800360030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_6BEF {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63"
- hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775"
- hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22"
- hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26"
- hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0"
- hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578"
- hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad"
- date = "2023-06-14"
- score = 70
- id = "9a0e6700-1e63-5d7d-b255-d8492162395c"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_45BA {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RwDrv.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a"
- hash = "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf"
- hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d"
- hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe"
- hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3"
- date = "2023-06-14"
- score = 70
- id = "8790783a-921d-513e-9df5-6565e6f6709f"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520077004400720076002e007300790073 } /* InternalName RwDrvsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200770044007200760020004400720069007600650072 } /* ProductName RwDrvDriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520077004400720076002e007300790073 } /* OriginalFilename RwDrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /RwDrv/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdriver_5C0B {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vmdrv.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921"
- hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351"
- hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3"
- date = "2023-06-14"
- score = 70
- id = "0d3a77dc-c2c8-5741-b574-e3a1afe4e43d"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* InternalName vmdrvsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* OriginalFilename vmdrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200056006f006900630065006d006f006400200053002e004c002e0032003000310030002d0032003000320030 } /* LegalCopyright CopyrightCVoicemodSL */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /vmdrv/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_A130 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433"
- hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d"
- date = "2023-06-14"
- score = 70
- id = "ed7c99d8-ba92-53fa-b633-e64e5d7fe5a3"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003800200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD4 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c"
- date = "2023-06-14"
- score = 70
- id = "353bb544-18f6-5c1b-b100-b2ddb55c3cc2"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_88E2 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc"
- hash = "f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478"
- hash = "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7"
- hash = "3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a"
- hash = "d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476"
- hash = "e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06"
- hash = "c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa"
- hash = "6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7"
- hash = "59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879"
- hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd"
- hash = "9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2"
- date = "2023-06-14"
- score = 70
- id = "c36713ac-c8f2-5061-8d1e-42a5c33a60e9"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310034 } /* LegalCopyright CopyrightCMarkRussinovich */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_1F4D {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c"
- hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e"
- hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e"
- hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b"
- hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c"
- hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036"
- hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289"
- date = "2023-06-14"
- score = 70
- id = "4b16ba1a-e7d7-500b-8ebc-aac1561a22f5"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_B50F {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e"
- hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b"
- date = "2023-06-14"
- score = 70
- id = "5d7314e6-51aa-5220-9aa2-6d6c826550bb"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_11BD {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5"
- hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062"
- date = "2023-06-14"
- score = 70
- id = "7f7ebb0c-bb5a-5585-80d9-9638233554a3"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0035 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0035 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* InternalName WinRingsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00520069006e00670030 } /* ProductName WinRing */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* OriginalFilename WinRingsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d00320030003000380020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCOpenLibSysorgAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WinRing0x64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwritedriver_21CC {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwRwDrv.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21"
- date = "2023-06-14"
- score = 70
- id = "5b426649-d516-5dcd-964d-968ebf0cce24"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f0077007300ae002000770069006e006f007700730020003700200064007200690076006500720020006b006900740073002000700072006f00760069006400650072 } /* CompanyName Windowswinowsdriverkitsprovider */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* InternalName HwRwDrvsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* ProductName Hardwarereadwritedriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* OriginalFilename HwRwDrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightMicrosoftCorporationAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HwRwDrv/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833"
- date = "2023-06-14"
- score = 70
- id = "1b982901-3e6b-5aa6-8720-8d9305350dc7"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3124 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5"
- date = "2023-06-14"
- score = 70
- id = "e3bcd228-a606-585f-a2fc-b4113ee87708"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Monitor_win10_x64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb"
- date = "2023-06-14"
- score = 70
- id = "052f73e5-4140-5d25-85d7-3e69937edb29"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription IObitTemperatureMonitor */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00310031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e0030002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d006f006e00690074006f0072002e007300790073 } /* InternalName Monitorsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006400760061006e006300650064002000530079007300740065006d0043006100720065 } /* ProductName AdvancedSystemCare */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d006f006e00690074006f0072002e007300790073 } /* OriginalFilename Monitorsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Monitor_win10_x64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PhlashNT.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890"
- date = "2023-06-14"
- score = 70
- id = "d60b5524-2fc9-52d4-8911-57bf41fc47a8"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300570069006e0046006c006100730068002000440072006900760065007200200066006f0072002000570069006e0064006f007700730020004e0054 } /* FileDescription SWinFlashDriverforWindowsNT */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073002c0020004c00740064002e } /* CompanyName PhoenixTechnologiesLtd */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0031002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e0031002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500048004c004100530048004e0054 } /* InternalName PHLASHNT */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00500068006c006100730068 } /* ProductName WinPhlash */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500048004c004100530048004e0054002e005300590053 } /* OriginalFilename PHLASHNTSYS */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800630029002000500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073002c0020004c00740064002e00200032003000300030002d0032003000300033 } /* LegalCopyright cPhoenixTechnologiesLtd */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PhlashNT/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d"
- date = "2023-06-14"
- score = 70
- id = "a197bb49-05c6-5f73-a598-2df9ff503ffa"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0038002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0038002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* InternalName ALSysIOsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f } /* ProductName ALSysIO */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* OriginalFilename ALSysIOsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300030003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ALSysIO64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743"
- date = "2023-06-14"
- score = 70
- id = "e94c3003-24cc-5dfd-baf1-7377497a4b16"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f"
- hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba"
- hash = "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15"
- hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c"
- hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6"
- hash = "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512"
- hash = "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe"
- hash = "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc"
- hash = "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1"
- hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758"
- hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90"
- hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b"
- date = "2023-06-14"
- score = 70
- id = "4de41d13-ffdc-56fa-a5fe-c72ea5bf872f"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310030002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Asustek_Driversys_Ectool_927C {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - driver7-x86-withoutdbg.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a"
- hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0"
- hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd"
- date = "2023-06-14"
- score = 70
- id = "cc670ae4-3be4-5e70-9b8c-4bf52aa3191d"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300740065006b } /* CompanyName ASUStek */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0032 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044007200690076006500720037002e007300790073 } /* InternalName Driversys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0045004300200074006f006f006c } /* ProductName ECtool */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044007200690076006500720037 } /* OriginalFilename Driver */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020 } /* LegalCopyright Copyright */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /driver7-x86-withoutdbg/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CF4B {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b"
- date = "2023-06-14"
- score = 70
- id = "853fcdcf-12e5-5783-b582-f8449d575d8c"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f"
- date = "2023-06-14"
- score = 70
- id = "8cd1c035-64aa-5bad-b2df-f7b50a90c92b"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000330033 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1"
- date = "2023-06-14"
- score = 70
- id = "4e938de0-3822-57a1-987b-818cb7a169d2"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002e0031002e003100380037002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002e0031002e003100380037002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003100200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriverfle_42E1 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_I2cIo.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb"
- hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65"
- hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a"
- date = "2023-06-14"
- score = 70
- id = "b8fae701-2e8a-542d-8672-4c76f109fa75"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200031002c00200030002c00200030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200031002c00200030002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f002000640072006900760065007200200066006c0065 } /* ProductName BIOSTARIOdriverfle */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f0049003200630049006f002e007300790073 } /* OriginalFilename BSIcIosys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d0032003000300036002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BS_I2cIo/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemserviceprovider_C9CF {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mtcBSv64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8"
- date = "2023-06-14"
- score = 70
- id = "d9c795cd-876a-535f-b64e-55b1cae39da1"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName MiTACTechnologyCorporation */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200031002c00200034002c00200030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200031002c00200034002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName MiTACSystemServiceProvider */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* OriginalFilename mtcBSvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCMiTACTechnologyCorporation */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /mtcBSv64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0"
- date = "2023-06-14"
- score = 70
- id = "87c2d1a5-15a0-51ef-a1be-8c22ffabf03a"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310033 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003700200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viraglt64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495"
- date = "2023-06-14"
- score = 70
- id = "565bd15e-3769-5fd3-90c7-5e5f75fb3bb5"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viraglt64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxsys_Pancafemanager_0650 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFltX64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf"
- date = "2023-06-14"
- score = 70
- id = "9513ae4a-9a61-51da-823c-76d33b2cf809"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e004d006f006e0046006c0074005800360034002e007300790073 } /* InternalName PanMonFltXsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e00430061006600650020004d0061006e0061006700650072 } /* ProductName PanCafeManager */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e004d006f006e0046006c0074005800360034002e007300790073 } /* OriginalFilename PanMonFltXsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0131006c0131006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazlmBilisimTeknolojileriTicLtdSti */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanMonFltX64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf"
- date = "2023-06-14"
- score = 70
- id = "f63927d6-7bbf-590d-b3e0-f5cd70160760"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200320034002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200320034002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_6C71 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ncpl.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44"
- hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0"
- date = "2023-06-14"
- score = 70
- id = "04bee759-d8ca-5f28-9eb5-b6397c58ce8d"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ncpl/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Bsmisys_5962 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMIXP64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347"
- hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9"
- date = "2023-06-14"
- score = 70
- id = "8ebe6df1-b307-50ea-83c8-2984223da6dd"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420053004d0049002e007300790073 } /* InternalName BSMIsys */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053004d0049002e007300790073 } /* OriginalFilename BSMIsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000420049004f005300540041005200200043006f00720070002e00200032003000310031 } /* LegalCopyright CopyrightCBIOSTARCorp */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BSMIXP64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_99F4 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1"
- hash = "56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7"
- hash = "c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8"
- hash = "50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793"
- hash = "9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449"
- hash = "6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4"
- hash = "cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb"
- hash = "d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530"
- hash = "3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5"
- hash = "fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03"
- hash = "9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6"
- hash = "f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d"
- hash = "131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6"
- hash = "e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2"
- hash = "89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be"
- hash = "18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805"
- hash = "7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504"
- hash = "79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57"
- hash = "952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4"
- hash = "101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558"
- hash = "39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e"
- hash = "85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94"
- hash = "b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d"
- hash = "d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482"
- hash = "984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7"
- hash = "e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1"
- hash = "a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499"
- hash = "a9706e320179993dade519a83061477ace195daa1b788662825484813001f526"
- hash = "47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005"
- hash = "38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a"
- hash = "ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0"
- date = "2023-06-14"
- score = 70
- id = "120b0300-f965-5c0e-a996-b98efee72d75"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_26E3 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43"
- hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf"
- hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26"
- date = "2023-06-14"
- score = 70
- id = "e25beaaf-9c1e-5d39-9938-2548ed97325e"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310033002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftatcamfntamfnbvctvcbmftwc_5F5E {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Bs_Def.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be"
- hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5"
- hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3"
- hash = "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb"
- date = "2023-06-14"
- score = 70
- id = "352c2210-c58d-57be-98f3-39ba15d97cf9"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100730075007300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName AsusTekComputerInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320034 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420073005f00440065006600360034002e007300790073 } /* InternalName BsDefsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007500700070006f0072007400200053005300540033003900530046003000320030002c0053005300540032003900450045003000320030002c004100540034003900460030003000320054002c00410054003200390043003000320030002c0041004d003200390046003000300032004e0054002c0041004d003200390046003000300032004e0042002c0056003200390043003500310030003000320054002c0056003200390043003500310030003000320042002c004d0032003900460030003000320054002c0057003200390043003000320030002e } /* ProductName SupportSSTSFSSTEEATFTATCAMFNTAMFNBVCTVCBMFTWC */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420073005f00440065006600360034002e007300790073 } /* OriginalFilename BsDefsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004100730075007300540065006b00200043006f006d00700075007400650072002e00200031003900390032002d0032003000300034 } /* LegalCopyright CopyrightCAsusTekComputer */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Bs_Def/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibrary_6B83 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIOx64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74"
- date = "2023-06-14"
- score = 70
- id = "2b0714b8-ddd7-5313-83d3-53fcb7bb9c43"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f007800360034002e007300790073 } /* InternalName PanIOxsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f007800360034002e007300790073 } /* OriginalFilename PanIOxsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanIOx64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_2A6D {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486"
- hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961"
- hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399"
- date = "2023-06-14"
- score = 70
- id = "3e356a91-0fce-57fe-a2f9-a9ceca2309ae"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310032002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989"
- date = "2023-06-14"
- score = 70
- id = "fbe0700a-ba46-53e7-b519-ad7a6ca42183"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Se64a.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc"
- date = "2023-06-14"
- score = 70
- id = "8f464004-8afe-58c8-9170-52a0496b6158"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006e0054006500630068002000540061006900770061006e } /* CompanyName EnTechTaiwan */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065003600340061002e007300790073 } /* InternalName seasys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0073006f006600740045006e00670069006e0065002d007800360034 } /* ProductName softEnginex */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065003600340061002e007300790073 } /* OriginalFilename seasys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200045006e0054006500630068002000540061006900770061006e002c00200032003000300034002d0032003000300036002e } /* LegalCopyright CopyrightcEnTechTaiwan */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Se64a/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B54 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917"
- date = "2023-06-14"
- score = 70
- id = "c612b1f8-cff0-532e-8a2f-aa24cdad8920"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0038002e003100330030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0038002e003100330030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1"
- date = "2023-06-14"
- score = 70
- id = "ee7f79aa-59fb-54c6-bb4d-939f3b48f4c8"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0035002e0033003900320036002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0035002e0033003900320036002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039"
- hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3"
- date = "2023-06-14"
- score = 70
- id = "d4f27c90-7d23-5969-b635-64eeb859960c"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000360035 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_8FE9 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a"
- date = "2023-06-14"
- score = 70
- id = "9e5a5fc6-24ac-5df2-999f-1d1063bd3f46"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310037002e003100310035 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_4932 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668"
- hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e"
- hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98"
- hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126"
- date = "2023-06-14"
- score = 70
- id = "82418e8e-31cb-5499-9263-f0edc2d2b1e7"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3D9E {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3"
- date = "2023-06-14"
- score = 70
- id = "61d26f77-ddd9-5f83-b531-886eb05331a0"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002d00320030003100320020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_2BBE {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250"
- hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a"
- date = "2023-06-14"
- score = 70
- id = "800313e5-3004-57e6-9f4c-969153ede685"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription NTIOLibForMSISimpleOC */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002d00320030003100320020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0"
- hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c"
- date = "2023-06-14"
- score = 70
- id = "5c6ff79e-d218-5d5f-a057-e6971ef447bf"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_62F5 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0"
- hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7"
- date = "2023-06-14"
- score = 70
- id = "188a50cc-7cf9-545d-87c1-9d3fce1070be"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003000390039 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Yyinc_Dianhu_80CB {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Dh_Kernel_10.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3"
- hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955"
- date = "2023-06-14"
- score = 70
- id = "1675607c-efae-5099-be11-bc206c0712b5"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0059005900200049006e0063002e } /* CompanyName YYInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006400690061006e00680075 } /* ProductName dianhu */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300037002d003200300031003700200059005900200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightYYIncAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Dh_Kernel_10/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00"
- hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9"
- date = "2023-06-14"
- score = 70
- id = "619ff7aa-13db-5f36-987f-36e5f3af4f4b"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad"
- date = "2023-06-14"
- score = 70
- id = "b3c63fd3-4741-57b7-9de9-d2d2d391882f"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0033002e0033003800340038002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0033002e0033003800340038002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_591B {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52"
- date = "2023-06-14"
- score = 70
- id = "4df83628-e87e-5e13-b6dd-033541771ae3"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription NTIOLibForMSIRatioCC */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_47EA {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84"
- hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8"
- date = "2023-06-14"
- score = 70
- id = "1895c269-a7f5-5b4e-8fea-6ac70c16f79b"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0032 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0032 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* InternalName WinRingsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00520069006e00670030 } /* ProductName WinRing */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* OriginalFilename WinRingsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCOpenLibSysorgAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WinRing0/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_6532 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd"
- date = "2023-06-14"
- score = 70
- id = "b71a72cc-08d0-572e-b404-ba2f01dc20a6"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300032 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300032 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310035002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_909D {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880"
- date = "2023-06-14"
- score = 70
- id = "88bfa047-8980-51e0-8baf-9a9301b36283"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300032003000200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_AD40 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173"
- hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7"
- hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a"
- date = "2023-06-14"
- score = 70
- id = "729acf46-93eb-5ab1-a696-d4cc6bf43a53"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e } /* CompanyName ATITechnologiesInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004900200044006900610067006e006f00730074006900630073 } /* ProductName ATIDiagnostics */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e002c00200032003000300033 } /* LegalCopyright CopyrightCATITechnologiesInc */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /atillk64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0CD4 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c"
- date = "2023-06-14"
- score = 70
- id = "788423ac-b11d-593a-a043-0bcdcf49465e"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_E16D {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48"
- hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790"
- hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a"
- hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d"
- date = "2023-06-14"
- score = 70
- id = "1a622734-cb50-5d17-aa0a-d5a04b26b386"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /libnicm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e"
- date = "2023-06-14"
- score = 70
- id = "f9cdf106-d925-5630-82a0-dd03a708e6f1"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380030002e0030002e0031003000370037 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00380030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272"
- date = "2023-06-14"
- score = 70
- id = "b467d87b-12bc-56ef-9901-520e73be1b50"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100310033 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_6FB5 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d"
- date = "2023-06-14"
- score = 70
- id = "045c065f-82e8-5302-b1b4-d5a49491fb84"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_3943 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv106.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838"
- hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9"
- hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d"
- hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7"
- hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c"
- hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b"
- hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc"
- date = "2023-06-14"
- score = 70
- id = "8a32a060-72e4-586a-9269-48ca9e7b49f7"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrDrv106/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - etdsupp.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145"
- date = "2023-06-14"
- score = 70
- id = "577bb210-93ca-5f9f-a297-c8bce58dfd1f"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } /* FileDescription ETDiSupportDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200044006500760065006c006f0070006d0065006e007400200043006f006d00700061006e0079 } /* CompanyName HPDevelopmentCompany */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0030002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0030002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065007400640073007500700070002e007300790073 } /* InternalName etdsuppsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048005000200045005400440069002000440072006900760065007200200044004c004c } /* ProductName HPETDiDriverDLL */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065007400640073007500700070002e007300790073 } /* OriginalFilename etdsuppsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200031003900390031002d00320030003200320020004800650077006c006500740074002d005000610063006b00610072006400200044006500760065006c006f0070006d0065006e007400200043006f006d00700061006e0079002c0020004c002e0050002e } /* LegalCopyright CCopyrightHewlettPackardDevelopmentCompanyLP */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /etdsupp/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501"
- date = "2023-06-14"
- score = 70
- id = "39d8757d-888a-5098-b1c0-7954b233599e"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310036 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003800200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Phoenixtechnologies_Agentsys_Driveragent_4045 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Agent64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca"
- hash = "8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f"
- hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa"
- hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414"
- hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748"
- date = "2023-06-14"
- score = 70
- id = "0bb01569-32ea-52c5-a5cd-27ed4eddfa4b"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073 } /* CompanyName PhoenixTechnologies */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100670065006e007400360034002e007300790073 } /* InternalName Agentsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004400720069007600650072004100670065006e0074 } /* ProductName DriverAgent */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100670065006e007400360034002e007300790073 } /* OriginalFilename Agentsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0045006e0054006500630068002000540061006900770061006e002c00200031003900390037002d0032003000300039 } /* LegalCopyright EnTechTaiwan */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Agent64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605"
- date = "2023-06-14"
- score = 70
- id = "32290d09-5e5a-5cd7-ae87-5be0646fbbc1"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000360030002c00200030002c00200030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000360030002c00200030002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100310020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_904E {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NICM.SYS"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a"
- hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190"
- date = "2023-06-14"
- score = 70
- id = "f8c55d27-288b-50ea-a8ef-bbd4f9d0739f"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NICM/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008"
- date = "2023-06-14"
- score = 70
- id = "0f9f6aaf-37f7-593c-8086-0907e7c09e24"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* InternalName OpenLibSyssys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f00700065006e004c00690062005300790073 } /* ProductName OpenLibSys */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* OriginalFilename OpenLibSyssys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067 } /* LegalCopyright CopyrightCOpenLibSysorg */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /OpenLibSys/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_2A65 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrIbDrv.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a"
- hash = "3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de"
- hash = "2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f"
- hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc"
- hash = "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb"
- hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14"
- date = "2023-06-14"
- score = 70
- id = "99ca2e37-5fcd-5fe2-8e38-88d1153fe950"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520077004400720076002e007300790073 } /* InternalName RwDrvsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* ProductName RWEverythingReadWriteDriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520077004400720076002e007300790073 } /* OriginalFilename RwDrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrIbDrv/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48"
- date = "2023-06-14"
- score = 70
- id = "fb17b415-51c9-5bd1-b557-8d57015f90e1"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000340037 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D0 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0"
- date = "2023-06-14"
- score = 70
- id = "f896b0df-8862-5345-8feb-bdbddedda0bc"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_7795 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "77955af8a8bcea8998f4046c2f8534f6fb1959c71de049ca2f4298ba47d8f23a"
- date = "2023-06-14"
- score = 70
- id = "d7c72129-94ab-5ff6-8b39-5c8c24ac1949"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300032003200200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_9B1A {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194"
- date = "2023-06-14"
- score = 70
- id = "04c4bd4a-67ca-5dbb-9347-ad1a5c949895"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancafemanager_7E01 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFlt.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7"
- date = "2023-06-14"
- score = 70
- id = "e74ef985-275d-5d14-97a3-e3085600aaa6"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e004d006f006e0046006c0074002e007300790073 } /* InternalName PanMonFltsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e00430061006600650020004d0061006e0061006700650072 } /* ProductName PanCafeManager */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e004d006f006e0046006c0074002e007300790073 } /* OriginalFilename PanMonFltsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0131006c0131006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazlmBilisimTeknolojileriTicLtdSti */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanMonFlt/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Lenovodiagnostics_F05B {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LenovoDiagnosticsDriver.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe"
- date = "2023-06-14"
- score = 70
- id = "8613524c-6928-5d5a-9dd3-d067b93ac4b4"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c0065006e006f0076006f002000470072006f007500700020004c0069006d00690074006500640020002800520029 } /* CompanyName LenovoGroupLimitedR */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0034002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0034002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c0065006e006f0076006f0044006900610067006e006f00730074006900630073004400720069007600650072002e007300790073 } /* InternalName LenovoDiagnosticsDriversys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073 } /* ProductName LenovoDiagnostics */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c0065006e006f0076006f0044006900610067006e006f00730074006900630073004400720069007600650072002e007300790073 } /* OriginalFilename LenovoDiagnosticsDriversys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000320030003200310020004c0065006e006f0076006f002000470072006f007500700020004c0069006d0069007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright LenovoGroupLimitedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LenovoDiagnosticsDriver/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Dell_Dbutil_71FE {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DBUtilDrv2.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009"
- date = "2023-06-14"
- score = 70
- id = "ee5c03fc-8778-57ef-b300-2009bbf9208f"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440065006c006c } /* CompanyName Dell */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0037002e0030002e0030 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00440042005500740069006c } /* ProductName DBUtil */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000320031002000440065006c006c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e0020 } /* LegalCopyright DellIncAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /DBUtilDrv2/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Atszio_Atsziodriver_673B {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b"
- hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a"
- date = "2023-06-14"
- score = 70
- id = "e4a1e60c-3b56-518b-ba68-798dd6d5fce6"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002c00200032002c00200031002c00200032 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002c00200032002c00200031002c00200032 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f } /* InternalName ATSZIO */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030 } /* LegalCopyright CopyrightC */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - asmmap64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4"
- date = "2023-06-14"
- score = 70
- id = "610c253b-de94-5ebd-af97-d0a6b1339d81"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription MemorymappingDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005300550053 } /* CompanyName ASUS */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200039002c00200031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200039002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00610073006d006d00610070002e007300790073 } /* InternalName asmmapsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004b002000470065006e0065007200690063002000460075006e006300740069006f006e00200053006500720076006900630065 } /* ProductName ATKGenericFunctionService */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00610073006d006d00610070002e007300790073 } /* OriginalFilename asmmapsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039 } /* LegalCopyright CopyrightC */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /asmmap64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_FB81 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f"
- hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22"
- hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0"
- date = "2023-06-14"
- score = 70
- id = "922f318f-7f43-5844-8037-e40fcce7cb1a"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /nscm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129"
- date = "2023-06-14"
- score = 70
- id = "b352e8e9-b15a-5969-966d-00462cd461f4"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e00320030003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_23BA {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LHA.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade"
- hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf"
- date = "2023-06-14"
- score = 70
- id = "dd239b64-e8dd-5850-9ec3-125245b6f0cd"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c004700200045006c0065006300740072006f006e00690063007300200049006e0063002e } /* CompanyName LGElectronicsInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00480041002e007300790073 } /* InternalName LHAsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f0066007400ae002000570069006e0064006f0077007300ae0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00480041002e007300790073 } /* OriginalFilename LHAsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0075006c00740072006100620069006f007300400068006f0074006d00610069006c002e0063006f006d } /* LegalCopyright ultrabioshotmailcom */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LHA/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Logmeininc_Lmiinfosys_Logmein_453B {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LMIinfo.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233"
- date = "2023-06-14"
- score = 70
- id = "ab17ebdd-3335-5868-a2b8-f6247cf7b778"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f0067004d00650049006e002c00200049006e0063002e } /* CompanyName LogMeInInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e0031002e0030002e0033003200320030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e0031002e0030002e0033003200320030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c004d00490069006e0066006f002e007300790073 } /* InternalName LMIinfosys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f0067004d00650049006e } /* ProductName LogMeIn */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c004d00490069006e0066006f002e007300790073 } /* OriginalFilename LMIinfosys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033002d00320030003100370020004c006f0067004d00650049006e002c00200049006e0063002e00200050006100740065006e00740065006400200061006e006400200070006100740065006e00740073002000700065006e00640069006e0067002e } /* LegalCopyright CopyrightLogMeInIncPatentedandpatentspending */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LMIinfo/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2"
- date = "2023-06-14"
- score = 70
- id = "b347378c-88d1-52bb-8a30-a6558a4bc725"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200037002c00200030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200037002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445"
- date = "2023-06-14"
- score = 70
- id = "3582ec77-9fac-5e3a-9795-ac4429aeea01"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BCED {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f"
- date = "2023-06-14"
- score = 70
- id = "40c14c2c-4e0b-5de6-a095-a6f68d9de2b2"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e00330030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e00330030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300035 } /* LegalCopyright CopyrightCMRussinovich */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d"
- date = "2023-06-14"
- score = 70
- id = "ad49ce42-e771-5b2c-a292-670c60de11af"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkiow8x64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f"
- date = "2023-06-14"
- score = 70
- id = "3435fbbb-b668-580e-a820-d65415d2daaa"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0032 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7"
- date = "2023-06-14"
- score = 70
- id = "2c802dbd-41c6-5651-ad49-ba034d725a49"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310038 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Safenetinc_Hostnt_Hostnt_07B6 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HOSTNT.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357"
- date = "2023-06-14"
- score = 70
- id = "a9a3ad7f-01cd-5e4f-964b-1ebd8faa1a92"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053006100660065004e00650074002c00200049006e0063002e } /* CompanyName SafeNetInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200030002c002000310036002c00200030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200030002c002000310036002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0048006f00730074006e0074 } /* InternalName Hostnt */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048006f00730074006e0074 } /* ProductName Hostnt */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0048006f00730074006e0074002e007300790073 } /* OriginalFilename Hostntsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000200053006100660065004e00650074002c00200049006e0063002e } /* LegalCopyright CopyrightCSafeNetInc */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HOSTNT/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo11X64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba"
- date = "2023-06-14"
- score = 70
- id = "67859aea-01d4-5463-9f4c-f6b4db2a7c30"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* CompanyName RivetNetworksLLC */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0038002e0034002e00350039 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0038002e0034002e00350039 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* InternalName KfeCoDrvsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c } /* ProductName KillerTrafficControl */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* OriginalFilename KfeCoDrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d00320030003100380020005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* LegalCopyright CopyrightCRivetNetworksLLC */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /KfeCo11X64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7CB5 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21"
- date = "2023-06-14"
- score = 70
- id = "4a43c176-9f5b-56c0-8655-0b90f862ec6e"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /zam64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_2AA1 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4"
- date = "2023-06-14"
- score = 70
- id = "718285a7-b151-5ccd-8dcf-9edac9db7d61"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrAutoChkUpdDrv/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd"
- hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10"
- date = "2023-06-14"
- score = 70
- id = "2c22997e-aaa3-5a23-83bb-0f4be8da3837"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000370030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_2899 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7"
- hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2"
- date = "2023-06-14"
- score = 70
- id = "7d961433-d8f7-526b-b5f1-29d896f39a5f"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01"
- date = "2023-06-14"
- score = 70
- id = "3851c445-23c0-59a1-85e9-a32758a73bd8"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000370038 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc"
- date = "2023-06-14"
- score = 70
- id = "7523cea1-54f0-5328-90ec-e5170c5cfe01"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100300034 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_7710 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c"
- hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2"
- hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88"
- hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c"
- date = "2023-06-14"
- score = 70
- id = "3e19f0b1-a1ce-5f2e-a26d-1c7ff8e82f16"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310035002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriver_22BE {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - speedfan.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c"
- date = "2023-06-14"
- score = 70
- id = "86dedef9-d4dc-5c62-b03c-502c0f80ae57"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } /* InternalName speedfansys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } /* OriginalFilename speedfansys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /speedfan/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c"
- date = "2023-06-14"
- score = 70
- id = "bcdf7111-a4ee-5603-b42e-b1acbaf80d69"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* InternalName OpenLibSyssys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f00700065006e004c00690062005300790073 } /* ProductName OpenLibSys */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* OriginalFilename OpenLibSyssys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067 } /* LegalCopyright CopyrightCOpenLibSysorg */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /OpenLibSys/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148"
- date = "2023-06-14"
- score = 70
- id = "0434de42-0da2-5e6c-9c07-e742e53b5c98"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000330038002c00200030002c00200030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000330038002c00200030002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100310020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22"
- date = "2023-06-14"
- score = 70
- id = "ec649ec9-8a01-5665-b18f-eabb5da7c6ea"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0032002e0033 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0032002e0033 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_075D {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85"
- hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc"
- date = "2023-06-14"
- score = 70
- id = "ebf21994-6431-57ba-9c7f-d768cbf7eb33"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00330032 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00330032 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320030 } /* LegalCopyright CopyrightCMarkRussinovich */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_AE42 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471"
- hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2"
- hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff"
- date = "2023-06-14"
- score = 70
- id = "2f1a0973-929d-506e-b344-ce9d37c8eaf5"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003300200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00330020007800360034 } /* ProductVersion x */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0033 } /* ProductName MsIoDriverVersion */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /MsIo64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_3724 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b"
- date = "2023-06-14"
- score = 70
- id = "f5ff0000-66e2-5f32-87b2-f66481c904b4"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0032002e003100310039003200330030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0032002e003100310039003200330030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100390020005000750062006c00690063 } /* ProductName AntidetectPublic */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100390020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */
- condition:
- uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /VBoxDrv/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4"
- date = "2023-06-14"
- score = 70
- id = "bcfba84e-b503-5dd7-b64d-85fcda1c559f"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee"
- hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3"
- date = "2023-06-14"
- score = 70
- id = "45887d8b-facf-5053-bc58-16bd214a24f1"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* InternalName NTIOLibXsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034 } /* ProductName NTIOLibX */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100340020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_6BFC {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e"
- hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc"
- hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7"
- date = "2023-06-14"
- score = 70
- id = "1078dda3-be3d-57d2-becf-dbe54943e48b"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310031 } /* LegalCopyright CopyrightCMRussinovich */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_7A48 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf"
- date = "2023-06-14"
- score = 70
- id = "54bb3bce-fafa-519c-a701-2857ba3b8a97"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_45F4 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef"
- date = "2023-06-14"
- score = 70
- id = "239d02c6-0f72-5ce8-833c-62b7e8e371e8"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e003800360035 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4D05 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee"
- hash = "77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9"
- hash = "cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c"
- hash = "b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5"
- hash = "ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7"
- hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5"
- hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572"
- hash = "d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1"
- date = "2023-06-14"
- score = 70
- id = "081a636c-c65c-500e-9eee-7da4347f658a"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0034 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300030003600200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882"
- date = "2023-06-14"
- score = 70
- id = "1e317c82-53b6-5ab2-9298-1dd046f6fd65"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf"
- date = "2023-06-14"
- score = 70
- id = "94cea41e-38ce-5786-b483-91778b9d1b23"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0031003100300036 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2"
- date = "2023-06-14"
- score = 70
- id = "f54f0567-711e-5cfd-bc81-34854e8c6cb2"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0034002e0033003800390031002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0034002e0033003800390031002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3070 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab"
- date = "2023-06-14"
- score = 70
- id = "eaed99a4-a035-5f0a-bcbe-8f0e2953da40"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CC58 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b"
- date = "2023-06-14"
- score = 70
- id = "9cd3e34b-90ba-5e52-b049-966a7dceed9d"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodenamelonghornddkdriver_916C {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677"
- hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab"
- hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82"
- date = "2023-06-14"
- score = 70
- id = "a3e882e8-d5ae-5b62-b95c-5132299e1682"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* InternalName rtkiosys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* OriginalFilename rtkiosys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036"
- date = "2023-06-14"
- score = 70
- id = "af95748b-1c9d-5065-9a12-2a9826a4f245"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00350030002e0030002e0031003000350038 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00350030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9"
- date = "2023-06-14"
- score = 70
- id = "57d993b7-ce28-5f14-872a-71bbb4f79d2e"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } /* InternalName CupFixerxsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } /* OriginalFilename CupFixerxsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CupFixerx64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0"
- date = "2023-06-14"
- score = 70
- id = "e7e44244-24cc-556d-9a3c-d797535979a5"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390036 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390036 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000370020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /EIO/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30"
- date = "2023-06-14"
- score = 70
- id = "7a7404ea-d835-5d65-9c8e-1f694d9458fe"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000390038 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfornt_EA85 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IOMap64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41"
- date = "2023-06-14"
- score = 70
- id = "029b7abb-cea8-5713-b220-476d2b2fc30e"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* FileDescription ASUSKernelModeDriverforNT */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f004d00610070002e007300790073 } /* InternalName IOMapsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* ProductName ASUSKernelModeDriverforNT */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f004d00610070002e007300790073 } /* OriginalFilename IOMapsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003100300020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /IOMap64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53"
- date = "2023-06-14"
- score = 70
- id = "e61c9ebc-6ec1-5302-934b-f023601a34d8"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000370032002c00200030002c00200030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000370032002c00200030002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E452 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9"
- date = "2023-06-14"
- score = 70
- id = "2e64bafa-9707-53f1-981c-ce1e863a8cfc"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0032002e0033003800320037002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0032002e0033003800320037002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_5596 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hw.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa"
- hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8"
- date = "2023-06-14"
- score = 70
- id = "e53b6cb1-981b-5639-8186-5b1a96bdb9b0"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e } /* CompanyName MarvinTestSolutionsInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0039002e0038002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0039002e0038002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077002e007300790073 } /* InternalName Hwsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00480057 } /* ProductName HW */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003200310020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightMarvinTestSolutionsIncAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /hw/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Mydriverscom_Hwm_Drivergenius_08EB {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mydrivers.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6"
- date = "2023-06-14"
- score = 70
- id = "64fe7b58-75a4-5a83-a621-c77c63d6ca1c"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00790044007200690076006500720073002e0063006f006d } /* CompanyName MyDriverscom */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0032002e003700300037002e0031003200310034 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032003000310036002e0037002e0037002e0031003200310034 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480057004d } /* InternalName HWM */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00440072006900760065007200470065006e006900750073 } /* ProductName DriverGenius */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d00790064007200690076006500720073002e007300790073 } /* OriginalFilename mydriverssys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020004d00790044007200690076006500720073002e0063006f006d00200061006c006c002000720069006700680074 } /* LegalCopyright CopyrightMyDriverscomallright */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /mydrivers/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75"
- date = "2023-06-14"
- score = 70
- id = "aa83d18f-662b-573d-873a-a88179982b9e"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SANDRA/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Powertool_Kevpsys_Powertool_8E63 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f"
- hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184"
- hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c"
- date = "2023-06-14"
- score = 70
- id = "d967bff5-7db8-587b-9422-a43280230261"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /kEvP64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b"
- date = "2023-06-14"
- score = 70
- id = "7fbdb3fe-4655-5656-babb-d99a3ff0c00f"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7C73 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b"
- hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c"
- date = "2023-06-14"
- score = 70
- id = "cc96821c-2dbb-5205-9aa4-55fb8cbe12b5"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320039 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0"
- date = "2023-06-14"
- score = 70
- id = "6c116541-9615-5ede-ad94-7879306eee68"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5"
- date = "2023-06-14"
- score = 70
- id = "db63af64-4b16-5873-b2ba-792f3d8cdbc7"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000370038 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_34E0 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf"
- date = "2023-06-14"
- score = 70
- id = "ff70dd78-039c-53db-8692-5a34d2d0b82a"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0035002e00390036002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0035002e00390036002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_D0BD {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889"
- date = "2023-06-14"
- score = 70
- id = "9bf0e4e6-84e3-58ae-8a53-caa45cf7cf1d"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e00300031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e00300031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_3C18 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b"
- date = "2023-06-14"
- score = 70
- id = "ac00f0ae-fb0b-50e4-91f4-ea2f46bdb27b"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003900320038 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a"
- date = "2023-06-14"
- score = 70
- id = "76145e28-0c1d-5916-b966-0ce7dcad8a90"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000370034002c00200030002c00200030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000370034002c00200030002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4"
- date = "2023-06-14"
- score = 70
- id = "fae3ff35-0e7c-542f-85c1-8fecca9078f3"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440054002000520065007300650061007200630068002c00200049006e0063002e } /* CompanyName DTResearchInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0033002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0033002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* InternalName iomemsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* ProductName iomemsys */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* OriginalFilename iomemsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0044005400200052006500730065006100720063006800200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright DTResearchIncAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iomem64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b"
- date = "2023-06-14"
- score = 70
- id = "71498e5d-a30f-5501-a45f-3c01f1dac039"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0035002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0035002e0031002e0031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300036002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SANDRA/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1B00 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e"
- hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5"
- date = "2023-06-14"
- score = 70
- id = "0c8db0c4-24fa-5a66-b60d-f121a535f14a"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310032002e00300030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e00300030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310030 } /* LegalCopyright CopyrightCMRussinovich */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Multitheftauto_Mtasanandreas_9F4C {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FairplayKD.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5"
- date = "2023-06-14"
- score = 70
- id = "5f75950b-3802-55d5-ad51-37ab9c31d5e4"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0075006c007400690020005400680065006600740020004100750074006f } /* CompanyName MultiTheftAuto */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]003300360037002e0033003200360039002e00360031002e00360034 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003300360037002e0033003200360039002e00360031002e00360034 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00540041002000530061006e00200041006e00640072006500610073 } /* ProductName MTASanAndreas */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800430029002000320030003000330020002d002000320030003100370020004d0075006c007400690020005400680065006600740020004100750074006f } /* LegalCopyright CMultiTheftAuto */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /FairplayKD/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c"
- date = "2023-06-14"
- score = 70
- id = "be9dd90a-22ec-5981-8f8e-16cfd2b9b824"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850"
- date = "2023-06-14"
- score = 70
- id = "0648fea6-a29e-5cc4-bdf9-e74966dbeb71"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /viragt64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Microfocus_Microfocusxtier_95D5 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3"
- date = "2023-06-14"
- score = 70
- id = "8e5947fc-33c2-53c4-b9cb-548373df35dc"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 } /* CompanyName MicroFocus */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073002000580054006900650072 } /* ProductName MicroFocusXTier */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918"
- date = "2023-06-14"
- score = 70
- id = "d5efbb84-070c-5caa-92c0-d320088d2e73"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003100300031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa"
- date = "2023-06-14"
- score = 70
- id = "323095b4-4fee-5c73-99f1-fe1142889cea"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0039002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0039002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* InternalName ALSysIOsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f } /* ProductName ALSysIO */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* OriginalFilename ALSysIOsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300030003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ALSysIO64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibrary_F596 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIO.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960"
- date = "2023-06-14"
- score = 70
- id = "0c9f3005-da64-5545-b9d3-4c9c43152dca"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* InternalName PanIOsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* OriginalFilename PanIOsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanIO/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca"
- date = "2023-06-14"
- score = 70
- id = "67cbef32-1033-55ff-8a49-b12ee01e6800"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0038002e003100330037002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0038002e003100330037002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_9A54 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7"
- date = "2023-06-14"
- score = 70
- id = "6f5fdb7c-ed88-5e1f-9f03-d86bf9646ee2"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalmemoryandports_4E3E {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - otipcibus.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80"
- date = "2023-06-14"
- score = 70
- id = "98494db9-778d-531c-9688-535d539cd953"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00540069 } /* CompanyName OTi */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000300030002e0030002e0031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000300030002e0030002e0031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006f0074006900700063006900620075007300360034002e007300790073 } /* InternalName otipcibussys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200054006f002000410063006300650073007300200050006800790073006900630061006c0020004d0065006d006f0072007900200041006e006400200050006f007200740073 } /* ProductName KernelModeDriverToAccessPhysicalMemoryAndPorts */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006f0074006900700063006900620075007300360034002e007300790073 } /* OriginalFilename otipcibussys */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /otipcibus/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258"
- date = "2023-06-14"
- score = 70
- id = "f6bf8995-aba2-52ff-ba26-eabbef6933bd"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_CFCF {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab"
- date = "2023-06-14"
- score = 70
- id = "a40d5b51-bdcd-5ca9-b708-220f0d3e5c83"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320020007800360034 } /* ProductVersion x */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName MsIoDriverVersion */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100390020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /MsIo64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097"
- date = "2023-06-14"
- score = 70
- id = "35a9803d-08a8-5cad-9eb6-ac7a9366f32b"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440054002000520065007300650061007200630068002c00200049006e0063002e } /* CompanyName DTResearchInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* InternalName iomemsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* ProductName iomemsys */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* OriginalFilename iomemsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0044005400200052006500730065006100720063006800200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright DTResearchIncAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iomem64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Pchuntersys_Pchunter_1B7F {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PCHunter.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa"
- date = "2023-06-14"
- score = 70
- id = "1e9534ab-0139-5550-93ac-e0e2e4f54c3f"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]4e00666e660e4e3aff0853174eacff094fe1606f6280672f67099650516c53f8 } /* CompanyName */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0034 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0034 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004300480075006e007400650072002e007300790073 } /* InternalName PCHuntersys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050004300480075006e007400650072 } /* ProductName PCHunter */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004300480075006e007400650072002e007300790073 } /* OriginalFilename PCHuntersys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310033002d0032003000310036002000450070006f006f006c0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CEpoolsoftCorporationAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 800KB and all of them and not filename matches /PCHunter/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3"
- date = "2023-06-14"
- score = 70
- id = "ec46068f-99f6-5335-a695-c2d4f67661c4"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_8E88 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c"
- date = "2023-06-14"
- score = 70
- id = "dcdacb63-7b72-512e-98fc-f9899eef184f"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_E428 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f"
- date = "2023-06-14"
- score = 70
- id = "ab5fa19d-04b9-53b1-8c25-311b2b70de67"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310037002e003900380034 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06"
- date = "2023-06-14"
- score = 70
- id = "5011ac46-4366-57f2-8102-10fffffb3c27"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100300036 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Huawei_Hwosec_Huaweimatebook_B179 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwOs2Ec7x64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de"
- hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc"
- date = "2023-06-14"
- score = 70
- id = "0b7fdb14-88a4-55cc-ab9e-062dd05df561"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004800750061007700650069 } /* CompanyName Huawei */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077004f0073003200450063 } /* InternalName HwOsEc */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048007500610077006500690020004d0061007400650042006f006f006b } /* ProductName HuaweiMateBook */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480077004f0073003200450063002e007300790073 } /* OriginalFilename HwOsEcsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310036 } /* LegalCopyright CopyrightC */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HwOs2Ec7x64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_A468 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9"
- date = "2023-06-14"
- score = 70
- id = "375a9cb2-5ba6-56d1-944c-38c724f3746d"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200049006e0063002e } /* CompanyName HPInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* InternalName HpPortIoxsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800700050006f007200740049006f } /* ProductName HpPortIo */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* OriginalFilename HpPortIoxsys */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HpPortIox64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7661 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a"
- date = "2023-06-14"
- score = 70
- id = "6af53a8a-2e39-536a-a817-a29748de5055"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003200320039 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2"
- date = "2023-06-14"
- score = 70
- id = "9225e30b-aca2-5989-a73b-8d40d72e2a01"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461"
- date = "2023-06-14"
- score = 70
- id = "90404bf8-2575-5437-898d-6dfb22b04027"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0033002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0033002e0031002e0031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SANDRA/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b"
- date = "2023-06-14"
- score = 70
- id = "f5af1fa3-89f3-5e06-8f67-bb26b89a5c1d"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000370033 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085"
- date = "2023-06-14"
- score = 70
- id = "fc4c8180-77b2-593e-b4c0-5340871291bd"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000390031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Microfocus_Microfocusxtier_5351 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c"
- date = "2023-06-14"
- score = 70
- id = "084f65a0-6a2a-59b6-9a5a-3f45a4f5c892"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 } /* CompanyName MicroFocus */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073002000580054006900650072 } /* ProductName MicroFocusXTier */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxdrv.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f"
- hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924"
- date = "2023-06-14"
- score = 70
- id = "63c99882-aa1c-522c-ae84-485306bdbea4"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e007200340035003800340036 } /* FileVersion r */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e007200340035003800340036 } /* ProductVersion r */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /vboxdrv/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5FAD {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36"
- hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6"
- date = "2023-06-14"
- score = 70
- id = "6eecc3dd-cbcf-5d2f-8005-e027230e64b1"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310036002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310036002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CorsairLLAccess64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_A072 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4"
- hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b"
- hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d"
- date = "2023-06-14"
- score = 70
- id = "4ecccfaa-43fb-582e-9a9e-77529ee9234f"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8"
- date = "2023-06-14"
- score = 70
- id = "492872fa-b936-526f-94c6-c9524039e583"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000360035002c00200030002c00200030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000360035002c00200030002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100320020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c"
- date = "2023-06-14"
- score = 70
- id = "272c95fe-bf5a-53d8-b54b-10dfa4f2945a"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0032002e0033003800320030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0032002e0033003800320030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswVmm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10"
- date = "2023-06-14"
- score = 70
- id = "715dc163-ea21-5633-9d27-6b80e5207fb6"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e0030002e0031003400390037002e003300370036 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e0030002e0031003400390037002e003300370036 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0061007300770056006d006d002e007300790073 } /* InternalName aswVmmsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00610076006100730074002100200041006e0074006900760069007200750073 } /* ProductName avastAntivirus */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061007300770056006d006d002e007300790073 } /* OriginalFilename aswVmmsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003300200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswVmm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_31F4 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427"
- hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38"
- hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229"
- date = "2023-06-14"
- score = 70
- id = "f7ade11a-24e4-5e93-9a9b-d7700b0182db"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00310038003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0031003800330030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339"
- date = "2023-06-14"
- score = 70
- id = "8f96b69a-eec3-5b8d-b938-902b02f32e29"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPNPDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037003100320030003100300031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006700640072007600360034 } /* ProductName gdrv */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_CF69 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb"
- date = "2023-06-14"
- score = 70
- id = "f9a24212-2805-5af3-906f-56ba8a60409c"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /EIO/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_4408 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c"
- date = "2023-06-14"
- score = 70
- id = "e13ccc4c-bee8-5b8d-a94c-8c6d42b7656e"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340033 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340033 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo10X64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704"
- date = "2023-06-14"
- score = 70
- id = "dac8f089-8029-55f6-afcc-f2095c22a925"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* CompanyName RivetNetworksLLC */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0037002e0034002e00310031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0037002e0034002e00310031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* InternalName KfeCoDrvsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c } /* ProductName KillerTrafficControl */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* OriginalFilename KfeCoDrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d00320030003100380020005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* LegalCopyright CopyrightCRivetNetworksLLC */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /KfeCo10X64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39"
- date = "2023-06-14"
- score = 70
- id = "51c17b83-1d09-58c5-857c-f144ff6f5108"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380030002e0030002e0031003000360033 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00380030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolib_09BE {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1"
- date = "2023-06-14"
- score = 70
- id = "f4cb25ca-f56d-5bdc-a53c-5bc91c677e49"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* InternalName NTIOLibXsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e"
- date = "2023-06-14"
- score = 70
- id = "9faf0f73-9c1e-549c-a375-8b3c3b89652c"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0031003100320031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0F01 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8"
- date = "2023-06-14"
- score = 70
- id = "89b49564-f27a-5184-9710-a3b5c3b435fb"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c"
- date = "2023-06-14"
- score = 70
- id = "70f1192d-29b0-5e55-9a0c-e0a17ca5e57a"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e007200340039003300310035 } /* FileVersion r */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e007200340039003300310035 } /* ProductVersion r */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /VBoxDrv/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0"
- date = "2023-06-14"
- score = 70
- id = "3ed4ee1e-989f-5729-9f93-e1a84cf0565b"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000380032 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e"
- date = "2023-06-14"
- score = 70
- id = "ef749b9f-ba3a-53f6-ba93-d8a57f4ef398"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000350032 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006300740069007600650043006c00650061006e } /* ProductName ActiveClean */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3FF3 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa"
- hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675"
- date = "2023-06-14"
- score = 70
- id = "f178f1b8-8f10-50e2-9d17-f83e09e2b020"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00340030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00340030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310030 } /* LegalCopyright CopyrightCMRussinovich */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BDBC {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c"
- date = "2023-06-14"
- score = 70
- id = "c633441c-348f-527e-8187-51b28a53b63a"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00300031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00300031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300037 } /* LegalCopyright CopyrightCMRussinovich */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408"
- date = "2023-06-14"
- score = 70
- id = "f4821039-4998-5f15-99a7-72c4a1219d94"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000350036 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0B2A {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d"
- date = "2023-06-14"
- score = 70
- id = "54df9ee8-fd07-5c87-a94f-63289f1844f5"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0037002e0034003000330031002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0037002e0034003000330031002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Copyright_Advancedmalwareprotection_6F55 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amsdk.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c"
- date = "2023-06-14"
- score = 70
- id = "9d1dabed-5497-5325-b982-653aed3fd039"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* FileDescription AdvancedMalwareProtection */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007000790072006900670068007400200032003000310038002e } /* CompanyName Copyright */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* ProductName AdvancedMalwareProtection */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005a0041004d002e006500780065 } /* OriginalFilename ZAMexe */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000310038002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /amsdk/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b"
- date = "2023-06-14"
- score = 70
- id = "eff2a649-3401-5c91-8856-602c4e976982"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b"
- date = "2023-06-14"
- score = 70
- id = "932a6fdd-6631-5af4-94bf-7fbf48243d7f"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0036 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003200200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185"
- date = "2023-06-14"
- score = 70
- id = "e786e683-d225-506b-ae7d-7c81aa4ac14d"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_119C {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280"
- date = "2023-06-14"
- score = 70
- id = "58289f86-0988-5bf7-b009-8315f1b3696f"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e00310031002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e00310031002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f00360034002e007300790073 } /* InternalName ALSysIOsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f00360034 } /* ProductName ALSysIO */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f00360034002e007300790073 } /* OriginalFilename ALSysIOsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300031003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ALSysIO64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24"
- date = "2023-06-14"
- score = 70
- id = "51fc8e1a-fbf2-59cf-9cde-464859a4160c"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320035002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320035002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100300020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_E839 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa"
- date = "2023-06-14"
- score = 70
- id = "70173412-67b5-5647-ab39-354b69193668"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physicalmemoryaccessdriver_C299 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - physmem.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d"
- date = "2023-06-14"
- score = 70
- id = "27aa8117-0bc2-5f84-98df-d7360bba16a4"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00480069006c0073006300680065007200200047006500730065006c006c0073006300680061006600740020006600fc0072002000530079007300740065006d0061006f00750074006f006d006100740069006f006e0020006d00620048 } /* CompanyName HilscherGesellschaftfrSystemaoutomationmbH */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0070006800790073006d0065006d002e007300790073 } /* InternalName physmemsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* ProductName PhysicalMemoryAccessDriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0070006800790073006d0065006d002e007300790073 } /* OriginalFilename physmemsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000480069006c0073006300680065007200200047006500730065006c006c0073006300680061006600740020006600fc0072002000530079007300740065006d0061006f00750074006f006d006100740069006f006e0020006d00620048002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright HilscherGesellschaftfrSystemaoutomationmbHAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /physmem/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_AF10 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a"
- date = "2023-06-14"
- score = 70
- id = "defc1d03-fae1-5a21-b8ca-f39bdbecaad6"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47"
- date = "2023-06-14"
- score = 70
- id = "8ea15559-48f5-5f9c-bf03-1ee3b0cac919"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285"
- date = "2023-06-14"
- score = 70
- id = "e5ec701e-320e-5991-988f-a1334b9a85ff"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200034 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200034 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Cyreninc_Amp_Cyrenamp_CBB8 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amp.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6"
- date = "2023-06-14"
- score = 70
- id = "b964d59a-0fbf-56be-ae31-323431384cf2"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043005900520045004e00200049006e0063002e } /* CompanyName CYRENInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0034002e00310031002e0031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0034002e00310031002e0031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d0050 } /* InternalName AMP */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005900520045004e00200041004d005000200035 } /* ProductName CYRENAMP */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d0070002e007300790073 } /* OriginalFilename ampsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000310039003900390020002d00200032003000310034002e00200043005900520045004e00200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCYRENIncAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /amp/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - superbmc.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35"
- date = "2023-06-14"
- score = 70
- id = "39029753-a7bc-555f-9c5b-075e934f344a"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* CompanyName SuperMicroComputerInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007300750070006500720062006d0063 } /* InternalName superbmc */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007300750070006500720062006d0063 } /* ProductName superbmc */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007300750070006500720062006d0063002e007300790073 } /* OriginalFilename superbmcsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280063002900200031003900390033002d00320030003100350020005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* LegalCopyright CopyrightcSuperMicroComputerInc */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /superbmc/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1023 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4"
- date = "2023-06-14"
- score = 70
- id = "d3a08d45-760a-538c-93ee-6363e1931b2a"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0031002e0033003800300030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0031002e0033003800300030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54"
- hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5"
- date = "2023-06-14"
- score = 70
- id = "0deb0c4b-e67b-5d53-bd95-3d7fd7833958"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b"
- date = "2023-06-14"
- score = 70
- id = "fc2c48af-ca7f-5481-b77a-1378df03f8c6"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx32/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5"
- hash = "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c"
- hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f"
- hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece"
- hash = "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282"
- date = "2023-06-14"
- score = 70
- id = "cc5590d8-d1c0-5abe-86ee-c68bf005031d"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f"
- date = "2023-06-14"
- score = 70
- id = "515d9838-49af-5f17-aed3-47386b5ea8aa"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000340039 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b"
- hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b"
- date = "2023-06-14"
- score = 70
- id = "5b79a437-d01b-588e-9ebb-b9ec5eaaffcc"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed"
- date = "2023-06-14"
- score = 70
- id = "a949774e-d4d6-50bb-b95c-b9964f2c9054"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00350030002e0030002e0031003000340031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00350030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100340020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1"
- date = "2023-06-14"
- score = 70
- id = "6effbb24-7e9f-5ba2-85fc-348719c1875d"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310035002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310035002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CorsairLLAccess64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69"
- date = "2023-06-14"
- score = 70
- id = "8d7f71b6-6477-58ed-8840-01f1431354d3"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100340030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566"
- date = "2023-06-14"
- score = 70
- id = "dd403a42-674c-55b6-b22e-1b6abd0d64ad"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003100370036 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289"
- date = "2023-06-14"
- score = 70
- id = "4a38e7a2-564f-5e50-85ee-cd0d60a7e584"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280"
- date = "2023-06-14"
- score = 70
- id = "3f866c44-1ed4-5b68-b137-6c5867dbd23c"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100310037 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriver_D205 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_RCIO64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e"
- date = "2023-06-14"
- score = 70
- id = "e20746e7-2863-50ad-9b62-2a0e68a229be"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0031003900300031002e0031003100300030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0031003900300031002e0031003100300030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f0020006400720069007600650072 } /* ProductName BIOSTARIOdriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f005200430049004f00360034002e007300790073 } /* OriginalFilename BSRCIOsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310038002d0032003000310039002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BS_RCIO64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20"
- hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f"
- date = "2023-06-14"
- score = 70
- id = "4b8f46b5-c709-5fdf-a6d6-1cf7745fc989"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } /* InternalName amifldrvsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } /* OriginalFilename amifldrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /amifldrv64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxdriverversion_X_F581 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpoutx64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af"
- hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b"
- hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d"
- date = "2023-06-14"
- score = 70
- id = "8a86b8d4-fc20-5b4e-9ff7-f19d229d7eff"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320020007800360034 } /* ProductVersion x */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f00750074007800360034002e007300790073 } /* InternalName inpoutxsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f007500740078003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName inpoutxDriverVersion */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f00750074007800360034002e007300790073 } /* OriginalFilename inpoutxsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /inpoutx64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56"
- date = "2023-06-14"
- score = 70
- id = "616ba0c6-a6fe-550c-9e04-bbeba84118ba"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3"
- date = "2023-06-14"
- score = 70
- id = "d8069eed-ff86-59ff-a410-12a8f57764e2"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0032002e0034003100350037002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0032002e0034003100350037002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_A334 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d"
- hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b"
- date = "2023-06-14"
- score = 70
- id = "08d52deb-a03e-5738-8416-71071d8f683a"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310038002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310038002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CorsairLLAccess64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687"
- date = "2023-06-14"
- score = 70
- id = "3ab90f44-3463-5e71-8637-b85450e8f45d"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003100320034 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4"
- date = "2023-06-14"
- score = 70
- id = "d348bd57-9044-5fcd-905f-795ae2e5adc4"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00320030002e0030002e0031003000310032 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00320030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IObitUnlocker.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004"
- date = "2023-06-14"
- score = 70
- id = "25ccdffd-65c4-52aa-9bd3-1bd219b28ad0"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription UnlockerDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f00620069007400200049006e0066006f0072006d006100740069006f006e00200054006500630068006e006f006c006f00670079 } /* CompanyName IObitInformationTechnology */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0030002e00310030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0030002e00310030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0055006e006c006f0063006b00650072 } /* ProductName Unlocker */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /IObitUnlocker/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_93D8 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63"
- date = "2023-06-14"
- score = 70
- id = "d7f84859-7bbf-5077-bb7a-e3de30f7a458"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rzpnk/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_358A {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69"
- date = "2023-06-14"
- score = 70
- id = "7c0bdc84-8e81-5a5f-be68-c166478147fb"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WiseUnlo/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9B6A {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4"
- date = "2023-06-14"
- score = 70
- id = "6c6c46f1-00ad-5a6f-89f4-7fd7911676ac"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00320037 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00320037 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310039 } /* LegalCopyright CopyrightCMarkRussinovich */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_7D43 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea"
- date = "2023-06-14"
- score = 70
- id = "ae0da285-f043-5d20-8157-8b33c827f488"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310037002e0039002e0033003700360031002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037002e0039002e0033003700360031002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310034002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee"
- date = "2023-06-14"
- score = 70
- id = "a2496fca-4e17-54a1-af5b-016e74c3adaa"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0031003000310036 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_9491 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5"
- date = "2023-06-14"
- score = 70
- id = "e8f74917-d750-52e4-a9d0-832620ef8b24"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatingsystem_04A8 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ADV64DRV.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162"
- date = "2023-06-14"
- score = 70
- id = "0fa674cc-8084-5a92-804b-3572af484c63"
- strings:
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410044005600360034004400520056002e007300790073 } /* InternalName ADVDRVsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f006600740052002000570069006e0064006f0077007300520020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftRWindowsROperatingSystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410044005600360034004400520056002e007300790073 } /* OriginalFilename ADVDRVsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002800430029002000460055004a00490054005300550020004c0049004d004900540045004400200032003000300035 } /* LegalCopyright CopyrightCFUJITSULIMITED */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ADV64DRV/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_FF96 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5"
- date = "2023-06-14"
- score = 70
- id = "d857b678-5cd6-5784-b9ae-b5171c811a9d"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003900200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c"
- date = "2023-06-14"
- score = 70
- id = "dce72757-4557-559c-89d3-3c526628ccbd"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* ProductName */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310034 } /* LegalCopyright CopyrightCMarkRussinovich */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a"
- date = "2023-06-14"
- score = 70
- id = "a83e9bdc-24f4-54a1-aad9-80e84b9e3502"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SANDRA/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDPowerProfiler.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05"
- date = "2023-06-14"
- score = 70
- id = "7c820b70-f985-596b-8426-05035c0bfafc"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0034002e003400390033002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d00440050006f00770065007200500072006f00660069006c00650072002e007300790073 } /* InternalName AMDPowerProfilersys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020007500500072006f0066 } /* ProductName AMDuProf */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d00440050006f00770065007200500072006f00660069006c00650072002e007300790073 } /* OriginalFilename AMDPowerProfilersys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020003200300032003100200041004d004400200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright AMDIncAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDPowerProfiler/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_074A {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761"
- date = "2023-06-14"
- score = 70
- id = "9f1349f3-a816-5209-bf11-d84dfa035169"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300036002e0030003100310038002e00320030003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300036002e0030003100310038002e0032003000310037 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_98B7 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8"
- date = "2023-06-14"
- score = 70
- id = "7fc1fa6a-9c53-51b8-8c41-cdffe6baa132"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_9A95 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c"
- date = "2023-06-14"
- score = 70
- id = "96f9b580-772e-5b98-ad82-06fcd246a980"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003200380037 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775"
- date = "2023-06-14"
- score = 70
- id = "200441c8-14b2-5c30-afe7-2b1a0a979827"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0034 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003100200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_2BBC {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1"
- date = "2023-06-14"
- score = 70
- id = "0c7fa8ed-1c1b-524a-b81d-62c145832fd9"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003300370031 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Lv561av.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4"
- date = "2023-06-14"
- score = 70
- id = "599205df-343a-5d3d-9894-c1d1f67e8805"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f00670069007400650063006800200049006e0063002e } /* CompanyName LogitechInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310032002e00300030002e0031003200370038002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e00300030002e0031003200370038002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c007600350036003100610076002e007300790073 } /* InternalName Lvavsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f006700690074006500630068002000570065006200630061006d00200053006f006600740077006100720065 } /* ProductName LogitechWebcamSoftware */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c007600350036003100610076002e007300790073 } /* OriginalFilename Lvavsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280063002900200031003900390036002d00320030003000390020004c006f006700690074006500630068002e002000200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright cLogitechAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 600KB and all of them and not filename matches /Lv561av/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_C505 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5"
- date = "2023-06-14"
- score = 70
- id = "668c02d0-dabf-598f-8c90-5d6f0e3399e2"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200049006e0063002e } /* CompanyName HPInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0039 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0039 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* InternalName HpPortIoxsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800700050006f007200740049006f } /* ProductName HpPortIo */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* OriginalFilename HpPortIoxsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002d003200300032003100200048005000200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCHPIncAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HpPortIox64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89"
- date = "2023-06-14"
- score = 70
- id = "f8eac5b8-e6b4-5749-aa2a-a5e7feefd389"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* InternalName rtkiowxsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_2CE8 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1"
- date = "2023-06-14"
- score = 70
- id = "fe86a574-2863-59d4-8021-d1a16d3f8cb2"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e00310030002e003100370031002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e00310030002e003100370031002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_9254 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b"
- date = "2023-06-14"
- score = 70
- id = "cc1da8e7-b6ef-5580-93f3-d1d0ce2ddac7"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004400440052005f00430043 } /* FileDescription NTIOLibforMSIDDRCC */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NalDrv.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b"
- hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df"
- date = "2023-06-14"
- score = 70
- id = "940ec295-fcb3-58ed-94fc-41d27943ff0e"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0037 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003300200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NalDrv/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow10x64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993"
- date = "2023-06-14"
- score = 70
- id = "062699e5-a4c4-5428-9867-450293bd591f"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* InternalName rtkiowxsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkiow10x64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_43BA {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89"
- date = "2023-06-14"
- score = 70
- id = "8db66d7c-9c5b-5ec5-a0d3-6eeac0faad51"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003100200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00310020007800360034 } /* ProductVersion x */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0031 } /* ProductName MsIoDriverVersion */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100390020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /MsIo64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1078 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c"
- date = "2023-06-14"
- score = 70
- id = "d8ad2385-f6ec-54df-b61e-e39d7e42ab9f"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097"
- date = "2023-06-14"
- score = 70
- id = "a054c49f-545a-50e4-9233-aa02e16be947"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0035 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64"
- date = "2023-06-14"
- score = 70
- id = "699ffd4c-b617-5176-8309-f29c2cb00441"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000390039 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcodenamelonghornddkdriver_159E {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WCPU.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980"
- date = "2023-06-14"
- score = 70
- id = "c8838651-0a16-565f-8d0a-0bafb7655f34"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* InternalName CPUDriver */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* OriginalFilename CPUDriver */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020006200790020004100530055005300540065006b00200043004f004d0050005500540045005200200049004e0043002e00200032003000300036 } /* LegalCopyright CopyrightbyASUSTekCOMPUTERINC */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WCPU/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_1DDF {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219"
- date = "2023-06-14"
- score = 70
- id = "2dd7f773-866a-5d1b-9048-9f632a5940fd"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad"
- date = "2023-06-14"
- score = 70
- id = "8ecfdace-3521-59b7-8f71-357e6aa89f12"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0030002e0031003000370032 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HW.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c"
- hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5"
- date = "2023-06-14"
- score = 70
- id = "7d87c723-84b9-56cd-84e1-ef5cdbd61d13"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e } /* CompanyName MarvinTestSolutionsInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0038002e0032002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0038002e0032002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077002e007300790073 } /* InternalName Hwsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00480057 } /* ProductName HW */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003100350020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightMarvinTestSolutionsIncAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HW/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_6E0A {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf"
- date = "2023-06-14"
- score = 70
- id = "cf02e07e-5d9c-55ee-a253-3a1c28ee77bc"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0036002e0034003200330035002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0036002e0034003200330035002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_A2F4 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1"
- date = "2023-06-14"
- score = 70
- id = "ffbaa9ba-f68a-554a-9fe8-544bb2e4880f"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0032002e0034003100380031002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0032002e0034003100380031002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvflash.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508"
- date = "2023-06-14"
- score = 70
- id = "43d4d647-32f2-5838-9182-c72420786bdb"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070006f0072006100740069006f006e } /* CompanyName NVIDIACorporation */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0038002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0038002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00760066006c006100730068 } /* InternalName nvflash */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072 } /* ProductName NVIDIAFlashDriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00760066006c006100730068002e007300790073 } /* OriginalFilename nvflashsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800430029002000320030003100370020004e0056004900440049004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CNVIDIACorporationAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvflash/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439"
- date = "2023-06-14"
- score = 70
- id = "4dd6a8d8-f4b0-5a4f-889f-288c3c58564c"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200034 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev_26F4 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712"
- date = "2023-06-14"
- score = 70
- id = "3ad3446c-e086-5f48-9494-b40dc410d350"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100380020005000750062006c00690063002000620079002000560065006b0074006f0072002000540031003300200028007200650076002e003000350029 } /* ProductName AntidetectPublicbyVektorTrev */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100380020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */
- condition:
- uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /VBoxDrv/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f"
- date = "2023-06-14"
- score = 70
- id = "aecc5ac9-d563-53cd-8c12-c8c21bd69772"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320038 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_55A1 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9"
- hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc"
- date = "2023-06-14"
- score = 70
- id = "5486718a-942a-5c48-b2ba-619ec75f9a5f"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0036 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0036 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b"
- date = "2023-06-14"
- score = 70
- id = "af3aeaf1-cf11-534a-98ce-f0fc91a55594"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e00310031002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e00310031002e0031002e0031 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300038002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c"
- date = "2023-06-14"
- score = 70
- id = "c982914b-d99f-5ff4-a520-285308d54947"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0031003100310038 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonitorsdriverdevelopmentedition_7877 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VProEventMonitor.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca"
- date = "2023-06-14"
- score = 70
- id = "9c70d8f6-1bd9-5a04-be49-ba4eb5d3bbb3"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530079006d0061006e00740065006300200043006f00720070006f0072006100740069006f006e } /* CompanyName SymantecCorporation */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e00340035003700300038 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e005300790073 } /* InternalName VProEventMonitorSys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530079006d0061006e0074006500630020004500760065006e00740020004d006f006e00690074006f00720073002000440072006900760065007200200044006500760065006c006f0070006d0065006e0074002000450064006900740069006f006e } /* ProductName SymantecEventMonitorsDriverDevelopmentEdition */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e005300790073 } /* OriginalFilename VProEventMonitorSys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300037002d0032003000300038002000530079006d0061006e00740065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSymantecCorporationAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VProEventMonitor/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Wj_Kprocesshacker_C725 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - krpocesshacker.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c"
- date = "2023-06-14"
- score = 70
- id = "6fc3cdb0-6d5f-56f8-8f36-0ff5bef55de3"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0038 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0038 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName KProcessHacker */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /krpocesshacker/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed"
- date = "2023-06-14"
- score = 70
- id = "0319c351-404e-5272-b0d5-952ce977838f"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd"
- date = "2023-06-14"
- score = 70
- id = "87a0873b-23fb-5a11-a3f4-942f30cdcfa7"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000380034 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodriverversion_X_2121 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CtiIo64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109"
- date = "2023-06-14"
- score = 70
- id = "a8590fdf-3af6-5231-b089-bb07eef1e2d4"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043007200650061007400690076006500200054006500630068006e006f006c006f0067007900200049006e006e006f0076006100740069006f006e00200043006f002e002c0020004c00540064002e } /* CompanyName CreativeTechnologyInnovationCoLTd */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300020007800360034 } /* ProductVersion x */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* InternalName CtiIosys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043007400690049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0030 } /* ProductName CtiIoDriverVersion */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* OriginalFilename CtiIosys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004300540049 } /* LegalCopyright CopyrightcCTI */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CtiIo64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SysDrv3S.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b"
- date = "2023-06-14"
- score = 70
- id = "820cc12f-f611-50d6-8091-4aca403d3e97"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00330053002d0053006d00610072007400200053006f00660074007700610072006500200053006f006c007500740069006f006e007300200047006d00620048 } /* CompanyName SSmartSoftwareSolutionsGmbH */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c0035002c0036002c0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0035002e0036002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530079007300440072007600330053 } /* InternalName SysDrvS */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530079007300440072007600330053 } /* ProductName SysDrvS */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530079007300440072007600330053002e007300790073 } /* OriginalFilename SysDrvSsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300036002d0032003000310034 } /* LegalCopyright Copyright */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SysDrv3S/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8"
- date = "2023-06-14"
- score = 70
- id = "92155ad4-0564-570b-8b9b-39ec68a937af"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310037002e0039002e0033003700350034002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037002e0039002e0033003700350034002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3871 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz_x64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3"
- date = "2023-06-14"
- score = 70
- id = "4a81c778-c70d-57f7-b57e-3f2de7bfbd27"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz_x64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9"
- date = "2023-06-14"
- score = 70
- id = "8f7f8c67-774d-5864-a9a9-e43896a8e1f4"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310037 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003800200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073"
- date = "2023-06-14"
- score = 70
- id = "c37e0f2e-edf4-57bc-96d3-2256241603b7"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0032002e0034002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e0034002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003200200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NCHGBIOS2x64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_5439 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91"
- hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd"
- date = "2023-06-14"
- score = 70
- id = "f2b28250-5041-59a9-a49f-9b9597e630ef"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320031002e00360033 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_30AB {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb"
- date = "2023-06-14"
- score = 70
- id = "d9027c11-b261-5751-a75f-149cc317a186"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00330030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00330030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300038 } /* LegalCopyright CopyrightCMRussinovich */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_DE8F {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c"
- date = "2023-06-14"
- score = 70
- id = "529c87c6-e363-57ca-894e-84af66030798"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e003100300034 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /zam64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - phymem64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52"
- date = "2023-06-14"
- score = 70
- id = "9607a849-b445-5b65-8aec-34c637c49101"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* CompanyName SuperMicroComputerInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007000680079006d0065006d } /* InternalName phymem */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007000680079006d0065006d } /* ProductName phymem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007000680079006d0065006d002e007300790073 } /* OriginalFilename phymemsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280063002900200031003900390033002d00320030003100350020005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* LegalCopyright CopyrightcSuperMicroComputerInc */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /phymem64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_16A2 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1"
- hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb"
- date = "2023-06-14"
- score = 70
- id = "4f275c35-b939-507c-8c6b-2851cc48cd35"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340032 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340032 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB7 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40"
- date = "2023-06-14"
- score = 70
- id = "e8b4df5f-9449-5943-ad88-479215dbca33"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0030002e003100310039003200330030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0030002e003100310039003200330030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100390020005000750062006c00690063 } /* ProductName AntidetectPublic */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100390020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */
- condition:
- uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /VBoxDrv/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada"
- date = "2023-06-14"
- score = 70
- id = "398bc71f-c1a6-57bb-81df-6e378a64e39a"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0034002e007200340037003900370038 } /* FileVersion r */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0034002e007200340037003900370038 } /* ProductVersion r */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /VBoxDrv/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4"
- date = "2023-06-14"
- score = 70
- id = "70296e41-c455-5353-a682-272346ecc4c8"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500069006e00640075006f00640075006f0020004c0074006400200043006f00720070 } /* CompanyName PinduoduoLtdCorp */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e003100330037003900300034 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e003100330037003900300034 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500069006e00640075006f00640075006f00200053006500630075007200650020005600440049 } /* ProductName PinduoduoSecureVDI */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d0032003000320031002000500069006e00640075006f00640075006f00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCPinduoduoCorporation */
- condition:
- uint16(0) == 0x5a4d and filesize < 1000KB and all of them and not filename matches /VBoxDrv/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506"
- date = "2023-06-14"
- score = 70
- id = "bf7ca47b-217f-50a3-a634-d34a788c0e6d"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100320020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_8CFD {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9"
- date = "2023-06-14"
- score = 70
- id = "2ef0b4a6-b99a-5726-b485-08ad34af82c2"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9"
- date = "2023-06-14"
- score = 70
- id = "ee625dbd-bb74-5c20-bfd9-05a50b0ab728"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0036002e0033003900370039002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0036002e0033003900370039002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Wj_Kprocesshacker_7021 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4"
- date = "2023-06-14"
- score = 70
- id = "d913ce75-2d9f-58e5-8cf9-c58062b16116"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030 } /* ProductVersion */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName KProcessHacker */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /kprocesshacker/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524"
- date = "2023-06-14"
- score = 70
- id = "dbfbd9f6-bb1e-5d55-bf0c-0c33f1947de0"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00320030002e0030002e0031003000300038 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00320030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_HWMIO64_W10.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8"
- date = "2023-06-14"
- score = 70
- id = "f149cf06-3087-5976-9b85-3779caa99ab5"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002c00200030002c00200031003800300036002c00200032003200300030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002c00200030002c00200031003800300036002c00200032003200300030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f0020006400720069007600650072 } /* ProductName BIOSTARIOdriver */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f00480057004d0049004f00360034005f005700310030002e007300790073 } /* OriginalFilename BSHWMIOWsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310038002d0032003000310039002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BS_HWMIO64_W10/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6"
- date = "2023-06-14"
- score = 70
- id = "d31d0885-997d-54ac-8dc0-dc4703b0a105"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683"
- date = "2023-06-14"
- score = 70
- id = "fa919157-ac17-529a-ac52-77794cfaae58"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0032002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0032002e0037 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003600200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d"
- date = "2023-06-14"
- score = 70
- id = "604edf79-865e-5d1e-bc2d-b2948d4ba5c1"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60"
- date = "2023-06-14"
- score = 70
- id = "96c759e8-6824-5845-82fc-512810a6cc8f"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i
-}
-
-
-rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 {
- meta:
- description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
- author = "Florian Roth"
- reference = "https://github.com/magicsword-io/LOLDrivers"
- hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba"
- date = "2023-06-14"
- score = 70
- id = "dfb8899e-3cbb-55c5-b531-761200da2d8f"
- strings:
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
- $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
- $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0037002e0034003000310036002e0030 } /* FileVersion */
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0037002e0034003000310036002e0030 } /* ProductVersion */
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
- $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
- $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
- $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
- condition:
- uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
-}
diff --git a/yara-Neo23x0/yara_mixed_ext_vars.yar b/yara-Neo23x0/yara_mixed_ext_vars.yar
deleted file mode 100644
index 74778fc..0000000
--- a/yara-Neo23x0/yara_mixed_ext_vars.yar
+++ /dev/null
@@ -1,556 +0,0 @@
-/*
- This is a collection of rules that use external variables
- They work with scanners that support the use of external variables, like
- THOR, LOKI or SPARK
- https://www.nextron-systems.com/compare-our-scanners/
-*/
-
-import "pe"
-import "math"
-
-rule Acrotray_Anomaly {
- meta:
- description = "Detects an acrotray.exe that does not contain the usual strings"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 75
- id = "e3fef644-e535-5137-ac98-2fd1b7ca4361"
- strings:
- $s1 = "PDF/X-3:2002" fullword wide
- $s2 = "AcroTray - Adobe Acrobat Distiller helper application" fullword wide
- $s3 = "MS Sans Serif" fullword wide
- $s4 = "COOLTYPE.DLL" fullword ascii
- condition:
- uint16(0) == 0x5a4d and filesize < 3000KB
- and ( filename == "acrotray.exe" or filename == "AcroTray.exe" )
- and not all of ($s*)
-}
-
-rule COZY_FANCY_BEAR_modified_VmUpgradeHelper {
- meta:
- description = "Detects a malicious VmUpgradeHelper.exe as mentioned in the CrowdStrike report"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
- date = "2016-06-14"
- id = "97b844a4-0fa4-5850-8803-2212a69e3d16"
- strings:
- $s1 = "VMware, Inc." wide fullword
- $s2 = "Virtual hardware upgrade helper service" fullword wide
- $s3 = "vmUpgradeHelper\\vmUpgradeHelper.pdb" ascii
- condition:
- uint16(0) == 0x5a4d and
- filename == "VmUpgradeHelper.exe" and
- not all of ($s*)
-}
-
-rule IronTiger_Gh0stRAT_variant
-{
- meta:
- author = "Cyber Safety Solutions, Trend Micro"
- description = "This is a detection for a s.exe variant seen in Op. Iron Tiger"
- reference = "http://goo.gl/T5fSJC"
- id = "e7eeee0f-d7a1-5359-bc1f-5a2a883c7227"
- strings:
- $str1 = "Game Over Good Luck By Wind" nocase wide ascii
- $str2 = "ReleiceName" nocase wide ascii
- $str3 = "jingtisanmenxiachuanxiao.vbs" nocase wide ascii
- $str4 = "Winds Update" nocase wide ascii fullword
- condition:
- uint16(0) == 0x5a4d and (any of ($str*))
- and not filename == "UpdateSystemMib.exe"
-}
-
-rule OpCloudHopper_Cloaked_PSCP {
- meta:
- description = "Tool used in Operation Cloud Hopper - pscp.exe cloaked as rundll32.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
- date = "2017-04-07"
- score = 90
- id = "c1e2e456-dbdd-54cf-b0e0-b356f291cfcd"
- strings:
- $s1 = "AES-256 SDCTR" ascii
- $s2 = "direct-tcpip" ascii
- condition:
- all of them and filename == "rundll32.exe"
-}
-
-rule msi_dll_Anomaly {
- meta:
- description = "Detetcs very small and supicious msi.dll"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"
- date = "2017-02-10"
- hash1 = "8c9048e2f5ea2ef9516cac06dc0fba8a7e97754468c0d9dc1e5f7bce6dbda2cc"
- id = "92cd5c51-ed84-5428-9105-50139f9289c8"
- strings:
- $x1 = "msi.dll.eng" fullword wide
- condition:
- uint16(0) == 0x5a4d and filesize < 15KB and filename == "msi.dll" and $x1
-}
-
-rule PoS_Malware_MalumPOS_Config
-{
- meta:
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- date = "2015-06-25"
- description = "MalumPOS Config File"
- reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-malumpos-targets-hotels-and-other-us-industries/"
- id = "0fd2b9c2-d016-5db2-8fcc-618df6c815de"
- strings:
- $s1 = "[PARAMS]"
- $s2 = "Name="
- $s3 = "InterfacesIP="
- $s4 = "Port="
- condition:
- all of ($s*) and filename == "log.ini" and filesize < 20KB
-}
-
-rule Malware_QA_update_test {
- meta:
- description = "VT Research QA uploaded malware - file update_.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "VT Research QA"
- date = "2016-08-29"
- score = 80
- hash1 = "3b3392bc730ded1f97c51e23611740ff8b218abf0a1100903de07819eeb449aa"
- id = "8f319277-1eaf-559e-87ad-f4ab89b04ca5"
- strings:
- $s1 = "test.exe" fullword ascii
- $s2 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGP" fullword ascii
- condition:
- uint16(0) == 0x5a4d and filesize < 1000KB and all of them and filename == "update.exe"
-}
-
-
-/* These only work with external variable "filename" ------------------------ */
-/* as used in LOKI, THOR, SPARK --------------------------------------------- */
-
-rule SysInterals_PipeList_NameChanged {
- meta:
- description = "Detects NirSoft PipeList"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://goo.gl/Mr6M2J"
- date = "2016-06-04"
- score = 90
- hash1 = "83f0352c14fa62ae159ab532d85a2b481900fed50d32cc757aa3f4ccf6a13bee"
- id = "01afcf29-a74c-5be2-8b24-694a2802ef34"
- strings:
- $s1 = "PipeList" ascii fullword
- $s2 = "Sysinternals License" ascii fullword
- condition:
- uint16(0) == 0x5a4d and filesize < 170KB and all of them
- and not filename contains "pipelist.exe"
- and not filename contains "PipeList.exe"
-}
-
-/*
- Yara Rule Set
- Author: Florian Roth
- Date: 2016-04-26
- Identifier: regsvr32 issue
-*/
-
-/* Rule Set ----------------------------------------------------------------- */
-
-rule SCT_Scriptlet_in_Temp_Inet_Files {
- meta:
- description = "Detects a scriptlet file in the temporary Internet files (see regsvr32 AppLocker bypass)"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "http://goo.gl/KAB8Jw"
- date = "2016-04-26"
- id = "8b729257-3676-59b2-961c-dae1085cbbf6"
- strings:
- $s1 = "" fullword ascii nocase
- $s2 = "ActiveXObject(\"WScript.Shell\")" ascii
- condition:
- ( uint32(0) == 0x4D583F3C or uint32(0) == 0x6D78F3C ) /* 50000KB and not filename matches /WER/
-}
-
-rule lsadump {
- meta:
- description = "LSA dump programe (bootkey/syskey) - pwdump and others"
- author = "Benjamin DELPY (gentilkiwi)"
- score = 80
- nodeepdive = 1
- id = "3bfa8dd8-720d-5326-ac92-0fb96cf21219"
- strings:
- $str_sam_inc = "\\Domains\\Account" ascii nocase
- $str_sam_exc = "\\Domains\\Account\\Users\\Names\\" ascii nocase
- $hex_api_call = {(41 b8 | 68) 00 00 00 02 [0-64] (68 | ba) ff 07 0f 00 }
- $str_msv_lsa = { 4c 53 41 53 52 56 2e 44 4c 4c 00 [0-32] 6d 73 76 31 5f 30 2e 64 6c 6c 00 }
- $hex_bkey = { 4b 53 53 4d [20-70] 05 00 01 00}
-
- $fp1 = "Sysinternals" ascii
- $fp2 = "Apple Inc." ascii wide
- $fp3 = "Kaspersky Lab" ascii fullword
- $fp4 = "ESET Security" ascii
- $fp5 = "Disaster Recovery Module" wide
- $fp6 = "Bitdefender" wide fullword
- condition:
- uint16(0) == 0x5a4d and
- (($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey )
- and not 1 of ($fp*)
- and not filename contains "Regdat"
- and not filetype == "EXE"
- and not filepath contains "Dr Watson"
- and not extension == "vbs"
-}
-
-rule SUSP_ServU_SSH_Error_Pattern_Jul21_1 {
- meta:
- description = "Detects suspicious SSH component exceptions that could be an indicator of exploitation attempts as described in advisory addressing CVE-2021-35211 in ServU services"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211#FAQ"
- date = "2021-07-12"
- score = 60
- id = "1a89f0b0-445c-5867-94cd-f07ba1becad6"
- strings:
- $s1 = "EXCEPTION: C0000005;" ascii
- $s2 = "CSUSSHSocket::ProcessReceive();" ascii
- condition:
- filename == "DebugSocketlog.txt"
- and all of ($s*)
-}
-
-rule SUSP_ServU_Known_Mal_IP_Jul21_1 {
- meta:
- description = "Detects suspicious IP addresses used in exploitation of ServU services CVE-2021-35211 and reported by Solarwinds"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211#FAQ"
- date = "2021-07-12"
- score = 60
- id = "118272a7-7ec9-568b-99e0-8cfe97f3f64e"
- strings:
- $xip1 = "98.176.196.89" ascii fullword
- $xip2 = "68.235.178.32" ascii fullword
- $xip3 = "208.113.35.58" ascii fullword
- $xip4 = "144.34.179.162" ascii fullword
- $xip5 = "97.77.97.58" ascii fullword
- condition:
- filename == "DebugSocketlog.txt"
- and 1 of them
-}
-
-rule SUSP_EXPL_Confluence_RCE_CVE_2021_26084_Indicators_Sep21 {
- meta:
- description = "Detects ELF binaries owner by the confluence user but outside usual confluence directories"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis"
- date = "2021-09-01"
- score = 55
- id = "395d37ea-1986-5fdd-b58c-562ae0d8be35"
- condition:
- uint32be(0) == 0x7f454c46 /* ELF binary */
- and owner == "confluence"
- and not filepath contains "/confluence/"
-}
-
-rule SUSP_Blocked_Download_Proxy_Replacement_Jan23_1 {
- meta:
- description = "Detects a file that has been replaced with a note by a security solution like an Antivirus or a filtering proxy server"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://www.virustotal.com/gui/search/filename%253A*.exe%2520tag%253Ahtml%2520size%253A10kb-%2520size%253A2kb%252B/files"
- date = "2023-01-28"
- score = 60
- id = "58bc8288-6bdb-57d5-9de5-a54a39584838"
- strings:
- $x01 = "Web Filter Violation"
- $x02 = "Google Drive can't scan this file for viruses."
- $x03 = " target=\"_blank\">Cloudflare "
- $x05 = "-- Sophos Warn FileType Page -->"
- $x06 = "Certain Sophos products may not be exported for use by government end-users" // accept EULA
- $x07 = "
Bitly displays this warning when a link has been flagged as suspect. There are many"
- $x08 = "Something went wrong. Don't worry, your files are still safe and the Dropbox team has been notified."
- $x09 = "
sinkhole
"
- $x10 = "The requested short link is blocked by website administration due to violation of the website policy terms."
- $x11 = " Malwarebytes"
- $x13 = "Blocked by VIPRE "
- $x14 = "Your request appears to be from an automated process "
- $x15 = "Advanced Security blocked access to"
- $x16 = "
Suspected phishing site | Cloudflare "
- $x17 = ">This link has been flagged "
- $x18 = "Trend Micro Apex One "
- $x19 = "Hitachi ID Identity and Access Management Suite"
- $x20 = ">http://www.fortinet.com/ve?vn="
- $x21 = "access to URL with fixed IP not allowed" // FritzBox
- $x23 = "Web Page Blocked "
- $x24 = "Malicious Website Blocked "
- $x25 = "STOPzilla has detected"
- $x26 = ">Seqrite Endpoint Security"
- $x27 = "K7 Safe Surf "
- $x28 = "Blocked by VIPRE "
-
- $g01 = "blocked access" fullword
- $g02 = "policy violation" fullword
- $g03 = "violation of "
- $g04 = "blocked by" fullword
- $g05 = "Blocked by" fullword
- $g07 = "Suspected Phishing"
- $g08 = "ile quarantined"
- $g09 = " is infected "
- $g10 = "Blocked"
- $g11 = "site blocked" fullword
- $g12 = "Site Blocked" fullword
- $g13 = "blocked for" fullword
- $g14 = "is blocked" fullword
- $g15 = "potentially harmful"
- $g16 = "Page Blocked" fullword
- $g17 = "page blocked" fullword
- condition:
- extension == ".exe" and not uint16(0) == 0x5a4d and 1 of them
- or (
- extension == ".rar" or
- extension == ".ps1" or
- extension == ".vbs" or
- extension == ".bat"
- )
- and 1 of ($x*)
-}
-
-/* too many FPs
-rule APT_MAL_RU_WIN_Snake_Malware_PeIconSizes_May23_1 {
- meta:
- description = "Detects Comadmin file that houses Snake's kernel driver and the driver's loader"
- author = "CSA"
- reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
- date = "2023-05-10"
- score = 75
- condition:
- uint16(0) == 0x5a4d
- and (
- filename == "WerFault.exe"
- or filename == "werfault.exe"
- )
- and filepath contains "\\WinSxS\\"
- and for any rsrc in pe.resources: (
- rsrc.type == pe.RESOURCE_TYPE_ICON and rsrc.length == 3240
- )
- and for any rsrc in pe.resources: (
- rsrc.type == pe.RESOURCE_TYPE_ICON and rsrc.length == 1384
- )
- and for any rsrc in pe.resources: (
- rsrc.type == pe.RESOURCE_TYPE_ICON and rsrc.length == 7336
- )
-}
-*/
-
-rule APT_MAL_RU_Snake_Malware_Queue_File_May23_1 {
- meta:
- description = "Detects Queue files used by Snake malware"
- author = "Florian Roth"
- reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
- date = "2023-05-10"
- score = 80
- id = "c7ed554e-b55e-5c3f-aa8b-231cb1073f34"
- condition:
- filename matches /(\{[0-9A-Fa-f]{8}\-([0-9A-Fa-f]{4}\-){3}[0-9A-Fa-f]{12}\}\.){2}crmlog/
- /* and filepath contains "\\Registration\\" // not needed - already specific enough */
- // we reduce the range for the entropy calculation to the first 1024 for performance
- // reasons. In a fully encrypted file - as used by Snake - this should already be specific enough
- //and math.entropy(0, filesize) >= 7.0
- and math.entropy(0, 1024) >= 7.0
-}
-
-
-rule SUSP_Password_XLS_Unencrypted {
- meta:
- description = "Detects files named e.g. password.xls, which might contain unportected clear text passwords"
- author = "Arnim Rupp (https://github.com/ruppde)"
- reference = "Internal Research"
- date = "2023-10-04"
- score = 60
- id = "41096ef1-dd02-5956-9053-3d7fb1a5092c"
- condition:
- // match password and the german passwort:
- (
- filename istartswith "passwor" or /* EN / DE */
- filename istartswith "contrase" or /* ES */
- filename istartswith "mot de pass" or /* FR */
- filename istartswith "mot_de_pass" or /* FR */
- filename istartswith "motdepass" or /* FR */
- filename istartswith "wachtwoord" /* NL */
- )
- and (
- // no need to check if an xls is password protected, because it's trivial to break
- (
- filename iendswith ".xls"
- and uint32be(0) == 0xd0cf11e0 // xls
- )
- or
- (
- filename iendswith ".xlsx"
- and uint32be(0) == 0x504b0304 // unencrypted xlsx = pkzip
- )
- )
-}
-
-rule SUSP_Password_XLS_Encrypted {
- meta:
- description = "Detects files named e.g. password.xlsx, which might contain clear text passwords, but are password protected from MS Office"
- author = "Arnim Rupp (https://github.com/ruppde)"
- reference = "Internal Research"
- date = "2023-10-04"
- score = 50
- id = "d3334923-3396-524d-9111-8ccb754ab99e"
- condition:
- // match password and the german passwort:
- (
- filename istartswith "passwor" or /* EN / DE */
- filename istartswith "contrase" or /* ES */
- filename istartswith "mot de pass" or /* FR */
- filename istartswith "mot_de_pass" or /* FR */
- filename istartswith "motdepass" or /* FR */
- filename istartswith "wachtwoord" /* NL */
- )
- and filename iendswith ".xlsx"
- and uint32be(0) == 0xd0cf11e0 // encrypted xlsx = CDFV2
-}
diff --git a/yara-mikesxrs/Anomali Labs/Lazarus_wipe_file_routine.yar b/yara-mikesxrs/Anomali Labs/Lazarus_wipe_file_routine.yar
deleted file mode 100644
index 8c649f5..0000000
--- a/yara-mikesxrs/Anomali Labs/Lazarus_wipe_file_routine.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule AnomaliLABS_Lazarus_wipe_file_routine {
- meta:
- author = "aaron shelmire"
- date = "2015 May 26"
- desc = “Yara sig to detect File Wiping routine of the Lazarus group”
- reference = "https://blog.anomali.com/evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks"
- strings:
- $rand_name_routine = { 99 B9 1A 00 00 00 F7 F9 80 C2 61 88 16 8A 46 01 46 84 C0 }
- /* imports for overwrite function */
- $imp_getTick = "GetTickCount"
- $imp_srand = "srand"
- $imp_CreateFile = "CreateFileA"
- $imp_SetFilePointer = "SetFilePointer"
- $imp_WriteFile = "WriteFile"
- $imp_FlushFileBuffers = "FlushFileBuffers"
- $imp_GetFileSizeEx = "GetFileSizeEx"
- $imp_CloseHandle = "CloseHandle"
- /* imports for rename function */
- $imp_strrchr = "strrchr"
- $imp_rand = "rand"
- $Move_File = "MoveFileA"
- $Move_FileEx = "MoveFileEx"
- $imp_RemoveDir = "RemoveDirectoryA"
- $imp_DeleteFile = "DeleteFileA"
- $imp_GetLastError = "GetLastError"
-condition:
- $rand_name_routine and (11 of ($imp_*)) and ( 1 of ($Move_*))
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Anomali Labs/PyInstaller_Binary.yar b/yara-mikesxrs/Anomali Labs/PyInstaller_Binary.yar
deleted file mode 100644
index 9e5d2f9..0000000
--- a/yara-mikesxrs/Anomali Labs/PyInstaller_Binary.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule PyInstaller_Binary
- {
-meta:
- author = "Nicholas Albright, ThreatStream"
- desc = "Generic rule to identify PyInstaller Compiled Binaries"
- reference = "https://blog.anomali.com/crushing-python-malware"
-strings:
- $string0 = "zout00-PYZ.pyz"
- $string1 = "python"
- $string2 = "Python DLL"
- $string3 = "Py_OptimizeFlag"
- $string4 = "pyi_carchive"
- $string5 = ".manifest"
-condition:
- all of them // and new_file
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Brian Carter -carterb/archives_w_chinapic.yar b/yara-mikesxrs/Brian Carter -carterb/archives_w_chinapic.yar
deleted file mode 100644
index 77b4084..0000000
--- a/yara-mikesxrs/Brian Carter -carterb/archives_w_chinapic.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule chinapic_zip
-
-{
-
- meta:
- description = "Find zip archives of pony panels that have china.jpg"
- author = "Brian Carter"
- last_modified = "March 31, 2017"
-
- strings:
- $txt1 = "china.jpg"
- $txt2 = "config.php"
- $magic = { 50 4b 03 04 }
-
- condition:
- $magic at 0 and all of ($txt*)
-
-}
diff --git a/yara-mikesxrs/Brian Carter -carterb/demuzacert.yar b/yara-mikesxrs/Brian Carter -carterb/demuzacert.yar
deleted file mode 100644
index 4f67618..0000000
--- a/yara-mikesxrs/Brian Carter -carterb/demuzacert.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule PotentiallyCompromisedCert
-
-{
- meta:
- description = "Search for PE files using cert issued to DEMUZA "
- author = "Brian Carter"
- last_modified = "July 21, 2017"
- sample = "7ef8f5e0ca92a0f3a5bd8cdc52236564"
- TLP = "WHITE"
-
- strings:
- $magic = { 50 4b 03 04 (14 | 0a) 00 }
-
- $txt1 = "demuza@yandex.ru" nocase
- $txt2 = "https://secure.comodo.net/CPS0C" nocase
- $txt3 = "COMODO CA Limited1"
-
- condition:
- $magic at 0 and all of ($txt*)
-}
diff --git a/yara-mikesxrs/Brian Carter -carterb/injector_panel_sqlite.yar b/yara-mikesxrs/Brian Carter -carterb/injector_panel_sqlite.yar
deleted file mode 100644
index 3cbfe55..0000000
--- a/yara-mikesxrs/Brian Carter -carterb/injector_panel_sqlite.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule INJECTOR_PANEL_SQLITE
-
-{
- meta:
- description = "Find sqlite dbs used with tables inject panel"
- author = "Brian Carter"
- last_modified = "August 14, 2017"
-
- strings:
- $magic = { 53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33 00 }
- $txt1 = "CREATE TABLE Settings"
- $txt2 = "CREATE TABLE Jabber"
- $txt3 = "CREATE TABLE Users"
- $txt4 = "CREATE TABLE Log"
- $txt5 = "CREATE TABLE Fakes"
- $txt6 = "CREATE TABLE ATS_links"
-
- condition:
- $magic at 0 and all of ($txt*)
-
-}
diff --git a/yara-mikesxrs/Brian Carter -carterb/mal_pdf.yar b/yara-mikesxrs/Brian Carter -carterb/mal_pdf.yar
deleted file mode 100644
index ed82015..0000000
--- a/yara-mikesxrs/Brian Carter -carterb/mal_pdf.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule PDF_EMBEDDED_DOCM
-
-{
- meta:
- description = "Find pdf files that have an embedded docm with openaction"
- author = "Brian Carter"
- last_modified = "May 11, 2017"
-
- strings:
- $magic = { 25 50 44 46 2d }
-
- $txt1 = "EmbeddedFile"
- $txt2 = "docm)"
- $txt3 = "JavaScript" nocase
-
- condition:
- $magic at 0 and all of ($txt*)
-
-}
diff --git a/yara-mikesxrs/Brian Carter -carterb/panelzips.yar b/yara-mikesxrs/Brian Carter -carterb/panelzips.yar
deleted file mode 100644
index 42da6a9..0000000
--- a/yara-mikesxrs/Brian Carter -carterb/panelzips.yar
+++ /dev/null
@@ -1,128 +0,0 @@
-rule chinapic_zip
-
-{
-
- meta:
- description = "Find zip archives of pony panels that have china.jpg"
- author = "Brian Carter"
- last_modified = "March 31, 2017"
-
- strings:
- $txt1 = "china.jpg"
- $txt2 = "config.php"
- $txt3 = "setup.php"
- $magic = { 50 4b 03 04 }
-
- condition:
- $magic at 0 and all of ($txt*)
-
-}
-
-rule diamondfox_zip
-
-{
-
- meta:
- description = "Find zip archives of panels"
- author = "Brian Carter"
- last_modified = "March 31, 2017"
-
- strings:
- $txt1 = "gate.php"
- $txt2 = "install.php"
- $txt3 = "post.php"
- $txt4 = "plugins"
- $txt5 = "statistics.php"
- $magic = { 50 4b 03 04 }
- $not1 = "joomla" nocase
-
- condition:
- $magic at 0 and all of ($txt*) and not any of ($not*)
-
-}
-
-rule keybase_zip
-
-{
-
- meta:
- description = "Find zip archives of panels"
- author = "Brian Carter"
- last_modified = "March 31, 2017"
-
- strings:
- $txt1 = "clipboard.php"
- $txt2 = "config.php"
- $txt3 = "create.php"
- $txt4 = "login.php"
- $txt5 = "screenshots.php"
- $magic = { 50 4b 03 04 }
-
- condition:
- $magic at 0 and all of ($txt*)
-
-}
-
-rule zeus_zip
-
-{
-
- meta:
- description = "Find zip archives of panels"
- author = "Brian Carter"
- last_modified = "April 19, 2017"
-
- strings:
- $txt1 = "cp.php"
- $txt2 = "gate.php"
- $txt3 = "botnet_bots.php"
- $txt4 = "botnet_scripts.php"
- $magic = { 50 4b 03 04 }
-
- condition:
- $magic at 0 and all of ($txt*)
-
-}
-
-rule atmos_zip
-
-{
-
- meta:
- description = "Find zip archives of panels"
- author = "Brian Carter"
- last_modified = "April 27, 2017"
-
- strings:
- $txt1 = "cp.php"
- $txt2 = "gate.php"
- $txt3 = "api.php"
- $txt4 = "file.php"
- $txt5 = "ts.php"
- $txt6 = "index.php"
- $magic = { 50 4b 03 04 }
-
- condition:
- $magic at 0 and all of ($txt*)
-
-}
-
-rule new_pony_panel
-
-{
-
- meta:
- description = "New Pony Zips"
-
- strings:
- $txt1 = "includes/design/images/"
- $txt2 = "includes/design/style.css"
- $txt3 = "admin.php"
- $txt4 = "includes/design/images/user.png"
- $txt5 = "includes/design/images/main_bg.gif"
- $magic = { 50 4b 03 04 }
-
- condition:
- $magic at 0 and all of ($txt*)
-
-}
diff --git a/yara-mikesxrs/Brian Carter -carterb/pony_config.yar b/yara-mikesxrs/Brian Carter -carterb/pony_config.yar
deleted file mode 100644
index b1fb013..0000000
--- a/yara-mikesxrs/Brian Carter -carterb/pony_config.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule config_php
-
-{
- meta:
- description = "Find config.php files that have details for the db"
- author = "Brian Carter"
- last_modified = "March 31, 2017"
-
- strings:
- $txt1 = "$mysql_host ="
- $txt2 = "$mysql_user ="
- $txt3 = "mysql_pass ="
- $txt4 = "mysql_database ="
- $txt5 = "global_filter_list"
- $txt6 = "white-list"
- $php1 = " 5
- and new_file
-
-}
diff --git a/yara-mikesxrs/CISA/CADDYWIPER.yar b/yara-mikesxrs/CISA/CADDYWIPER.yar
deleted file mode 100644
index 7975b99..0000000
--- a/yara-mikesxrs/CISA/CADDYWIPER.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule CISA_10376640_04 : trojan wiper CADDYWIPER
-{
- meta:
- Author = "CISA Code & Media Analysis"
- Incident = "10376640"
- Date = "2022-03-23"
- Last_Modified = "20220324_1700"
- Actor = "n/a"
- Category = "Trojan Wiper"
- Family = "CADDYWIPER"
- Description = "Detects Caddy wiper samples"
- Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-115c"
- MD5_1 = "42e52b8daf63e6e26c3aa91e7e971492"
- SHA256_1 = "a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea"
- strings:
- $s0 = { 44 73 52 6F 6C 65 47 65 74 50 72 69 6D 61 72 79 44 6F 6D 61 69 6E }
- $s1 = { 50 C6 45 A1 00 C6 45 A2 48 C6 45 A3 00 C6 45 A4 59 C6 }
- $s2 = { C6 45 A6 53 C6 45 A7 00 C6 45 A8 49 C6 }
- $s3 = { C6 45 B0 44 C6 45 B1 00 C6 45 B2 52 }
- $s4 = { C6 45 B8 45 C6 45 B9 00 C6 45 BA 39 }
- $s5 = { C6 45 AC 43 C6 45 AD 3A C6 45 AE 5C C6 45 AF }
- $s6 = { 55 C6 45 B0 73 C6 45 B1 65 C6 45 B2 72 C6 45 B3 }
- $s7 = { C6 45 E0 44 C6 45 E1 3A C6 45 E2 5C C6 45 E3 }
- $s8 = { 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
- condition:
- all of them
-}
diff --git a/yara-mikesxrs/CISA/HAFIUM_webshell_CVE_2021_27065.yar b/yara-mikesxrs/CISA/HAFIUM_webshell_CVE_2021_27065.yar
deleted file mode 100644
index 0849b4b..0000000
--- a/yara-mikesxrs/CISA/HAFIUM_webshell_CVE_2021_27065.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule CISA_10328929_01 : trojan webshell exploit CVE_2021_27065
-{
- meta:
- Author = "CISA Code & Media Analysis"
- Incident = "10328929"
- Date = "2021-03-17"
- Last_Modified = "20210317_2200"
- Actor = "n/a"
- Category = "Trojan WebShell Exploit CVE-2021-27065"
- Family = "HAFNIUM"
- Description = "Detects CVE-2021-27065 Webshellz"
- Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-084b"
- MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"
- SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
- strings:
- $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }
- $s1 = { 65 76 61 6C 28 }
- $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }
- $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
- $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
- condition:
- $s0 or ($s1 and $s2) or ($s3 and $s4)
-}
diff --git a/yara-mikesxrs/CISA/HAFNIUM_CVE_2021_27065_Exchange_OAB_VD_MOD.yar b/yara-mikesxrs/CISA/HAFNIUM_CVE_2021_27065_Exchange_OAB_VD_MOD.yar
deleted file mode 100644
index 9e3c7a6..0000000
--- a/yara-mikesxrs/CISA/HAFNIUM_CVE_2021_27065_Exchange_OAB_VD_MOD.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule CISA_10328929_02 : trojan webshell exploit CVE_2021_27065
-{
- meta:
- Author = "CISA Code & Media Analysis"
- Incident = "10328929"
- Date = "2021-03-17"
- Last_Modified = "20210317_2200"
- Actor = "n/a"
- Category = "Trojan WebShell Exploit CVE-2021-27065"
- Family = "HAFNIUM"
- Description = "Detects CVE-2021-27065 Exchange OAB VD MOD"
- Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-084b"
- MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"
- SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
- strings:
- $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }
- $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }
- $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }
- condition:
- $s0 and $s1 and $s2
-}
diff --git a/yara-mikesxrs/CISA/HERMETICWIZARD.yar b/yara-mikesxrs/CISA/HERMETICWIZARD.yar
deleted file mode 100644
index 9648940..0000000
--- a/yara-mikesxrs/CISA/HERMETICWIZARD.yar
+++ /dev/null
@@ -1,34 +0,0 @@
-rule CISA_10376640_02 : trojan wiper worm HERMETICWIZARD
-{
- meta:
- Author = "CISA Code & Media Analysis"
- Incident = "10376640"
- Date = "2022-03-12"
- Last_Modified = "20220413_1300"
- Actor = "n/a"
- Category = "Trojan Wiper Worm"
- Family = "HERMETICWIZARD"
- Description = "Detects Hermetic Wizard samples"
- Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-115b"
- MD5_1 = "0959bf541d52b6e2915420442bf44ce8"
- SHA256_1 = "5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48"
- strings:
- $s0 = { 70 00 69 00 70 00 65 00 5C 00 25 00 73 }
- $s1 = { 6E 00 6D 00 61 00 6E 00 73 00 65 00 72 00 76 }
- $s2 = { 73 61 6D 72 }
- $s3 = { 62 72 6F 77 73 65 72 }
- $s4 = { 6E 65 74 6C 6F 67 6F 6E }
- $s5 = { 6C 73 61 72 70 63 }
- $s6 = { 6E 74 73 76 63 73 }
- $s7 = { 73 76 63 63 74 6C }
- $s8 = { 73 74 61 72 74 20 63 6D 64 20 2F 63 20 22 70 69 6E 67 20 6C 6F 63 61 6C 68 6F 73 74 }
- $s9 = { 67 00 75 00 65 00 73 00 74 }
- $s10 = { 74 00 65 00 73 00 74 }
- $s11 = { 75 00 73 00 65 00 72 }
- $s12 = { 61 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F }
- $s13 = { 51 00 61 00 7A 00 31 00 32 00 33 }
- $s14 = { 51 00 77 00 65 00 72 00 74 00 79 00 31 00 32 }
- $s15 = { 63 6D 64 20 2F 63 20 73 74 61 72 74 20 72 65 67 }
- condition:
- all of them
-}
diff --git a/yara-mikesxrs/CISA/HERMETICWIZARD_WORM.yar b/yara-mikesxrs/CISA/HERMETICWIZARD_WORM.yar
deleted file mode 100644
index 734e854..0000000
--- a/yara-mikesxrs/CISA/HERMETICWIZARD_WORM.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule CISA_10376640_03 : trojan wiper worm HERMETICWIZARD
-{
- meta:
- Author = "CISA Code & Media Analysis"
- Incident = "10376640"
- Date = "2022-03-13"
- Last_Modified = "20220413_1300"
- Actor = "n/a"
- Category = "Trojan Wiper Worm"
- Family = "HERMETICWIZARD"
- Description = "Detects Hermetic Wizard samples"
- Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-115b"
- MD5_1 = "58d71fff346017cf8311120c69c9946a"
- SHA256_1 = "2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b"
- strings:
- $s0 = { 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
- $s1 = { 5C 00 5C 00 25 00 73 00 5C 00 70 00 69 00 70 00 65 00 5C 00 25 00 73 }
- $s2 = { 64 00 6C 00 6C 00 00 00 2D 00 69 }
- $s3 = { 2D 00 68 00 00 00 00 00 2D 00 73 }
- $s4 = { 2D 00 63 00 00 00 00 00 2D 00 61 }
- $s5 = { 43 6F 6D 6D 61 6E 64 4C 69 6E 65 54 6F 41 72 67 76 57 }
- condition:
- all of them
-}
diff --git a/yara-mikesxrs/CISA/HERMETICWIZARD_WORM_CODE.yar b/yara-mikesxrs/CISA/HERMETICWIZARD_WORM_CODE.yar
deleted file mode 100644
index 4858849..0000000
--- a/yara-mikesxrs/CISA/HERMETICWIZARD_WORM_CODE.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule CISA_10376640_05 : trojan wiper worm HERMETICWIZARD
-{
- meta:
- Author = "CISA Code & Media Analysis"
- Incident = "10376640"
- Date = "2022-04-14"
- Last_Modified = "20220414_1037"
- Actor = "n/a"
- Category = "Trojan Wiper Worm"
- Family = "HERMETICWIZARD"
- Description = "Detects Hermetic Wizard samples"
- Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-115b"
- MD5_1 = "517d2b385b846d6ea13b75b8adceb061"
- SHA256 = "a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec"
- strings:
- $s0 = { 57 69 7A 61 72 64 2E 64 6C 6C }
- $s1 = { 69 6E 66 6C 61 74 65 }
- $s2 = { 4D 61 72 6B 20 41 64 6C 65 72 }
- condition:
- all of them and filesize < 2000KB
-}
diff --git a/yara-mikesxrs/CISA/ISAACWIPER.yar b/yara-mikesxrs/CISA/ISAACWIPER.yar
deleted file mode 100644
index f8571f9..0000000
--- a/yara-mikesxrs/CISA/ISAACWIPER.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-ule CISA_10376640_01 : trojan wiper ISAACWIPER
-{
- meta:
- Author = "CISA Code & Media Analysis"
- Incident = "10376640"
- Date = "2022-03-14"
- Last_Modified = "20220418_1900"
- Actor = "n/a"
- Category = "Trojan Wiper"
- Family = "ISAACWIPER"
- Description = "Detects ISACC Wiper samples"
- MD5_1 = "aa98b92e3320af7a1639de1bac6c17cc"
- SHA256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f"
- MD5_2 = "8061889aaebd955ba6fb493abe7a4de1"
- SHA256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a"
- MD5_3 = "ecce8845921a91854ab34bff2623151e"
- SHA256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
- strings:
- $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6E 00 67 }
- $s1 = { 6C 00 6F 00 67 00 69 00 63 00 61 00 6C }
- $s2 = { 46 00 41 00 49 00 4C 00 45 00 44 }
- $s3 = { 5C 00 6C 00 6F 00 67 00 2E 00 74 00 78 00 74 }
- $s4 = { 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
- $s5 = {53 74 61 72 74 40 34}
- $s6 = {3B 57 34 74 2D 6A}
- $s7 = {43 6C 65 61 6E 65 72 2E}
- condition:
- all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7)
-}
diff --git a/yara-mikesxrs/CISA/ISAACWIPER_BYTES.yar b/yara-mikesxrs/CISA/ISAACWIPER_BYTES.yar
deleted file mode 100644
index 83036ad..0000000
--- a/yara-mikesxrs/CISA/ISAACWIPER_BYTES.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-rule CISA_10376640_01 : trojan wiper ISAACWIPER
-{
- meta:
- Author = "CISA Code & Media Analysis"
- Incident = "10376640"
- Date = "2022-03-14"
- Last_Modified = "20220418_1900"
- Actor = "n/a"
- Category = "Trojan Wiper"
- Family = "ISAACWIPER"
- Description = "Detects ISACC Wiper samples"
- Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-115b"
- MD5_1 = "aa98b92e3320af7a1639de1bac6c17cc"
- SHA256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f"
- MD5_2 = "8061889aaebd955ba6fb493abe7a4de1"
- SHA256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a"
- MD5_3 = "ecce8845921a91854ab34bff2623151e"
- SHA256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
- strings:
- $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6E 00 67 }
- $s1 = { 6C 00 6F 00 67 00 69 00 63 00 61 00 6C }
- $s2 = { 46 00 41 00 49 00 4C 00 45 00 44 }
- $s3 = { 5C 00 6C 00 6F 00 67 00 2E 00 74 00 78 00 74 }
- $s4 = { 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
- $s5 = {53 74 61 72 74 40 34}
- $s6 = {3B 57 34 74 2D 6A}
- $s7 = {43 6C 65 61 6E 65 72 2E}
- condition:
- all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7)
-}
diff --git a/yara-mikesxrs/Checkpoint/ElMachete_doc.yar b/yara-mikesxrs/Checkpoint/ElMachete_doc.yar
deleted file mode 100644
index 0b2d5f4..0000000
--- a/yara-mikesxrs/Checkpoint/ElMachete_doc.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-rule ElMachete_doc
-{
- meta:
- author = "CPR"
- reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
- hash1 = "8E1360CC27E95FC47924D9BA3EF84CB8FA9E142CFD16E1503C5277D0C16AE241"
- strings:
- $s1 = "You want to continue with the Document" ascii
- $s2 = "certutil -decode" ascii
- $s3 = /C:\\ProgramData\\.{1,20}\.txt/
- $s4 = /C:\\ProgramData\\.{1,20}\.vbe/
- condition:
- uint16be(0) == 0xD0CF and 2 of ($s*)
-}
diff --git a/yara-mikesxrs/Checkpoint/ElMachete_msi.yar b/yara-mikesxrs/Checkpoint/ElMachete_msi.yar
deleted file mode 100644
index e99d561..0000000
--- a/yara-mikesxrs/Checkpoint/ElMachete_msi.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule ElMachete_msi
-{
- meta:
- author = "CPR"
- reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
- hash1 = "ED09DA9D48AFE918F9C7F72FE4466167E2F127A28A7641BA80D6165E82F48431"
- strings:
- $s1 = "MSI Wrapper (8.0.26.0)"
- $s2 = "Windows Installer XML Toolset (3.11.0.1701)"
- $s3 = "\\Lib\\site-packages\\PIL\\"
- $s4 = "\\Lib\\site-packages\\pyHook\\"
- $s5 = "\\Lib\\site-packages\\requests\\"
- $s6 = "\\Lib\\site-packages\\win32com\\"
- $s7 = "\\Lib\\site-packages\\Crypto\\"
- condition:
- 4 of them
-}
diff --git a/yara-mikesxrs/Checkpoint/Gozi_JJ_struct.yar b/yara-mikesxrs/Checkpoint/Gozi_JJ_struct.yar
deleted file mode 100644
index a9cf611..0000000
--- a/yara-mikesxrs/Checkpoint/Gozi_JJ_struct.yar
+++ /dev/null
@@ -1,11 +0,0 @@
-rule Gozi_JJ_struct: trojan {
- meta:
- module = "Gozi_JJ_struct"
- reference = "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/"
- strings:
- $jj = "JJ" ascii
- $pe_file = "This program cannot be run in DOS mode" ascii
- $bss = ".bss" ascii
- condition:
- #jj >= 2 and (for all i in (1,2) : (@jj[i] < 0x400 and @jj[i] > 0x200)) and (@jj[2] - @jj[1] == 0x14) and ($pe_file in (0..1000)) and ($bss in (0..1000))
-}
diff --git a/yara-mikesxrs/Checkpoint/Russia_Detector_rules.yar b/yara-mikesxrs/Checkpoint/Russia_Detector_rules.yar
deleted file mode 100644
index 46bdbb5..0000000
--- a/yara-mikesxrs/Checkpoint/Russia_Detector_rules.yar
+++ /dev/null
@@ -1,7777 +0,0 @@
-*/
-https://research.checkpoint.com/2019/russianaptecosystem/
-*/
-
-import "hash"
-
-private global rule MZOnly {
- strings:
- $mz = "MZ"
- condition:
- $mz at 0
-}
-
-private global rule FileSize {
- condition:
- filesize < 1MB
-}
-rule Karagany {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 89 ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? 8D ?? ?? 68 ?? ?? ?? ?? 6A ?? 8D ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_1 = { 5? 89 ?? 83 ?? ?? 60 8B ?? ?? 29 ?? 66 ?? ?? ?? 89 ?? ?? 83 ?? ?? 8B ?? ?? 89 ?? ?? 8D ?? ?? 8B ?? ?? BA ?? ?? ?? ?? F7 ?? 01 ?? 89 ?? ?? B8 ?? ?? ?? ?? 8B ?? ?? F7 ?? 03 ?? ?? 8B ?? ?? 29 ?? 89 ?? ?? 8B ?? ?? 8D ?? ?? 5? 6A ?? FF 7? ?? FF 7? ?? FF 5? ?? 85 ?? 74 }
- $block_2 = { 5? 89 ?? 83 ?? ?? B8 ?? ?? ?? ?? 60 C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? 8D ?? ?? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_3 = { 5? 89 ?? 83 ?? ?? 60 8B ?? ?? 29 ?? 66 ?? ?? ?? 89 ?? ?? 83 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8D ?? ?? 8B ?? ?? 5? 6A ?? 5? FF 7? ?? FF 5? ?? 85 ?? 74 }
- $block_4 = { 5? 89 ?? 83 ?? ?? 60 8B ?? ?? 8B ?? ?? 01 ?? 83 ?? ?? 83 ?? ?? 8D ?? ?? 83 ?? ?? 8B ?? 01 ?? 89 ?? ?? 8D ?? ?? 85 ?? 74 }
- $block_5 = { 8D ?? ?? 83 ?? ?? 8B ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 5? ?? 85 ?? 0F 84 }
- $block_6 = { 5? 89 ?? 83 ?? ?? 60 8B ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? 74 }
- $block_7 = { 5? 89 ?? 60 8B ?? ?? 8B ?? 83 ?? ?? 8B ?? ?? 83 ?? ?? 29 }
- $block_8 = { 5? 89 ?? 83 ?? ?? 60 8B ?? ?? 66 ?? ?? 66 ?? ?? ?? 75 }
- $block_9 = { 8B ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? 8D ?? ?? 85 ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "fcf7bfe68ff302869475b73e4c605a099ed2e1074e79c7b3acb2a451cd2ea915" or
- hash.sha256(0, filesize) == "568e05c51259597cf79b633a041ad090588846b95c85f19a847d731c90a11122" or
- hash.sha256(0, filesize) == "28143c7638f22342bff8edcd0bedd708e265948a5fcca750c302e2dca95ed9f0" or
- 10 of them
-}
-
-rule Havex {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? 03 ?? 0F AF ?? 5? 5? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 72 }
- $block_1 = { 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8A ?? 5? F6 ?? 5? 1A ?? 8D ?? ?? FE ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_2 = { 8D ?? ?? C6 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? 4? 83 ?? ?? 3B ?? 0F 82 }
- $block_3 = { 8D ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 0F B7 ?? 5? E8 ?? ?? ?? ?? 5? 84 ?? 75 }
- $block_4 = { 6A ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 6A ?? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_5 = { 07 E8 ?? ?? ?? ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 5? 3B ?? 74 }
- $block_6 = { 8D ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 8B ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? EB }
- $block_7 = { 8B ?? ?? 03 ?? 0F AF ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 72 }
- $block_8 = { 8B ?? ?? 33 ?? 66 ?? ?? ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? C1 ?? ?? 0B ?? FF 0? ?? 4? 79 }
- $block_9 = { 66 ?? ?? 66 ?? ?? ?? 66 ?? 33 ?? 4? 5? 0F B7 ?? 8B ?? 66 ?? ?? 0F B7 ?? 4? 83 ?? ?? 7D }
- $block_10 = { 5? 8D ?? ?? ?? 5? E8 ?? ?? ?? ?? 33 ?? 89 ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_11 = { 8B ?? ?? 8D ?? ?? 8B ?? 2B ?? D1 ?? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? 8B ?? 5? C9 C3 }
- $block_12 = { 80 B? ?? ?? ?? ?? ?? 8D ?? ?? 0F 94 ?? 0F B6 ?? 5? 5? E8 ?? ?? ?? ?? 33 ?? 8B ?? 4? EB }
- $block_13 = { 8B ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? 2B ?? 89 ?? ?? 89 ?? ?? 3B ?? 0F 83 }
- $block_14 = { 5? 8B ?? 0F B7 ?? ?? 83 ?? ?? 33 ?? 4? 5? 8B ?? 66 ?? ?? 0F B7 ?? 4? 83 ?? ?? 7D }
- $block_15 = { E8 ?? ?? ?? ?? 2B ?? ?? 8B ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? 0F 83 }
- $block_16 = { 33 ?? 6A ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 5? 89 ?? 8B }
- $block_17 = { 8D ?? ?? 83 ?? ?? ?? 5? 33 ?? 8B ?? AB AB AB AB 33 ?? 8D ?? ?? AB AB AB AB 5? }
- $block_18 = { 6A ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F B7 ?? 72 }
- $block_19 = { 8B ?? ?? BB ?? ?? ?? ?? BE ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_20 = { 8B ?? ?? 33 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? ?? ?? ?? 38 ?? ?? 0F 84 }
- $block_21 = { 8B ?? ?? 8D ?? ?? A5 A5 A5 A5 FF 1? ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? C3 }
- $block_22 = { 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? BB ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_23 = { 33 ?? 66 ?? ?? 0F B7 ?? ?? ?? 4? 5? 8B ?? 66 ?? ?? 0F B7 ?? 4? 83 ?? ?? 7D }
- $block_24 = { 6A ?? E8 ?? ?? ?? ?? CC 8B ?? ?? ?? 0F AF ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? C3 }
- $block_25 = { 8A ?? ?? 88 ?? ?? 8A ?? ?? 88 ?? ?? 8A ?? ?? 88 ?? ?? 8B ?? ?? 5? 5? C9 C3 }
- $block_26 = { E8 ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? FF 7? ?? 3B ?? 0F 83 }
- $block_27 = { 8D ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 0F B7 ?? 5? E8 ?? ?? ?? ?? 5? 84 ?? 74 }
- $block_28 = { 80 B? ?? ?? ?? ?? ?? 8D ?? ?? 0F 94 ?? 0F B6 ?? 5? 5? E8 ?? ?? ?? ?? EB }
- $block_29 = { 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_30 = { E8 ?? ?? ?? ?? 8B ?? 2B ?? ?? 6A ?? 99 5? F7 ?? FF 7? ?? 83 ?? ?? 0F 83 }
- $block_31 = { 66 ?? ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? 4? 83 ?? ?? 0F B7 ?? 0F 8C }
- $block_32 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_33 = { 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 84 }
- $block_34 = { FF 8? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? C1 ?? ?? 39 ?? ?? 0F 85 }
- $block_35 = { 5? FF B? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_36 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? A5 A5 A5 6A ?? A5 0F B6 ?? ?? 5? 2B ?? 5? }
- $block_37 = { 5? 8B ?? 83 ?? ?? 83 ?? ?? 8A ?? ?? 5? 5? 5? 89 ?? ?? ?? 84 ?? 0F 85 }
- $block_38 = { 8A ?? 88 ?? 8A ?? ?? 88 ?? ?? 8A ?? ?? 88 ?? ?? 8B ?? ?? 5? 5? C9 C3 }
- $block_39 = { 6A ?? 8B ?? E8 ?? ?? ?? ?? 0F B7 ?? 5? E8 ?? ?? ?? ?? 5? 84 ?? 74 }
- $block_40 = { 2B ?? ?? 8B ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? 0F 83 }
- $block_41 = { 0F BE ?? ?? ?? FF 7? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_42 = { 8B ?? ?? BE ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_43 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 3C ?? 0F 84 }
- $block_44 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_45 = { 8B ?? ?? 4? 4? 83 ?? ?? 89 ?? ?? 8A ?? ?? 8A ?? ?? 3A ?? 0F 85 }
- $block_46 = { 8A ?? ?? ?? ?? ?? 8D ?? ?? ?? 30 ?? 0F B6 ?? 4? 83 ?? ?? 72 }
- $block_47 = { 0F B6 ?? ?? 33 ?? 8A ?? ?? ?? ?? ?? 30 ?? 0F B6 ?? 4? 4? 75 }
- $block_48 = { 33 ?? 83 ?? ?? ?? 0F 95 ?? 4? 83 ?? ?? 83 ?? ?? 89 ?? ?? EB }
- $block_49 = { 8B ?? ?? 0F B6 ?? ?? 8D ?? ?? ?? ?? ?? ?? FF 0? 4? 3B ?? 7C }
- $block_50 = { 8B ?? ?? C1 ?? ?? ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_51 = { 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? FF 7? ?? 3B ?? 0F 83 }
- $block_52 = { 6A ?? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? 8A ?? ?? 84 ?? 0F 84 }
- $block_53 = { 8B ?? E8 ?? ?? ?? ?? 0F B7 ?? 0F B7 ?? 83 ?? ?? 3B ?? 7F }
- $block_54 = { 8A ?? ?? 88 ?? ?? 8A ?? ?? 88 ?? ?? 8B ?? ?? 5? 5? C9 C3 }
- $block_55 = { 8B ?? 2B ?? ?? 6A ?? 99 5? F7 ?? FF 7? ?? 83 ?? ?? 0F 83 }
- $block_56 = { BE ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_57 = { 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F 94 ?? 5? 5? 3C ?? 74 }
- $block_58 = { 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF D? 85 ?? 0F 84 }
- $block_59 = { FF 7? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_60 = { 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? 39 ?? ?? 0F 83 }
- $block_61 = { 0F B6 ?? 8B ?? ?? ?? ?? ?? C1 ?? ?? 4? 83 ?? ?? 7C }
- $block_62 = { 8B ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C9 C3 }
- $block_63 = { 8A ?? 88 ?? 8A ?? ?? 88 ?? ?? 8B ?? ?? 5? 5? C9 C3 }
- $block_64 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? 8B ?? 3B ?? 0F 84 }
- $block_65 = { 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 }
- $block_66 = { 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? 5? C9 C3 }
-
- condition:
- hash.sha256(0, filesize) == "e38aa99eff1f9fedd99cf541c3255e99f3276839a883cadb6e916649522729e3" or
- hash.sha256(0, filesize) == "e42badd8fb20f1bc72b1cec65c42a96ee60a4b52d19e8f5a7248afee03646ace" or
- hash.sha256(0, filesize) == "45abd87da6a584ab2a66a06b40d3c84650f2a33f5f55c5c2630263bc17ec4139" or
- hash.sha256(0, filesize) == "7e0dafedd01d09e66524f2345d652b29d3f634361c0a69e8d466dcbdfd0e3001" or
- hash.sha256(0, filesize) == "2c109406998723885cf04c3ced7af8010665236459d6fe610e678065994154d4" or
- hash.sha256(0, filesize) == "f65d767afd198039d044b17b96ebad54390549c6e18ead7e19e342d60b70a2c3" or
- hash.sha256(0, filesize) == "a2fe7a346b39a062c60c50167be7dd4f6a8175df054faa67bff33ec42b1072d9" or
- hash.sha256(0, filesize) == "269ea4b883de65f235a04441144519cf6cac80ef666eccf073eedd5f9319be0f" or
- hash.sha256(0, filesize) == "49c1c5e8a71f488a7b560c6751752363389f6272d8c310fee78307dc9dcd3ee2" or
- hash.sha256(0, filesize) == "59af70f71cdf933f117ab97d6f1c1bab82fd15dbe654ba1b27212d7bc20cec8c" or
- hash.sha256(0, filesize) == "0e34262813677090938983039ba9ff3ade0748a3aba25e28d19e2831c036b095" or
- hash.sha256(0, filesize) == "2f24c7ccbd7a9e830ed3f9b3b7be7856e0cc8c1580082433cbe9bf33c86193c6" or
- hash.sha256(0, filesize) == "b139829440aabe33071aa34604f739d70f9a0a3b06051f3190aabf839df2d408" or
- hash.sha256(0, filesize) == "0c20ffcdf2492ccad2e53777a0885c579811f91c05d076ff160684082681fe68" or
- hash.sha256(0, filesize) == "2221c2323fb6e30b9c10ee68d60b7d7be823911540bb115f75b2747d015e35f9" or
- hash.sha256(0, filesize) == "487eaf5cc52528b5f3bb27ba53afffb6d534068b364a41fc887b8c1e1485795a" or
- hash.sha256(0, filesize) == "4ff5f102f0f1284a189485fc4c387c977dd92f0bc6a30c4d837e864aed257129" or
- hash.sha256(0, filesize) == "022da314d1439f779364aba958d51b119ac5fda07aac8f5ced77146dbf40c8ac" or
- hash.sha256(0, filesize) == "6606dd9a5d5182280c12d009a03b8ed6179872fcb08be9aa16f098250cc5b7a7" or
- hash.sha256(0, filesize) == "646c94a0194ca70fbe68c444a0c9b444e195280f9a0d19f12393421311653552" or
- hash.sha256(0, filesize) == "ce99e5f64f2d1e58454f23b4c1de33d71ee0b9fcd52c9eb69569f1c420332235" or
- hash.sha256(0, filesize) == "e029db63346c513be42242e268559174f6b00d818e00d93c14bd443314f65fe5" or
- hash.sha256(0, filesize) == "69b555a37e919c3e6c24cfe183952cdb695255f9458b25d00d15e204d96c737b" or
- hash.sha256(0, filesize) == "fd689fcdcef0f1198b9c778b4d93adfbf6e80118733c94e61a450aeb701750b4" or
- hash.sha256(0, filesize) == "6122db2cdac0373cc8513c57786088a5548721d01e7674e78082774044e92980" or
- hash.sha256(0, filesize) == "2f593c22a8fd0de3bbb57d26320446a9c7eed755ae354957c260908c93d8cf79" or
- hash.sha256(0, filesize) == "1d768ebfbdf97ad5282e7f85da089e174b1db760f1cbdca1a815e8e6245f155a" or
- hash.sha256(0, filesize) == "b8514bff04e8f4e77430202db61ec5c206d3ec0f087a65ee72c9bb94a058b685" or
- hash.sha256(0, filesize) == "d755904743d48c31bdff791bfa440e79cfe1c3fc9458eb708cf8bb78f117dd07" or
- hash.sha256(0, filesize) == "bacac71fcc61db9b55234d1ccf45d5fffd9392c430cdd25ee7a5cea4b24c7128" or
- hash.sha256(0, filesize) == "ee53e509d0f2a3c888232f2232b603463b421b9c08fe7f44ed4eead0643135d3" or
- hash.sha256(0, filesize) == "2efd5355651db8e07613e74b1bf85b50273c1f3bce5e4edbedea0ccdff023754" or
- hash.sha256(0, filesize) == "439e5617d57360f76f24daed3fe0b59f20fc9dade3008fd482260ba58b739a23" or
- hash.sha256(0, filesize) == "c4e2e341689799281eaef47de75f59edceaba281398b41fe7616436f247ab93d" or
- hash.sha256(0, filesize) == "778568b44e13751800bf66c17606dfdfe35bebbb94c8e6e2a2549c7482c33f7a" or
- hash.sha256(0, filesize) == "85d3f636b515f0729c47f66e3fc0c9a0aacf3ec09c4acf8bf20a1411edcdc40a" or
- hash.sha256(0, filesize) == "56a1513bcf959d5df3ff01476ddb4b158ce533658ab7d8dd439324b16f193ac2" or
- hash.sha256(0, filesize) == "61969cd978cd2de3a13a10510d0dea5d0d3b212209804563ed3d42033a9d0f54" or
- hash.sha256(0, filesize) == "98bd5e8353bc9b70f8a52786365bcdb28bd3aef164d62c38dae8df33e04ac11a" or
- hash.sha256(0, filesize) == "2dc296eb532097ac1808df7a16f7740ef8771afda3ac339d144d710f9cefceb4" or
- hash.sha256(0, filesize) == "aafbf4bba99c47e7d05c951ad964ce09493db091ba5945e89df916c6fa95d101" or
- hash.sha256(0, filesize) == "a3a6f0dc5558eb93afa98434020a8642f7b29c41d35fa34809d6801d99d8c4f3" or
- hash.sha256(0, filesize) == "066346170856972f6769705bc6ff4ad21e88d2658b4cacea6f94564f1856ed18" or
- hash.sha256(0, filesize) == "6b2a438e0233fe8e7ba8774e2e5c59bf0b7c12679d52d6783a0010ecad11978c" or
- hash.sha256(0, filesize) == "31db22caf480c471205a7608545370c1b3c0c9be5285a9ef2264e856052b66b4" or
- hash.sha256(0, filesize) == "6296d95b49d795fa10ae6e9c4e4272ea4e1444105bddbf45b34ee067b2603b38" or
- hash.sha256(0, filesize) == "4cf75059f2655ca95b4eba11f1ce952d8e08bb4dbcb12905f6f37cf8145a538d" or
- hash.sha256(0, filesize) == "e73f8b394e51348ef3b6cea7c5e5ecc2ee06bb395c5ac30f6babb091080c1e74" or
- hash.sha256(0, filesize) == "9517a412633b8ebeac875a2da7fe119b72efad62859dc1719b84d561792a9033" or
- hash.sha256(0, filesize) == "d89a80a3fbb0a4a40157c6752bd978bc113b0c413e3f73eb922d4e424edeb8a7" or
- hash.sha256(0, filesize) == "da3c1a7b63a6a7cce0c9ef01cf95fd4a53ba913bab88a085c6b4b8e4ed40d916" or
- hash.sha256(0, filesize) == "d71da8a59f3e474c3bcd3f2f00fae0b235c4e01cd9f465180dd0ab19d6af5526" or
- hash.sha256(0, filesize) == "684ea2083f2f7099f0a611c81f26f30127ad297fcac8988cabb60fcf56979dfc" or
- hash.sha256(0, filesize) == "2c37e0504b98413e0308e44fd84f98e968f6f62399ea06bc38d3f314ee94b368" or
- hash.sha256(0, filesize) == "aef82593822a934b77b81ebc461c496c4610474727539b0b6e1499ca836f0dee" or
- hash.sha256(0, filesize) == "9d530e2254580842574a740698d2348b68b46fd88312c9325321ad0d986f523d" or
- hash.sha256(0, filesize) == "8da93bc4d20e5f38d599ac89db26fc2f1eecbf36c14209302978d46fc4ce5412" or
- hash.sha256(0, filesize) == "170e5eb004357dfce6b41de8637e1dbeb87fa58e8b54a2031aac33afb930f3c8" or
- hash.sha256(0, filesize) == "b3b01b36b6437c624da4b28c4c8f773ae8133fca9dd10dc17742e956117f5759" or
- hash.sha256(0, filesize) == "b0faba6156c7b0cd59b94eeded37d8c1041d4b8dfa6aacd6520a6d28c3f02a5e" or
- hash.sha256(0, filesize) == "5a13d0c954280b4c65af409376de86ac43eb966f25b85973a20d330a34cdd9a6" or
- hash.sha256(0, filesize) == "92c959c36617445a35e6f4f2ee2733861aa1b3baf8728d19a4fd5176f3c80401" or
- hash.sha256(0, filesize) == "edb7caa3dce3543d65f29e047ea789a9e429e46bed5c29c4748e656285a08050" or
- hash.sha256(0, filesize) == "02e5191078497be1e6ea8bac93b6cfb9b3ee36a58e4f7dd343ac1762e7f9301e" or
- hash.sha256(0, filesize) == "170596e88b26f04d349f6014d17a88026ec55eab44888e2a9bb4dd90a79f6878" or
- hash.sha256(0, filesize) == "cb58396d40e69d5c831f46aed93231ed0b7d41fee95f8da7c594c9dbd06ee111" or
- hash.sha256(0, filesize) == "24be375f0e11d88210e53f15cc08d72ab6c6287676c3fe3c6f70b513e5f442ed" or
- hash.sha256(0, filesize) == "8e222cb1a831c407a3f6c7863f3faa6358b424e70a041c196e91fb7989735b68" or
- hash.sha256(0, filesize) == "bb3529aa5312abbee0cfbd00f10c3f2786f452a2ca807f0acbd336602a13ac79" or
- hash.sha256(0, filesize) == "a05b53260c2855829226dffd814022b7ff4750d278d6c46f2e8e0dc58a36a1f9" or
- hash.sha256(0, filesize) == "698ec413986dc7fc761b1a17624ffffb1590902020b9d0cd5d9a6013c67d9100" or
- hash.sha256(0, filesize) == "f1d6e8b07ac486469e09c876c3e267db2b2d651299c87557cbf4eafb861cf79c" or
- hash.sha256(0, filesize) == "4f3ceab96fb55d0b05380a1d95bb494ca44d7a9d7f10ded02d5b6fc27c92cb05" or
- hash.sha256(0, filesize) == "f6aab09e1c52925fe599246dfdb4c1d06bea5c380c4c3e9c33661c869d41a23a" or
- hash.sha256(0, filesize) == "c43ce82560cea125f65c7701c733c61ae3faa782c8b00efcb44fd7dbd32a5c4b" or
- hash.sha256(0, filesize) == "224e8349ba128f0ab57bdebef5287f4b84b9dccbc2d8503f53f6333efd5f9265" or
- hash.sha256(0, filesize) == "cd019e717779e2d2b1f4c27f75e940b5f98d4ebb48de604a6cf2ab911220ae50" or
- hash.sha256(0, filesize) == "593849098bd288b7bed9646e877fa0448dcb25ef5b4482291fdf7123de867911" or
- hash.sha256(0, filesize) == "ecb097f3367f0155887dde9f891ff823ff54ddfe5217cdbb391ea5b10c5a08dc" or
- hash.sha256(0, filesize) == "83e57d8f3810a72a772742d4b786204471a7607e02fa445c3cd083f164cc4af3" or
- hash.sha256(0, filesize) == "4b547b3992838cfb3b61cb25f059c0b56c2f7caaa3b894dbc20bf7b33dadc5a1" or
- hash.sha256(0, filesize) == "0f4046be5de15727e8ac786e54ad7230807d26ef86c3e8c0e997ea76ab3de255" or
- hash.sha256(0, filesize) == "7c1136d6f5b10c22698f7e049dbc493be6e0ce03316a86c422ca9b670cb133aa" or
- hash.sha256(0, filesize) == "72ff91b3f36ccf07e3daf6709db441d2328cecab366fd5ff81fc70dd9eb45db8" or
- hash.sha256(0, filesize) == "d5687b5c5cec11c851e84a1d40af3ef52607575487a70224f63458c24481076c" or
- hash.sha256(0, filesize) == "bcdcb4b5e9aaaee2c46d5b0ed16aca629de9faa5e787c672191e0bdf64619a95" or
- hash.sha256(0, filesize) == "6e5f4296bffa7128b6e8fa72ad1924d2ff19b9d64775bd1e0a9ce9c5944bd419" or
- hash.sha256(0, filesize) == "d3ee530abe41705a819ee9220aebb3ba01531e16df7cded050ba2cf051940e46" or
- hash.sha256(0, filesize) == "bee9f2a01e0049d4cf94016284b16849136233366d1509489797084672e5448f" or
- hash.sha256(0, filesize) == "ec48b131612ef5637b387d9c2b0907d68a080fb77c6168e779fb7f3a0efa04dc" or
- hash.sha256(0, filesize) == "1ef47da67f783f8cc8cda7481769647b754874c91e0c666f741611decd878c19" or
- hash.sha256(0, filesize) == "0850c39a7fcaa7091aaea333d33c71902b263935df5321edcd5089d10e4bbebb" or
- hash.sha256(0, filesize) == "8d343be0ea83597f041f9cbc6ea5b63773affc267c6ad99d31badee16d2c86e5" or
- hash.sha256(0, filesize) == "13da3fe28302a8543dd527d9e09723caeed98006c3064c5ed7b059d6d7f36554" or
- hash.sha256(0, filesize) == "6367cb0663c2898aff64440176b409c1389ca7834e752b350a87748bef3a878b" or
- hash.sha256(0, filesize) == "358da2c5bb5fbd9c9cf791536054bbb387ce37253c31555f5afa544f38de2a3f" or
- hash.sha256(0, filesize) == "ebb16c9536e6387e7f6988448a3142d17ab695b2894624f33bd591ceb3e46633" or
- hash.sha256(0, filesize) == "0ea750a8545252b73f08fe87db08376f789fe7e58a69f5017afa2806046380a5" or
- hash.sha256(0, filesize) == "65a4332dfe474a8bb9b5fa35495aade453da7a03eb0049211e57b5660d08d75c" or
- hash.sha256(0, filesize) == "dc612882987fab581155466810f87fd8f0f2da5c61ad8fc618cef903c9650fcd" or
- hash.sha256(0, filesize) == "d588e789f0b5914bd6f127950c5daf6519c78b527b0ed7b323e42b0613f6566f" or
- hash.sha256(0, filesize) == "c25c1455dcab2f17fd6a25f8af2f09ca31c8d3773de1cb2a55acd7aeaa6963c8" or
- hash.sha256(0, filesize) == "b8f2fdddf7a9d0b813931e0efe4e6473199688320d5e8289928fe87ce4b1d068" or
- hash.sha256(0, filesize) == "94d4e4a8f2d53426154c41120b4f3cf8105328c0cc5d4bd9126a54c14b296093" or
- hash.sha256(0, filesize) == "101e70a5455212b40406fe70361995a3a346264eabd4029200356565d2bacd6a" or
- hash.sha256(0, filesize) == "60f86898506f0fdf6d997f31deff5b6200a6969b457511cc00446bd22dd1f0a4" or
- hash.sha256(0, filesize) == "b647f883911ff20f776e0a42564b13ef961fa584ebd5cfce9dd2990bca5df24e" or
- hash.sha256(0, filesize) == "c987f8433c663c9e8600a7016cdf63cd14590a019118c52238c24c39c9ec02ad" or
- hash.sha256(0, filesize) == "66ec58b4bdcb30d1889972c1ee30af7ff213deece335f798e57ff51fe28752e3" or
- hash.sha256(0, filesize) == "3a88ff66f4eb675f0c3e6c5f947c012945c4e15b77a2cd195de8a8aba23ccb29" or
- hash.sha256(0, filesize) == "43608e60883304c1ea389c7bad244b86ff5ecf169c3b5bca517a6e7125325c7b" or
- hash.sha256(0, filesize) == "abdb2da30435430f808b229f8b6856fafc154a386ef4f7c5e8de4a746e350e0c" or
- hash.sha256(0, filesize) == "7081455301e756d6459ea7f03cd55f7e490622d36a5a019861e6b17141f69bd0" or
- hash.sha256(0, filesize) == "c66525285707daff30fce5d79eb1bdf30519586dfec4edf73e4a0845fd3d0e1c" or
- hash.sha256(0, filesize) == "59c4cba96dbab5d8aa7779eac18b67b2e6f8b03066eb092415d50dff55e43b72" or
- hash.sha256(0, filesize) == "0c9b20f4cb0b3206f81c2afbb2ee4d995c28f74f38216f7d35454af624af8876" or
- hash.sha256(0, filesize) == "6e92c2d298e25bcff17326f69882b636150d2a1af494ef8186565544f0d04d3d" or
- hash.sha256(0, filesize) == "0a0a5b68a8a7e4ed4b6d6881f57c6a9ac55b1a50097588e462fe8d3c486158bf" or
- hash.sha256(0, filesize) == "837e68be35c2f0ab9e2b3137d6f9f7d16cc387f3062a21dd98f436a4bcceb327" or
- hash.sha256(0, filesize) == "fb30c3bb1b25b3d4cca975f2e0c45b95f3eb57a765267271a9689dd526658b43" or
- hash.sha256(0, filesize) == "e3a7fa8636d040c9c3a8c928137d24daa15fc6982c002c5dd8f1c552f11cbcad" or
- 12 of them
-}
-
-rule HavexModuleOPC {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? 03 ?? 0F AF ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 72 }
- $block_1 = { 8B ?? ?? 33 ?? 66 ?? ?? ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? C1 ?? ?? 0B ?? FF 0? ?? 4? 79 }
- $block_2 = { 8D ?? ?? 5? 89 ?? ?? 8B ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 89 ?? ?? 3B ?? 0F 85 }
- $block_3 = { 89 ?? ?? ?? ?? ?? 8B ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? FF 4? ?? 0F 85 }
- $block_4 = { 8B ?? ?? 33 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? ?? ?? ?? 38 ?? ?? 0F 84 }
- $block_5 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_6 = { 66 ?? ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? 4? 83 ?? ?? 0F B7 ?? 0F 8C }
- $block_7 = { 5? 8B ?? 83 ?? ?? 5? 5? 33 ?? 8D ?? ?? AB AB AB AB 83 ?? ?? ?? C7 }
- $block_8 = { 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_9 = { 0F B7 ?? 8B ?? C1 ?? ?? 0B ?? D1 ?? 8D ?? ?? F3 ?? 13 ?? 66 }
- $block_10 = { 33 ?? 83 ?? ?? ?? 0F 95 ?? 4? 83 ?? ?? 83 ?? ?? 89 ?? ?? EB }
- $block_11 = { 83 ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? A5 A5 A5 A5 5? 5? 74 }
- $block_12 = { 8D ?? ?? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? FF 4? ?? 0F 85 }
- $block_13 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 5? 8B ?? 85 ?? 0F 84 }
- $block_14 = { 0F B6 ?? 8B ?? ?? ?? ?? ?? C1 ?? ?? 4? 83 ?? ?? 7C }
- $block_15 = { 8B ?? ?? 8B ?? ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
-
- condition:
- hash.sha256(0, filesize) == "6aca45bb78452cd78386b8fa78dbdf2dda7fba6cc06482251e2a6820849c9e82" or
- hash.sha256(0, filesize) == "004c99be0c355e1265b783aae557c198bcc92ee84ed49df70db927a726c842f3" or
- hash.sha256(0, filesize) == "7933809aecb1a9d2110a6fd8a18009f2d9c58b3c7dbda770251096d4fcc18849" or
- 12 of them
-}
-
-rule KaraganyModuleScreenshot {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 6A ?? 5? C6 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? BB ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? BE ?? ?? ?? ?? 8D ?? ?? A5 A5 A5 A5 A4 BE ?? ?? ?? ?? 8D ?? ?? A5 A5 8D ?? ?? A4 8B ?? ?? ?? ?? ?? 5? FF D? 5? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 5? 5? FF D? 6A ?? 5? FF 1? ?? ?? ?? ?? 8D ?? ?? 5? FF D? 5? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 5? 5? FF D? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 75 }
- $block_1 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 5? BE ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 33 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_2 = { 8D ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 }
- $block_3 = { 5? 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_4 = { 8D ?? ?? ?? 5? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
-
- condition:
- hash.sha256(0, filesize) == "05fb04474a3785995508101eca7affd8c89c658f7f9555de6d6d4db40583ac53" or
- 5 of them
-}
-
-rule Listrix {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8B ?? 83 ?? ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? FF D? E8 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? C1 ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_1 = { 0F B7 ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 5? 0F B7 ?? ?? ?? ?? ?? 5? 0F B7 ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 5? 5? 8D ?? ?? ?? ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 74 }
- $block_2 = { 0F B7 ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 5? 0F B7 ?? ?? ?? ?? ?? 5? 0F B7 ?? ?? ?? ?? ?? 5? 5? 5? 8D ?? ?? ?? ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 }
- $block_3 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 33 ?? 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 66 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 66 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_4 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_5 = { 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_6 = { 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_7 = { 8B ?? ?? ?? 8D ?? ?? ?? 83 ?? ?? 5? 66 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_8 = { 68 ?? ?? ?? ?? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_9 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "fc54d8afd2ce5cb6cc53c46783bf91d0dd19de604308d536827320826bc36ed9" or
- 10 of them
-}
-
-rule KaraganyModuleFileListing {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 0F B7 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? ?? ?? ?? 88 ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 89 ?? ?? 0F B6 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 88 ?? ?? 0F B6 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? ?? ?? ?? 88 ?? ?? 8B ?? ?? ?? ?? ?? 88 ?? ?? 89 ?? ?? 66 ?? ?? ?? 8D ?? ?? 8D ?? ?? 8D ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? 8D ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? 8D ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? 8D ?? ?? 8D ?? ?? 8D ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8D }
- $block_1 = { 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? FF 1? ?? ?? ?? ?? C1 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_2 = { 0F B7 ?? ?? 0F B7 ?? ?? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 5? 5? 8D ?? ?? ?? ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 74 }
- $block_3 = { 0F B7 ?? ?? 0F B7 ?? ?? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 5? 5? 8D ?? ?? ?? ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 }
- $block_4 = { 8A ?? ?? 8D ?? ?? ?? ?? ?? 04 ?? 5? 88 ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_5 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? F6 ?? ?? ?? 0F 84 }
- $block_6 = { 8B ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_7 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF D? 85 ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "07bd08b07de611b2940e886f453872aa8d9b01f9d3c61d872d6cfe8cde3b50d4" or
- 8 of them
-}
-
-rule Ddex_loader {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 5? 68 ?? ?? ?? ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 8B ?? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 5? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 85 ?? 75 }
- $block_1 = { FF 3? ?? ?? ?? ?? FF 7? ?? FF 7? ?? FF 3? ?? ?? ?? ?? FF 7? ?? 68 ?? ?? ?? ?? FF 3? FF 1? ?? ?? ?? ?? 83 ?? ?? FF 3? E8 ?? ?? ?? ?? FF 7? ?? 8B ?? ?? 5? FF 7? ?? 89 ?? FF D? FF 7? ?? 5? FF 7? ?? FF D? 5? 33 ?? 5? 4? 5? C9 C2 }
- $block_2 = { 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? 5? FF 7? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 74 }
- $block_3 = { 5? 8B ?? 83 ?? ?? 5? 5? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? BB ?? ?? ?? ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 8D ?? ?? A5 A5 68 ?? ?? ?? ?? A5 E8 ?? ?? ?? ?? 85 ?? 75 }
- $block_4 = { 83 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8D ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 5? 33 ?? 5? 5? 8B ?? FF D? 39 ?? ?? ?? 0F 86 }
- $block_5 = { 5? 5? 83 ?? ?? ?? ?? 5? 5? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? 68 ?? ?? ?? ?? 5? FF D? 5? 5? 85 ?? 0F 84 }
- $block_6 = { 6A ?? 5? E8 ?? ?? ?? ?? 5? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 8D ?? ?? A5 A5 A5 83 ?? ?? ?? 74 }
- $block_7 = { 0F B7 ?? ?? 5? 5? 6A ?? 5? 5? 5? FF 3? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? 3B ?? 75 }
- $block_8 = { 5? E8 ?? ?? ?? ?? 3B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? 0F 84 }
- $block_9 = { 5? 68 ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
-
- condition:
- hash.sha256(0, filesize) == "377a9c610cc17bbf19470b1a3f847b74e0f56d4f4fd57a3298c630dab403acea" or
- hash.sha256(0, filesize) == "3094ac9d2eeb17d4cda19542f816d15619b4c3fec52b87fdfcd923f4602d827b" or
- hash.sha256(0, filesize) == "76b272828c68b5c6d3693809330555b5a1a6a8bda73228c8edc37afca78a21d6" or
- hash.sha256(0, filesize) == "7a115335c971ad4f15af10ea54e2d3a6db08c73815861db4526335b81ebde253" or
- 10 of them
-}
-
-rule HavexLoader {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? 03 ?? 0F AF ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 72 }
- $block_1 = { 66 ?? ?? 66 ?? ?? ?? 66 ?? 33 ?? 4? 5? 0F B7 ?? 8B ?? 66 ?? ?? 0F B7 ?? 4? 83 ?? ?? 7D }
- $block_2 = { 8B ?? ?? 33 ?? 66 ?? ?? ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? C1 ?? ?? 0B ?? FF 0? ?? 4? 79 }
- $block_3 = { E8 ?? ?? ?? ?? 2B ?? ?? 8B ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? 0F 83 }
- $block_4 = { 5? 8B ?? 0F B7 ?? ?? 83 ?? ?? 33 ?? 4? 5? 8B ?? 66 ?? ?? 0F B7 ?? 4? 83 ?? ?? 7D }
- $block_5 = { 6A ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F B7 ?? 72 }
- $block_6 = { 8D ?? ?? 83 ?? ?? ?? 5? 33 ?? 8B ?? AB AB AB AB 33 ?? 8D ?? ?? AB AB AB AB 5? }
- $block_7 = { 8B ?? ?? 33 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? ?? ?? ?? 38 ?? ?? 0F 84 }
- $block_8 = { 8B ?? ?? 8D ?? ?? A5 A5 A5 A5 FF 1? ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? C3 }
- $block_9 = { 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_10 = { 80 B? ?? ?? ?? ?? ?? 8D ?? ?? 0F 94 ?? 0F B6 ?? 5? 5? E8 ?? ?? ?? ?? EB }
- $block_11 = { E8 ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? FF 7? ?? 3B ?? 0F 83 }
- $block_12 = { 66 ?? ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? 4? 83 ?? ?? 0F B7 ?? 0F 8C }
- $block_13 = { 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 84 }
- $block_14 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_15 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? A5 A5 A5 6A ?? A5 0F B6 ?? ?? 5? 2B ?? 5? }
- $block_16 = { 5? 8B ?? 83 ?? ?? 83 ?? ?? 8A ?? ?? 5? 5? 5? 89 ?? ?? ?? 84 ?? 0F 85 }
- $block_17 = { 2B ?? ?? 8B ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? 0F 83 }
- $block_18 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 3C ?? 0F 84 }
- $block_19 = { 33 ?? 83 ?? ?? ?? 0F 95 ?? 4? 83 ?? ?? 83 ?? ?? 89 ?? ?? EB }
- $block_20 = { 0F B6 ?? ?? 33 ?? 8A ?? ?? ?? ?? ?? 30 ?? 0F B6 ?? 4? 4? 75 }
- $block_21 = { 8A ?? ?? ?? ?? ?? 8D ?? ?? ?? 30 ?? 0F B6 ?? 4? 83 ?? ?? 72 }
- $block_22 = { 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? FF 7? ?? 3B ?? 0F 83 }
- $block_23 = { 8B ?? E8 ?? ?? ?? ?? 0F B7 ?? 0F B7 ?? 83 ?? ?? 3B ?? 7F }
- $block_24 = { 6A ?? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? 8A ?? ?? 84 ?? 0F 84 }
- $block_25 = { 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? 39 ?? ?? 0F 83 }
- $block_26 = { 0F B6 ?? 8B ?? ?? ?? ?? ?? C1 ?? ?? 4? 83 ?? ?? 7C }
- $block_27 = { 8B ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C9 C3 }
- $block_28 = { 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? 5? C9 C3 }
-
- condition:
- hash.sha256(0, filesize) == "401215e6ae0b80cb845c7e2910dddf08af84c249034d76e0cf1aa31f0cf2ea67" or
- 12 of them
-}
-
-rule HavexModuleOutlook {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? 03 ?? 0F AF ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 72 }
- $block_1 = { 8B ?? ?? 33 ?? 66 ?? ?? ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? C1 ?? ?? 0B ?? FF 0? ?? 4? 79 }
- $block_2 = { 89 ?? ?? ?? ?? ?? 8B ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? FF 4? ?? 0F 85 }
- $block_3 = { 8B ?? ?? 33 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? ?? ?? ?? 38 ?? ?? 0F 84 }
- $block_4 = { E8 ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? FF 7? ?? 3B ?? 0F 83 }
- $block_5 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_6 = { 66 ?? ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? 4? 83 ?? ?? 0F B7 ?? 0F 8C }
- $block_7 = { 5? 8B ?? 83 ?? ?? 5? 5? 33 ?? 8D ?? ?? AB AB AB AB 83 ?? ?? ?? C7 }
- $block_8 = { 33 ?? 83 ?? ?? ?? 0F 95 ?? 4? 83 ?? ?? 83 ?? ?? 89 ?? ?? EB }
- $block_9 = { 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? FF 7? ?? 3B ?? 0F 83 }
- $block_10 = { 8B ?? E8 ?? ?? ?? ?? 0F B7 ?? 0F B7 ?? 83 ?? ?? 3B ?? 7F }
- $block_11 = { 8D ?? ?? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? FF 4? ?? 0F 85 }
- $block_12 = { 0F B6 ?? 8B ?? ?? ?? ?? ?? C1 ?? ?? 4? 83 ?? ?? 7C }
- $block_13 = { 8B ?? ?? 8B ?? ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
-
- condition:
- hash.sha256(0, filesize) == "0859cb511a12f285063ffa8cb2a5f9b0b3c6364f8192589a7247533fda7a878e" or
- 12 of them
-}
-
-rule HavexModuleNetworkScanner {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8D ?? ?? ?? ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? 5? 89 ?? ?? 8B ?? D1 ?? 5? 8B ?? ?? ?? ?? ?? 0F B6 ?? ?? 0F B6 ?? 80 E? ?? C0 ?? ?? D3 ?? 8B ?? ?? ?? ?? ?? 0F B7 ?? ?? 83 ?? ?? C1 ?? ?? 0B ?? 33 ?? 4? 89 ?? ?? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? FF 4? ?? 8B ?? ?? 33 ?? 3B ?? 0F 94 ?? 89 ?? ?? 33 ?? 89 }
- $block_1 = { 8B ?? ?? 03 ?? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 8B ?? E8 ?? ?? ?? ?? FF 7? ?? 8B ?? ?? FF 7? ?? 8B ?? FF 7? ?? FF 3? FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 5? 5? B0 ?? 5? C9 C3 }
- $block_2 = { FF 7? ?? 33 ?? 4? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? 33 ?? C6 ?? ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 85 }
- $block_3 = { 8B ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? FF 7? ?? 88 ?? 0F BE ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 }
- $block_4 = { 8B ?? ?? 03 ?? 0F AF ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 72 }
- $block_5 = { 8B ?? ?? 33 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? ?? ?? ?? 38 ?? ?? 0F 84 }
- $block_6 = { 33 ?? 83 ?? ?? ?? 0F 95 ?? 4? 83 ?? ?? 83 ?? ?? 89 ?? ?? EB }
-
- condition:
- hash.sha256(0, filesize) == "9a2a8cb8a0f4c29a7c2c63ee58e55aada0a3895382abe7470de4822a4d868ee6" or
- hash.sha256(0, filesize) == "2120c3a30870921ab5e03146a1a1a865dd24a2b5e6f0138bf9f2ebf02d490850" or
- 7 of them
-}
-
-rule Sysmain {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? ?? 33 ?? AB AB AB 8B ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? FF 7? ?? ?? E8 ?? ?? ?? ?? 85 ?? 75 }
- $block_1 = { FF 1? ?? ?? ?? ?? 83 ?? ?? ?? 8D ?? ?? 5? 6A ?? 5? 89 ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_2 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 8B ?? ?? 0F B7 ?? 5? 83 ?? ?? 6A ?? 99 5? F7 ?? 8B ?? 39 ?? ?? 77 }
- $block_3 = { 6A ?? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF B? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_4 = { 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 3? FF D? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_5 = { 89 ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 5? 85 ?? 0F 84 }
- $block_6 = { 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? 8B ?? D3 ?? 83 ?? ?? 0F B7 ?? 8B ?? ?? 66 ?? ?? ?? 7D }
- $block_7 = { 8D ?? ?? 8D ?? ?? A5 A5 A5 8D ?? ?? 5? A5 FF 1? ?? ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 75 }
- $block_8 = { FF 3? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? ?? 81 7? ?? ?? ?? ?? ?? 5? 5? 0F 8E }
- $block_9 = { 8D ?? ?? ?? ?? ?? ?? 0F B6 ?? 5? E8 ?? ?? ?? ?? 4? 5? 88 ?? 3B ?? ?? ?? ?? ?? 72 }
- $block_10 = { FF 4? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? C1 ?? ?? 89 ?? ?? ?? 39 ?? ?? 0F 85 }
- $block_11 = { 8B ?? ?? ?? 33 ?? AB AB AB E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 85 ?? 0F 84 }
- $block_12 = { 5? FF 1? ?? ?? ?? ?? 83 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_13 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_14 = { 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? 0F 86 }
- $block_15 = { BE ?? ?? ?? ?? 8D ?? ?? ?? A5 A5 A5 8D ?? ?? ?? A5 E8 ?? ?? ?? ?? 85 ?? 74 }
- $block_16 = { 5? 5? 5? 5? 68 ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_17 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C2 }
- $block_18 = { 8B ?? ?? ?? ?? ?? 8B ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_19 = { BE ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 }
- $block_20 = { 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 }
- $block_21 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_22 = { 8B ?? ?? ?? ?? ?? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_23 = { FF 4? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? C1 ?? ?? 83 ?? ?? ?? 0F 85 }
- $block_24 = { 8B ?? ?? FF 3? E8 ?? ?? ?? ?? FF 3? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_25 = { 6A ?? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 5? 5? C9 C3 }
- $block_26 = { FF 4? ?? ?? 8B ?? ?? FF 4? ?? 83 ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_27 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 }
- $block_28 = { 8D ?? ?? ?? ?? ?? 5? FF B? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_29 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_30 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C2 }
- $block_31 = { FF 4? ?? 8B ?? ?? ?? ?? ?? FF 4? ?? 8D ?? ?? 3B ?? 89 ?? ?? 0F 8C }
- $block_32 = { 6A ?? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 5? C9 C3 }
- $block_33 = { 68 ?? ?? ?? ?? FF 7? ?? ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_34 = { FF 7? ?? ?? 5? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_35 = { 8B ?? ?? ?? ?? ?? 33 ?? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_36 = { 8D ?? ?? ?? 0F B6 ?? 5? E8 ?? ?? ?? ?? 4? 5? 88 ?? 3B ?? ?? 72 }
- $block_37 = { 8B ?? ?? ?? ?? ?? 33 ?? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C2 }
- $block_38 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 8D ?? ?? 0F B6 ?? ?? 2B ?? ?? 75 }
- $block_39 = { 6A ?? E8 ?? ?? ?? ?? 8B ?? 5? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_40 = { FF 3? E8 ?? ?? ?? ?? FF 3? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_41 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_42 = { 8D ?? ?? ?? 5? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_43 = { FF 8? ?? ?? ?? ?? 81 B? ?? ?? ?? ?? ?? ?? ?? ?? 0F 8E }
- $block_44 = { BE ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 89 ?? 85 ?? 0F 84 }
- $block_45 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 33 ?? E8 ?? ?? ?? ?? C9 C3 }
- $block_46 = { 8B ?? ?? 8B ?? ?? 33 ?? E8 ?? ?? ?? ?? 83 ?? ?? C9 C3 }
- $block_47 = { BF ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 89 ?? 85 ?? 0F 84 }
- $block_48 = { 68 ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_49 = { 5? 5? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_50 = { 0F B6 ?? 8B ?? ?? ?? ?? ?? C1 ?? ?? 4? 83 ?? ?? 7C }
- $block_51 = { 8B ?? ?? 5? 5? 33 ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_52 = { 6A ?? E8 ?? ?? ?? ?? 8B ?? 5? 89 ?? ?? 85 ?? 0F 84 }
- $block_53 = { 8B ?? ?? 5? 5? 33 ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C2 }
- $block_54 = { 8B ?? ?? 5? 33 ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C2 }
- $block_55 = { 5? BB ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 86 }
- $block_56 = { FC 6B ?? ?? 64 ?? ?? ?? 8B ?? ?? 8B ?? ?? AD 8B }
-
- condition:
- hash.sha256(0, filesize) == "81e5e73452aa8b14f6c6371af2dccab720a32fadfc032b3c8d96f9cdaab9e9df" or
- hash.sha256(0, filesize) == "31488f632f5f7d3ec0ea82eab1f9baba16826967c3a6fa141069ef5453b1eb95" or
- hash.sha256(0, filesize) == "dc75404b6fc8cdb73258c2cc7bc758347ffb4237c8d18222f3489dc303daf989" or
- hash.sha256(0, filesize) == "53d2a3324f276f29c749727c20708a3421a5144046ce14a8e025a8133316e0ac" or
- hash.sha256(0, filesize) == "d5e3122a263d3f66dcfa7c2fed25c2b8a3be725b2c934fa9d9ef4c5aefbc6cb9" or
- hash.sha256(0, filesize) == "a8e6abaa0ddc34b9db6bda17b502be7f802fb880941ce2bd0473fd9569113599" or
- hash.sha256(0, filesize) == "387d4ea82c51ecda162a3ffd68a3aca5a21a20a46dc08a0ebe51b03b7984abe9" or
- 12 of them
-}
-
-rule IndustroyerWiper {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8B ?? 83 ?? ?? 83 ?? ?? 83 ?? ?? 5? 8B ?? ?? 89 ?? ?? ?? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 0F 10 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 5? 0F 11 ?? ?? 5? 0F 10 ?? ?? ?? ?? ?? 89 ?? ?? 33 ?? 8D ?? ?? ?? ?? ?? 5? 0F 11 ?? ?? 68 ?? ?? ?? ?? 0F 10 ?? ?? ?? ?? ?? 5? 8D ?? ?? 0F 11 ?? ?? 5? 0F 10 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 0F 11 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_1 = { 6A ?? 5? FF 1? ?? ?? ?? ?? 3D ?? ?? ?? ?? B9 ?? ?? ?? ?? BF ?? ?? ?? ?? 0F 46 ?? 3D ?? ?? ?? ?? B9 ?? ?? ?? ?? 0F 46 ?? 3D ?? ?? ?? ?? B9 ?? ?? ?? ?? 0F 46 ?? 3D ?? ?? ?? ?? B9 ?? ?? ?? ?? 0F 46 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 8D ?? ?? 6A ?? 5? 5? 5? 5? FF 1? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? FF 1? }
- $block_2 = { 5? FF 1? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 8B ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 81 F? ?? ?? ?? ?? 0F 83 }
- $block_3 = { FF B? ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? FF B? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_4 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? FF B? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_5 = { FF B? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F B6 ?? 8B ?? ?? ?? ?? ?? 0F 44 ?? 83 ?? ?? 83 ?? ?? 72 }
-
- condition:
- hash.sha256(0, filesize) == "ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910" or
- hash.sha256(0, filesize) == "018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81" or
- 6 of them
-}
-
-rule IndustroyerPortScanner {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 83 ?? ?? ?? ?? ?? ?? 0F 43 ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 33 ?? 5? 8B ?? 4? }
- $block_1 = { 5? 8B ?? 5? 8B ?? ?? 83 ?? ?? 5? 8B ?? 5? 39 ?? ?? 8B ?? 0F 42 ?? ?? 8B ?? ?? 2B ?? 3B ?? 0F 86 }
- $block_2 = { 83 ?? ?? ?? 8D ?? ?? 0F 43 ?? ?? 83 ?? ?? ?? 5? 0F 43 ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 }
- $block_3 = { 8B ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? 2B ?? 89 ?? ?? ?? 6A ?? 5? 99 F7 ?? 89 ?? ?? ?? 83 ?? ?? 7C }
- $block_4 = { 39 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 0F 43 ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 83 ?? ?? 0F 8F }
- $block_5 = { 83 ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 0F 43 ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 3B ?? 0F 87 }
- $block_6 = { 5? 8B ?? 5? 5? 5? 33 ?? 89 ?? ?? 33 ?? 38 ?? ?? 5? 8B ?? ?? 0F 94 ?? 5? 8B ?? ?? 89 ?? ?? 89 }
- $block_7 = { 39 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 0F 43 ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 83 ?? ?? 0F 8C }
- $block_8 = { 8B ?? 33 ?? 8B ?? ?? 83 ?? ?? 8B ?? ?? 2B ?? 89 ?? ?? 4? D1 ?? 3B ?? ?? 0F 47 ?? 85 ?? 74 }
- $block_9 = { 39 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 0F 43 ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 85 ?? 0F 88 }
- $block_10 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? 6A ?? 5? 99 F7 ?? 8D ?? ?? 8B ?? 83 ?? ?? 0F 86 }
- $block_11 = { 39 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 0F 43 ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 3B ?? 0F 8F }
- $block_12 = { 5? 8B ?? 5? F7 ?? ?? ?? ?? ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 89 ?? ?? 89 ?? ?? 74 }
- $block_13 = { 5? 8B ?? 83 ?? ?? 5? 6A ?? 8D ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 5? 89 ?? ?? 3B ?? 0F 84 }
- $block_14 = { 39 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 43 ?? ?? ?? ?? ?? 33 ?? 66 }
- $block_15 = { 5? 5? 5? 5? 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 84 ?? 0F 84 }
- $block_16 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? CC 5? 8B ?? 83 ?? ?? 5? 8B ?? 5? 80 7? ?? ?? 0F 85 }
- $block_17 = { 8B ?? ?? 8B ?? ?? 8B ?? C1 ?? ?? 8B ?? 83 ?? ?? 0F B6 ?? ?? 0F AB ?? 88 ?? ?? EB }
- $block_18 = { 39 ?? ?? 8D ?? ?? 0F 43 ?? ?? 5? E8 ?? ?? ?? ?? BB ?? ?? ?? ?? 5? 3B ?? 0F 8F }
- $block_19 = { 39 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 0F 43 ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? EB }
- $block_20 = { 39 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 0F 43 ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? E9 }
- $block_21 = { 8B ?? ?? 0F B7 ?? 8B ?? 83 ?? ?? C1 ?? ?? 5? 0F B6 ?? ?? 0F AB ?? 88 ?? ?? EB }
- $block_22 = { 8B ?? ?? 8B ?? ?? 2B ?? 6A ?? 5? 99 F7 ?? 8D ?? ?? 89 ?? ?? 83 ?? ?? 0F 86 }
- $block_23 = { 8B ?? ?? 2B ?? 8B ?? ?? 3B ?? 89 ?? ?? 0F 42 ?? 83 ?? ?? 2B ?? 3B ?? 76 }
- $block_24 = { 6A ?? 5? 8D ?? ?? ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? CC 8B ?? 85 ?? 74 }
- $block_25 = { 6A ?? 6A ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? ?? 0F 85 }
- $block_26 = { 83 ?? ?? ?? 0F 43 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 5? }
- $block_27 = { 5? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_28 = { 39 ?? ?? 8D ?? ?? 0F 43 ?? ?? 5? E8 ?? ?? ?? ?? 5? 85 ?? 0F 88 }
- $block_29 = { 39 ?? ?? 8D ?? ?? 0F 43 ?? ?? 5? E8 ?? ?? ?? ?? 5? 3B ?? 0F 8F }
- $block_30 = { 83 ?? ?? ?? 8D ?? ?? 0F 43 ?? ?? 5? E8 ?? ?? ?? ?? 5? 3B ?? 77 }
- $block_31 = { 8D ?? ?? 8D ?? ?? A5 A5 A5 A5 8B ?? ?? 83 ?? ?? ?? 75 }
- $block_32 = { FF 4? ?? 8B ?? ?? 8B ?? ?? 0F B7 ?? ?? 8B ?? 5? E8 }
- $block_33 = { 39 ?? ?? 8D ?? ?? 0F 43 ?? ?? 5? 68 ?? ?? ?? ?? EB }
- $block_34 = { 8B ?? ?? 5? 5? E8 ?? ?? ?? ?? 0F B6 ?? 3B ?? ?? 75 }
- $block_35 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? 5? 80 7? ?? ?? 0F 85 }
- $block_36 = { 2B ?? 99 F7 ?? ?? ?? 89 ?? ?? ?? 3B ?? ?? ?? 75 }
-
- condition:
- hash.sha256(0, filesize) == "2dd7d880975dd90ea0d9d400319741c74b9491a0dc2b1c13ce3a850f37e03184" or
- 12 of them
-}
-
-rule IndustroyerPayloadOPC {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 6A ?? 6A ?? FF 7? ?? C6 ?? ?? 5? 6A ?? 5? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 33 ?? 85 ?? 0F 44 ?? EB }
- $block_1 = { 5? 5? 6A ?? FF 7? ?? 33 ?? 5? 6A ?? 66 ?? ?? FF 1? ?? ?? ?? ?? 33 ?? 85 ?? 0F 44 ?? EB }
- $block_2 = { 5? 5? 6A ?? 33 ?? 5? 5? 6A ?? 66 ?? ?? FF 1? ?? ?? ?? ?? 33 ?? 85 ?? 0F 44 ?? EB }
- $block_3 = { 83 ?? ?? 89 ?? ?? 8D ?? ?? 0F 43 ?? ?? C6 ?? ?? 8B ?? ?? 8B ?? ?? EB }
- $block_4 = { 8B ?? ?? 8D ?? ?? 5? 8D ?? ?? 5? 8B ?? 6A ?? 5? FF 5? ?? 85 ?? 0F 85 }
- $block_5 = { 8B ?? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 5? FF 5? ?? 85 ?? 0F 88 }
- $block_6 = { 89 ?? ?? 0F B6 ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? 3B ?? ?? 73 }
- $block_7 = { 0F 57 ?? 0F 11 ?? ?? ?? ?? ?? 0F 11 ?? ?? ?? ?? ?? 66 }
- $block_8 = { 8D ?? ?? 5? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 88 }
- $block_9 = { 0F B7 ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 }
-
- condition:
- hash.sha256(0, filesize) == "156bd34d713d0c8419a5da040b3c2dd48c4c6b00d8a47698e412db16b1ffac0f" or
- 10 of them
-}
-
-rule IndustroyerBackdoor {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 33 ?? 5? FF 7? ?? 5? 5? 5? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_1 = { 5? 8D ?? ?? ?? ?? ?? 33 ?? 5? 5? 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_2 = { 5? 8B ?? 8B ?? ?? 33 ?? 8B ?? ?? 5? 03 ?? 8B ?? 2B ?? 5? 33 ?? 3B ?? 0F 47 ?? 8B ?? ?? 85 ?? 74 }
- $block_3 = { 89 ?? ?? 6A ?? 6A ?? 5? FF 1? ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 9? 9? 3D ?? ?? ?? ?? 0F 84 }
- $block_4 = { 83 ?? ?? 5? 8B ?? 83 ?? ?? 5? 5? 8D ?? ?? 33 ?? 5? 8B ?? ?? 89 ?? ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_5 = { 5? FF 7? ?? 33 ?? 4? 5? 5? E8 ?? ?? ?? ?? 6A ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_6 = { 33 ?? 5? 5? E8 ?? ?? ?? ?? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_7 = { 83 ?? ?? 5? 8B ?? 83 ?? ?? 5? 5? 8D ?? ?? 33 ?? 5? 8B ?? ?? 89 ?? ?? 3D ?? ?? ?? ?? 0F 84 }
- $block_8 = { 8B ?? ?? 33 ?? 8B ?? ?? 5? 03 ?? 8B ?? 2B ?? 5? 33 ?? 3B ?? 0F 47 ?? 8B ?? ?? 85 ?? 74 }
- $block_9 = { 5? 8B ?? 83 ?? ?? 5? 5? 8D ?? ?? 33 ?? 5? 8B ?? ?? 89 ?? ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_10 = { 5? FF 1? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 9? 9? 9? 9? FF 7? ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_11 = { 5? 8B ?? 83 ?? ?? 5? 5? 8D ?? ?? 33 ?? 5? 8B ?? ?? 89 ?? ?? 3D ?? ?? ?? ?? 0F 84 }
- $block_12 = { 33 ?? 0F 94 ?? 89 ?? ?? 9? 9? 9? 9? 33 ?? E8 ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_13 = { 33 ?? 5? 5? E8 ?? ?? ?? ?? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 84 }
- $block_14 = { FF 1? ?? ?? ?? ?? 8B ?? 5? E8 ?? ?? ?? ?? 5? 6A ?? 8B ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_15 = { E8 ?? ?? ?? ?? FF 7? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_16 = { 5? 8B ?? 83 ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 0F 84 }
- $block_17 = { 5? FF 1? ?? ?? ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 5? 3D ?? ?? ?? ?? 0F 84 }
- $block_18 = { 5? FF 7? ?? FF 7? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_19 = { 8D ?? ?? 5? 5? 6A ?? FF 7? ?? 5? FF 3? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_20 = { 2B ?? ?? 03 ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 5? 5? 85 ?? 0F 85 }
- $block_21 = { 89 ?? ?? 33 ?? FF 3? 4? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 82 }
- $block_22 = { FF 7? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_23 = { 5? 8D ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_24 = { FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_25 = { E8 ?? ?? ?? ?? 83 ?? ?? 5? 8B ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_26 = { FF 7? ?? E8 ?? ?? ?? ?? 8B ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_27 = { 33 ?? 21 ?? ?? 66 ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_28 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_29 = { FF 3? E8 ?? ?? ?? ?? 8B ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_30 = { 5? E8 ?? ?? ?? ?? 8B ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_31 = { 33 ?? 5? 5? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 84 }
- $block_32 = { 6A ?? 5? E8 ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_33 = { 8D ?? ?? 5? 5? FF 7? ?? 5? 3D ?? ?? ?? ?? 0F 84 }
- $block_34 = { 8D ?? ?? 5? 5? 6A ?? 5? 81 F? ?? ?? ?? ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47" or
- hash.sha256(0, filesize) == "ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77" or
- hash.sha256(0, filesize) == "37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4" or
- hash.sha256(0, filesize) == "3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571" or
- 12 of them
-}
-
-rule IndustroyerPayloadIEC104 {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? 33 ?? 89 ?? 66 ?? ?? ?? 0F B6 ?? ?? 88 ?? 0F B6 ?? ?? 88 ?? ?? 0F B6 ?? ?? 83 ?? ?? 74 }
- $block_1 = { B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 8B ?? C1 ?? ?? 03 ?? 8D ?? ?? 8B ?? C1 ?? ?? 2B ?? 0F 84 }
- $block_2 = { 8B ?? ?? ?? ?? ?? 5? 6A ?? FF 3? ?? 5? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 80 7? ?? ?? 0F 84 }
- $block_3 = { 5? 8B ?? 5? 8B ?? ?? 8B ?? 0F B6 ?? 88 ?? ?? 0F B6 ?? ?? 88 ?? ?? 8A ?? ?? A8 ?? 74 }
- $block_4 = { C6 ?? ?? ?? 0F B6 ?? ?? 0F BE ?? ?? D0 ?? 0F BE ?? C1 ?? ?? 03 ?? 89 ?? ?? 0F B6 }
- $block_5 = { 8B ?? ?? ?? ?? ?? 33 ?? 2B ?? ?? ?? ?? ?? C1 ?? ?? 89 ?? ?? ?? 85 ?? 0F 84 }
- $block_6 = { 8B ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 3B ?? ?? ?? 0F 86 }
- $block_7 = { 0F B6 ?? ?? 83 ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 }
- $block_8 = { 6A ?? FF 1? ?? ?? ?? ?? 89 ?? ?? BA ?? ?? ?? ?? 8B ?? 0F 1F }
- $block_9 = { FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 80 7? ?? ?? 0F 85 }
-
- condition:
- hash.sha256(0, filesize) == "7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad" or
- 10 of them
-}
-
-rule Telebots {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8B ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? ?? 03 ?? 5? 8B ?? ?? ?? ?? ?? 03 ?? 0F 84 }
- $block_1 = { 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 0F B7 ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 33 ?? 83 ?? ?? 0F 94 ?? 4? }
- $block_2 = { 0F B7 ?? ?? 5? 0F AF ?? ?? FF 7? ?? 03 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B }
- $block_3 = { 5? 5? 5? 6A ?? 5? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 }
- $block_4 = { 8B ?? ?? 6A ?? 5? 8B ?? F3 ?? 8B ?? ?? 8D ?? ?? A5 66 ?? A4 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 }
- $block_5 = { 80 3? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? C6 ?? ?? ?? 8D ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? 0F B7 ?? 74 }
- $block_6 = { 5? 5? 5? FF 7? ?? FF 7? ?? 5? FF 7? ?? FF 7? ?? FF 7? ?? 6A ?? 5? E8 ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_7 = { 8B ?? ?? 6A ?? 5? 8B ?? F3 ?? 8B ?? ?? 8D ?? ?? 66 ?? A4 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 }
- $block_8 = { 8B ?? ?? 05 ?? ?? ?? ?? 0F B7 ?? 89 ?? ?? 0F B7 ?? 5? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 75 }
- $block_9 = { 8B ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 0F B7 ?? B9 ?? ?? ?? ?? 66 ?? ?? 77 }
- $block_10 = { 5? 8B ?? 83 ?? ?? 5? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 33 ?? A3 ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_11 = { 8B ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 0F B7 ?? B9 ?? ?? ?? ?? 66 ?? ?? 76 }
- $block_12 = { 0F B7 ?? 5? FF 7? ?? FF 7? ?? FF 7? ?? FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 8D ?? ?? 85 ?? 74 }
- $block_13 = { 6A ?? 5? 8B ?? F3 ?? 0F B7 ?? 5? FF 7? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? EB }
- $block_14 = { 0F B6 ?? ?? 99 8B ?? 03 ?? ?? ?? ?? ?? 13 ?? ?? ?? ?? ?? 89 ?? ?? 39 ?? ?? ?? ?? ?? 75 }
- $block_15 = { FF 7? ?? ?? 8D ?? ?? ?? FF 7? ?? ?? 5? 5? FF 7? ?? ?? 8B ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_16 = { 0F B7 ?? ?? 8B ?? ?? 01 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 75 }
- $block_17 = { 33 ?? 39 ?? ?? 6A ?? 0F 95 ?? 4? 5? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 3B ?? 74 }
- $block_18 = { 6A ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 33 ?? 39 ?? ?? 0F 84 }
- $block_19 = { 5? 8B ?? 83 ?? ?? 5? 68 ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_20 = { 8D ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_21 = { 33 ?? 4? 66 ?? ?? ?? 6A ?? C6 ?? ?? 5? 66 ?? ?? ?? 8B ?? 8D ?? ?? A5 A5 A5 8B }
- $block_22 = { 8D ?? ?? 5? 8B ?? ?? 6A ?? FF 7? ?? 03 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_23 = { 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 3B ?? 0F 8C }
- $block_24 = { 5? FF 7? ?? FF 7? ?? 5? FF 1? ?? ?? ?? ?? 33 ?? 85 ?? 0F 9F ?? 8D ?? ?? EB }
- $block_25 = { 0F B7 ?? ?? 83 ?? ?? ?? 5? 5? 0F B7 ?? ?? 8D ?? ?? ?? 89 ?? ?? 85 ?? 7E }
- $block_26 = { 8D ?? ?? ?? 5? 5? C7 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_27 = { 0F B7 ?? ?? 01 ?? ?? 81 4? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 66 ?? ?? ?? 76 }
- $block_28 = { 8B ?? ?? 83 ?? ?? 0F B7 ?? 5? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_29 = { 8D ?? ?? 5? 8B ?? ?? 8B ?? ?? FF 3? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_30 = { 33 ?? 4? 6A ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_31 = { 5? 5? FF 1? ?? ?? ?? ?? 5? FF 7? ?? 33 ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_32 = { 6A ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 85 ?? 0F 88 }
- $block_33 = { 0F B7 ?? ?? 21 ?? ?? 21 ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 }
- $block_34 = { 5? 8B ?? 5? 5? 5? 6A ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_35 = { 68 ?? ?? ?? ?? 6A ?? 6A ?? 5? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_36 = { FF 7? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? 3B ?? 0F 84 }
- $block_37 = { FF 7? ?? 8B ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_38 = { 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 0F 85 }
- $block_39 = { 8B ?? ?? 83 ?? ?? 0F B7 ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 75 }
- $block_40 = { 80 3? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 74 }
- $block_41 = { 5? FF 7? ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_42 = { 8B ?? ?? 6A ?? 6A ?? 89 ?? FF D? 5? FF D? 89 ?? ?? 85 ?? 0F 84 }
- $block_43 = { 5? 68 ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_44 = { 8D ?? ?? 66 ?? ?? 0F B7 ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 74 }
- $block_45 = { 0F B7 ?? 0F B7 ?? 5? FF 7? ?? 2B ?? 03 ?? 5? E8 ?? ?? ?? ?? 83 }
- $block_46 = { 5? 5? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_47 = { 0F B7 ?? ?? 83 ?? ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 85 ?? 75 }
- $block_48 = { 83 ?? ?? ?? 0F B7 ?? 8B ?? ?? 5? 5? E8 ?? ?? ?? ?? 85 ?? 75 }
- $block_49 = { 6A ?? 5? 8B ?? F3 ?? 8B ?? 8D ?? ?? A5 A5 A5 A5 A4 8B ?? EB }
- $block_50 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_51 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 33 ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_52 = { 8D ?? ?? 66 ?? ?? 0F B7 ?? 5? E8 ?? ?? ?? ?? 85 ?? 74 }
- $block_53 = { 5? 5? BE ?? ?? ?? ?? 8B ?? A5 A5 66 ?? 6A ?? A4 5? }
- $block_54 = { 8D ?? ?? 0F B7 ?? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 75 }
- $block_55 = { 0F B7 ?? 5? FF 7? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 }
- $block_56 = { FF 7? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 85 ?? 0F 84 }
- $block_57 = { 5? 5? 6A ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_58 = { 8B ?? 8B ?? A5 A5 A5 83 ?? ?? 83 ?? ?? 4? A5 75 }
- $block_59 = { 99 03 ?? ?? ?? ?? ?? 13 ?? 89 ?? ?? 89 ?? ?? EB }
- $block_60 = { 0F B7 ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_61 = { FF 7? ?? FF 1? ?? ?? ?? ?? 5? 5? 8B ?? 5? C9 C2 }
- $block_62 = { 6A ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_63 = { 0F B7 ?? ?? 8D ?? ?? ?? 8D ?? ?? ?? 3B ?? 0F 83 }
-
- condition:
- hash.sha256(0, filesize) == "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745" or
- 12 of them
-}
-
-rule PotaoUSBSpreader {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 6A ?? 8B ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF D? 89 ?? ?? 6A ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 33 ?? 8B ?? ?? 64 ?? ?? ?? ?? ?? ?? 5? 5? 5? 8B ?? 5? C3 }
- $block_1 = { 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? 6A ?? 5? 88 ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 6A ?? 5? 8D ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? }
- $block_2 = { 81 E? ?? ?? ?? ?? 5? 5? 8B ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? 5? 8B ?? ?? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? FF D? A1 ?? ?? ?? ?? 8D ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? FF D? 8B ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? 5? 8B ?? ?? ?? 6A ?? 8B ?? 6A ?? 8D ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? C7 ?? ?? ?? ?? ?? ?? ?? FF D? 8B ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? 5? 8B ?? ?? ?? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? FF D? 8B ?? ?? ?? 8B ?? ?? 5? FF D? 85 ?? 0F 84 }
- $block_3 = { 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 5? 6A ?? 83 ?? ?? 8D ?? ?? ?? 5? 5? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? FF D? 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 5? 6A ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? FF D? 8B ?? ?? 8D ?? ?? ?? 5? 5? 89 ?? ?? ?? ?? ?? ?? FF D? 85 ?? 0F 84 }
- $block_4 = { 8B ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? FF D? 8B ?? ?? 8D ?? ?? ?? 5? 6A ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF D? 8B ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF D? 8B ?? 89 ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_5 = { 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 5? 5? 89 ?? ?? ?? 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? FF 5? ?? ?? 8B ?? 3B ?? 0F 84 }
- $block_6 = { 83 ?? ?? 5? 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF D? 83 ?? ?? 0F 84 }
- $block_7 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 5? 5? FF D? 8B ?? ?? 6A ?? FF D? 8B ?? 8B ?? ?? ?? ?? ?? 5? 5? FF D? 85 ?? 0F 84 }
- $block_8 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_9 = { 8B ?? ?? ?? 8B ?? ?? 8B ?? D3 ?? F6 ?? ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "7492e84a30e890ebe3ca5140ad547965cc8c43f0a02f66be153b038a73ee5314" or
- hash.sha256(0, filesize) == "4688afcc161603bfa1c997b6d71b9618be96f9ff980e5486c451b1cc2c5076cb" or
- hash.sha256(0, filesize) == "09c04206b57bb8582faffb37e4ebb6867a02492ffc08268bcbc717708d1a8919" or
- hash.sha256(0, filesize) == "b8b02cc57e45bcf500b433806e6a4f8af7f0ac0c5fc9adfd11820eebf4eb5d79" or
- hash.sha256(0, filesize) == "e3892d2d9f87ea848477529458d025898b24a6802eb4df13e96b0314334635d0" or
- hash.sha256(0, filesize) == "95631685006ac92b7eb0755274e2a36a3c9058cf462dd46f9f4f66e8d67b9db2" or
- hash.sha256(0, filesize) == "34e6fb074284e58ca80961feda4fe651d6d658077914a528a4a6efa91ecc749d" or
- hash.sha256(0, filesize) == "461dd5a58ffcad9fffba9181e234f2e0149c8b8ba28c7ea53753c74fdfa0b0d5" or
- hash.sha256(0, filesize) == "1acae7c11fb559b81df5fc6d0df0fe502e87f674ca9f4aefc2d7d8f828ba7f5c" or
- hash.sha256(0, filesize) == "99a09ad92cc1a2564f3051057383cb6268893bc4a62903eabf3538c6bfb3aa9c" or
- hash.sha256(0, filesize) == "7d15bd854c1dfef847cdd3caabdf4ab81f2410ee5c7f91d377cc72eb81135ff4" or
- hash.sha256(0, filesize) == "12bb18fa9a12cb89dea3733b342940b80cd453886390079cb4c2ffcd664baeda" or
- hash.sha256(0, filesize) == "340b09d661a6ac45af53c348a5c1846ad6323d34311e66454e46c1d38d53af8b" or
- hash.sha256(0, filesize) == "3d78f52fa0c08d8bf3d42074bf76ee56aa233fb9a6bc76119998d085d94368ca" or
- hash.sha256(0, filesize) == "f1d7e36af4c30bf3d680c87bbc4430de282d00323bf8ae9e17b04862af286736" or
- hash.sha256(0, filesize) == "e57eb9f7fdf3f0e90b1755d947f1fe7bb65e67308f1f4a8c25bc2946512934b7" or
- hash.sha256(0, filesize) == "339a5199e6d0b5f781b08b2ca0ad0495e75e52b8e2fd69e1d970388fbca7a0d6" or
- hash.sha256(0, filesize) == "90b20b1687909c2f76f750ba3fd4b14731ce736c08c3a8608d28eae3f4cd68f3" or
- hash.sha256(0, filesize) == "61862a55dcf8212ce9dd4a8f0c92447a6c7093681c592eb937a247e38c8109d4" or
- hash.sha256(0, filesize) == "93accb71bf4e776955756c76990298decfebe4b1dd9fbf9d368e81dc1cb9532d" or
- 10 of them
-}
-
-rule PotaoDropper {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { B9 ?? ?? ?? ?? D1 ?? 8B ?? ?? 0F B6 ?? ?? 99 B1 ?? E8 ?? ?? ?? ?? 33 ?? ?? 33 ?? ?? 89 ?? ?? 89 }
- $block_1 = { 8B ?? ?? 0F BE ?? ?? 33 ?? 8B ?? ?? 88 ?? ?? ?? ?? ?? 8B ?? ?? 0F BE ?? ?? ?? ?? ?? 85 ?? 75 }
- $block_2 = { B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? 33 ?? ?? 89 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 }
- $block_3 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? 74 }
- $block_4 = { 8B ?? ?? 0F B6 ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 7C }
- $block_5 = { 8B ?? ?? 8D ?? ?? 0F B7 ?? ?? 8B ?? ?? 5? 8D ?? ?? 5? 8B ?? ?? 03 ?? 5? 8B ?? 5? C3 }
- $block_6 = { 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 03 ?? ?? 0F B6 ?? 33 ?? 8B ?? ?? 03 ?? ?? 88 ?? EB }
- $block_7 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 0F BE ?? 85 ?? 75 }
- $block_8 = { 5? 8B ?? 83 ?? ?? 5? 5? 5? 89 ?? ?? FC 33 ?? 64 ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B }
- $block_9 = { 83 ?? ?? ?? ?? ?? ?? 60 0F 31 33 ?? 4? D1 ?? 23 ?? 89 ?? ?? 61 8B ?? ?? EB }
- $block_10 = { 8B ?? ?? 83 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 87 }
- $block_11 = { 5? 8B ?? 83 ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 0F BE ?? ?? ?? ?? ?? 85 ?? 74 }
- $block_12 = { 8B ?? ?? 0F BE ?? ?? 8B ?? ?? 0F BE ?? ?? ?? ?? ?? 33 ?? 8B ?? ?? 88 }
- $block_13 = { 8B ?? ?? 0F BE ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 74 }
- $block_14 = { 8B ?? ?? 0F BE ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 75 }
- $block_15 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? 0F B7 ?? ?? 8D ?? ?? 8B ?? ?? 03 ?? EB }
- $block_16 = { B9 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? 33 ?? ?? 89 }
- $block_17 = { 8B ?? ?? 8D ?? ?? 0F B7 ?? ?? 8B ?? ?? 8D ?? ?? 8B ?? ?? 03 ?? EB }
- $block_18 = { 5? 8B ?? 5? 5? 5? 5? FC 33 ?? 64 ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B }
- $block_19 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 87 }
- $block_20 = { B9 ?? ?? ?? ?? D1 ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? 33 ?? ?? 89 }
- $block_21 = { C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 0F BF ?? 81 F? ?? ?? ?? ?? 75 }
- $block_22 = { B2 ?? B1 ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 88 ?? ?? ?? ?? ?? EB }
- $block_23 = { 0F B6 ?? ?? C6 ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B ?? 5? C3 }
- $block_24 = { 8B ?? ?? 89 ?? 33 ?? 85 ?? 0F 94 ?? 5? 5? 5? 8B ?? C9 C3 }
- $block_25 = { 8B ?? ?? 03 ?? ?? 0F BE ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 79 }
- $block_26 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_27 = { 83 ?? ?? ?? E8 ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 85 }
- $block_28 = { 89 ?? ?? 8B ?? ?? 5? 5? A3 ?? ?? ?? ?? 5? C9 C3 }
- $block_29 = { 8B ?? ?? 89 ?? 33 ?? 85 ?? 0F 94 ?? 8B ?? C9 C3 }
- $block_30 = { 83 ?? ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 0F 85 }
- $block_31 = { 8B ?? ?? 03 ?? ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? 75 }
- $block_32 = { 5? 8B ?? 5? 89 ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 }
-
- condition:
- hash.sha256(0, filesize) == "97afe4b12a9fed40ad20ab191ba0a577f5a46cbfb307e118a7ae69d04adc2e2d" or
- hash.sha256(0, filesize) == "904bb2efe661f654425e691b7748556e558a636d4f25c43af9d2d4dfbe83262e" or
- hash.sha256(0, filesize) == "2de76a3c07344ce322151dbb42febdff97ade8176466a3af07e5280bd859a186" or
- hash.sha256(0, filesize) == "793a8ce811f423dfde47a5f44ae50e19e7e41ad055e56c7345927eac951e966b" or
- hash.sha256(0, filesize) == "29dfc81b400a1400782623c618cb1d507f5d17bb13de44f123a333093648048f" or
- hash.sha256(0, filesize) == "b62589ee5ba94d15edcf8613e3d57255dd7a12fce6d2dbd660fd7281ce6234f4" or
- hash.sha256(0, filesize) == "4e88b8b121d768c611fe16ae1f008502b2191edc6f2ee84fef7b12b4d86fe000" or
- hash.sha256(0, filesize) == "d2c11706736fda2b178ac388206472fd8d050e0f13568c84b37683423acd155d" or
- hash.sha256(0, filesize) == "f1f61a0f9488be3925665f8063006f90fab1bf0bd0b6ff5f7799f8995ff8960e" or
- 12 of them
-}
-
-rule Potaov1Packed {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 5? 8D ?? ?? 5? FF 7? ?? FF 7? ?? FF 7? ?? FF 5? ?? 85 ?? 0F 84 }
- $block_1 = { 6A ?? 68 ?? ?? ?? ?? FF 3? ?? ?? ?? ?? FF 3? ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_2 = { 9? 9? 9? 9? 9? 9? 9? 9? 68 ?? ?? ?? ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_3 = { 9? 9? 9? 9? 9? 9? 9? 9? 68 ?? ?? ?? ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 }
- $block_4 = { 5? 8B ?? 5? 5? 8B ?? ?? 8B ?? 0F B7 ?? ?? 83 ?? ?? ?? 33 ?? 8D ?? ?? ?? 66 ?? ?? ?? 0F 83 }
- $block_5 = { FF 7? ?? 03 ?? FF 7? ?? FF 7? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_6 = { 5? 8D ?? ?? 5? 5? 5? 5? 5? 5? 8D ?? ?? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_7 = { 9? 9? 9? 9? 9? 9? 9? 9? 68 ?? ?? ?? ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_8 = { F3 ?? ?? ?? ?? 0F 57 ?? F3 ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? 0F 86 }
- $block_9 = { 8D ?? ?? E8 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 5? 0F B7 ?? ?? ?? ?? ?? 3B ?? 74 }
- $block_10 = { 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 64 ?? ?? ?? ?? ?? ?? 5? 5? 5? C9 C2 }
- $block_11 = { 6A ?? FF 1? ?? ?? ?? ?? 33 ?? 8B ?? ?? 64 ?? ?? ?? ?? ?? ?? 5? 5? 5? C9 C2 }
- $block_12 = { 83 ?? ?? ?? ?? ?? ?? 60 0F 31 33 ?? 4? D1 ?? 23 ?? 89 ?? ?? 61 8B ?? ?? EB }
- $block_13 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 5? 33 ?? 5? 5? 89 ?? ?? 39 ?? ?? ?? ?? ?? 0F 84 }
- $block_14 = { FF 7? ?? FF 7? ?? FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_15 = { D9 ?? ?? D9 ?? ?? DC ?? ?? ?? ?? ?? DF ?? F6 ?? ?? 0F 8A }
- $block_16 = { 2B ?? 4? 89 ?? ?? ?? 60 9? 9? 9? 9? 9? 9? 61 33 ?? 33 }
- $block_17 = { 2B ?? 4? 89 ?? ?? 60 9? 9? 9? 9? 9? 9? 61 33 ?? 33 }
- $block_18 = { 6A ?? FF 1? ?? ?? ?? ?? 0C ?? 9E AD 9? B5 ?? CB }
-
- condition:
- hash.sha256(0, filesize) == "20198aad15943b67fea8a0826d5b77f014de5691fd6b3bc3a7c0331ca4681ce1" or
- hash.sha256(0, filesize) == "ab8d308fd59a8db8a130fcfdb6db56c4f7717877c465be98f71284bdfccdfa25" or
- hash.sha256(0, filesize) == "54a76f5cd5a32ed7d5fa78e5d8311bafc0de57a475bc2fddc23ee4b3510b9d44" or
- hash.sha256(0, filesize) == "945c594aee1b5bd0f3a72abe8f5a3df74fc6ca686887db5e40fe859e3fc90bb1" or
- hash.sha256(0, filesize) == "8a508924e46c9afadb6d8e863942bd33ce278b1cc1033dd3a8e2a77b8d3648a3" or
- hash.sha256(0, filesize) == "2ff0941fe3514abc12484ad2853d22fd7cb36469a313b5ecb6ef0c6391cf78ab" or
- hash.sha256(0, filesize) == "ac73eb13779656a5692082c11733731ec4e177ca46f36abdffb28efa39c0940b" or
- 12 of them
-}
-
-rule PotaoDropperFakeExcel {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 0F B6 ?? 33 ?? 69 ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 33 ?? 69 ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 5? 33 ?? 5? 5? C2 }
- $block_1 = { 33 ?? 4? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 03 ?? ?? 0F B6 ?? 33 ?? 8B ?? ?? 03 ?? ?? 88 ?? EB }
- $block_2 = { 8B ?? ?? 8D ?? ?? 0F B7 ?? ?? 8B ?? ?? 8D ?? ?? 8B ?? ?? 5? 03 ?? 5? 5? 8B ?? 5? C2 }
- $block_3 = { 8B ?? ?? 8D ?? ?? 0F B7 ?? ?? 8B ?? ?? 5? 8D ?? ?? 5? 8B ?? ?? 03 ?? 5? 8B ?? 5? C3 }
- $block_4 = { 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 03 ?? ?? 0F B6 ?? 33 ?? 8B ?? ?? 03 ?? ?? 88 ?? EB }
- $block_5 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_6 = { 8B ?? ?? 33 ?? 85 ?? 0F 94 ?? 5? 89 ?? 5? 5? 8B ?? 8B ?? 5? C3 }
- $block_7 = { C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_8 = { 8B ?? ?? 5? 33 ?? 89 ?? 85 ?? 5? 0F 94 ?? 5? C9 C2 }
- $block_9 = { 1B ?? 83 ?? ?? 85 ?? 5? 0F 94 ?? 5? 8B ?? 5? C3 }
-
- condition:
- hash.sha256(0, filesize) == "aa23a93d2fed81daacb93ea7ad633426e04fcd063ff2ea6c0af5649c6cfa0385" or
- hash.sha256(0, filesize) == "048621ecf8f25133b2b09d512bb0fe15fc274ec7cb2ccc966aeb44d7a88beb5b" or
- hash.sha256(0, filesize) == "8bc189dee0a71b3a8a1767e95cc726e13808ed7d2e9546a9d6b6843cea5eb3bd" or
- hash.sha256(0, filesize) == "c66955f667e9045ea5591ebf9b59246ad86227f174ea817d1398815a292b8c88" or
- hash.sha256(0, filesize) == "d6f126ab387f1d856672c730991573385c5746c7c84738ab97b13c897063ff4a" or
- 10 of them
-}
-
-rule PotaoDropperw {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? 03 ?? ?? ?? ?? ?? 0F B6 ?? 8B ?? ?? 0F B6 ?? 33 ?? 8B ?? ?? 03 ?? ?? ?? ?? ?? 88 ?? EB }
- $block_1 = { 5? 5? 8D ?? ?? 5? 5? 6A ?? 5? E8 ?? ?? ?? ?? 5? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_2 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 83 ?? ?? 74 }
- $block_3 = { 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 03 ?? ?? 0F B6 ?? 33 ?? 8B ?? ?? 03 ?? ?? 88 ?? EB }
- $block_4 = { 5? 8B ?? 83 ?? ?? 0F B6 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 }
- $block_5 = { 5? 68 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 3B ?? 0F 84 }
- $block_6 = { A1 ?? ?? ?? ?? 0F B6 ?? ?? 0F B6 ?? 33 ?? 88 ?? ?? FF 0? ?? ?? ?? ?? EB }
- $block_7 = { FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 64 ?? ?? ?? ?? ?? ?? 5? 5? 5? C9 C3 }
- $block_8 = { 8B ?? 8D ?? ?? A5 A5 66 ?? 8D ?? ?? 89 ?? ?? 83 ?? ?? ?? EB }
- $block_9 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 9B 89 ?? ?? 83 ?? ?? ?? 75 }
- $block_10 = { FF 7? ?? FF 1? ?? ?? ?? ?? 9B 89 ?? ?? 83 ?? ?? ?? 75 }
- $block_11 = { 8B ?? ?? 4? 5? E8 ?? ?? ?? ?? 8B ?? 5? 3B ?? 0F 84 }
- $block_12 = { 0F B6 ?? ?? ?? ?? ?? 83 ?? ?? 88 ?? ?? ?? ?? ?? EB }
- $block_13 = { 8B ?? ?? 89 ?? 33 ?? 85 ?? 0F 94 ?? 8B ?? C9 C2 }
-
- condition:
- hash.sha256(0, filesize) == "61dd8b60ac35e91771d9ed4f337cd63e0aa6d0a0c5a17bb28cac59b3c21c24a9" or
- hash.sha256(0, filesize) == "4328b06093a4ad01f828dc837053cb058fe00f3a7fd5cfb9d1ff7feb7ebb8e32" or
- hash.sha256(0, filesize) == "cf3b0d8e9a7d0ad32351ade0c52de583b5ca2f72e5af4adbf638c81f4ad8fbcb" or
- hash.sha256(0, filesize) == "dbc1b98b1df1d9c2dc8a5635682ed44a91df6359264ed63370724afa9f19c7ee" or
- hash.sha256(0, filesize) == "15760f0979f2ba1b4d991f19e8b59fc1e61632fcc88755a4d147c0f5d47965c5" or
- hash.sha256(0, filesize) == "b9c285f485421177e616a148410ddc5b02e43f0af375d3141b7e829f7d487bfd" or
- 12 of them
-}
-
-rule PotaoDebugDropper {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? 0F BE ?? ?? 33 ?? 8B ?? ?? 88 ?? ?? ?? ?? ?? 8B ?? ?? 0F BE ?? ?? ?? ?? ?? 85 ?? 75 }
- $block_1 = { B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? 33 ?? ?? 89 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 }
- $block_2 = { 8B ?? ?? 0F B6 ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 7C }
- $block_3 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 0F BE ?? 85 ?? 75 }
- $block_4 = { 5? 8B ?? 83 ?? ?? 5? 5? 5? 89 ?? ?? FC 33 ?? 64 ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B }
- $block_5 = { 8B ?? ?? 83 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 87 }
- $block_6 = { 5? 8B ?? 83 ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 0F BE ?? ?? ?? ?? ?? 85 ?? 74 }
- $block_7 = { 6A ?? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? ?? 88 ?? ?? ?? ?? ?? EB }
- $block_8 = { 8B ?? ?? 0F BE ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 74 }
- $block_9 = { 8B ?? ?? 0F BE ?? ?? 8B ?? ?? 0F BE ?? ?? ?? ?? ?? 33 ?? 8B ?? ?? 88 }
- $block_10 = { 8B ?? ?? 0F BE ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 75 }
- $block_11 = { B9 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? 33 ?? ?? 89 }
- $block_12 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 87 }
- $block_13 = { B9 ?? ?? ?? ?? D1 ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? 33 ?? ?? 89 }
- $block_14 = { 0F B6 ?? ?? C6 ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B ?? 5? C3 }
- $block_15 = { C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 0F BF ?? 81 F? ?? ?? ?? ?? 75 }
- $block_16 = { 8B ?? ?? 03 ?? ?? 0F BE ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 79 }
- $block_17 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_18 = { 5? 8B ?? 5? 89 ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 }
-
- condition:
- hash.sha256(0, filesize) == "f845778c3f2e3272145621776a90f662ee9344e3ae550c76f65fd954e7277d19" or
- hash.sha256(0, filesize) == "c821cb34c86ec259af37c389a8f6cd635d98753576c675882c9896025a1abc53" or
- hash.sha256(0, filesize) == "910f55e1c4e75696405e158e40b55238d767730c60119539b644ef3e6bc32a5d" or
- 12 of them
-}
-
-rule WildNeutronJripbot {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 68 ?? ?? ?? ?? 6A ?? 5? 5? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 83 ?? ?? 0F 84 }
- $block_1 = { 8B ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? 8D ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_2 = { 0F B6 ?? ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 4? 83 ?? ?? 83 ?? ?? 72 }
- $block_3 = { 8B ?? ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_4 = { 5? 5? 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 8B ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 0F 84 }
- $block_5 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 85 }
- $block_6 = { 8B ?? ?? ?? 0F B6 ?? ?? ?? 5? 5? 8D ?? ?? ?? E8 ?? ?? ?? ?? FF 4? ?? ?? 83 ?? ?? ?? ?? 5? 5? 72 }
- $block_7 = { 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 }
- $block_8 = { 8D ?? ?? ?? 5? BB ?? ?? ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 8B ?? ?? ?? ?? ?? 0F 84 }
- $block_9 = { 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? FF D? 0F B7 ?? ?? ?? 6A ?? 6A ?? 8D ?? ?? ?? 89 ?? ?? ?? 5? E9 }
- $block_10 = { 8B ?? ?? ?? ?? ?? 8B ?? 5? 8D ?? ?? ?? ?? ?? 5? 6A ?? FF B? ?? ?? ?? ?? FF 5? ?? 85 ?? 0F 85 }
- $block_11 = { 5? 68 ?? ?? ?? ?? 6A ?? 5? 5? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_12 = { 33 ?? 5? 5? 8D ?? ?? ?? ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? 5? FF 3? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_13 = { 5? 8D ?? ?? ?? ?? ?? 5? 5? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 33 ?? 8B ?? 39 ?? ?? ?? ?? ?? 0F 8E }
- $block_14 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? 8B ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? 5? 66 ?? ?? 0F 84 }
- $block_15 = { 8A ?? ?? 0F B6 ?? 8B ?? ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_16 = { 8B ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_17 = { 0F B7 ?? 8B ?? ?? 33 ?? 8D ?? ?? ?? F7 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 85 ?? 0F 84 }
- $block_18 = { 8D ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? 66 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_19 = { 8D ?? ?? 5? 6A ?? FF D? 5? FF 1? ?? ?? ?? ?? 0F BF ?? ?? ?? ?? ?? 0F BF ?? ?? 4? 3B ?? 75 }
- $block_20 = { 83 ?? ?? 5? 8D ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 8D ?? ?? AB AA 8B ?? ?? 5? 8D }
- $block_21 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? 6A ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_22 = { 0F BF ?? ?? ?? ?? ?? 2B ?? D1 ?? 03 ?? 0F B7 ?? 9? 99 F7 ?? 4? 89 ?? ?? ?? ?? ?? 3B ?? 75 }
- $block_23 = { 33 ?? 66 ?? ?? 0F B7 ?? ?? 83 ?? ?? F7 ?? 1B ?? 23 ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_24 = { 0F B7 ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 6A ?? 5? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 }
- $block_25 = { 8A ?? ?? 0F B6 ?? 8B ?? ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 }
- $block_26 = { 5? 8B ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 8B ?? ?? 85 ?? 0F 84 }
- $block_27 = { 8D ?? ?? ?? 5? 5? 8B ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 39 ?? ?? ?? 0F 8E }
- $block_28 = { FF B? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? FF 8? ?? ?? ?? ?? 81 B? ?? ?? ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_29 = { 5? 8B ?? E8 ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 0F B6 ?? ?? 83 ?? ?? 83 ?? ?? 83 ?? ?? 77 }
- $block_30 = { 0F B7 ?? ?? 33 ?? 66 ?? ?? ?? 5? 0F 94 ?? 83 ?? ?? 33 ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 75 }
- $block_31 = { 8B ?? ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 33 ?? 39 ?? ?? 5? 0F 94 ?? 8D ?? ?? 5? 89 ?? ?? 8D }
- $block_32 = { 8B ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 0F B7 ?? 83 ?? ?? 5? 68 ?? ?? ?? ?? EB }
- $block_33 = { 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? BE ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_34 = { 0F B7 ?? 5? E8 ?? ?? ?? ?? 0F B7 ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 }
- $block_35 = { 5? E8 ?? ?? ?? ?? 0F B7 ?? ?? 83 ?? ?? 5? 66 ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 }
- $block_36 = { 0F B7 ?? 33 ?? 83 ?? ?? 0F 94 ?? 83 ?? ?? 66 ?? ?? 0F B7 ?? 83 ?? ?? 33 ?? 66 ?? ?? 75 }
- $block_37 = { 8B ?? 5? 5? 5? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_38 = { 8B ?? ?? 03 ?? 8B ?? ?? 03 ?? 03 ?? D1 ?? 89 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_39 = { 8D ?? ?? ?? 5? 6A ?? BA ?? ?? ?? ?? 8B ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 }
- $block_40 = { BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 }
- $block_41 = { 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? 3B ?? 0F 84 }
- $block_42 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_43 = { 8B ?? 6B ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 89 ?? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_44 = { 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_45 = { 8B ?? ?? 2B ?? ?? D1 ?? 03 ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_46 = { 0F B6 ?? ?? 5? 8D ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8D ?? ?? ?? 83 ?? ?? 8D }
- $block_47 = { BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_48 = { 0F B7 ?? ?? ?? 0F B7 ?? ?? ?? 5? 5? 5? 5? 0F B7 ?? ?? ?? 5? 6A ?? 68 ?? ?? ?? ?? EB }
- $block_49 = { 8B ?? 5? E8 ?? ?? ?? ?? 03 ?? ?? 83 ?? ?? 8B ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_50 = { 8B ?? ?? ?? ?? ?? 83 ?? ?? 66 ?? ?? ?? 0F B7 ?? ?? 66 ?? ?? ?? 8D ?? ?? ?? ?? ?? 8D }
- $block_51 = { 8B ?? ?? ?? ?? ?? 5? B8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_52 = { 8B ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? 8D ?? ?? 5? 5? FF D? 85 ?? 0F 84 }
- $block_53 = { 0F B7 ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 0F B7 ?? 83 ?? ?? 83 ?? ?? 83 ?? ?? 0F 87 }
- $block_54 = { 0F BF ?? 33 ?? 8B ?? F7 ?? 4? 89 ?? ?? ?? ?? ?? 0F B7 ?? 8B ?? 0F AF ?? 3B ?? 72 }
- $block_55 = { 8B ?? 2B ?? D1 ?? 8D ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_56 = { 8B ?? ?? ?? ?? ?? 33 ?? 33 ?? 81 E? ?? ?? ?? ?? 1B ?? 89 ?? ?? ?? ?? ?? 0F 88 }
- $block_57 = { 2B ?? 8D ?? ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_58 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 0F B6 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 75 }
- $block_59 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? FF D? 85 ?? 0F 84 }
- $block_60 = { 8B ?? ?? ?? 2B ?? D1 ?? 8D ?? ?? B9 ?? ?? ?? ?? 66 ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_61 = { FF B? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_62 = { 8B ?? ?? 5? 8B ?? ?? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_63 = { 83 ?? ?? 89 ?? ?? ?? ?? ?? 0F B7 ?? 33 ?? 89 ?? ?? ?? ?? ?? 66 ?? ?? 0F 84 }
- $block_64 = { 0F B7 ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? 5? 6A ?? 5? 5? 5? 0F B7 }
- $block_65 = { 68 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_66 = { 0F B7 ?? 33 ?? 83 ?? ?? 0F 94 ?? 66 ?? ?? ?? 83 ?? ?? 33 ?? 66 ?? ?? ?? 75 }
- $block_67 = { 8B ?? ?? ?? 0F B7 ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 75 }
- $block_68 = { 5? 8B ?? 5? 5? 83 ?? ?? ?? A1 ?? ?? ?? ?? 5? 8B ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_69 = { 0F B7 ?? ?? 83 ?? ?? 8D ?? ?? ?? 5? 5? FF 5? ?? ?? 8B ?? 83 ?? ?? 85 ?? 75 }
- $block_70 = { 6A ?? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 83 ?? ?? 0F 8C }
- $block_71 = { FF B? ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_72 = { 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_73 = { 8B ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_74 = { 8D ?? ?? ?? ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_75 = { 8B ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? 33 ?? 8D ?? ?? ?? AB AB AB 66 ?? AA BB }
- $block_76 = { 0F B7 ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 0F B7 ?? 83 ?? ?? 83 ?? ?? 0F 84 }
- $block_77 = { 8D ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 5? 5? FF D? 85 ?? 0F 85 }
- $block_78 = { 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 0F B7 ?? 83 ?? ?? 83 ?? ?? 83 ?? ?? 0F 87 }
- $block_79 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 23 ?? 23 ?? ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_80 = { 8D ?? ?? 66 ?? ?? ?? 0F BF ?? 4? 66 ?? ?? 89 ?? ?? 3B ?? ?? ?? ?? ?? 75 }
- $block_81 = { 33 ?? 85 ?? 0F 94 ?? 5? 5? 5? 8B ?? ?? 33 ?? E8 ?? ?? ?? ?? 8B ?? 5? C3 }
- $block_82 = { 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_83 = { 8B ?? ?? 2B ?? D1 ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_84 = { 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 39 ?? ?? 0F 86 }
- $block_85 = { 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF D? 84 ?? 0F 84 }
- $block_86 = { 6A ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_87 = { 0F B7 ?? 33 ?? 66 ?? ?? 66 ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 74 }
- $block_88 = { BB ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_89 = { 8B ?? 2B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? D1 ?? 89 ?? ?? 85 ?? 0F 8E }
- $block_90 = { 0F B7 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? 66 ?? ?? 75 }
- $block_91 = { 0F BF ?? ?? 0F BF ?? ?? ?? ?? ?? 03 ?? B8 ?? ?? ?? ?? 2B ?? 3B ?? 75 }
- $block_92 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_93 = { 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_94 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? F6 ?? ?? 0F 85 }
- $block_95 = { C7 ?? ?? ?? ?? ?? 0F B7 ?? 5? 5? C7 ?? ?? ?? ?? ?? ?? 66 ?? ?? 0F 84 }
- $block_96 = { 8D ?? ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_97 = { 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 89 ?? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_98 = { BE ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_99 = { 5? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? ?? ?? ?? 85 ?? 0F 85 }
-
- condition:
- hash.sha256(0, filesize) == "683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9" or
- hash.sha256(0, filesize) == "ccc851cbd600592f1ed2c2969a30b87f0bf29046cdfa1590d8f09cfe454608a5" or
- hash.sha256(0, filesize) == "b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45" or
- hash.sha256(0, filesize) == "8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a" or
- hash.sha256(0, filesize) == "758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92" or
- hash.sha256(0, filesize) == "781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e" or
- 12 of them
-}
-
-rule WildNeutronTunnel {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF D? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_1 = { 8D ?? ?? C7 ?? ?? ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_2 = { 89 ?? ?? E8 ?? ?? ?? ?? C6 ?? ?? 89 ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 88 }
- $block_3 = { 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 85 ?? 0F 84 }
- $block_4 = { 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? 31 ?? 8B ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_5 = { 8B ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_6 = { 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 95 ?? ?? ?? 39 ?? 0F 86 }
- $block_7 = { 8D ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F 85 }
- $block_8 = { A1 ?? ?? ?? ?? 8B ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 44 ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 74 }
- $block_9 = { E8 ?? ?? ?? ?? F6 ?? 0F BE ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 3B ?? 75 }
- $block_10 = { 5? 8B ?? 5? 5? 68 ?? ?? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_11 = { C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_12 = { C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_13 = { A1 ?? ?? ?? ?? 8B ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 44 ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 74 }
- $block_14 = { 8B ?? ?? B9 ?? ?? ?? ?? BF ?? ?? ?? ?? F3 ?? C7 ?? ?? ?? ?? ?? ?? 0F 97 ?? 0F 92 ?? 38 ?? 74 }
- $block_15 = { 0F B7 ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 31 ?? 8B ?? ?? 33 ?? ?? ?? ?? ?? 75 }
- $block_16 = { 8B ?? ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? ?? 31 ?? 0F A4 ?? ?? C1 ?? ?? 01 ?? 11 ?? 39 ?? 0F 83 }
- $block_17 = { 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8D ?? ?? 8B ?? ?? C6 ?? ?? ?? 4? 83 ?? ?? 0F 87 }
- $block_18 = { E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 89 }
- $block_19 = { E8 ?? ?? ?? ?? 9? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? 31 ?? 85 ?? 0F 84 }
- $block_20 = { 8B ?? ?? ?? B8 ?? ?? ?? ?? 8B ?? ?? 80 3? ?? 0F 45 ?? 83 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 0F 84 }
- $block_21 = { 8D ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_22 = { 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 85 }
- $block_23 = { 5? 83 ?? ?? 8B ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? 31 ?? 8B ?? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_24 = { B8 ?? ?? ?? ?? 85 ?? BA ?? ?? ?? ?? 0F 44 ?? 89 ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 }
- $block_25 = { 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_26 = { 83 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 84 ?? 89 ?? 74 }
- $block_27 = { 8B ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 0F 84 }
- $block_28 = { B8 ?? ?? ?? ?? 85 ?? BA ?? ?? ?? ?? 0F 45 ?? 89 ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 }
- $block_29 = { 8B ?? ?? ?? BF ?? ?? ?? ?? B9 ?? ?? ?? ?? B8 ?? ?? ?? ?? F3 ?? 0F 44 ?? ?? ?? 89 ?? ?? ?? E9 }
- $block_30 = { 5? 5? 5? 5? 89 ?? 81 E? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 31 ?? 85 ?? 0F 84 }
- $block_31 = { 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 88 }
- $block_32 = { 83 ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? 0F 44 ?? 83 ?? ?? 19 ?? 83 ?? ?? 83 ?? ?? 19 ?? 83 }
- $block_33 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 33 ?? 81 B? ?? ?? ?? ?? ?? ?? ?? ?? 0F 95 ?? 85 ?? 74 }
- $block_34 = { E8 ?? ?? ?? ?? F6 ?? 0F BE ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 75 }
- $block_35 = { 0F B6 ?? ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 4? 83 ?? ?? 83 ?? ?? 83 ?? ?? 72 }
- $block_36 = { 8B ?? ?? 8B ?? ?? ?? 03 ?? ?? ?? 66 ?? ?? ?? 8B ?? ?? 0F B7 ?? 8D ?? ?? 8B ?? ?? 03 ?? EB }
- $block_37 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 31 ?? 85 ?? 89 ?? ?? 0F 84 }
- $block_38 = { C1 ?? ?? 03 ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 89 ?? ?? ?? 0F 88 }
- $block_39 = { 8B ?? ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_40 = { 8B ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_41 = { 89 ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 83 ?? ?? 83 ?? ?? 8D ?? ?? ?? 31 ?? 39 ?? 0F 82 }
- $block_42 = { 8B ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 88 }
- $block_43 = { C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? 88 ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? ?? 80 F? ?? 0F 84 }
- $block_44 = { 8B ?? ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_45 = { 31 ?? 83 ?? ?? 0F 94 ?? 89 ?? 89 ?? ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? 0F 84 }
- $block_46 = { 8B ?? ?? B8 ?? ?? ?? ?? 89 ?? C1 ?? ?? D3 ?? 09 ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? ?? ?? 0F 85 }
- $block_47 = { 8B ?? ?? 83 ?? ?? 66 ?? ?? ?? ?? ?? 0F 94 ?? 83 ?? ?? ?? ?? 0F 94 ?? 20 ?? 88 ?? ?? ?? 74 }
- $block_48 = { 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_49 = { 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? 8B ?? ?? ?? 33 ?? ?? ?? ?? ?? 0F 85 }
- $block_50 = { 8B ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 88 }
- $block_51 = { 8B ?? ?? ?? 89 ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_52 = { 8D ?? ?? 8D ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_53 = { 8B ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 85 ?? 89 ?? 0F 84 }
- $block_54 = { 0F B6 ?? ?? 83 ?? ?? 32 ?? ?? 0F B6 ?? 0F B6 ?? ?? ?? ?? ?? 88 ?? ?? 83 ?? ?? 83 ?? ?? 75 }
- $block_55 = { 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 0F 8C }
- $block_56 = { C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_57 = { 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 89 ?? E8 ?? ?? ?? ?? 31 ?? 85 ?? 0F 94 ?? E9 }
- $block_58 = { 5? 5? 5? 5? 81 E? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 4? 83 ?? ?? 0F 8E }
- $block_59 = { 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? 31 ?? 8B ?? ?? ?? 85 ?? 0F 84 }
- $block_60 = { C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 88 }
- $block_61 = { 89 ?? ?? E8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 }
- $block_62 = { 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? 31 ?? 85 ?? 89 ?? ?? ?? 0F 84 }
- $block_63 = { 8B ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_64 = { A1 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 84 ?? 0F 85 }
- $block_65 = { 83 ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? 89 ?? 0F 84 }
- $block_66 = { FF D? 0F B6 ?? 68 ?? ?? ?? ?? 83 ?? ?? 6A ?? 89 ?? ?? ?? ?? ?? FF D? 5? FF D? 85 ?? 74 }
- $block_67 = { 0F B6 ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 4? 83 ?? ?? 83 ?? ?? 83 ?? ?? 72 }
- $block_68 = { E8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 0F 84 }
- $block_69 = { 5? 89 ?? 83 ?? ?? 0F B7 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 31 ?? 8B ?? ?? 66 ?? ?? ?? 74 }
- $block_70 = { 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 89 ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_71 = { 5? 89 ?? 5? 5? 5? 81 E? ?? ?? ?? ?? 8B ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? 31 ?? 85 ?? 0F 84 }
- $block_72 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 8B ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? 31 ?? 8B ?? ?? 85 ?? 0F 84 }
- $block_73 = { C1 ?? ?? 03 ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 25 ?? ?? ?? ?? 89 ?? ?? ?? 0F 88 }
- $block_74 = { 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? 8B ?? ?? 33 ?? ?? ?? ?? ?? 0F 85 }
- $block_75 = { 5? 5? 6A ?? 6A ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_76 = { E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 }
- $block_77 = { 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 94 ?? 84 ?? 0F 85 }
- $block_78 = { 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 94 ?? 84 ?? 0F 84 }
- $block_79 = { 5? 5? 5? 5? 81 E? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? 89 ?? 83 ?? ?? 0F 8F }
- $block_80 = { 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? 89 ?? 89 ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_81 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_82 = { 5? 5? 5? 5? 83 ?? ?? 89 ?? 89 ?? ?? ?? 89 ?? 8B ?? ?? ?? 8B ?? ?? 85 ?? 0F 84 }
- $block_83 = { 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 0F 84 }
- $block_84 = { 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8D ?? ?? 39 ?? 0F 8E }
- $block_85 = { 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? C7 ?? ?? ?? ?? ?? ?? ?? FF D? 85 ?? 0F 85 }
- $block_86 = { 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_87 = { 83 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_88 = { 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 84 }
- $block_89 = { 8B ?? B9 ?? ?? ?? ?? 8B ?? ?? F3 ?? 0F 97 ?? 89 ?? 0F 92 ?? 89 ?? 38 ?? 74 }
- $block_90 = { C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 0F 8C }
- $block_91 = { C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_92 = { 8B ?? ?? ?? 4? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_93 = { 0F BE ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? 84 ?? 75 }
- $block_94 = { 89 ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? F3 ?? 0F 85 }
- $block_95 = { C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? 31 ?? 85 ?? 0F 85 }
- $block_96 = { E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? BA ?? ?? ?? ?? 0F 84 }
- $block_97 = { C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 89 }
- $block_98 = { 5? 89 ?? 5? 83 ?? ?? 8B ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? 31 ?? 85 ?? 0F 84 }
- $block_99 = { 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 85 ?? 89 ?? ?? 89 ?? ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c" or
- hash.sha256(0, filesize) == "cfacc5389683518ecdd78002c975af6870fa5876337600e0b362abbbab0a19d2" or
- hash.sha256(0, filesize) == "81955e36dd46f3b05a1d7e47ffd53b7d1455406d952c890b5210a698dd97e938" or
- 12 of them
-}
-
-rule WildNeutron {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8B ?? 83 ?? ?? 5? BE ?? ?? ?? ?? 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 89 ?? ?? 85 ?? 0F 84 }
- $block_1 = { 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_2 = { 8B ?? ?? ?? 83 ?? ?? ?? ?? FE ?? ?? ?? 83 ?? ?? ?? ?? 8D ?? ?? ?? 8D ?? ?? ?? A5 A5 A5 A5 7C }
- $block_3 = { 8B ?? ?? 8B ?? ?? 03 ?? 0F B6 ?? 6A ?? 5? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 75 }
- $block_4 = { 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 8B ?? 5? C9 C3 }
- $block_5 = { FF 7? ?? 8B ?? ?? FF 7? ?? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_6 = { 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 5? C9 C3 }
- $block_7 = { 01 ?? ?? 68 ?? ?? ?? ?? FF 7? ?? 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_8 = { 8B ?? ?? 8B ?? ?? 03 ?? 0F B6 ?? 6A ?? 5? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 }
- $block_9 = { 0F B6 ?? 5? 0D ?? ?? ?? ?? 5? FF 7? ?? 8D ?? ?? 89 ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 74 }
- $block_10 = { 8B ?? ?? 5? FF 7? ?? 8D ?? ?? E8 ?? ?? ?? ?? 33 ?? 39 ?? ?? 5? 0F 94 ?? 8B ?? 5? 89 ?? ?? 8D }
- $block_11 = { 8D ?? ?? 0F B6 ?? ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? 03 ?? 8D ?? ?? ?? 39 ?? ?? ?? ?? ?? 74 }
- $block_12 = { 0F B6 ?? 0F B6 ?? ?? C1 ?? ?? 66 ?? ?? 0F B7 ?? 83 ?? ?? 5? 89 ?? E8 ?? ?? ?? ?? 5? 85 ?? 75 }
- $block_13 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? ?? 5? 8D ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 85 }
- $block_14 = { 2B ?? ?? 8B ?? ?? 83 ?? ?? ?? ?? 89 ?? 6A ?? 5? BF ?? ?? ?? ?? 8B ?? 33 ?? 66 ?? ?? 0F 85 }
- $block_15 = { 5? 8B ?? 83 ?? ?? 5? 5? 6A ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_16 = { 8B ?? ?? 8B ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 5? 5? 5? 5? 5? C9 C3 }
- $block_17 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 5? 8B ?? ?? 83 ?? ?? 83 ?? ?? ?? 5? 8D ?? ?? 5? 89 ?? ?? 0F 82 }
- $block_18 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? 8D ?? ?? 6A ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 }
- $block_19 = { 0F B6 ?? ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? 03 ?? 8D ?? ?? 6A ?? 5? 39 ?? ?? ?? ?? ?? 73 }
- $block_20 = { 5? 8B ?? 83 ?? ?? 81 E? ?? ?? ?? ?? 8B ?? ?? 5? C1 ?? ?? 5? 5? 89 ?? ?? ?? 85 ?? 0F 84 }
- $block_21 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 33 ?? AB AB 8B ?? 5? E9 }
- $block_22 = { 8D ?? ?? 5? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_23 = { 8D ?? ?? 5? FF 7? ?? 8B ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 33 ?? 4? 83 ?? ?? 3B ?? 0F 86 }
- $block_24 = { 8B ?? ?? 81 C? ?? ?? ?? ?? 6A ?? 8D ?? ?? 5? F3 ?? 0F B6 ?? ?? 89 ?? ?? 83 ?? ?? 0F 87 }
- $block_25 = { 5? 8B ?? A5 A5 A5 A5 8D ?? ?? 6A ?? 5? FF 7? ?? 89 ?? ?? FF 5? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_26 = { 5? 8B ?? 83 ?? ?? 83 ?? ?? ?? 5? 8B ?? ?? 6A ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 0F 85 }
- $block_27 = { 8B ?? ?? 83 ?? ?? 5? 5? 89 ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 85 }
- $block_28 = { 8B ?? ?? 83 ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_29 = { 8B ?? 6B ?? ?? 8D ?? ?? ?? 5? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_30 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_31 = { 8B ?? ?? ?? C1 ?? ?? 8A ?? 8A ?? ?? ?? 2A ?? 80 C? ?? D2 ?? 89 ?? ?? ?? 84 ?? 0F 85 }
- $block_32 = { 0F B6 ?? ?? 89 ?? ?? 4? 5? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_33 = { 8B ?? 0F B6 ?? 6A ?? FF 7? ?? 8D ?? ?? 8B ?? 89 ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 75 }
- $block_34 = { 8D ?? ?? ?? 5? 5? 8D ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_35 = { 8A ?? 88 ?? ?? 0F B6 ?? 4? FE ?? ?? C6 ?? ?? ?? 8A ?? ?? ?? ?? ?? 88 ?? ?? 84 ?? 79 }
- $block_36 = { 8B ?? ?? 8B ?? ?? 8B ?? 8D ?? ?? A5 A5 A5 A5 8B ?? ?? E8 ?? ?? ?? ?? 6A ?? 8B ?? 5? }
- $block_37 = { 8B ?? ?? 8B ?? E8 ?? ?? ?? ?? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 5? 5? 5? 5? 5? C9 C3 }
- $block_38 = { 33 ?? 5? 0F B6 ?? ?? 4? 8B ?? 8B ?? D3 ?? 8D ?? ?? D3 ?? 89 ?? ?? 4? 39 ?? ?? 76 }
- $block_39 = { 0F B6 ?? 0F B6 ?? ?? 66 ?? ?? ?? 66 ?? ?? 0F B7 ?? 5? E8 ?? ?? ?? ?? 5? 85 ?? 74 }
- $block_40 = { 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 85 }
- $block_41 = { 0F B6 ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 83 ?? ?? 89 ?? ?? 03 ?? 89 ?? ?? 3B ?? 0F 85 }
- $block_42 = { 8B ?? ?? FF 7? ?? 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 }
- $block_43 = { 0F B6 ?? 89 ?? 8B ?? 03 ?? ?? 6A ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 75 }
- $block_44 = { FF 7? ?? 8D ?? ?? FF 7? ?? 8D ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 }
- $block_45 = { 8B ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 3B ?? 0F 86 }
- $block_46 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? ?? 5? 5? 0F 84 }
- $block_47 = { 8B ?? ?? 89 ?? ?? 03 ?? 5? 8B ?? ?? 03 ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 85 ?? 0F 85 }
- $block_48 = { 8D ?? ?? 5? 5? 89 ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 85 }
- $block_49 = { 0F B6 ?? ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? 83 ?? ?? 81 F? ?? ?? ?? ?? 0F 82 }
- $block_50 = { 8B ?? ?? 8B ?? ?? C1 ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 0F 85 }
- $block_51 = { 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_52 = { 8B ?? 6B ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 0F 85 }
- $block_53 = { 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 85 }
- $block_54 = { FF 3? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_55 = { 03 ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 88 }
- $block_56 = { 80 7? ?? ?? ?? 8A ?? 0F 95 ?? 0A ?? 33 ?? 3A ?? 0F 95 ?? 0F AF ?? 09 ?? 4? 75 }
- $block_57 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? 0F B7 ?? ?? 8B ?? ?? 8D ?? ?? 8B ?? ?? 03 ?? 89 }
- $block_58 = { 8A ?? ?? 88 ?? ?? 8A ?? ?? 88 ?? ?? 8A ?? ?? 88 ?? ?? 8B ?? ?? 5? 5? C9 C3 }
- $block_59 = { 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? C1 ?? ?? 0B ?? 89 ?? ?? 75 }
- $block_60 = { 8D ?? ?? 5? FF 7? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_61 = { 8B ?? E8 ?? ?? ?? ?? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 5? 5? 5? 5? 5? C9 C3 }
- $block_62 = { 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_63 = { 5? 8B ?? 0F B6 ?? ?? 5? 0F B6 ?? C1 ?? ?? 0B ?? 8D ?? ?? 5? 3B ?? ?? 0F 85 }
- $block_64 = { 8D ?? ?? 5? 8D ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 0F 85 }
- $block_65 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 4? 5? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 88 }
- $block_66 = { 89 ?? ?? 8B ?? 89 ?? ?? 8D ?? ?? ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 8F }
- $block_67 = { 8B ?? ?? 83 ?? ?? 0F 94 ?? 89 ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 74 }
- $block_68 = { 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 85 }
- $block_69 = { 8D ?? ?? ?? ?? ?? 5? 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_70 = { 6A ?? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_71 = { 5? 8B ?? ?? 8B ?? ?? BF ?? ?? ?? ?? 03 ?? E8 ?? ?? ?? ?? 5? 85 ?? 0F 84 }
- $block_72 = { 0F B6 ?? ?? 8B ?? ?? 8A ?? ?? 32 ?? 88 ?? 4? 4? 83 ?? ?? 83 ?? ?? ?? 75 }
- $block_73 = { 5? 0F B6 ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 8D ?? ?? 89 ?? 3D ?? ?? ?? ?? 77 }
- $block_74 = { 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_75 = { 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 }
- $block_76 = { 83 ?? ?? 8D ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_77 = { 8D ?? ?? 5? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 85 }
- $block_78 = { 8D ?? ?? 5? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 85 }
- $block_79 = { 83 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_80 = { 8D ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? 0F AF ?? 89 }
- $block_81 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? 8B ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 89 }
- $block_82 = { 2B ?? 5? 8D ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 0F 85 }
- $block_83 = { 5? 8B ?? 5? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? 8B ?? ?? 5? 83 ?? ?? 0F 85 }
- $block_84 = { 0F B6 ?? ?? 5? 0F B6 ?? 83 ?? ?? C1 ?? ?? 0B ?? 2B ?? 89 ?? 3B ?? 7D }
- $block_85 = { 5? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_86 = { 8D ?? ?? 5? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_87 = { 8B ?? ?? FF 7? ?? 83 ?? ?? 5? FF 7? ?? FF 5? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_88 = { 8B ?? ?? 8D ?? ?? 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 89 ?? ?? 76 }
- $block_89 = { 8B ?? ?? 83 ?? ?? ?? 83 ?? ?? ?? 4? 8D ?? ?? A5 A5 A5 A5 89 ?? ?? 75 }
- $block_90 = { D1 ?? 04 ?? 14 ?? 3A ?? ?? 1B ?? 1C ?? 0F 9C ?? 5? 18 ?? 22 ?? 4? CF }
- $block_91 = { 33 ?? 39 ?? ?? 0F 94 ?? 21 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 23 ?? E9 }
-
- condition:
- hash.sha256(0, filesize) == "d026f0ca46a82907f3cdd31cbe1b0d7c3ca2c7b90892a855549ab21d456df5b3" or
- hash.sha256(0, filesize) == "8cbe98930191e4c2e8f9e1a67d4b4cf828e37314728456cf4c00e5435d4878f6" or
- hash.sha256(0, filesize) == "973f5084662fd80d886d518c9295a1a24fcfcd8843a628f98f5223847d4b4cf1" or
- hash.sha256(0, filesize) == "2291700fb2908bb55eb76b3c319908b09e885f1a4700f17ba3c8ada9193b7ae5" or
- hash.sha256(0, filesize) == "c9272ed0e0266e5ecc5af0cd7760175789d41b5a7814d9e6e338b7d836f9796d" or
- hash.sha256(0, filesize) == "f7f003b6f3b77e3cb21d27218634236cdc853c7b71f353c1ef6583992a42b8b5" or
- hash.sha256(0, filesize) == "ca03a812cc11edf1efba5a14bc78494cf6c227e60df7a69b4606f2bbaaafaf7a" or
- hash.sha256(0, filesize) == "c3b8f989d3ab2587fa2d15487cc0933113f5d1ba3f181f3d3a2eedfd830a9ad4" or
- hash.sha256(0, filesize) == "c84c779ae60885dac387db3d747d30dd1a889506262b1a7b41be6690883db0e6" or
- hash.sha256(0, filesize) == "544f05d18b4c3e5ed8defe313951d7afde9e3c46201ea34f4fe8b1888369b606" or
- hash.sha256(0, filesize) == "4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865" or
- 12 of them
-}
-
-rule WildNeutronHacktool_MultiPurpose {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 4C ?? ?? 49 ?? ?? ?? 49 ?? ?? ?? 4D ?? ?? ?? 4D ?? ?? ?? 5? 5? 5? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? B8 ?? ?? ?? ?? 66 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 45 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_1 = { 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 0F B7 ?? ?? ?? 0F B7 ?? ?? ?? 0F B7 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? BA ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 75 }
- $block_2 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 88 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_3 = { 33 ?? 48 ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F 84 }
- $block_4 = { 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "1d3bdabb350ba5a821849893dabe5d6056bf7ba1ed6042d93174ceeaa5d6dad7" or
- 5 of them
-}
-
-rule WildNeutronPasswordDumper {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 44 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D ?? ?? 41 ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 83 ?? ?? 41 ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 0F 46 ?? 0F B6 ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 89 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 8D ?? ?? 83 ?? ?? 44 ?? ?? ?? 0F B6 ?? ?? BE ?? ?? ?? ?? 8D ?? ?? 83 ?? ?? 41 ?? ?? ?? 44 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? 44 ?? ?? ?? ?? 0F B6 ?? ?? 0F B6 ?? ?? 44 ?? ?? ?? ?? 41 ?? ?? ?? 41 ?? ?? ?? 83 ?? ?? 8D ?? ?? 45 ?? ?? ?? 83 ?? ?? 8D ?? ?? 44 ?? ?? ?? 83 ?? ?? 41 ?? ?? ?? 0F 46 ?? 44 ?? ?? ?? 83 ?? ?? BA ?? ?? ?? ?? 41 ?? ?? ?? 41 ?? ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 
0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 44 ?? ?? ?? ?? 44 ?? ?? ?? ?? 89 ?? ?? ?? 41 ?? ?? ?? ?? ?? 89 ?? ?? ?? 41 ?? ?? 44 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 4D ?? ?? 74 }
- $block_1 = { 0F B6 ?? ?? 44 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D ?? ?? 41 ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 83 ?? ?? 41 ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 0F 46 ?? 0F B6 ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 89 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 8D ?? ?? 83 ?? ?? 44 ?? ?? ?? 0F B6 ?? ?? BE ?? ?? ?? ?? 8D ?? ?? 83 ?? ?? 41 ?? ?? ?? 44 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? 44 ?? ?? ?? ?? 0F B6 ?? ?? 0F B6 ?? ?? 44 ?? ?? ?? ?? 41 ?? ?? ?? 41 ?? ?? ?? 83 ?? ?? 8D ?? ?? 45 ?? ?? ?? 83 ?? ?? 8D ?? ?? 44 ?? ?? ?? 83 ?? ?? 41 ?? ?? ?? 0F 46 ?? 44 ?? ?? ?? 83 ?? ?? BA ?? ?? ?? ?? 41 ?? ?? ?? 41 ?? ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 44 ?? ?? ?? ?? 44 ?? 
?? ?? ?? 89 ?? ?? ?? 41 ?? ?? ?? ?? ?? 89 ?? ?? ?? 41 ?? ?? 44 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 4D ?? ?? 74 }
- $block_2 = { 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 0F B7 ?? ?? ?? 0F B7 ?? ?? ?? 0F B7 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? BA ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? F2 ?? 48 ?? ?? 48 ?? ?? ?? 4C ?? ?? ?? ?? 44 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? F2 ?? 48 ?? ?? 48 ?? ?? ?? 4C ?? ?? ?? ?? 44 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? F2 ?? 48 ?? ?? 48 ?? ?? ?? 4C ?? ?? ?? ?? 44 ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 9? }
- $block_3 = { 4C ?? ?? 49 ?? ?? ?? 49 ?? ?? ?? 4D ?? ?? ?? 4D ?? ?? ?? 5? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? B8 ?? ?? ?? ?? 66 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 49 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_4 = { 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 4C ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_5 = { 48 ?? ?? ?? ?? 5? 48 ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 44 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 0F 84 }
- $block_6 = { 48 ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 33 ?? 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 45 ?? ?? 33 ?? 4D ?? ?? 45 ?? ?? ?? 45 ?? ?? 0F 8E }
- $block_7 = { 48 ?? ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 84 }
- $block_8 = { 4C ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? 49 ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_9 = { 4C ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? 49 ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
-
- condition:
- hash.sha256(0, filesize) == "6f00e11ea02918c6c8d5435326ccf9f12a4cae97d8fdcc7e4a5bf1fbfd97ca0a" or
- hash.sha256(0, filesize) == "9e67848919e4adc9d74aee76858981465c60cc830638fe7cee97cecf4e9bebaf" or
- 10 of them
-}
-
-rule WildNeutronProxy {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 0B ?? 23 ?? 23 ?? 8B ?? C1 ?? ?? 81 E? ?? ?? ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? D1 ?? BE ?? ?? ?? ?? 8B ?? 23 ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 8B ?? 23 ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? D1 ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? D1 ?? 8B ?? 83 ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 8B ?? 83 ?? ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 03 ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 83 ?? ?? 0B ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 8B ?? D1 ?? C1 ?? ?? 23 ?? 0B ?? C1 ?? ?? 0B ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 8B ?? ?? 89 ?? 8B ?? 83 ?? ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 03 ?? 8B ?? 83 ?? ?? 0B ?? 03 ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 03 ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 83 ?? ?? 0B ?? 03 ?? 8B ?? 83 ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 03 ?? 8B ?? 83 ?? ?? 0B ?? 03 ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 8B ?? C1 ?? ?? 23 ?? 83 ?? ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? D1 ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? D1 ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 8B ?? 03 ?? D1 ?? 81 E? ?? ?? ?? ?? 0B ?? 8B ?? 23 ?? 0B ?? C1 ?? ?? 0B ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 8B ?? ?? 83 ?? ?? ?? FF 4? ?? 83 ?? ?? ?? 89 ?? 0F 8C }
- $block_1 = { 5? 8B ?? 5? 0F B6 ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 0F B6 ?? ?? 5? C1 ?? ?? 0B ?? 0F B6 ?? ?? 5? 0F B6 ?? ?? C1 ?? ?? 0B ?? 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 5? C1 ?? ?? 0B ?? 8B ?? C1 ?? ?? 33 ?? 81 E? ?? ?? ?? ?? 33 ?? C1 ?? ?? 33 ?? 8B ?? 33 ?? 81 E? ?? ?? ?? ?? 33 ?? 33 ?? 8B ?? C1 ?? ?? 6A ?? 5? 23 ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? C1 ?? ?? 8B ?? C1 ?? ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 0B ?? 8B ?? 23 ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 03 ?? 0B ?? 8B ?? C1 ?? ?? 23 ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 03 ?? 0B ?? 8B ?? C1 ?? ?? 23 ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 03 ?? 0B ?? 8B ?? C1 ?? ?? 23 ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 03 ?? 23 ?? 0B ?? ?? ?? ?? ?? ?? C1 ?? ?? 03 ?? C1 ?? ?? 23 ?? 0B ?? ?? ?? ?? ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 23 ?? 8B ?? ?? ?? ?? ?? ?? 25 ?? ?? ?? ?? 8B ?? C1 ?? ?? 23 ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 03 ?? 0B ?? 8B ?? C1 ?? ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? C1 ?? ?? 0B ?? 8B ?? D1 ?? 23 ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 03 ?? 0B ?? 8B ?? C1 ?? ?? 23 ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 03 ?? 0B ?? 8B ?? C1 ?? ?? 23 ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? C1 ?? ?? 23 ?? 0B ?? ?? ?? ?? ?? ?? C1 ?? ?? 03 ?? 23 ?? 0B ?? ?? ?? ?? ?? ?? BF ?? ?? ?? ?? C1 ?? ?? 23 ?? 0B ?? 83 ?? ?? ?? BA ?? ?? ?? ?? EB }
- $block_2 = { 8B ?? 33 ?? 8B ?? C1 ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 8B ?? 31 ?? ?? C1 ?? ?? 33 ?? ?? 83 ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 8B ?? ?? 31 ?? ?? 33 ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 8B ?? ?? 33 ?? C1 ?? ?? 33 ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 33 ?? FF 4? ?? 0F 85 }
- $block_3 = { 8D ?? ?? ?? ?? ?? 8D ?? ?? A5 A5 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 6A ?? 5? 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? F3 ?? 8D }
- $block_4 = { 5? 8B ?? 5? 5? 0F B6 ?? ?? 5? 0F B6 ?? ?? 5? 8D ?? ?? 0F B6 ?? C1 ?? ?? 0B ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? C1 ?? ?? 0B ?? 8B ?? C1 ?? ?? 33 ?? 25 ?? ?? ?? ?? 33 ?? C1 ?? ?? 33 ?? 8B ?? C1 ?? ?? 33 ?? 25 ?? ?? ?? ?? 33 ?? C1 ?? ?? 33 ?? 8B ?? C1 ?? ?? 33 ?? 25 ?? ?? ?? ?? 33 ?? C1 ?? ?? 33 ?? 8B ?? C1 ?? ?? 33 ?? 25 ?? ?? ?? ?? 33 ?? C1 ?? ?? 33 ?? D1 ?? 8B ?? 33 ?? 81 E? ?? ?? ?? ?? 33 ?? 33 ?? D1 ?? 89 ?? ?? C7 }
- $block_5 = { D1 ?? 8B ?? 33 ?? ?? 5? 81 E? ?? ?? ?? ?? 33 ?? 33 ?? ?? 5? D1 ?? 8B ?? C1 ?? ?? 33 ?? 81 E? ?? ?? ?? ?? 33 ?? C1 ?? ?? 33 ?? 8B ?? C1 ?? ?? 33 ?? 81 E? ?? ?? ?? ?? 33 ?? C1 ?? ?? 33 ?? 8B ?? C1 ?? ?? 33 ?? 81 E? ?? ?? ?? ?? 33 ?? C1 ?? ?? 33 ?? 8B ?? C1 ?? ?? 33 ?? 81 E? ?? ?? ?? ?? 33 ?? C1 ?? ?? 33 ?? 8B ?? C1 ?? ?? 88 ?? 8B ?? C1 ?? ?? 88 ?? ?? 88 ?? ?? 8B ?? 8B ?? C1 ?? ?? 88 ?? ?? 8B ?? C1 ?? ?? 88 ?? ?? 8B ?? C1 ?? ?? C1 ?? ?? 88 ?? ?? 88 ?? ?? 88 ?? ?? 33 ?? C9 C3 }
- $block_6 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? 33 ?? 89 ?? ?? 8D ?? ?? ?? ?? ?? AB AB AB 6A ?? AB 5? 5? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 33 ?? 66 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? 6A ?? 5? 5? FF B? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 5? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 75 }
- $block_7 = { FF B? ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF B? ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 6A ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 6A ?? 89 ?? ?? ?? ?? ?? 5? 66 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? FF B? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? FF B? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_8 = { 2B ?? 89 ?? ?? 88 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 0F B6 ?? 5? 8D ?? ?? ?? ?? ?? 5? 8B ?? 8D ?? ?? ?? ?? ?? ?? C1 ?? ?? 5? 88 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 03 ?? ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 8B ?? 88 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 5? }
- $block_9 = { FF B? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? FF B? ?? ?? ?? ?? 8D ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 33 ?? 8D ?? ?? ?? ?? ?? AB AB AB AB 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 5? 89 ?? ?? ?? ?? ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "1c81bc28ad91baed60ca5e7fee68fbcb976cf8a483112fa81aab71a18450a6b0" or
- 10 of them
-}
-
-rule GreyEnergyMini {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { E8 ?? ?? ?? ?? FF 4? ?? B7 ?? E0 ?? 8E ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 89 ?? F7 ?? ?? 5? AB F3 }
- $block_1 = { 5? 8B ?? 8B ?? ?? 8B ?? ?? 5? 8D ?? ?? 8B ?? ?? 0F BE ?? 5? 8B ?? 5? 2B ?? 5? 89 ?? ?? 5? EB }
- $block_2 = { 0F B7 ?? ?? B9 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? ?? ?? E9 }
- $block_3 = { 4? E8 ?? ?? ?? ?? FF 6? ?? F4 EC C0 ?? ?? 89 ?? F7 ?? BE ?? ?? ?? ?? F7 ?? 8B ?? ?? 8B ?? E9 }
- $block_4 = { A2 ?? ?? ?? ?? 6D A6 9C 85 ?? ?? ?? ?? ?? B6 ?? 35 ?? ?? ?? ?? 88 ?? F7 ?? DB ?? 12 ?? ?? F9 }
- $block_5 = { 8D ?? ?? 5? 6A ?? FF 7? ?? 5? FF 5? ?? 0F B7 ?? ?? 8D ?? ?? ?? 33 ?? 33 ?? 66 ?? ?? ?? 73 }
- $block_6 = { 29 ?? ?? ?? ?? ?? 4? 66 ?? ?? ?? ?? ?? 9D 09 ?? ?? ?? ?? ?? 87 ?? ?? ?? ?? ?? 1F 5? FC EB }
- $block_7 = { 5? AF 3D ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? A0 ?? ?? ?? ?? D7 7F }
- $block_8 = { 03 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? FF 4? ?? 66 ?? ?? ?? 66 ?? ?? ?? 0F 83 }
- $block_9 = { AD 87 ?? ?? 24 ?? E0 ?? B4 ?? 4? FE ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 5? 2E ?? ?? 2D }
- $block_10 = { F5 20 ?? 00 ?? ?? ?? ?? ?? 28 ?? 67 ?? ?? 00 ?? ?? ?? ?? ?? 13 ?? 6C 60 77 }
- $block_11 = { FB 4? B0 ?? 89 ?? F7 ?? BF ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 83 ?? ?? 0F 84 }
- $block_12 = { 9A ?? ?? ?? ?? ?? ?? 85 ?? CE A2 ?? ?? ?? ?? 62 ?? ?? ?? ?? ?? ?? 4? 7A }
- $block_13 = { AB BD ?? ?? ?? ?? 00 ?? ?? E8 ?? ?? ?? ?? 4? 08 ?? ?? ?? ?? ?? 0F 85 }
- $block_14 = { 6A ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 39 ?? 0F 84 }
- $block_15 = { 8A ?? ?? 88 ?? ?? ?? ?? ?? 8A ?? ?? 88 ?? ?? ?? ?? ?? 5? C9 C2 }
- $block_16 = { 8B ?? ?? 8B ?? ?? 03 ?? 8B ?? ?? ?? ?? ?? 33 ?? 3B ?? 0F 84 }
- $block_17 = { 4? 87 ?? ?? ?? ?? ?? B5 ?? 4? F9 E5 ?? 1A ?? ?? E6 ?? 9E E3 }
- $block_18 = { 8B ?? ?? 0F B7 ?? ?? ?? 81 E? ?? ?? ?? ?? 03 ?? 01 ?? ?? 8B }
- $block_19 = { 11 ?? ?? ?? ?? ?? 00 ?? ?? ?? B3 ?? ED A2 ?? ?? ?? ?? AF 4? }
- $block_20 = { 6A ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 39 ?? 0F 84 }
- $block_21 = { 0F B7 ?? 89 ?? ?? FF 7? ?? FF 7? ?? FF 5? ?? 89 ?? ?? EB }
- $block_22 = { C7 ?? ?? ?? ?? ?? ?? 88 ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_23 = { 8B ?? ?? 8B ?? ?? 03 ?? 8B ?? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_24 = { 9D 9? 4? 37 9B 0A ?? ?? DD ?? ?? 4? 32 ?? ?? 31 ?? 3E }
- $block_25 = { 0F B7 ?? ?? ?? 81 E? ?? ?? ?? ?? 03 ?? 01 ?? ?? 8B }
- $block_26 = { 27 E7 ?? D0 ?? ?? ?? ?? ?? 86 ?? ?? ?? ?? ?? ?? B0 }
- $block_27 = { C0 ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 5? 4? A7 7E }
- $block_28 = { 8D ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 85 }
- $block_29 = { C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 85 }
- $block_30 = { 8A ?? ?? ?? ?? ?? 2B ?? 88 ?? ?? 39 ?? ?? 0F 86 }
- $block_31 = { C1 ?? ?? F8 A7 A2 ?? ?? ?? ?? B9 ?? ?? ?? ?? E3 }
- $block_32 = { F1 6D 2F 4? D2 ?? ?? ?? ?? ?? 24 ?? AE 10 ?? 71 }
- $block_33 = { 14 ?? 4? 9B C5 ?? ?? 0C ?? 9? E8 ?? ?? ?? ?? 76 }
-
- condition:
- hash.sha256(0, filesize) == "b60c0c04badc8c5defab653c581d57505b3455817b57ee70af74311fa0b65e22" or
- hash.sha256(0, filesize) == "d4e97a18be820a1a3af639c9bca21c5f85a3f49a37275b37fd012faeffcb7c4a" or
- hash.sha256(0, filesize) == "7e154d5be14560b8b2c16969effdb8417559758711b05615513d1c84e56be076" or
- hash.sha256(0, filesize) == "dcade5e14c26c19e935b13d5170d74f99e75d3e4dba443db1dab8bea78745584" or
- hash.sha256(0, filesize) == "c2d06ad0211c24f36978fe34d25b0018ffc0f22b0c74fd1f915c608bf2cfad15" or
- 12 of them
-}
-
-rule GreyEnergyDropperUnpacked {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8B ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 8C }
- $block_1 = { 8B ?? ?? 8B ?? ?? 0F B7 ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 8B ?? ?? 8B ?? ?? 66 ?? ?? ?? EB }
- $block_2 = { C7 ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_3 = { 8B ?? ?? 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 33 ?? BE ?? ?? ?? ?? F7 ?? 0F BE ?? ?? ?? 3B ?? 74 }
- $block_4 = { 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 85 }
- $block_5 = { 8B ?? ?? 03 ?? ?? 0F BE ?? 8B ?? ?? 33 ?? BE ?? ?? ?? ?? F7 ?? 0F BE ?? ?? ?? 3B ?? 74 }
- $block_6 = { 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_7 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_8 = { 5? 8B ?? 83 ?? ?? 5? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_9 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_10 = { 33 ?? 83 ?? ?? ?? 0F 9D ?? 8B ?? ?? 33 ?? E8 ?? ?? ?? ?? 8B ?? 5? C3 }
- $block_11 = { 8B ?? ?? 5? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_12 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_13 = { 6A ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_14 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 0F B7 ?? 81 F? ?? ?? ?? ?? 75 }
- $block_15 = { 6A ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "d13191de5cca61574e041d4ef2ee83ba618e4bc324fc93ff850c6922370fa651" or
- hash.sha256(0, filesize) == "9e64b19434beee9fad059926a968e64bf31417914f638cd220894a3b6a4780f7" or
- 12 of them
-}
-
-rule GreyEnergyMiniUnpacked {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 5? 8D ?? ?? 5? 5? 5? 5? 5? 5? 5? 5? 5? FF 7? ?? 89 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_1 = { 8D ?? ?? 5? 68 ?? ?? ?? ?? FF 3? 89 ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_2 = { 8B ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 33 ?? 5? 5? 5? FF 7? ?? E8 ?? ?? ?? ?? 85 ?? 0F 88 }
- $block_3 = { FF 7? ?? FF D? 8B ?? ?? 03 ?? 5? FF 7? ?? 5? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_4 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 5? 8D ?? ?? 5? 5? 5? FF 7? ?? FF 7? ?? FF D? 85 ?? 0F 84 }
- $block_5 = { 8D ?? ?? 5? 8D ?? ?? 5? 5? 5? FF 7? ?? FF 7? ?? FF D? 8B ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_6 = { 8B ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 5? 5? 5? FF 7? ?? E8 ?? ?? ?? ?? 85 ?? 0F 88 }
- $block_7 = { FF 7? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_8 = { FF 3? FF 1? ?? ?? ?? ?? 6A ?? FF 3? FF 1? ?? ?? ?? ?? 5? 5? 8B ?? 5? C9 C2 }
- $block_9 = { 83 ?? ?? ?? 83 ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_10 = { 2B ?? D1 ?? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_11 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_12 = { 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_13 = { 8D ?? ?? 5? 68 ?? ?? ?? ?? FF 3? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_14 = { FF 7? ?? 8D ?? ?? ?? ?? ?? FF 7? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_15 = { 8D ?? ?? 5? 8D ?? ?? 5? 5? 5? FF 7? ?? FF 7? ?? FF D? 85 ?? 0F 84 }
- $block_16 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_17 = { 8B ?? ?? 03 ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_18 = { 0F B7 ?? 8B ?? 83 ?? ?? 8A ?? ?? ?? 0F BE ?? 3B ?? 74 }
- $block_19 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_20 = { 5? 8B ?? 83 ?? ?? 5? 33 ?? 89 ?? ?? 39 ?? ?? 0F 86 }
- $block_21 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_22 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 }
- $block_23 = { 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 85 ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "6fe6aa31c6010febead115f96afd8fae7e086e2cd11032d424388bbaf3ab40fd" or
- hash.sha256(0, filesize) == "b0959c8df85147fd7dc13c83082d2a9d8e464c7e846083d4a9850fa254482106" or
- 12 of them
-}
-
-rule GeminiDuke {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8B ?? 83 ?? ?? 8A ?? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 83 ?? ?? ?? 5? 5? 5? 0F B6 ?? 0F B6 ?? EB }
- $block_1 = { 8B ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? 0F B7 ?? ?? 81 F? ?? ?? ?? ?? 74 }
- $block_2 = { 8B ?? ?? 03 ?? ?? 8B ?? ?? 0F B6 ?? ?? 0F B6 ?? ?? 03 ?? 8B ?? ?? 03 ?? ?? 8B ?? ?? 88 ?? ?? E9 }
- $block_3 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? 8B ?? ?? 8B ?? FF D? 84 ?? 0F 85 }
- $block_4 = { 8A ?? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 83 ?? ?? 5? 5? 8B ?? ?? ?? 5? 5? 33 ?? 0F B6 ?? 0F B6 ?? EB }
- $block_5 = { 5? 8B ?? ?? ?? ?? ?? 5? 5? 68 ?? ?? ?? ?? 8B ?? FF D? 85 ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 0F 84 }
- $block_6 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? FF 7? ?? 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_7 = { 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? 8B ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 0F 84 }
- $block_8 = { C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_9 = { 8B ?? ?? 2B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? 8B ?? ?? 2B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? 3B ?? 7E }
- $block_10 = { 8B ?? ?? 2B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? 8B ?? ?? 2B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? 3B ?? 7D }
- $block_11 = { 0F BE ?? ?? 8B ?? ?? 8A ?? ?? ?? 88 ?? 8A ?? ?? 2C ?? 88 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? EB }
- $block_12 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_13 = { 8B ?? ?? 03 ?? ?? 0F B6 ?? 5? 8B ?? ?? 81 C? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 03 ?? ?? 88 }
- $block_14 = { 8D ?? ?? ?? 6A ?? 5? 8B ?? 5? E8 ?? ?? ?? ?? 0F BE ?? 0C ?? 83 ?? ?? 88 ?? ?? ?? 80 C? ?? EB }
- $block_15 = { 8B ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 8D ?? ?? 0F B6 ?? ?? 5? FF D? 88 ?? ?? 83 ?? ?? 83 ?? ?? 72 }
- $block_16 = { 8B ?? ?? 03 ?? ?? 0F B6 ?? 0F B6 ?? ?? 03 ?? ?? 0F B6 ?? 33 ?? 8B ?? ?? 03 ?? ?? 88 ?? EB }
- $block_17 = { 8B ?? ?? 03 ?? ?? 0F B6 ?? 0F B6 ?? ?? 2B ?? 0F B6 ?? ?? 2B ?? 8B ?? ?? 03 ?? ?? 88 ?? C6 }
- $block_18 = { 5? 5? 6A ?? 5? 6A ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 }
- $block_19 = { 8B ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 8D ?? ?? 0F B6 ?? ?? 5? FF D? 88 ?? ?? 83 ?? ?? 3B ?? 7C }
- $block_20 = { 88 ?? ?? ?? ?? ?? 0F B6 ?? 8A ?? ?? ?? ?? ?? ?? 32 ?? ?? ?? 5? 88 ?? ?? ?? ?? ?? 5? C2 }
- $block_21 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? 9? 8B ?? ?? 89 ?? ?? 8B ?? ?? 0F B7 ?? 81 F? ?? ?? ?? ?? 74 }
- $block_22 = { 8B ?? ?? 2B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? 83 ?? ?? 66 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? EB }
- $block_23 = { 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? 5? 5? FF D? 85 ?? 0F 85 }
- $block_24 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 0F B6 ?? 81 F? ?? ?? ?? ?? 75 }
- $block_25 = { 8B ?? 8B ?? ?? 0F B6 ?? ?? ?? 8D ?? ?? 8B ?? 5? FF 5? ?? 88 ?? ?? ?? 4? 83 ?? ?? 72 }
- $block_26 = { 5? 6A ?? 6A ?? 6A ?? 6A ?? 8B ?? E8 ?? ?? ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_27 = { 6A ?? 6A ?? 8D ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_28 = { 8B ?? ?? 2B ?? 66 ?? ?? ?? ?? ?? 66 ?? 0F B7 ?? 89 ?? ?? 8D ?? ?? 83 ?? ?? 0F 8C }
- $block_29 = { 8B ?? 8B ?? ?? 0F B6 ?? ?? 8D ?? ?? 8B ?? 5? FF 5? ?? 88 ?? ?? 4? 3B ?? ?? ?? 7C }
- $block_30 = { 8D ?? ?? 6A ?? 5? 5? E8 ?? ?? ?? ?? 0F BE ?? 0C ?? 83 ?? ?? 88 ?? ?? ?? FE ?? EB }
- $block_31 = { 8B ?? ?? 03 ?? ?? 0F B6 ?? 0F B6 ?? ?? 2B ?? 8B ?? ?? 03 ?? ?? 0F B6 ?? 3B ?? 7C }
- $block_32 = { 8B ?? ?? ?? ?? ?? ?? 5? 6A ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_33 = { 88 ?? ?? 0F B6 ?? ?? 8B ?? ?? 0F B6 ?? ?? 0F B6 ?? ?? 03 ?? 25 ?? ?? ?? ?? 79 }
- $block_34 = { 8A ?? 0F B6 ?? 8B ?? ?? 0F B6 ?? ?? 0F B6 ?? 03 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 }
- $block_35 = { 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_36 = { 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_37 = { 8B ?? ?? ?? 8A ?? 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? 03 ?? 03 ?? 25 ?? ?? ?? ?? 79 }
- $block_38 = { 5? 8B ?? 5? 5? 8B ?? ?? 5? 32 ?? 38 ?? 5? C6 ?? ?? ?? 8B ?? 88 ?? ?? 0F 84 }
- $block_39 = { 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 01 ?? ?? ?? ?? ?? 5? 5? 5? C9 C2 }
- $block_40 = { 88 ?? ?? 0F B6 ?? 8A ?? ?? ?? ?? ?? ?? 32 ?? ?? ?? 88 ?? ?? ?? ?? ?? 5? C2 }
- $block_41 = { 0F B6 ?? 0F B6 ?? 8B ?? ?? 0F B6 ?? ?? 03 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 }
- $block_42 = { 5? 8B ?? 5? 89 ?? ?? 8B ?? ?? 0F B6 ?? ?? 83 ?? ?? 81 E? ?? ?? ?? ?? 79 }
- $block_43 = { 8B ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? ?? ?? 5? 0F 95 ?? 83 ?? ?? C3 }
- $block_44 = { 8B ?? ?? 8B ?? ?? ?? 8B ?? ?? 5? 8D ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_45 = { 0F B7 ?? ?? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 80 7? ?? ?? ?? 8B ?? 74 }
- $block_46 = { 8B ?? ?? ?? 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? 03 ?? 03 ?? 25 ?? ?? ?? ?? 79 }
- $block_47 = { 8B ?? ?? 0F B7 ?? ?? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 38 ?? ?? 74 }
- $block_48 = { 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 39 ?? ?? ?? ?? ?? 0F 83 }
- $block_49 = { 8B ?? ?? 03 ?? ?? 2B ?? ?? 66 ?? ?? 66 ?? ?? ?? 0F B7 ?? ?? 85 ?? 75 }
- $block_50 = { 8B ?? ?? 8B ?? ?? 0F AF ?? 8B ?? ?? 5? 8D ?? ?? ?? E8 ?? ?? ?? ?? 85 }
- $block_51 = { 5? 8B ?? ?? ?? 32 ?? 38 ?? 5? C6 ?? ?? ?? ?? 8B ?? 88 ?? ?? ?? 0F 84 }
- $block_52 = { 33 ?? 6A ?? 5? F7 ?? 0F BE ?? 80 C? ?? FE ?? 85 ?? 88 ?? ?? ?? 75 }
- $block_53 = { 8B ?? ?? 03 ?? ?? 0F B6 ?? 0F B6 ?? ?? 2B ?? 0F B6 ?? ?? 3B ?? 7C }
- $block_54 = { 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? FF D? 85 ?? 0F 84 }
- $block_55 = { 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_56 = { 0F B6 ?? 8A ?? ?? 88 ?? ?? ?? 0F B6 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 }
- $block_57 = { 5? 8B ?? 5? 5? 33 ?? 33 ?? 39 ?? ?? 5? 8B ?? ?? 89 ?? ?? 0F 8E }
- $block_58 = { 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_59 = { 5? 8B ?? 5? 89 ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
- $block_60 = { 0F B7 ?? ?? 0F B7 ?? ?? 99 F7 ?? 88 ?? ?? 0F B6 ?? ?? 85 ?? 74 }
- $block_61 = { 8B ?? ?? ?? 68 ?? ?? ?? ?? 5? FF D? 85 ?? 0F 94 ?? 84 ?? 0F 85 }
- $block_62 = { 5? 68 ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 84 }
- $block_63 = { 8A ?? ?? 5? 5? 88 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 5? C9 C2 }
- $block_64 = { 8B ?? ?? 03 ?? ?? 0F B6 ?? 8B ?? ?? 8A ?? ?? ?? ?? ?? ?? 88 }
- $block_65 = { 0F BE ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 75 }
- $block_66 = { 5? 8B ?? 5? 5? 33 ?? 39 ?? ?? 5? 5? 8B ?? 89 ?? ?? 0F 84 }
- $block_67 = { 8A ?? ?? 84 ?? 8B ?? ?? 0F BE ?? 8D ?? ?? ?? C6 ?? ?? 75 }
- $block_68 = { 6A ?? 8B ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_69 = { 5? 8B ?? 0F B6 ?? ?? ?? ?? ?? 83 ?? ?? 25 ?? ?? ?? ?? 79 }
- $block_70 = { 0F B6 ?? 8A ?? ?? 0F B6 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 }
- $block_71 = { 0F B6 ?? ?? 0F B6 ?? ?? 33 ?? 3B ?? 0F 9F ?? 8A ?? E9 }
- $block_72 = { 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 0F BE ?? 85 ?? 75 }
- $block_73 = { 8B ?? ?? 8B ?? ?? 0F AF ?? 8B ?? ?? 5? 8D ?? ?? ?? E8 }
- $block_74 = { 8B ?? ?? ?? ?? ?? 0F B7 ?? 81 F? ?? ?? ?? ?? 0F 85 }
- $block_75 = { 8B ?? ?? 2B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? 85 ?? 75 }
- $block_76 = { 8A ?? ?? ?? 84 ?? 0F BE ?? 8D ?? ?? ?? C6 ?? ?? 75 }
- $block_77 = { 0F B6 ?? ?? ?? ?? ?? 4? 25 ?? ?? ?? ?? 5? 5? 79 }
- $block_78 = { 0F B6 ?? ?? 0F B6 ?? ?? 33 ?? 3B ?? 0F 9F ?? E9 }
- $block_79 = { 0F B6 ?? ?? 0F B6 ?? 2B ?? 0F B6 ?? ?? 3B ?? 7C }
- $block_80 = { 0F B7 ?? ?? 0F B7 ?? 99 F7 ?? 84 ?? 88 ?? ?? 74 }
- $block_81 = { 8B ?? ?? C1 ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_82 = { 8B ?? ?? 03 ?? ?? 0F B6 ?? 0F B6 ?? ?? 3B ?? 7C }
- $block_83 = { 0F BE ?? ?? C6 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 75 }
- $block_84 = { 5? 5? 33 ?? 33 ?? 39 ?? ?? ?? 89 ?? ?? ?? 0F 8E }
- $block_85 = { 8B ?? ?? ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F 8C }
-
- condition:
- hash.sha256(0, filesize) == "bc54acf4e60688ea668ef40ef965f2bad41dcf260ddae26d28b5551461c4b402" or
- hash.sha256(0, filesize) == "1323e3d7656a427733663f03b3037326ffa9c57c68fa8e014a5bf7cb1455359a" or
- hash.sha256(0, filesize) == "a8b01a219a9fe565aadf82bc28b60048c60b640e780386c7a84a425049df5af9" or
- hash.sha256(0, filesize) == "ce2c4dd21b99407bfa7066a6a57d180c00527e7db8ee52558c597550ac8b5d7c" or
- hash.sha256(0, filesize) == "7b9e542426408aa384d0394820f82f330e615a1ad17a777d04720458b33b08a3" or
- 12 of them
-}
-
-rule OnionDuke {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? 5? 8B ?? FF D? 8B ?? 89 ?? ?? ?? ?? ?? C6 ?? ?? ?? 85 ?? 0F 84 }
- $block_1 = { A1 ?? ?? ?? ?? 0F B7 ?? ?? 8A ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 33 ?? C6 ?? ?? ?? 85 ?? 74 }
- $block_2 = { 89 ?? ?? 89 ?? 8B ?? ?? 89 ?? ?? C6 ?? ?? ?? 6A ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_3 = { 8B ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? FF D? 33 ?? B9 ?? ?? ?? ?? F7 ?? 8B ?? ?? 8B ?? 83 ?? ?? 0F 8D }
- $block_4 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 5? 5? 5? 8B ?? ?? 5? 8B ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_5 = { 8D ?? ?? 89 ?? ?? 8B ?? 5? 5? 8B ?? ?? FF D? 8B ?? ?? 8B ?? 89 ?? ?? C6 ?? ?? ?? 3B ?? 0F 8C }
- $block_6 = { 0F B7 ?? ?? ?? 8D ?? ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 8B ?? 6A ?? 8B ?? 75 }
- $block_7 = { 8B ?? ?? 8B ?? 8B ?? ?? 8B ?? FF D? 8B ?? 8B ?? ?? 8B ?? 89 ?? ?? ?? FF D? 3B ?? ?? ?? 0F 83 }
- $block_8 = { 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 33 ?? 83 ?? ?? 0F 94 ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? C3 }
- $block_9 = { FF D? 8B ?? 8B ?? 6A ?? 8B ?? FF D? 33 ?? 6A ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_10 = { 8B ?? ?? 83 ?? ?? ?? 8B ?? ?? 4? 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? ?? 0F 85 }
- $block_11 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? 8B ?? FF D? 8B ?? ?? 5? 8B ?? FF D? 85 ?? 0F 84 }
- $block_12 = { B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_13 = { 8B ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? FF D? 0F B7 ?? ?? ?? 8D ?? ?? ?? 3B ?? 0F 85 }
- $block_14 = { 5? 8B ?? 5? 5? 0F B6 ?? ?? C1 ?? ?? 8B ?? 8B ?? ?? 83 ?? ?? 5? BF ?? ?? ?? ?? 3B ?? 73 }
- $block_15 = { 8B ?? ?? ?? 8B ?? ?? ?? 5? 89 ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 3B ?? 0F 84 }
- $block_16 = { 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? 8B ?? ?? FF D? 8B ?? 85 ?? 0F 84 }
- $block_17 = { 8B ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 85 ?? 0F 85 }
- $block_18 = { 8B ?? ?? 89 ?? ?? 68 ?? ?? ?? ?? 5? C6 ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_19 = { A1 ?? ?? ?? ?? 8B ?? 5? 8B ?? ?? 8B ?? FF D? 8B ?? 89 ?? ?? C6 ?? ?? ?? 85 ?? 0F 84 }
- $block_20 = { 8B ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? 0F 82 }
- $block_21 = { 33 ?? 6A ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_22 = { 8B ?? 8B ?? ?? 2B ?? B8 ?? ?? ?? ?? F7 ?? 03 ?? C1 ?? ?? 8B ?? C1 ?? ?? 03 ?? 0F 84 }
- $block_23 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 5? 0F B7 ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 }
- $block_24 = { C6 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? 39 ?? ?? 0F 82 }
- $block_25 = { 8B ?? 8B ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? FF D? 8B ?? 85 ?? 0F 84 }
- $block_26 = { 8B ?? ?? ?? 6A ?? 83 ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_27 = { 5? 8B ?? 5? 5? 5? 8B ?? 8B ?? ?? 8B ?? 8B ?? ?? 5? FF D? 8B ?? 33 ?? 3B ?? 0F 84 }
- $block_28 = { 2B ?? 5? 89 ?? ?? 8D ?? ?? 5? 83 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 }
- $block_29 = { 8B ?? ?? 2B ?? B8 ?? ?? ?? ?? F7 ?? 03 ?? C1 ?? ?? 8B ?? C1 ?? ?? 03 ?? 0F 84 }
- $block_30 = { 8B ?? ?? 8B ?? 8B ?? ?? 8B ?? ?? 5? FF D? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_31 = { 5? 5? 6A ?? E8 ?? ?? ?? ?? 33 ?? 83 ?? ?? 85 ?? 0F 95 ?? 89 ?? ?? 5? 8B ?? C3 }
- $block_32 = { 8B ?? 8B ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? FF D? 85 ?? 0F 84 }
- $block_33 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 8B ?? 83 ?? ?? ?? 0F 85 }
- $block_34 = { C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? 88 ?? ?? 39 ?? ?? 0F 82 }
- $block_35 = { 8B ?? ?? 5? 8D ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 8D ?? ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_36 = { 8B ?? ?? 8B ?? ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_37 = { 5? 8B ?? 5? 5? 8B ?? ?? 8B ?? 8B ?? ?? 5? 5? 8B ?? 8B ?? FF D? 85 ?? 0F 84 }
- $block_38 = { 8B ?? ?? 6A ?? 8D ?? ?? 5? 5? 8B ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_39 = { 8B ?? ?? 5? 8B ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 98 ?? 83 ?? ?? ?? 72 }
- $block_40 = { 8B ?? 8B ?? ?? 8B ?? FF D? 6A ?? E8 ?? ?? ?? ?? 33 ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_41 = { B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 8B ?? ?? 8B ?? FF D? 85 ?? 0F 84 }
- $block_42 = { 0F B6 ?? ?? 8B ?? 8B ?? ?? 5? 8B ?? FF D? 8B ?? 8B ?? 6A ?? 8B ?? FF D? }
- $block_43 = { 0F B6 ?? ?? 88 ?? ?? 0F B6 ?? 88 ?? ?? 0F B6 ?? ?? 88 ?? 4? 4? 3B ?? 72 }
- $block_44 = { 89 ?? ?? 8B ?? 8B ?? ?? 8B ?? C7 ?? ?? ?? ?? ?? ?? FF D? 85 ?? 0F 84 }
- $block_45 = { 8B ?? ?? 8D ?? ?? 33 ?? 3B ?? 0F 94 ?? C6 ?? ?? ?? 8B ?? 83 ?? ?? 72 }
- $block_46 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_47 = { 8B ?? ?? ?? ?? ?? 8A ?? ?? ?? 32 ?? 0F B6 ?? 66 ?? ?? ?? 4? 3B ?? 72 }
- $block_48 = { 8B ?? 8B ?? ?? 8B ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? FF D? 85 ?? 0F 84 }
- $block_49 = { C6 ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? 39 ?? ?? 0F 82 }
- $block_50 = { 6A ?? 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_51 = { 8B ?? ?? 8B ?? 8B ?? ?? 8B ?? ?? 5? FF D? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_52 = { C7 ?? ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? 5? 8B ?? FF D? 8B ?? 85 ?? 0F 84 }
- $block_53 = { 5? 8D ?? ?? 5? 89 ?? ?? 8B ?? 6A ?? 5? 8B ?? ?? FF D? 85 ?? 0F 85 }
- $block_54 = { 8B ?? ?? 8D ?? ?? 89 ?? ?? 8B ?? 8B ?? ?? 5? 5? FF D? 3B ?? 0F 8C }
- $block_55 = { FF 1? ?? ?? ?? ?? 33 ?? 3D ?? ?? ?? ?? 0F 94 ?? 8B ?? 85 ?? 0F 84 }
- $block_56 = { 8B ?? ?? ?? 0F B7 ?? ?? 83 ?? ?? 8D ?? ?? 89 ?? ?? ?? 3B ?? 0F 87 }
- $block_57 = { 8B ?? ?? 8B ?? 8B ?? ?? 6A ?? FF D? 8B ?? 89 ?? ?? ?? 3B ?? 0F 84 }
- $block_58 = { 8B ?? ?? 33 ?? 85 ?? 0F 95 ?? 5? 5? 89 ?? ?? 5? 8B ?? 8B ?? 5? C3 }
- $block_59 = { 8B ?? ?? 0F AF ?? 03 ?? ?? 8B ?? 5? 8B ?? ?? 5? 5? FF D? 3B ?? 74 }
- $block_60 = { 8B ?? ?? 8B ?? E8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_61 = { 8B ?? ?? 8B ?? ?? 8B ?? 5? 5? 8B ?? ?? FF D? 8B ?? 3B ?? 0F 85 }
- $block_62 = { 8B ?? 8A ?? ?? ?? 32 ?? ?? 4? 0F B6 ?? 66 ?? ?? ?? ?? 3B ?? 72 }
- $block_63 = { 8D ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 0F 82 }
- $block_64 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 8D ?? ?? 83 ?? ?? FF D? 3B ?? 0F 84 }
- $block_65 = { 8B ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? FF D? 8B ?? 33 ?? 3B ?? 0F 84 }
- $block_66 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? 8B ?? ?? 5? FF D? 8B ?? 3B ?? ?? 75 }
- $block_67 = { 8B ?? ?? 03 ?? 33 ?? 3B ?? 0F 94 ?? C6 ?? ?? ?? 83 ?? ?? 72 }
- $block_68 = { 5? E8 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_69 = { 5? 8B ?? 5? 5? 5? 5? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 0F 85 }
- $block_70 = { 8B ?? ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? 89 ?? ?? 39 ?? ?? 0F 82 }
- $block_71 = { 8D ?? ?? 99 8B ?? 2B ?? D1 ?? 89 ?? ?? 8B ?? 39 ?? ?? 0F 8C }
- $block_72 = { 83 ?? ?? 89 ?? ?? 8B ?? 8B ?? 83 ?? ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_73 = { 8B ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_74 = { 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_75 = { 33 ?? 6A ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_76 = { 8B ?? ?? 8B ?? 8B ?? ?? FF D? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_77 = { FF D? 8B ?? 8B ?? ?? 8B ?? 89 ?? ?? ?? FF D? 85 ?? 0F 84 }
- $block_78 = { 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 33 ?? 85 ?? 0F 84 }
- $block_79 = { 8D ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 }
- $block_80 = { 8B ?? 8B ?? 8B ?? ?? FF D? 8B ?? 89 ?? ?? ?? 3B ?? 0F 84 }
- $block_81 = { 8B ?? 8B ?? ?? 5? 8B ?? FF D? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_82 = { C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 }
- $block_83 = { 8B ?? ?? ?? 83 ?? ?? 33 ?? 89 ?? ?? ?? 3B ?? ?? ?? 0F 85 }
- $block_84 = { 33 ?? 39 ?? ?? C6 ?? ?? ?? 0F 94 ?? 8B ?? 83 ?? ?? 72 }
- $block_85 = { 8B ?? ?? 8B ?? 8B ?? ?? 5? FF D? 89 ?? ?? 85 ?? 0F 84 }
- $block_86 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_87 = { 8B ?? ?? 83 ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? ?? 0F 85 }
- $block_88 = { 8B ?? B8 ?? ?? ?? ?? D3 ?? 8B ?? 23 ?? ?? 3B ?? 0F 85 }
- $block_89 = { 8B ?? ?? 8B ?? 8B ?? ?? FF D? 8B ?? 33 ?? 3B ?? 0F 84 }
- $block_90 = { 8B ?? ?? 83 ?? ?? ?? 83 ?? ?? 89 ?? ?? 39 ?? ?? 0F 82 }
- $block_91 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? 5? 8B ?? 83 ?? ?? 0F 86 }
- $block_92 = { 0F B7 ?? ?? 8B ?? ?? 8B ?? ?? 80 7? ?? ?? 8D ?? ?? 75 }
- $block_93 = { 8B ?? ?? 8D ?? ?? 0F B7 ?? 8D ?? ?? 89 ?? ?? 3B ?? 73 }
- $block_94 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_95 = { 8B ?? ?? ?? 8B ?? 89 ?? ?? ?? 89 ?? ?? ?? 3B ?? 0F 84 }
- $block_96 = { 8B ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_97 = { 8B ?? 8B ?? ?? 8B ?? 89 ?? ?? FF D? 85 ?? 0F 84 }
- $block_98 = { 8B ?? ?? 2B ?? ?? 83 ?? ?? 3D ?? ?? ?? ?? 0F 85 }
- $block_99 = { 5? 5? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "65a2ca760bfce4762cd1cb3623c7d5d0ff86187d3bf3ba8fdea1339585a57ec2" or
- hash.sha256(0, filesize) == "0102777ec0357655c4313419be3a15c4ca17c4f9cb4a440bfb16195239905ade" or
- hash.sha256(0, filesize) == "366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b" or
- hash.sha256(0, filesize) == "ddce4b5e1c03d04bb82780a2d0f08469bb589b6fe8f0d4cc2a140b16344f5bd1" or
- hash.sha256(0, filesize) == "49dca913ff5c4782e8f8fa2dfd161110bc5c8cd36c9ce8aa0efd1860ab668e6e" or
- hash.sha256(0, filesize) == "d04bef6765408d528fdf82a46c157b44e8b5e7762a15b0264033c9558ccc48dd" or
- hash.sha256(0, filesize) == "c47f2973f077f21abfb202b54ea18ee2a182e4305ee0046c1bc6d15a1179a43c" or
- hash.sha256(0, filesize) == "3877a522c924f834e442ef19d9b11ab6d3385849e60d5f310f6320e2d9e42804" or
- hash.sha256(0, filesize) == "df818c2dccacc532ba0205749329b7e46d1f6616b40da55e0d994105bd988bd2" or
- hash.sha256(0, filesize) == "489d448514a3ddf30144cc1634e6623e529dd3aee54a050a920a3d4342b4b96a" or
- hash.sha256(0, filesize) == "0474111e44b9aa56d6e6024c6f278e915d57b7862ceb927672fc3417f76a3ba3" or
- hash.sha256(0, filesize) == "4558eb18504f724e4f33f1504ff924ce64701d26d703cf1e42a48504e7f51927" or
- hash.sha256(0, filesize) == "8d86c0985530271618a342579afd1a9ecb27dfb080866e3b888bd3e45e1eb8f5" or
- hash.sha256(0, filesize) == "567332c2a6813d529bcb9196102ad45eceb982143e9d2f326f02cec1511954b0" or
- hash.sha256(0, filesize) == "a9e2d988781e970882fb1cee420bf01dda30730046a82f0faf4703523842feb5" or
- hash.sha256(0, filesize) == "930939256e2c2fa30e7260897d96859c08cf767664e4bd3cedf156b6765b5413" or
- hash.sha256(0, filesize) == "bd589360b299dc4803aa35abca527137a51feadae2b1e3bc2b5a301bb5b245da" or
- hash.sha256(0, filesize) == "6271c4909f39e1f29dcc79cde0f526cbde45d906726e73bd3b52d041a34eda38" or
- hash.sha256(0, filesize) == "540913b3647c28a14418a6f288be9e4d8f99048227efea8ca1b13877269002eb" or
- hash.sha256(0, filesize) == "3af9cfb2797bed22e1d12970d068d794270a0f07d3f3dcfdcdb9abfc3a80e0f8" or
- hash.sha256(0, filesize) == "97afcd01e00d32dc4d1161d7a127933593cfc092ec635af5dc7a775a088b6091" or
- hash.sha256(0, filesize) == "316528ade312cc5ed76f0b44c7f2c2fc84f60ae215992d9393f57431383cf776" or
- hash.sha256(0, filesize) == "d07a802eb6d2c296c3f1bc726b5a716c4a7d8e97053c53e81658a31f969e6ce7" or
- hash.sha256(0, filesize) == "c218b779461d83d70791e0578175503cd69128c9723f2c5d7d36b85073b0f2f9" or
- hash.sha256(0, filesize) == "ef0fab7757a6b5e842297fa2e0dc7a7ce084278c5d12b878bba7d90759a0e22b" or
- hash.sha256(0, filesize) == "ac9c7ac457a605ff836eb6fe127eabc7a251dd73ea0a1fa59a591de30fa75d3f" or
- hash.sha256(0, filesize) == "df03f0ae0622f5040bf449ab8b7559a97da7f746cc2ce24a8ad5336b18699296" or
- 12 of them
-}
-
-rule CosmicDuke {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8A ?? 8B ?? ?? 8B ?? 8B ?? 8B ?? ?? 6A ?? FF D? 0F B6 ?? 83 ?? ?? 8B ?? D3 ?? 09 ?? 80 F? ?? 72 }
- $block_1 = { 5? FF 1? ?? ?? ?? ?? 5? B0 ?? 5? 4? 06 25 ?? ?? ?? ?? 5? 5? 5? BE ?? ?? ?? ?? E8 ?? ?? ?? ?? 00 }
- $block_2 = { A1 ?? ?? ?? ?? 8B ?? ?? 5? 6A ?? 6A ?? 81 C? ?? ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_3 = { 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 84 }
- $block_4 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? 5? 5? 5? C9 C3 }
- $block_5 = { 8B ?? 8B ?? ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? FF D? F6 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 84 }
- $block_6 = { 8B ?? 99 6A ?? 5? F7 ?? 0F B6 ?? ?? ?? 2B ?? 03 ?? ?? 8A ?? ?? ?? 88 ?? ?? ?? 4? 3B ?? ?? 72 }
- $block_7 = { 8B ?? 99 6A ?? 5? F7 ?? 0F B6 ?? ?? ?? 2B ?? 8B ?? ?? 03 ?? 8A ?? ?? 88 ?? ?? ?? 4? 3B ?? 72 }
- $block_8 = { 01 ?? 28 ?? ?? 84 ?? ?? 04 ?? 00 ?? ?? D7 05 ?? ?? ?? ?? 5? F1 4? 00 ?? ?? ?? ?? ?? A8 ?? 74 }
- $block_9 = { 5? 8B ?? 83 ?? ?? 5? 4? 1D ?? ?? ?? ?? 2D ?? ?? ?? ?? D2 ?? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 8E }
- $block_10 = { 12 ?? ?? 04 ?? 06 35 ?? ?? ?? ?? 4? 10 ?? ?? ?? ?? ?? 01 ?? 4? 27 11 ?? ?? ?? ?? ?? 0B ?? 75 }
- $block_11 = { C6 ?? ?? C7 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F B6 ?? 99 01 ?? 5? B3 ?? 11 ?? ?? 38 ?? 74 }
- $block_12 = { 33 ?? 6A ?? 8D ?? ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 5? 74 }
- $block_13 = { 8B ?? 99 83 ?? ?? 8D ?? ?? 8B ?? 99 83 ?? ?? 8D ?? ?? C1 ?? ?? C1 ?? ?? 81 F? ?? ?? ?? ?? 7F }
- $block_14 = { 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_15 = { 8B ?? ?? 8B ?? 4? C1 ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 87 }
- $block_16 = { 01 ?? 08 ?? 8B ?? ?? ?? ?? ?? 61 07 0C ?? 16 83 ?? ?? ?? ?? ?? ?? 0D ?? ?? ?? ?? 04 ?? 74 }
- $block_17 = { 5? 5? 8D ?? ?? 5? 8B ?? ?? 8D ?? ?? 5? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_18 = { 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 33 ?? 81 7? ?? ?? ?? ?? ?? 5? 0F 85 }
- $block_19 = { 0F B6 ?? ?? 5? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 80 7? ?? ?? 74 }
- $block_20 = { 6A ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 3B ?? 8D ?? ?? ?? ?? ?? ?? 0F 8C }
- $block_21 = { 8D ?? ?? E8 ?? ?? ?? ?? 12 ?? ?? ?? ?? ?? 15 ?? ?? ?? ?? 4? FC E8 ?? ?? ?? ?? 3B ?? 74 }
- $block_22 = { 08 ?? ?? E8 ?? ?? ?? ?? 09 ?? ?? ?? ?? ?? ?? 1D ?? ?? ?? ?? E8 ?? ?? ?? ?? 0E B1 ?? 00 }
- $block_23 = { 8B ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? 0F 84 }
- $block_24 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 85 ?? 0F 8E }
- $block_25 = { 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 3B ?? ?? 0F 94 ?? 84 ?? 0F 85 }
- $block_26 = { 88 ?? ?? ?? ?? ?? 0F B6 ?? 8D ?? ?? ?? ?? ?? ?? 0F B6 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 }
- $block_27 = { 6A ?? 5? FF 7? ?? 8D ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 39 ?? ?? ?? 0F 8E }
- $block_28 = { 0F B7 ?? ?? ?? 83 ?? ?? 0F AF ?? ?? ?? 0F AF ?? ?? ?? 99 83 ?? ?? 03 ?? C1 ?? ?? 89 }
- $block_29 = { 8B ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 3B ?? 89 ?? ?? ?? 0F 84 }
- $block_30 = { 8B ?? ?? ?? 89 ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? C1 ?? ?? 33 ?? 33 ?? 85 ?? 0F 8E }
- $block_31 = { A1 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 85 ?? 0F 8E }
- $block_32 = { 8D ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? F7 ?? ?? ?? ?? ?? 0F 84 }
- $block_33 = { 8B ?? ?? 5? 5? 8B ?? ?? 8A ?? ?? ?? 83 ?? ?? 33 ?? 88 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_34 = { 89 ?? ?? FF 7? ?? FF 1? 5? A1 ?? ?? ?? ?? 0E 88 ?? 08 ?? ?? FF 1? 9? 08 ?? ?? CA }
- $block_35 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_36 = { 5? 6A ?? BE ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 }
- $block_37 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? ?? ?? ?? ?? 99 83 ?? ?? 03 ?? 8B ?? C1 ?? ?? 4? C1 }
- $block_38 = { 12 ?? ?? 00 ?? ?? AB 25 ?? ?? ?? ?? FF 3? DB ?? ?? ?? ?? ?? 32 ?? ?? 1C ?? 75 }
- $block_39 = { 0F B6 ?? 8B ?? ?? ?? ?? ?? C1 ?? ?? 03 ?? FF 4? ?? ?? 89 ?? ?? ?? ?? ?? 0F 85 }
- $block_40 = { 8B ?? ?? 66 ?? ?? ?? C6 ?? ?? 66 ?? ?? ?? 83 ?? ?? FF 4? ?? 89 ?? ?? 0F 85 }
- $block_41 = { 6A ?? 68 ?? ?? ?? ?? FF 7? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_42 = { 5? 5? 6A ?? FF 1? ?? ?? ?? ?? 5? 8B ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_43 = { 6A ?? 68 ?? ?? ?? ?? FF 7? ?? 88 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_44 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? 2B ?? ?? 66 ?? ?? ?? 8B ?? 3B ?? 0F 85 }
- $block_45 = { 5? 68 ?? ?? ?? ?? FF 7? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_46 = { 89 ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_47 = { 5? FF 7? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? 5? 5? C9 C3 }
- $block_48 = { A1 ?? ?? ?? ?? 4? 4? 89 ?? ?? ?? C1 ?? ?? 33 ?? 85 ?? 88 ?? ?? ?? 0F 8E }
- $block_49 = { 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 38 ?? ?? 5? 5? 0F 84 }
- $block_50 = { 8B ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 83 ?? ?? ?? 39 ?? ?? 0F 84 }
- $block_51 = { 5? 5? B0 ?? 4? 07 05 ?? ?? ?? ?? 4? 04 ?? 65 ?? 00 ?? ?? 85 ?? 0F 84 }
- $block_52 = { FF 0? ?? ?? ?? ?? 8B ?? ?? A1 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? C9 C3 }
- $block_53 = { B8 ?? ?? ?? ?? 2B ?? 4? 89 ?? ?? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 82 }
- $block_54 = { A1 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? ?? ?? C1 ?? ?? 85 ?? 0F 8E }
- $block_55 = { 8B ?? ?? 8B ?? 5? 8D ?? ?? ?? ?? ?? 5? 6A ?? 5? FF 5? ?? 85 ?? 0F 84 }
- $block_56 = { 68 ?? ?? ?? ?? FF D? 81 4? ?? ?? ?? ?? ?? 4? 3B ?? ?? ?? ?? ?? 0F 8C }
- $block_57 = { 0F B6 ?? ?? FF 8? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 4? 3B ?? 72 }
- $block_58 = { 8D ?? ?? ?? E8 ?? ?? ?? ?? 99 6A ?? 5? F7 ?? 33 ?? 88 ?? 85 ?? 74 }
- $block_59 = { 8B ?? ?? 8B ?? ?? 89 ?? 8B ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_60 = { 0C ?? 83 ?? ?? 0E BB ?? ?? ?? ?? B9 ?? ?? ?? ?? 0E 5? 11 ?? ?? EB }
- $block_61 = { 6A ?? 68 ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_62 = { FF 7? ?? E8 ?? ?? ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_63 = { 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 3B ?? ?? 0F 94 ?? 84 ?? 0F 85 }
- $block_64 = { 8B ?? ?? 2B ?? ?? 83 ?? ?? 01 ?? ?? F7 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_65 = { 5? 8B ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 5? 33 ?? 5? 5? 3B ?? 0F 84 }
- $block_66 = { 4? F4 8B ?? 0F AF ?? 85 ?? 22 ?? 1C ?? 83 ?? ?? ?? 85 ?? 0F 84 }
- $block_67 = { 0F B6 ?? ?? 99 0F A4 ?? ?? C1 ?? ?? 01 ?? 11 ?? ?? 38 ?? ?? 74 }
- $block_68 = { 8B ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? 5? 5? A9 ?? ?? ?? ?? 0F 85 }
- $block_69 = { FF 4? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 0F 85 }
- $block_70 = { 6A ?? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_71 = { 8B ?? ?? ?? 5? FF 7? ?? FF 7? ?? 5? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_72 = { FF 4? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? 0F 8C }
- $block_73 = { 83 ?? ?? ?? 8B ?? ?? 5? 8B ?? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 }
- $block_74 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? 0F AF ?? ?? 2B ?? 3B ?? 7C }
- $block_75 = { 39 ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 0F 86 }
- $block_76 = { 8B ?? ?? 8B ?? 5? 8D ?? ?? 5? 6A ?? 5? FF 5? ?? 85 ?? 0F 84 }
- $block_77 = { 68 ?? ?? ?? ?? FF D? 83 ?? ?? ?? 4? 3B ?? ?? ?? ?? ?? 0F 8C }
- $block_78 = { 8B ?? ?? 83 ?? ?? 2B ?? 8D ?? ?? ?? 8B ?? 3B ?? ?? 0F 85 }
- $block_79 = { 68 ?? ?? ?? ?? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_80 = { 5? 89 ?? 60 8B ?? ?? 03 ?? ?? 5? 8B ?? ?? 8B ?? 85 ?? 74 }
- $block_81 = { 33 ?? 4? 85 ?? 01 ?? 4? 4? 37 01 ?? 03 ?? C9 4? 3B ?? 7E }
- $block_82 = { 0F B6 ?? ?? 99 C1 ?? ?? 83 ?? ?? 11 ?? ?? 38 ?? ?? 5? 74 }
- $block_83 = { 8B ?? ?? 8B ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_84 = { 0F B6 ?? 8A ?? ?? ?? ?? ?? ?? 30 ?? 4? 3B ?? ?? 0F 8C }
- $block_85 = { 21 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 5? ?? 6D 02 ?? E3 }
- $block_86 = { 5? 0A ?? ?? 01 ?? 33 ?? EE 17 04 ?? 89 ?? ?? 04 ?? 70 }
- $block_87 = { 5? FF 7? ?? ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_88 = { 8B ?? 2B ?? 03 ?? 89 ?? ?? 8B ?? ?? 2B ?? 3B ?? 0F 83 }
- $block_89 = { 0F B6 ?? ?? 99 C1 ?? ?? 83 ?? ?? 11 ?? ?? 38 ?? ?? 74 }
- $block_90 = { 8B ?? ?? 8D ?? ?? 89 ?? ?? 89 ?? ?? 83 ?? ?? 0F 82 }
- $block_91 = { 8B ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? F6 ?? ?? 0F 84 }
- $block_92 = { 8B ?? ?? 89 ?? ?? 83 ?? ?? F7 ?? ?? ?? ?? ?? 0F 84 }
- $block_93 = { 83 ?? ?? 8D ?? ?? 83 ?? ?? 81 F? ?? ?? ?? ?? 0F 82 }
- $block_94 = { 8B ?? ?? 8B ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_95 = { 80 8? ?? ?? ?? ?? ?? F8 2A ?? ?? 8B ?? ?? 85 ?? 74 }
- $block_96 = { 0F B6 ?? 03 ?? 3B ?? 89 ?? ?? 0F 96 ?? 84 ?? 74 }
- $block_97 = { A1 ?? ?? ?? ?? FF 4? ?? C1 ?? ?? 39 ?? ?? 0F 8C }
- $block_98 = { 68 ?? ?? ?? ?? 1E 0E C4 ?? 18 ?? ?? 85 ?? 0F 84 }
- $block_99 = { 5? D5 ?? 10 ?? 81 F? ?? ?? ?? ?? 08 ?? ?? 1F 01 }
-
- condition:
- hash.sha256(0, filesize) == "c9f5a19c7b11fd866483adc93aa5bc4bd3515bd995ca79297b227e3e5ef1a665" or
- hash.sha256(0, filesize) == "41d63d293a6e2722fcf82f8bf67b8f566bd4d3f669ede146ccc286f0228d8f62" or
- hash.sha256(0, filesize) == "7c14761d20617ab7f408d6c63367f16026377d7c13f3e3c67525e034fc0c6d7c" or
- hash.sha256(0, filesize) == "9ce93f04dbb6a3b833f1146a54dadfdc224fdf24e3cca1f8a1eb4e902d597ff6" or
- hash.sha256(0, filesize) == "5ef73d904cf5dcbec5919fba0b640168d6feb8f7021507568297e3da1a7e47a5" or
- hash.sha256(0, filesize) == "831267e0977becf098b5064aac6fd39b5f8e6fd975c06d4b8540cea71d402317" or
- hash.sha256(0, filesize) == "182ab7eb1dce2827a05aff0d83a13dd8346bd3b8ab2dfb681817a0d3aab05b15" or
- hash.sha256(0, filesize) == "246543cc4a538472bed0626c159715a963e39dfc69d79f60c3ab227c62277016" or
- hash.sha256(0, filesize) == "51b4e69183f3d02124f3314cc64a7869425f053d8021c74c12f21d7c2afe2163" or
- hash.sha256(0, filesize) == "3c5d2fcacafc21d9f43c595ddf03bec801ccb958b8641018612c21bc741800d0" or
- hash.sha256(0, filesize) == "4bc8280a99d07165055fabed11049d8da275f27f5d8cffc4ed10a68be2d0cb84" or
- hash.sha256(0, filesize) == "92172ff7bfeee332409a145bc626bebf732225d006877168f35c046368e5118c" or
- hash.sha256(0, filesize) == "5b50e26a01b320f05d66727e9d220d5858cdac203ff62e4b9ced1cafc2683637" or
- hash.sha256(0, filesize) == "29585bb17b28e8b15b2a250be9516f416fa7cac84cc24aa4e004f6987323147e" or
- hash.sha256(0, filesize) == "f21794d0b0938643e2aabe9f2ed762528e631a2ebda76020d0b59ce91fb51e41" or
- hash.sha256(0, filesize) == "2c480399bff7d05736caa1858fd43d9223df3fd531ae574dc3c9eb06cc3579ef" or
- hash.sha256(0, filesize) == "75e8567e7667eb02eec661134ecc07a7970d9448fc5b7dc021b5bcb039953a47" or
- hash.sha256(0, filesize) == "2e8aa9dac584a51c7d960baccf76747c858175573f5c013b7c44328f0871da04" or
- hash.sha256(0, filesize) == "6322e8bbb5a7cc542a7da0fb33a60fc7443bcbd8601b828c9c7f138c71cce090" or
- hash.sha256(0, filesize) == "008beba8635e24baa50beee2e98654f73c04476a06fdcb893655f0a8201932d2" or
- hash.sha256(0, filesize) == "d5f1d8d2629b91744fe812207cb3f0bebfd1aec9937b7744a263d1a4e3421063" or
- hash.sha256(0, filesize) == "1590bdbaff2c178387e924b689b030057b4cbd2865e9c4dd3886a8791ac8e4ee" or
- hash.sha256(0, filesize) == "68355d29ce79a5177084fe6292f0f8b9daa2018c571b552fff9f4a0815b432ce" or
- hash.sha256(0, filesize) == "1005b40f977b92cbc01b7a66558ff0621cbaf36f7b4b2ab2ca3c3a267891bc8d" or
- hash.sha256(0, filesize) == "aecb468db5cebcfa25deadeb3b12fbc48b05a485b44deb500b4002521bc3e685" or
- hash.sha256(0, filesize) == "027c9da59c77e83b42535a0c965c4994a144715e796453fc2a5b189f0036c4b4" or
- hash.sha256(0, filesize) == "4f9b6a88245f782d81e9eec9315b9444c83d68941f9fc23641e3909c8da9db9d" or
- hash.sha256(0, filesize) == "334ed05005ce829224d0dd4cc5baab6b837cf02ac0e321c8f97d11b3ba1c77a7" or
- hash.sha256(0, filesize) == "73aac0b568f83746c9a54a2a6fdd2984c3e6f8d0c77a681c219abb9480859197" or
- hash.sha256(0, filesize) == "bd4928921ddadb44f9f573da61dac034533bf14fe38acd5754f3ccec1d566300" or
- hash.sha256(0, filesize) == "3d37e753812687fb7287cf8644d13fe2673ea7c3b540637c1ce1c6819f1c521b" or
- hash.sha256(0, filesize) == "1c86bcc74684c2533026a8b4d9463ad4b5a1f30f6915ca19197b41e0cb893b77" or
- hash.sha256(0, filesize) == "38c0252f75b1c6b3980e40bb69cb932773a6e0b189fc8a80efc2dcb455209eab" or
- hash.sha256(0, filesize) == "a8200a476f72ef77f4cd6bd71ebae9f473e923b140600b9da0bbaf1f22e1cecb" or
- hash.sha256(0, filesize) == "70a7248b90573ba2edde5d9e8f0acd478235054480d98b0531d85725555f3a5c" or
- hash.sha256(0, filesize) == "a1176b60ca96cfeb37dde61bde935f645a64fabd8e300f072fc355434b711dcf" or
- hash.sha256(0, filesize) == "2146da9bc0e27d7eb10983b7dd89f250fa0015ce284dde8f0bb6a79626d34a2a" or
- hash.sha256(0, filesize) == "fe5bc1248fc79fc15663ef169f0a269c1abe847d00b01e9571fe5c0d760d68f0" or
- hash.sha256(0, filesize) == "0a013787f9c1731213059f2d8e1a7514f610783aaaea8fa5736063ab7793c0d7" or
- hash.sha256(0, filesize) == "64e3a2bba82027dd6ff631fa5890a7ba8331b62a0a4c0b1ca24d143c2b61c323" or
- hash.sha256(0, filesize) == "2eafc64769c500d635b7225c9b1411db8f50db8618e4d5807e1640b641a2f5ee" or
- hash.sha256(0, filesize) == "16870c6b572934f5a106d5f632b6d41bb23924c12ddf172be24c6dfca25226b1" or
- hash.sha256(0, filesize) == "3e889cd495e008760fd12751d6d45cadf8a7280c4545f2ebe469f84b9b77c835" or
- hash.sha256(0, filesize) == "7c2bb277e3a982e9e2f76da2c96119514dde4f3e36b16eca5994be5f28bd0029" or
- hash.sha256(0, filesize) == "9c2562e05eb940ae8d73c9baa7cfe85cb3ec619689227f65e4fbeeb3fec598ad" or
- hash.sha256(0, filesize) == "ec49400e70c02a884a5df74ca99690886ec2d528e200c42dbdf057fd9b7f87f8" or
- hash.sha256(0, filesize) == "43bcee4067c067d9063ddfc101fc8b5a6e8d42184ef8b0fdd9bb14102cb9973d" or
- hash.sha256(0, filesize) == "f61cdc7f68f47d23c4571b517ab4cdcfd984cf3f6f8f91dec99dfd7dc5a2dcff" or
- hash.sha256(0, filesize) == "cae1277446cb62f1ed3674e7ea87063a28b9d364e3638fa779fe8e3d6e1fb15f" or
- hash.sha256(0, filesize) == "187b1cc7264c04c3158f835546cad0be74e6411bb50cb8899179a71018f0b4b9" or
- hash.sha256(0, filesize) == "f6c62f9f846b3d100d60b1f2ae57a71c91dd8dc215dce652e2c85dff60c0197f" or
- hash.sha256(0, filesize) == "7e371cd323898e403df7a80add34d791e160e443bcd2d02f27ddc0c04ba1bdab" or
- hash.sha256(0, filesize) == "04819cde7e928e6ff376daeb73b894959f672a85b363753c227416fc0f4a8acd" or
- hash.sha256(0, filesize) == "0314ed09890d5aa2dba659fe1343be93d48c3875a89e261484967fea7ea6c7eb" or
- hash.sha256(0, filesize) == "05637ef950feaeb0944d9fccca38eeff38e366c24a137ef08c9f1442aeb6afb7" or
- hash.sha256(0, filesize) == "910a016a7b6e0a76bc7ddf12f9135090e0b23d00c382d70084b46bea4bbbcae7" or
- hash.sha256(0, filesize) == "82670519b8d63d36967c611bc94659e5bff867837129ac93bcffe7589af46384" or
- hash.sha256(0, filesize) == "bf012045464ba2aadc1547940eb3ce262d0e023c2198c134dee658c859ecd8ab" or
- hash.sha256(0, filesize) == "dad4c4aea24f2bd3e2f4b93bf782ebef70e8fdf930aff25a3e1b85a717314aa0" or
- hash.sha256(0, filesize) == "30b24935c8537c51ce56a69510019d8481ac78e6c5ccdbe792c625c69c5358f9" or
- 12 of them
-}
-
-rule CloudDuke {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 8B ?? ?? 5? 83 ?? ?? ?? 5? 0F 84 }
- $block_1 = { 6A ?? 68 ?? ?? ?? ?? 5? 5? C7 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_2 = { 8B ?? ?? ?? ?? ?? 4? 83 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 85 }
- $block_3 = { 8B ?? ?? 03 ?? 33 ?? 0F B7 ?? ?? 83 ?? ?? 03 ?? 0F B7 ?? ?? 5? 89 ?? ?? 85 ?? 74 }
- $block_4 = { 6A ?? 68 ?? ?? ?? ?? 5? 5? C7 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_5 = { FF 7? ?? FF 7? ?? 5? E8 ?? ?? ?? ?? 0F B7 ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 75 }
- $block_6 = { 8B ?? ?? ?? 2B ?? ?? ?? 33 ?? 4? 03 ?? ?? ?? 99 13 ?? ?? ?? 3B ?? 0F 82 }
- $block_7 = { 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 85 ?? 0F 45 ?? ?? ?? ?? ?? 89 }
- $block_8 = { 6A ?? 68 ?? ?? ?? ?? FF 7? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_9 = { 0F B7 ?? ?? C1 ?? ?? 83 ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? 66 ?? ?? ?? 74 }
- $block_10 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? 8B ?? 89 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_11 = { 8D ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? 85 ?? 0F 84 }
- $block_12 = { 0F B7 ?? ?? C1 ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? ?? ?? ?? 74 }
- $block_13 = { C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_14 = { 8B ?? 33 ?? 89 ?? 4? 83 ?? ?? 83 ?? ?? 3B ?? ?? 0F 8C }
- $block_15 = { 8B ?? ?? 03 ?? 89 ?? ?? 81 3? ?? ?? ?? ?? 0F 85 }
-
- condition:
- hash.sha256(0, filesize) == "c3ea57eea9f522cfc70ef8c3b614f7e44903293a2e8354359b99efbf4cd436df" or
- hash.sha256(0, filesize) == "56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e" or
- hash.sha256(0, filesize) == "0f7d64f514e99a2abdc10dc85e7e6f57c210a0f35472f7b897a19b73be36bece" or
- hash.sha256(0, filesize) == "ecd0ce1973500c27bb5d70f326d115fba84c0b1680a726a041ed57b42063e7b1" or
- hash.sha256(0, filesize) == "d4d79be85dc98f74088d6393a8fdf2b5d947ae4f279909af2aed0221dcecfe94" or
- hash.sha256(0, filesize) == "ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46" or
- hash.sha256(0, filesize) == "85c5ba695992ed59269ea7f7a58f3453f6047729d1f68a444d450439bbccc1f4" or
- hash.sha256(0, filesize) == "6c8eb3365b7fb7683b9b465817e5cb87574026e306c700f3d103eba056777720" or
- hash.sha256(0, filesize) == "d3d503934c0dfe75e386d0fb8da2e32238d93739624b6c5a929fe5b722b35d36" or
- hash.sha256(0, filesize) == "ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145" or
- hash.sha256(0, filesize) == "c1ee4232d1b6504fc7f93cb0478e90049a71992498ed2d701925d852e91cfcc3" or
- hash.sha256(0, filesize) == "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7" or
- hash.sha256(0, filesize) == "e1490d6e5ce4c2cddef0815c55bf8946cb830ce0ac7f586cf1ae16ef66f1bd8b" or
- hash.sha256(0, filesize) == "6c7e768e48b9b225b7b9f84528c53c2e6f9b639ce2e7919fe0dff9aad07ea4f5" or
- hash.sha256(0, filesize) == "bfc1bafd9b01178037226fa55546d7ed7e9203c13e1b66419e887fee704d5196" or
- hash.sha256(0, filesize) == "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004" or
- hash.sha256(0, filesize) == "88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f" or
- hash.sha256(0, filesize) == "1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7" or
- hash.sha256(0, filesize) == "12f58639a883b0fcfe3d2e8bcb0330b978731975c9dfa2f8e583adbafc4d534e" or
- 12 of them
-}
-
-rule PinchDuke {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { FF 7? ?? 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? ?? FF 4? ?? 8A ?? ?? ?? ?? ?? 4? 83 ?? ?? 88 ?? 7C }
- $block_1 = { 5? 5? FF 1? ?? ?? ?? ?? 5? 8B ?? 5? 5? 6A ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 3B ?? 89 ?? ?? 0F 84 }
- $block_2 = { 5? 8B ?? ?? ?? ?? ?? 5? FF D? 5? 5? 8D ?? ?? ?? ?? ?? 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_3 = { 5? 5? 5? 5? 8D ?? ?? 5? FF 7? ?? 89 ?? ?? FF 7? ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_4 = { 5? 8D ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 8B ?? C1 ?? ?? 25 ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 88 ?? ?? 79 }
- $block_5 = { 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 64 ?? ?? ?? ?? ?? 5? 5? C9 C3 }
- $block_6 = { 8A ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 0F B6 ?? 5? 8B ?? ?? 0F B6 ?? 8D ?? ?? 33 ?? 85 ?? 89 ?? ?? 7E }
- $block_7 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 0F AF ?? ?? C1 ?? ?? 0F AF ?? ?? C1 ?? ?? 01 ?? ?? EB }
- $block_8 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 7? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 3B ?? 89 ?? ?? 0F 85 }
- $block_9 = { 8B ?? 2B ?? ?? 33 ?? F7 ?? 8B ?? D1 ?? 0F AF ?? 03 ?? ?? 5? FF 7? ?? FF 5? ?? 85 ?? 5? 5? 7E }
- $block_10 = { FF 7? ?? 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? ?? FF 4? ?? 8A ?? ?? ?? ?? ?? 4? 3B ?? 88 ?? 7C }
- $block_11 = { 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_12 = { FF 4? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 7? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_13 = { 8B ?? ?? 6A ?? 03 ?? FF 1? ?? ?? ?? ?? 83 ?? ?? ?? 6A ?? 5? 39 ?? ?? 89 ?? ?? 89 ?? ?? 0F 82 }
- $block_14 = { 0F B6 ?? ?? ?? 8B ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 4? 83 ?? ?? 7C }
- $block_15 = { FF 4? ?? 8D ?? ?? 5? 5? 5? 5? 8D ?? ?? ?? ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_16 = { FF 7? ?? 8D ?? ?? E8 ?? ?? ?? ?? 0F BE ?? 01 ?? ?? 8B ?? ?? 2B ?? ?? FF 4? ?? 39 ?? ?? 7C }
- $block_17 = { 0F B6 ?? ?? ?? 8B ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 4? 3B ?? 7C }
- $block_18 = { 8D ?? ?? 5? 68 ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_19 = { 0F B6 ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 4? 3B ?? 7C }
- $block_20 = { 5? 8B ?? 83 ?? ?? 8B ?? ?? 83 ?? ?? ?? 83 ?? ?? ?? 8A ?? ?? 5? 8A ?? ?? 5? 8B ?? 0F 8E }
- $block_21 = { 8B ?? ?? 8D ?? ?? 8B ?? ?? 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? 03 ?? 03 ?? 25 ?? ?? ?? ?? 79 }
- $block_22 = { 0F B6 ?? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 99 F7 ?? ?? FF 4? ?? 81 7? ?? ?? ?? ?? ?? 7C }
- $block_23 = { 0F B6 ?? ?? 8B ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 4? 3B ?? 7C }
- $block_24 = { 8B ?? 2B ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 8B ?? 2B ?? B8 ?? ?? ?? ?? 3B ?? 0F 87 }
- $block_25 = { 8D ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 4? 3B ?? ?? 7C }
- $block_26 = { 8D ?? ?? 5? 8B ?? ?? 68 ?? ?? ?? ?? FF 7? ?? ?? 89 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_27 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? FF 4? ?? 8B ?? ?? 3B ?? ?? 7C }
- $block_28 = { 5? 5? 5? 8D ?? ?? ?? ?? ?? 5? FF 7? ?? FF 7? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_29 = { 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 99 2B ?? D1 ?? 6A ?? 89 ?? ?? 8B ?? ?? 5? 3B ?? 7E }
- $block_30 = { 5? 5? 5? 5? 5? 5? 5? 8D ?? ?? 5? 5? 5? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 39 ?? ?? 0F 84 }
- $block_31 = { 8D ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 85 ?? 5? 5? 0F 84 }
- $block_32 = { 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 0F 84 }
- $block_33 = { FF 7? ?? 8B ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? C9 C3 }
- $block_34 = { 8B ?? ?? 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? FF 4? ?? 83 ?? ?? ?? 83 ?? ?? ?? 0F 8F }
- $block_35 = { 8D ?? ?? 5? FF 7? ?? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_36 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? C1 ?? ?? 03 ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 5? C9 C3 }
- $block_37 = { 8D ?? ?? 5? 6A ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_38 = { 8D ?? ?? ?? 0F B6 ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4? 83 ?? ?? 5? 5? 88 ?? 7C }
- $block_39 = { 5? 8B ?? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 4? 0F AF ?? 03 ?? 85 ?? 89 ?? ?? 75 }
- $block_40 = { 5? 33 ?? 4? 5? 8D ?? ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 85 }
- $block_41 = { 6A ?? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_42 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_43 = { 99 BB ?? ?? ?? ?? F7 ?? 8B ?? ?? 80 C? ?? 30 ?? ?? ?? 4? 3B ?? ?? 89 ?? ?? 7C }
- $block_44 = { E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
- $block_45 = { 8D ?? ?? ?? ?? ?? 5? 5? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_46 = { 5? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_47 = { 5? 8D ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 5? 8B ?? E8 ?? ?? ?? ?? 4? 83 ?? ?? 7C }
- $block_48 = { 5? 8D ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 5? 8B ?? E8 ?? ?? ?? ?? 4? 3B ?? ?? 7C }
- $block_49 = { 99 B9 ?? ?? ?? ?? F7 ?? 8B ?? ?? 80 C? ?? 30 ?? ?? ?? 4? 3B ?? 89 ?? ?? 7C }
- $block_50 = { 8B ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_51 = { E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 33 ?? 5? 5? 5? C9 C3 }
- $block_52 = { 5? 8B ?? 81 E? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 8F }
- $block_53 = { 5? 8D ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 5? 5? 8D ?? ?? E8 ?? ?? ?? ?? 4? 79 }
- $block_54 = { 8B ?? ?? 6B ?? ?? 8D ?? ?? ?? 4? 89 ?? ?? 0F B6 ?? 8D ?? ?? 83 ?? ?? 72 }
- $block_55 = { FF 7? ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? 5? 5? C9 C3 }
- $block_56 = { 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_57 = { 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 4? E8 ?? ?? ?? ?? 3B ?? 0F 8C }
- $block_58 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? C6 ?? ?? ?? 33 ?? 8D ?? ?? AB AB AA 83 }
- $block_59 = { 0F B6 ?? 8B ?? ?? E8 ?? ?? ?? ?? 4? 8A ?? 33 ?? 4? 84 ?? 89 ?? ?? 75 }
- $block_60 = { 5? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 85 ?? 0F 8E }
- $block_61 = { 33 ?? 83 ?? ?? 0F 94 ?? 89 ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 4? EB }
- $block_62 = { 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 5? 5? 0F 84 }
- $block_63 = { 8B ?? ?? 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? FF 4? ?? 0F 85 }
- $block_64 = { 0F B6 ?? ?? 8B ?? ?? 83 ?? ?? ?? D3 ?? 09 ?? ?? 4? 83 ?? ?? ?? 7C }
- $block_65 = { 8B ?? ?? 8D ?? ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 5? C9 C3 }
- $block_66 = { FF 4? ?? E8 ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 39 ?? ?? 0F 8F }
- $block_67 = { 33 ?? F7 ?? 8B ?? D1 ?? 0F AF ?? 03 ?? FF 5? ?? 85 ?? 5? 5? 7E }
- $block_68 = { 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 5? C9 C2 }
- $block_69 = { 5? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_70 = { 8B ?? ?? 0F B6 ?? ?? 8D ?? ?? ?? ?? ?? ?? FF 0? 4? 3B ?? 72 }
- $block_71 = { 8D ?? ?? ?? ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_72 = { 83 ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 5? 5? 0F 85 }
- $block_73 = { FF 1? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 3B ?? ?? 0F 85 }
- $block_74 = { 5? 8B ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 33 ?? 83 ?? ?? 0F 82 }
- $block_75 = { 8B ?? ?? 6A ?? C1 ?? ?? 5? 3B ?? 89 ?? ?? 89 ?? ?? 0F 86 }
- $block_76 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 3B ?? 5? 5? 0F 84 }
- $block_77 = { 8B ?? ?? 0F B6 ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 4? 3B ?? 7C }
- $block_78 = { 8D ?? ?? 5? 5? 5? 6A ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_79 = { 0F B6 ?? ?? 8B ?? ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? ?? 73 }
- $block_80 = { 8B ?? ?? 8B ?? 83 ?? ?? ?? 33 ?? 89 ?? ?? 4? 3B ?? 0F 8C }
- $block_81 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 5? 5? 0F 84 }
- $block_82 = { 5? 5? 5? 6A ?? 5? FF 1? ?? ?? ?? ?? 3B ?? 89 ?? ?? 0F 84 }
- $block_83 = { 5? 8B ?? 83 ?? ?? 5? 33 ?? 33 ?? 39 ?? ?? ?? ?? ?? 0F 85 }
- $block_84 = { 0F B6 ?? 8B ?? 83 ?? ?? C1 ?? ?? 4? 0B ?? 4? 84 ?? 78 }
- $block_85 = { 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? 0F 84 }
- $block_86 = { 0F B6 ?? 8A ?? ?? 30 ?? FF 4? ?? 8B ?? ?? 3B ?? ?? 7C }
- $block_87 = { 8B ?? ?? 3B ?? A3 ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 0F 86 }
- $block_88 = { C7 ?? ?? ?? ?? ?? ?? 33 ?? 8D ?? ?? AB 66 ?? B3 ?? BF }
- $block_89 = { 0F B6 ?? 8D ?? ?? 0F B6 ?? 03 ?? 25 ?? ?? ?? ?? 79 }
- $block_90 = { 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 5? 0F 86 }
- $block_91 = { 4? 0F B6 ?? 8D ?? ?? 83 ?? ?? 89 ?? ?? 89 ?? ?? 73 }
- $block_92 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 3B ?? 5? 5? 0F 84 }
- $block_93 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 84 ?? 5? 5? 0F 85 }
- $block_94 = { FF 7? ?? E8 ?? ?? ?? ?? 5? 5? 5? 8A ?? 5? C9 C3 }
- $block_95 = { 6A ?? 8B ?? 5? 99 F7 ?? 8D ?? ?? 80 C? ?? 5? E8 }
- $block_96 = { 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 5? 83 ?? ?? C9 C3 }
- $block_97 = { 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 5? C9 C3 }
- $block_98 = { 5? 8B ?? 8B ?? ?? 5? 8B ?? ?? 8B ?? 2B ?? 0F 84 }
- $block_99 = { 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? C9 C3 }
-
- condition:
- hash.sha256(0, filesize) == "35f911365d14ff533acce7367c2ab74167a9beb7b4e8fd487f25b9db4d68f627" or
- hash.sha256(0, filesize) == "7abf424fd57e49756307cc07e05627470a0d1f000a3c8fcc422ea4391981f6a2" or
- hash.sha256(0, filesize) == "0ce3bfa972ced61884ae7c1d77c7d4c45e17c7d767e669610cf2ef72b636b464" or
- hash.sha256(0, filesize) == "dd29a6b5c62d8726a3073b6f7d20e6f34d00616de61fc55d04bda9e7824cd598" or
- hash.sha256(0, filesize) == "b2417de25ad9e6bed08229561eb96d4f2e83ab63b4407c7601a0113ed193fe84" or
- hash.sha256(0, filesize) == "51eda4521b3ee9d6917832e4e04a4f58891867b8f7b0ade61725fd124ba40f82" or
- hash.sha256(0, filesize) == "4e31304e1ea66c267b5882f9335a2384eea18a6617a49308846ce624b68e7489" or
- hash.sha256(0, filesize) == "8b7427620d6537aa905727af48f7dec1e003a8b7c74d417f0a5ded7926a7d590" or
- hash.sha256(0, filesize) == "98cd87a544ca06ae249e4f3c9790efbd63d8954e0ff695d2404e92f2383871bf" or
- hash.sha256(0, filesize) == "49bc860fb8856436e1d540754732843f1a534901ecdd031870702bacab58ae54" or
- hash.sha256(0, filesize) == "d9cfcd9e64cdd0a4beba9da2b1cfdf7b5af9480bc19d6fdf95ec5b1f07fceb1d" or
- hash.sha256(0, filesize) == "28b56f4245bd2081a8d0885bcd0cad7b384ee4a927d87ce8532c5650ac532916" or
- hash.sha256(0, filesize) == "ded70a8fc7074ea0ceb7f489b2ebb1198154a2507538fc73cbb74712d5fc6d19" or
- hash.sha256(0, filesize) == "d88bd6947eef00bd3baadc55ff1c55b3cdcff5ba8fd145d5b5bf8894c42a7fd3" or
- hash.sha256(0, filesize) == "56f87c2b24a502fbda0ae9cee8f21615b1ba39737d70d2f4f4011fa6fdd174a1" or
- hash.sha256(0, filesize) == "7a3b78feba1670850602b7c33cb0968b4d89db609d98c81744b43cae23d563f5" or
- 12 of them
-}
-
-rule MiniDuke {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 0F B6 ?? ?? 8B ?? ?? ?? ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? BE ?? ?? ?? ?? EB }
- $block_1 = { FF 0? ?? ?? ?? ?? 0F B6 ?? ?? 5? 6A ?? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 87 }
- $block_2 = { 0F B6 ?? ?? ?? 0F B6 ?? ?? 83 ?? ?? C1 ?? ?? 03 ?? 8D ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? EB }
- $block_3 = { 2B ?? 2B ?? 8D ?? ?? ?? 8D ?? ?? 8B ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 85 ?? 0F 84 }
- $block_4 = { 4? C1 ?? ?? 4? 5? 8B ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 8B ?? ?? FE ?? 83 ?? ?? 88 ?? FF 4? }
- $block_5 = { 8B ?? ?? BB ?? ?? ?? ?? 3B ?? 1B ?? F7 ?? 03 ?? 8B ?? ?? 89 ?? ?? 03 ?? 3B ?? ?? 0F 87 }
- $block_6 = { BF ?? ?? ?? ?? 3B ?? 8B ?? ?? 1B ?? F7 ?? 03 ?? 8B ?? ?? 89 ?? ?? 03 ?? 3B ?? ?? 0F 87 }
- $block_7 = { BE ?? ?? ?? ?? 3B ?? ?? 8B ?? ?? 1B ?? F7 ?? 03 ?? 03 ?? ?? 89 ?? ?? 3B ?? ?? 0F 87 }
- $block_8 = { 33 ?? 66 ?? ?? ?? 0F 95 ?? 4? 83 ?? ?? 83 ?? ?? 5? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 74 }
- $block_9 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 84 }
- $block_10 = { 8B ?? ?? BA ?? ?? ?? ?? 3B ?? ?? 1B ?? F7 ?? 03 ?? 89 ?? ?? 03 ?? 3B ?? ?? 0F 87 }
- $block_11 = { 8B ?? ?? 5? 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 84 }
- $block_12 = { 8B ?? ?? BE ?? ?? ?? ?? 3B ?? 1B ?? F7 ?? 03 ?? 89 ?? ?? 03 ?? 3B ?? ?? 0F 87 }
- $block_13 = { C7 ?? ?? ?? ?? ?? 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 5? 5? 89 ?? ?? 5? 8B ?? 5? C3 }
- $block_14 = { 5? 8B ?? 8B ?? 83 ?? ?? 5? 8B ?? ?? 33 ?? 2B ?? 89 ?? ?? 89 ?? ?? 3B ?? 0F 86 }
- $block_15 = { FF 0? ?? ?? ?? ?? 5? 5? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 87 }
- $block_16 = { 8A ?? ?? 88 ?? ?? 8A ?? ?? 88 ?? ?? 8A ?? ?? 88 ?? ?? 8B ?? ?? 5? 5? C9 C3 }
- $block_17 = { BE ?? ?? ?? ?? 3B ?? ?? 1B ?? F7 ?? 03 ?? 8B ?? ?? 03 ?? 3B ?? ?? 0F 87 }
- $block_18 = { BA ?? ?? ?? ?? 3B ?? ?? 1B ?? F7 ?? 03 ?? 89 ?? ?? 03 ?? 3B ?? ?? 0F 87 }
- $block_19 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_20 = { 8B ?? ?? BE ?? ?? ?? ?? 3B ?? ?? 1B ?? F7 ?? 03 ?? 03 ?? 3B ?? ?? 0F 87 }
- $block_21 = { BA ?? ?? ?? ?? 3B ?? 1B ?? F7 ?? 03 ?? 8B ?? ?? 03 ?? 3B ?? ?? 0F 87 }
- $block_22 = { 8B ?? ?? 8B ?? ?? 89 ?? 0F B6 ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 3B ?? 72 }
- $block_23 = { 5? 5? 8B ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 3B ?? 0F 85 }
- $block_24 = { 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_25 = { 5? 6A ?? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 85 }
- $block_26 = { 8B ?? ?? 83 ?? ?? 85 ?? 83 ?? ?? 83 ?? ?? ?? 01 ?? ?? 85 ?? 0F 81 }
- $block_27 = { BB ?? ?? ?? ?? 3B ?? 1B ?? F7 ?? 03 ?? 03 ?? ?? 3B ?? ?? 0F 87 }
- $block_28 = { BE ?? ?? ?? ?? 3B ?? 1B ?? F7 ?? 03 ?? 03 ?? ?? 3B ?? ?? 0F 87 }
- $block_29 = { BE ?? ?? ?? ?? 3B ?? ?? 1B ?? F7 ?? 03 ?? 03 ?? 3B ?? ?? 0F 87 }
- $block_30 = { 8B ?? ?? 0F B6 ?? ?? 83 ?? ?? C1 ?? ?? 03 ?? 4? 83 ?? ?? 0F 84 }
- $block_31 = { 0F B7 ?? 5? 6A ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 74 }
- $block_32 = { 8B ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? 5? 6A ?? 5? FF D? 85 ?? 0F 84 }
- $block_33 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 5? 5? 89 ?? ?? 5? 8B ?? 5? C3 }
- $block_34 = { 8A ?? ?? 88 ?? ?? 8A ?? ?? 88 ?? ?? 8B ?? ?? 5? 5? C9 C3 }
- $block_35 = { 0F B6 ?? ?? 8D ?? ?? C6 ?? ?? ?? ?? ?? ?? 83 ?? ?? 0F 87 }
- $block_36 = { 0F B6 ?? ?? 8D ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 4? 4? E9 }
- $block_37 = { 0F B6 ?? ?? 8D ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 4? 4? EB }
- $block_38 = { 0F B6 ?? ?? ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? ?? 8B }
- $block_39 = { 0F B6 ?? ?? ?? 0F B6 ?? ?? 83 ?? ?? C1 ?? ?? 03 ?? 8D }
- $block_40 = { 0F B6 ?? ?? 8D ?? ?? ?? 8B ?? C1 ?? ?? 4? 83 ?? ?? EB }
- $block_41 = { 0F B6 ?? ?? 83 ?? ?? C1 ?? ?? 03 ?? 4? 83 ?? ?? 0F 84 }
- $block_42 = { 8B ?? C1 ?? ?? 83 ?? ?? 8D ?? ?? 8B ?? ?? 3B ?? 0F 83 }
- $block_43 = { 8B ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 8D ?? ?? 3B ?? 0F 83 }
- $block_44 = { 5? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? 09 ?? ?? 85 ?? 0F 81 }
- $block_45 = { 8B ?? C7 ?? ?? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 87 }
- $block_46 = { 33 ?? 66 ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 0F B7 ?? EB }
- $block_47 = { 8B ?? C1 ?? ?? 83 ?? ?? 8D ?? ?? 3B ?? ?? 0F 83 }
-
- condition:
- hash.sha256(0, filesize) == "6a95d2895362fc8657bc90d73d77e32f09b86699eb625905ddeb45ccd6b13c71" or
- hash.sha256(0, filesize) == "bf210e54c65ea69ebda418f701c2c6b8aff840f31c1072d641a726cef8c7b5ad" or
- hash.sha256(0, filesize) == "8e28dcf7fd7ce1ad9a65c186e09a7843ee31af924509148f085958cadfdda8fb" or
- hash.sha256(0, filesize) == "5b96b07528f762dfcb9d6936995ed4e358d29542ae756f6e5547fa3b5b7797b6" or
- hash.sha256(0, filesize) == "a1015f0b99106ae2852d740f366e15c1d5c711f57680a2f04be0283e8310f69e" or
- hash.sha256(0, filesize) == "1db9187b7b0e5bc97aca233f29b96295c0bc4058fdcff50df543c1f044e58836" or
- hash.sha256(0, filesize) == "f2ede48413704b3efc4d629d3db1a1331352a0afb0d91683640dc4b4af2921d1" or
- hash.sha256(0, filesize) == "7889fbd40f65cfe21d0c7486b29eb4c5042abff4ac660c12c7936831445cfd6e" or
- hash.sha256(0, filesize) == "2f9834f7b7fe09d98ef7b27d3828691ed4b361d1ccbbf8e10703f9ec03b05259" or
- hash.sha256(0, filesize) == "5569b85532adb1e637f83c997910924345f10aa9c2948b3d26be13eec6cbeb8b" or
- hash.sha256(0, filesize) == "f4b01a3a299b09d2b4418cb66e80c34e3ec04016ed27199c472515cf95a023d0" or
- hash.sha256(0, filesize) == "12a057ca7c92cda3cd0e09efc5bff2ebd3f7d2991e999038c7f31a6ac6a95c3d" or
- hash.sha256(0, filesize) == "b1584a6f1059ad1c24bde2a9a8ae83ffc6679eb531d30f3f1c69f81e3a3819dc" or
- hash.sha256(0, filesize) == "f151f5a656d43a76a07fa03166906d51f9683b27b0e9b86464e3a68e9dba1fac" or
- hash.sha256(0, filesize) == "35c08566dc38ad65e906b3683ace98e5beef855aeedc611a0317a72eee193539" or
- hash.sha256(0, filesize) == "62a2df9d001d3e0f222d77b6781eb279761f1354570773ef1929a86557a11454" or
- hash.sha256(0, filesize) == "55265193d63d56553e8e135e9a60d7d7c13cbf9d82ac25f84306ec98d74725b0" or
- hash.sha256(0, filesize) == "e961202d84aad7fa9faaeb63651735416612d25c611a7a025e2eaab67c79e272" or
- hash.sha256(0, filesize) == "29ad305cba186c07cedc1f633c09b9b0171289301e1d4319a1d76d0513a6ac50" or
- hash.sha256(0, filesize) == "abfffd23c81b6301675567622ccee08cf578ce91f372fce68cff8fc1dbc3053d" or
- hash.sha256(0, filesize) == "56dfc5905e7dfc67912ed164dc68c0806fdd3d7cd151415aaffcc1b7ab2f1a84" or
- hash.sha256(0, filesize) == "b55e6e10a7f46c97cd247028287ea664bacf7ec7e500a4bf4f53c9dea7625426" or
- hash.sha256(0, filesize) == "13a50942322977d6471f71debc6d3db38807d88778366bae6cfcae45823a17f8" or
- hash.sha256(0, filesize) == "de8184c6850d17f90e861309828af1f7b7e3b1695ebe5d303d3d4b6ef4ba1218" or
- hash.sha256(0, filesize) == "a6e2852f2e6701656da74adb412cd0850b0d27750803613223be3eb5ac5cc26c" or
- hash.sha256(0, filesize) == "764f8c8f8832954c99fb0c2ac5ac5d89506dc5dc50310c9112318b75e9f9e2bf" or
- hash.sha256(0, filesize) == "1f19bd932336fa721e739b32c07b67c01ea4bd0ebc70e92a70f41e51f4668a0a" or
- hash.sha256(0, filesize) == "acd886fa7b9117807f1e11f0f38b9fad1afce51aa9cfbe3810a39d883d0ca663" or
- hash.sha256(0, filesize) == "94d39845ec228ff1c84668207c4591ae0e2b6605bdf11e84916534ab09744736" or
- hash.sha256(0, filesize) == "05e4224d4dd4e5fbd381ed33edb5bf847fbc138fbe9f57cb7d1f8fc9fa9a382d" or
- hash.sha256(0, filesize) == "19580f275b82ee091bdc3028e6e5018fdcc915fe7853d4151b44f3d7e101e531" or
- hash.sha256(0, filesize) == "55129d34050b2c028de564e3166611e1d148c26de0972cbe047caf530f118468" or
- hash.sha256(0, filesize) == "ecc5e2526ca32a447c862612b71c1db5675a759897e680573fa143ac0a8e662a" or
- hash.sha256(0, filesize) == "830ee990a6d4aaf00bb051704c93b468792561e8dd6a6ed4662f6032d38dd37a" or
- hash.sha256(0, filesize) == "7815e5275ea849a9ed1f193abd8781ff7ae6b88ef6282f6a0900175a4bb59131" or
- hash.sha256(0, filesize) == "c13794601c5bdec3d5d76de9571e6c0e0b022b9fc62907018566895e3b949982" or
- hash.sha256(0, filesize) == "6e57c69963562d28a3a9da9f9103c199c909d0baa185a5d21e1b200a5a14ab72" or
- hash.sha256(0, filesize) == "2ae4cc6834e3679e99fc93d2f5fba02167a31cf5b68a5a9ca7aa1a4b9f7cb4ae" or
- hash.sha256(0, filesize) == "3d0b1f970eaeeabf9372ffc1ad7e61226632904cf0311ea8f872ddbfd34a3a2a" or
- hash.sha256(0, filesize) == "f0d822926f4e6aec2cf2bd7701d67e8399ccc05bc028377a275a90e06620a109" or
- hash.sha256(0, filesize) == "23486eedb5fe8a026f602507f490b4df4721e8befa65007b84c4f5b1ed95e1bd" or
- hash.sha256(0, filesize) == "4809c2c7fa19acfa011f97946205f979afb54ac2c166f48ab35a20cd9d53a2ca" or
- hash.sha256(0, filesize) == "c60621e82f58b5ea5b36cde40889a076cb2c7f1612144998b1d388200bc7e295" or
- hash.sha256(0, filesize) == "fe2672737205351df003e1969ef1ef0df9e13a9a31bf77f844236857ed0b0bf5" or
- hash.sha256(0, filesize) == "91b97f3b8ef8ebc8bbd06e06927e7b38090c026f8fca77e209e69c056b042cb7" or
- hash.sha256(0, filesize) == "dfe146fffd2ae59172f52048f7e7d231807e0d732e19bdb443820a8305165741" or
- hash.sha256(0, filesize) == "354786c5df71cd090c96d1328b4e31cd28b8ddc77904863d100b6c35ad235b69" or
- hash.sha256(0, filesize) == "8d457e4189017712917c5c8f900bb9072c5910c9f975c50337115f952d885635" or
- hash.sha256(0, filesize) == "6c2409d415e66faebf0a031350b44d5a014ab4f62f2c1a3115982d452b7f97b9" or
- hash.sha256(0, filesize) == "cc6ad212f50e0a7a708bb1b63a01d8932f471618cdda69b2e12106ae112b2415" or
- hash.sha256(0, filesize) == "7f5d3a8dfa13ba8e2142a3b1d644f107cc89c7e90cda2a5543df5787f8bfde1e" or
- hash.sha256(0, filesize) == "15101f74f974e3e80cc37805ebe5cc2efed77bb5745d82e1b44b1da4f0c83691" or
- hash.sha256(0, filesize) == "a962ea9027514712ba3949dc3ca54559d1d42e116837dda5f9809d6523a41255" or
- hash.sha256(0, filesize) == "9c13a32033bc7dd06016651b0f21a2bed9be1dc40c6879f925c71e05f4f1c8f7" or
- hash.sha256(0, filesize) == "415f88765b88dd90e5b0502e4fa1408e06ac9552c7c8974a510e6e23a9756a45" or
- 12 of them
-}
-
-rule CozyDuke {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8D ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 5? 5? FF D? 85 ?? 0F 85 }
- $block_1 = { 8D ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 3B ?? ?? 0F 84 }
- $block_2 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? A1 ?? ?? ?? ?? 5? 85 ?? 0F 85 }
- $block_3 = { 5? A1 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 95 ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 72 }
- $block_4 = { 8B ?? 33 ?? 39 ?? ?? 8B ?? 0F 95 ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? FF D? 5? 5? 33 ?? 5? 8B ?? 5? C2 }
- $block_5 = { 0F BE ?? ?? 33 ?? 81 F? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 4? 83 ?? ?? 72 }
- $block_6 = { 8B ?? ?? 0F B6 ?? 0F A4 ?? ?? 25 ?? ?? ?? ?? 99 C1 ?? ?? 0B ?? 4? 0B ?? 89 ?? ?? 3B ?? ?? 7C }
- $block_7 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 5? 5? 8B ?? ?? FF D? 85 ?? 0F 88 }
- $block_8 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 5? 8B ?? ?? 0F 84 }
- $block_9 = { 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 8B ?? ?? ?? 8D ?? ?? ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_10 = { 0F BE ?? ?? 66 ?? ?? 48 ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 72 }
- $block_11 = { 5? 5? 5? 8D ?? ?? ?? ?? ?? 33 ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_12 = { 8B ?? ?? ?? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 8D ?? ?? ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_13 = { 8B ?? 33 ?? 39 ?? ?? 8B ?? 0F 95 ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? FF D? 5? 33 ?? 5? 8B ?? 5? C2 }
- $block_14 = { 8B ?? ?? 8D ?? ?? 5? 8D ?? ?? 5? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 3B ?? ?? 0F 84 }
- $block_15 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? ?? 0F A4 ?? ?? 99 C1 ?? ?? 0B ?? 4? 0B ?? 89 ?? ?? 3B ?? ?? 7C }
- $block_16 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_17 = { 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_18 = { 2B ?? D1 ?? 5? 5? 8D ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? 83 ?? ?? 0F 83 }
- $block_19 = { 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 }
- $block_20 = { C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 82 }
- $block_21 = { 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 8C }
- $block_22 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? 6A ?? 5? 5? 5? 33 ?? 33 ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_23 = { 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 6A ?? 5? 5? FF D? 85 ?? 0F 85 }
- $block_24 = { 8B ?? ?? ?? ?? ?? 4? 83 ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? 0F 82 }
- $block_25 = { 8D ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 3B ?? ?? 0F 84 }
- $block_26 = { 8B ?? ?? 5? BA ?? ?? ?? ?? B8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_27 = { 8B ?? ?? ?? ?? ?? 8B ?? 5? 8B ?? ?? FF D? FF 1? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 82 }
- $block_28 = { 5? 8B ?? 83 ?? ?? 83 ?? ?? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 33 ?? 5? 3B ?? 0F 84 }
- $block_29 = { 8D ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_30 = { 8B ?? ?? 8B ?? ?? 5? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 94 ?? 39 ?? ?? 72 }
- $block_31 = { 5? 5? 5? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_32 = { 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_33 = { 33 ?? 5? 8D ?? ?? 5? 5? 5? 5? 89 ?? ?? 89 ?? ?? 89 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_34 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_35 = { 0F BE ?? ?? 33 ?? 81 F? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 66 ?? ?? ?? ?? 4? 83 ?? ?? 72 }
- $block_36 = { 0F BE ?? ?? 33 ?? 83 ?? ?? 81 E? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 4? 83 ?? ?? 72 }
- $block_37 = { 8D ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_38 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 8B ?? 5? 8B ?? ?? 5? 8B ?? ?? 89 ?? ?? 83 ?? ?? 0F 84 }
- $block_39 = { 83 ?? ?? 8B ?? 03 ?? ?? 5? FF 3? 6A ?? FF D? 5? FF 1? ?? ?? ?? ?? 89 ?? 85 ?? 0F 84 }
- $block_40 = { 8D ?? ?? 5? 5? 5? 5? 5? 5? 5? 5? 5? 6A ?? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_41 = { 5? 8B ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? 33 ?? 3B ?? 0F 84 }
- $block_42 = { 8B ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 5? 5? 5? FF 1? ?? ?? ?? ?? 5? 85 ?? 0F 85 }
- $block_43 = { 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_44 = { 0F BE ?? ?? 66 ?? ?? 48 ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? ?? 48 ?? ?? ?? 72 }
- $block_45 = { 8D ?? ?? ?? ?? ?? 5? B8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_46 = { 0F AF ?? 5? 03 ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8D ?? ?? 83 ?? ?? 83 ?? ?? 77 }
- $block_47 = { 68 ?? ?? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_48 = { 6A ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_49 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 5? 5? C6 ?? ?? ?? FF D? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_50 = { FF 7? ?? 8B ?? ?? ?? ?? ?? 6A ?? FF D? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_51 = { 8D ?? ?? 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_52 = { 8D ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF D? 85 ?? 0F 85 }
- $block_53 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_54 = { 8B ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_55 = { 8D ?? ?? ?? ?? ?? 8B ?? ?? 68 ?? ?? ?? ?? 33 ?? 8B ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_56 = { 0F BE ?? ?? 33 ?? 81 F? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 66 ?? ?? ?? ?? 4? 3B ?? 72 }
- $block_57 = { 8B ?? ?? 69 ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? FF 4? ?? 8B ?? ?? 3B ?? ?? 0F 8C }
- $block_58 = { 8D ?? ?? 5? 33 ?? 81 C? ?? ?? ?? ?? 5? 66 ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_59 = { 48 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? 41 ?? ?? ?? ?? ?? 0F 1F }
- $block_60 = { 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_61 = { 8B ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 33 ?? 89 ?? ?? 89 ?? ?? 39 ?? ?? 0F 86 }
- $block_62 = { 33 ?? 5? 5? 5? 5? 5? E8 ?? ?? ?? ?? CC 8B ?? 5? 8B ?? 5? 5? 5? 8B ?? ?? 85 ?? 75 }
- $block_63 = { 83 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 85 }
- $block_64 = { 8B ?? 8D ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_65 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 4? 80 C? ?? 88 ?? ?? ?? ?? ?? ?? 3B ?? 72 }
- $block_66 = { 8B ?? 8D ?? ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? FF D? 85 ?? 0F 85 }
- $block_67 = { 8B ?? ?? 8B ?? ?? 6A ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_68 = { 8D ?? ?? 33 ?? 5? 66 ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_69 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 8D ?? ?? 83 ?? ?? 3B ?? ?? 0F 85 }
- $block_70 = { 8B ?? ?? ?? ?? ?? 5? 6A ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_71 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? A1 ?? ?? ?? ?? 5? 85 ?? 0F 85 }
- $block_72 = { 8B ?? ?? 8B ?? ?? 8B ?? 5? 5? 8B ?? ?? ?? ?? ?? ?? FF D? 83 ?? ?? 85 ?? 0F 84 }
- $block_73 = { 0F B6 ?? ?? 34 ?? 66 ?? ?? 48 ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? ?? 48 ?? ?? ?? 72 }
- $block_74 = { 5? 8B ?? 5? 5? 8B ?? ?? 5? 8B ?? 5? 8B ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? 0F 84 }
- $block_75 = { 0F BE ?? ?? 33 ?? 83 ?? ?? 81 E? ?? ?? ?? ?? 66 ?? ?? ?? ?? 03 ?? 83 ?? ?? 72 }
- $block_76 = { 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? FF D? 85 ?? 0F 85 }
- $block_77 = { 0F BE ?? ?? 33 ?? 83 ?? ?? 81 E? ?? ?? ?? ?? 66 ?? ?? ?? ?? 4? 83 ?? ?? 72 }
- $block_78 = { 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 5? 5? 8B ?? ?? FF D? 3B ?? 0F 85 }
- $block_79 = { 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? 5? 5? FF D? 3B ?? 0F 85 }
- $block_80 = { 5? 8B ?? ?? ?? ?? ?? 8D ?? ?? 5? 5? C6 ?? ?? ?? FF D? 89 ?? ?? 85 ?? 0F 84 }
- $block_81 = { 8B ?? 83 ?? ?? 5? FF 3? 6A ?? FF D? 5? FF 1? ?? ?? ?? ?? 89 ?? 85 ?? 0F 84 }
- $block_82 = { 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_83 = { 33 ?? 83 ?? ?? 0F 95 ?? 8B ?? 8B ?? ?? 33 ?? E8 ?? ?? ?? ?? 8B ?? 5? C3 }
- $block_84 = { 0F BE ?? ?? F7 ?? 33 ?? 81 E? ?? ?? ?? ?? 66 ?? ?? ?? ?? 4? 83 ?? ?? 72 }
- $block_85 = { 8D ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_86 = { 8D ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? FF D? 85 ?? 0F 85 }
- $block_87 = { 42 ?? ?? ?? ?? 32 ?? FE ?? 34 ?? 88 ?? ?? ?? 0F B6 ?? 48 ?? ?? ?? 72 }
- $block_88 = { 8A ?? ?? 32 ?? 80 F? ?? FE ?? 88 ?? ?? ?? 0F B6 ?? 83 ?? ?? 72 }
- $block_89 = { 8B ?? 33 ?? 0F BE ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 75 }
- $block_90 = { 89 ?? ?? ?? ?? ?? C6 ?? ?? ?? 8B ?? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_91 = { 8B ?? ?? ?? ?? ?? 5? 6A ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_92 = { 8A ?? 80 E? ?? 0F BE ?? F7 ?? 1B ?? 81 E? ?? ?? ?? ?? 81 C? }
- $block_93 = { 8B ?? ?? ?? ?? ?? 33 ?? 66 ?? ?? ?? 3B ?? ?? ?? ?? ?? 0F 84 }
- $block_94 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 33 ?? 3B ?? 0F 84 }
- $block_95 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 0F B7 ?? ?? 83 ?? ?? 5? C3 }
- $block_96 = { 48 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? 49 ?? ?? 0F 1F }
- $block_97 = { 8B ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_98 = { 0F BE ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 75 }
- $block_99 = { 83 ?? ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 0F 85 }
-
- condition:
- hash.sha256(0, filesize) == "3dea35172449f0b9a86dff9af3b4480cc4c37a30e8cb54963ff91c4c1ffe7b0d" or
- hash.sha256(0, filesize) == "262dbadca239e5259161130ac9f0f5ef50691fd9dc3e3490b6c0d7b76e7ee34e" or
- hash.sha256(0, filesize) == "9891b5586cede16aa1e1b87380621f68e8956b991cf7675bbe18d2ec61a7522f" or
- hash.sha256(0, filesize) == "01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9" or
- hash.sha256(0, filesize) == "8a5d8d103cb175d7dc41932ef9a890997e25dbe15f94ecd2105835fe49779354" or
- hash.sha256(0, filesize) == "7cdb9c2e8b6ca7f0a683a39c0bdadc7a512cff5d8264fdec012c541fd19c0522" or
- hash.sha256(0, filesize) == "4bcb2a5d99297b30f8ff00e08cf7330d5e2f69fc602bb317bf8e9f703a137a99" or
- hash.sha256(0, filesize) == "c1b19af1e354f13c90163780be6ad50f02d5bf8bac1c9cc1eab1377a159de1be" or
- hash.sha256(0, filesize) == "fdd7e8582ef8d7a23f269653435582cfe924ca9b2db34af63af5e57d1f3e09c2" or
- hash.sha256(0, filesize) == "ac4ffc7a2ba8840a20f6b07aa44328f1802b79ced6a56b3ac7e78fa1178ba65a" or
- hash.sha256(0, filesize) == "4464c945c88ac9a4a22e86f0922f18c164e87f26c3f3fa054eb488fdd7d4bfc8" or
- hash.sha256(0, filesize) == "bc7bcb663477238508ce8ad366cc9a77811c7f5eabaec47175858fe972639f40" or
- hash.sha256(0, filesize) == "036c5c0075d67f67fee546321f5b9c4f00d37aa9249ffe1627e71946bad4a3d1" or
- hash.sha256(0, filesize) == "a5373b33ac970dedeb52528b123959145bf51c95b159a30a7823ad8018ac4b41" or
- hash.sha256(0, filesize) == "30c69d91247f8a72a69e4d7c4bce3eafba40975e5890c23dc4dbe7c9a11afa73" or
- hash.sha256(0, filesize) == "f6d52c5608931cdf66d71502fcf012b6781edde64ba1f956c1868f7e36d8c8d2" or
- hash.sha256(0, filesize) == "dc70d3046b59785b2b9b7091e26f2484ba7a488dba420a8a05be388a337c399e" or
- hash.sha256(0, filesize) == "d469000ca9e6af92876334e3a460ea4ac8a61c1a6ee819eefbfd0c79ea4fb315" or
- hash.sha256(0, filesize) == "1233cca912fb61873c7388f299a4a1b78054e681941beb31f0a48f8c6d7a182b" or
- hash.sha256(0, filesize) == "12e1139ef422c2c0884fb5b1786a8489c1769a96880a30406e4a28b76ea4a73a" or
- hash.sha256(0, filesize) == "f722677df4fb7eb4ac986a944d4f6630b91ac22b31f8d39ec9bf941376d5d4db" or
- hash.sha256(0, filesize) == "1a7239c006a3adf893bdb5c2300b2964ed8bb454e1b622853e4460707dc63c16" or
- hash.sha256(0, filesize) == "418a21d49fe5bca8a3e050f039a0e2aa03db6d2de0fb49e3ff9d987f31b22dda" or
- hash.sha256(0, filesize) == "65fa52f632e4e83ff83120c7df6b90291025a76d5daeb183e814ec0b3bd2bd4e" or
- hash.sha256(0, filesize) == "b9ea2cc39808780ade1fe51287072e958448be7e3a7b32bfd48438453592018c" or
- hash.sha256(0, filesize) == "89996b66d5a339939b2072d29675ec3ca6d793f42a5d335a8ea7dab8773321ef" or
- hash.sha256(0, filesize) == "6eeffe540693418a107db3e7d2d9b72a54b2354aa6886b571272aa41f8cc8e0c" or
- hash.sha256(0, filesize) == "5f827730c7bd155997121f023ca9775077a37a58111738fcb3213757170bd860" or
- hash.sha256(0, filesize) == "637cabc343e3ed5b447dccb13aa7caf4d3a3eb3cd617d360167f270ec34596ea" or
- hash.sha256(0, filesize) == "70ae2363191e8b20d1773ecc73afc2b9a5dd8247c7b97eecfd1378f3e7aabf92" or
- hash.sha256(0, filesize) == "b9c996b06e0db273a4edede3fd6fda2b40b2e0201eba3e8ac581d802fc610a4a" or
- hash.sha256(0, filesize) == "18c0b02776487babbf6219cdaf97cbf2b534e0cf87a527228dda2d4a468a257f" or
- hash.sha256(0, filesize) == "7ed2d1aceab5f54df4acca63b5d269842d49521e13bab5e652237667c7eef261" or
- hash.sha256(0, filesize) == "86056f462d5783604b7f050047db210ecf698e72f3664b27d58265663ff5b324" or
- 12 of them
-}
-
-rule BlackEnergyPluginMalwareUpdate {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? 8B ?? ?? 8B ?? ?? 03 ?? 8B ?? 2B ?? 89 ?? ?? 3B ?? ?? 0F 83 }
- $block_1 = { 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? FF 7? ?? 5? FF 7? ?? FF D? 85 ?? 0F 84 }
- $block_2 = { 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? 5? FF 7? ?? FF D? 85 ?? 0F 84 }
- $block_3 = { 8D ?? ?? 5? 6A ?? 6A ?? FF 7? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_4 = { 5? 8B ?? 83 ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_5 = { 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_6 = { 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? FF D? 3D ?? ?? ?? ?? 0F 85 }
- $block_7 = { FF 7? ?? 8B ?? ?? FF 3? 33 ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 }
- $block_8 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? FF D? 3D ?? ?? ?? ?? 0F 85 }
- $block_9 = { 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? FF D? 83 ?? ?? 0F 85 }
- $block_10 = { 5? 5? E8 ?? ?? ?? ?? 33 ?? 89 ?? ?? 3B ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "e1fc973641508fa98ad4c338122484f6c3aee64488b0c91f7eccf6453927fdf8" or
- 11 of them
-}
-
-rule BlackEnergyDropper {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8D ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? BB ?? ?? ?? ?? BE ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? C9 C2 }
- $block_1 = { E8 ?? ?? ?? ?? 8A ?? ?? 5? D5 ?? F1 8D ?? ?? 5? F7 ?? B9 ?? ?? ?? ?? 8D ?? ?? 5? 6A ?? 5? E9 }
- $block_2 = { 83 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? 83 ?? ?? ?? B8 ?? ?? ?? ?? 8D ?? 8B ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_3 = { 4? 9? CD ?? 25 ?? ?? ?? ?? 0D ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 4? FC 04 ?? 72 }
- $block_4 = { 4? 3C ?? 68 ?? ?? ?? ?? BB ?? ?? ?? ?? F8 89 ?? B8 ?? ?? ?? ?? F3 ?? 8D ?? ?? F7 ?? E9 }
- $block_5 = { 89 ?? 8B ?? ?? B9 ?? ?? ?? ?? 0F B7 ?? ?? 2B ?? 8D ?? ?? ?? 2B ?? 66 ?? ?? ?? 0F 82 }
- $block_6 = { 6E F7 ?? 03 ?? BF ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? BF ?? ?? ?? ?? 8D ?? E9 }
- $block_7 = { 5? 8B ?? ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 5? 6A ?? FF D? 8B ?? 85 ?? 0F 84 }
- $block_8 = { 28 ?? ?? ?? C9 89 ?? F7 ?? 0A ?? 8D ?? ?? BA ?? ?? ?? ?? 33 ?? 8A ?? F7 ?? E9 }
- $block_9 = { 8E ?? 16 B3 ?? 65 ?? 80 3? ?? ?? ?? ?? ?? 5? F7 ?? BA ?? ?? ?? ?? 5? 89 ?? E9 }
- $block_10 = { 37 81 4? ?? ?? ?? ?? ?? F6 ?? 2A ?? ?? B2 ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_11 = { 0B ?? BB ?? ?? ?? ?? F7 ?? 5? 5? B9 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 03 ?? 0F 85 }
- $block_12 = { 8B ?? ?? 8D ?? ?? 8B ?? ?? 03 ?? 8B ?? 2B ?? 8B ?? ?? ?? ?? ?? 3B ?? ?? 0F 83 }
- $block_13 = { 8B ?? ?? 68 ?? ?? ?? ?? 6A ?? 03 ?? E8 ?? ?? ?? ?? 5? FF D? 8B ?? 85 ?? 0F 84 }
- $block_14 = { 01 ?? EF AA 3C ?? AD 26 ?? ?? ?? ?? ?? F7 ?? 8B ?? 03 ?? D1 ?? 83 ?? ?? E9 }
- $block_15 = { 8B ?? ?? F7 ?? 8D ?? ?? F7 ?? 8B ?? 2B ?? 83 ?? ?? 89 ?? ?? 3B ?? ?? 0F 86 }
- $block_16 = { D7 C8 ?? ?? ?? AD 8D ?? ?? 8B ?? ?? ?? 8B ?? 2B ?? D3 ?? 2B ?? 03 ?? 0F 84 }
- $block_17 = { 89 ?? BA ?? ?? ?? ?? 5? BA ?? ?? ?? ?? 0F B6 ?? 89 ?? BA ?? ?? ?? ?? E9 }
- $block_18 = { 0F C9 89 ?? F7 ?? 0A ?? 8D ?? ?? BA ?? ?? ?? ?? 33 ?? 8A ?? F7 ?? E9 }
- $block_19 = { 32 ?? ?? 4? 8E ?? ?? 1C ?? 9? BF ?? ?? ?? ?? D6 89 ?? 8B ?? ?? ?? E9 }
- $block_20 = { 60 30 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? F7 ?? E9 }
- $block_21 = { 86 ?? 3F 9A ?? ?? ?? ?? ?? ?? 5? 18 ?? D6 8B ?? ?? ?? 89 ?? ?? E9 }
- $block_22 = { 5? CD ?? FF 5? ?? 01 ?? 4? 05 ?? ?? ?? ?? D0 ?? ?? ?? ?? ?? EF 75 }
- $block_23 = { 9A ?? ?? ?? ?? ?? ?? 0A ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_24 = { BF ?? ?? ?? ?? 89 ?? 5? 5? 5? FF D? 80 B? ?? ?? ?? ?? ?? 0F 85 }
- $block_25 = { 5? 5? 03 ?? 33 ?? F7 ?? 4? 89 ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 83 }
- $block_26 = { 1A ?? B0 ?? AF AB 9? 4? 4? 89 ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 82 }
- $block_27 = { 8B ?? ?? B9 ?? ?? ?? ?? 89 ?? 8D ?? 2B ?? 0F B7 ?? ?? 2B ?? E9 }
- $block_28 = { 0F AC ?? ?? 2E ?? ?? E5 ?? D6 05 ?? ?? ?? ?? FF D? 85 ?? 0F 85 }
- $block_29 = { F9 AC BF ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B ?? ?? F7 ?? F7 ?? E9 }
- $block_30 = { BB ?? ?? ?? ?? D7 2A ?? 5? A5 5? FF D? 5? 5? 85 ?? 0F 85 }
- $block_31 = { 89 ?? 8B ?? ?? 89 ?? B9 ?? ?? ?? ?? 0F B7 ?? ?? E9 }
- $block_32 = { 33 ?? ?? 4? 4? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_33 = { 89 ?? 5? 5? 5? FF D? 80 B? ?? ?? ?? ?? ?? 0F 85 }
-
- condition:
- hash.sha256(0, filesize) == "e052ea4fbc3aeed1e46df6966bb60c29c6e706ba8fd737fd9ab414fc29189345" or
- hash.sha256(0, filesize) == "23f9272cb2f08dfe5c847ba7764d003310d26585b22ebd1d8d77935907474235" or
- hash.sha256(0, filesize) == "07a76c1d09a9792c348bb56572692fcc4ea5c96a77a2cddf23c0117d03a0dfad" or
- hash.sha256(0, filesize) == "6d4d0715b274bd8331e67b064416e0806d1c0941930ba9ee6e4bac0eb360f7e6" or
- 12 of them
-}
-
-rule BlackEnergyDriver {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 0F BF ?? ?? BA ?? ?? ?? ?? 89 ?? ?? B9 ?? ?? ?? ?? 8B ?? ?? BA ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? E9 }
- $block_1 = { E8 ?? ?? ?? ?? 48 ?? ?? FF D? BA ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_2 = { 89 ?? ?? 8D ?? ?? 89 ?? 8D ?? ?? ?? ?? ?? ?? 8B ?? ?? B8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 0F 84 }
- $block_3 = { 03 ?? ?? 8D ?? 8D ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? B9 ?? ?? ?? ?? 89 ?? 8B ?? ?? 83 ?? ?? 0F 84 }
- $block_4 = { E8 ?? ?? ?? ?? 4? E4 ?? D1 ?? 65 ?? ?? 00 ?? ?? EE 9? 1F D8 ?? ?? 0E 27 13 ?? ?? 9? 07 1E 7F }
- $block_5 = { 4? 06 60 6A ?? 4? 8B ?? ?? 81 E? ?? ?? ?? ?? FF 0? 8B ?? ?? ?? ?? ?? 8D ?? ?? F7 ?? F7 ?? E9 }
- $block_6 = { 4? 14 ?? 39 ?? A2 ?? ?? ?? ?? 0D ?? ?? ?? ?? 5? 0C ?? 06 8B ?? ?? 8B ?? 5? 5? 5? 89 ?? ?? E9 }
- $block_7 = { 89 ?? 89 ?? 8B ?? ?? 8D ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? 8B ?? ?? ?? ?? ?? 3B ?? ?? 0F 83 }
- $block_8 = { 8B ?? ?? F7 ?? 8B ?? ?? 89 ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? 0F B7 ?? ?? C1 ?? ?? 83 ?? ?? 0F 84 }
- $block_9 = { 0F B6 ?? ?? 8D ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 5? F7 ?? F7 ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 5? E9 }
- $block_10 = { BA ?? ?? ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 33 ?? FF D? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_11 = { BA ?? ?? ?? ?? 41 ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? ?? ?? 33 ?? FF D? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_12 = { 8B ?? ?? B8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? F7 ?? 0F B6 ?? ?? 89 ?? B9 ?? ?? ?? ?? 89 ?? E9 }
- $block_13 = { 1E DF ?? ?? ?? ?? ?? 5? 36 ?? ?? D2 ?? D2 ?? 27 BF ?? ?? ?? ?? 1D ?? ?? ?? ?? 9? 04 ?? 73 }
- $block_14 = { 8B ?? ?? B9 ?? ?? ?? ?? 89 ?? 8D ?? ?? 0F B7 ?? ?? B8 ?? ?? ?? ?? 8D ?? BA ?? ?? ?? ?? E9 }
- $block_15 = { F7 ?? BA ?? ?? ?? ?? 89 ?? B8 ?? ?? ?? ?? 0F B6 ?? ?? 0F B6 ?? ?? F7 ?? B9 ?? ?? ?? ?? E9 }
- $block_16 = { 4? D7 3E ?? ?? ?? ?? ?? B1 ?? B8 ?? ?? ?? ?? 8B ?? 89 ?? F7 ?? 8B ?? ?? 83 ?? ?? ?? 0F 87 }
- $block_17 = { B8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 8D ?? ?? 33 ?? BF ?? ?? ?? ?? F7 ?? 89 ?? 8B ?? 3B ?? 0F 82 }
- $block_18 = { F7 ?? 03 ?? ?? F7 ?? F7 ?? 89 ?? ?? 89 ?? B9 ?? ?? ?? ?? F7 ?? 8B ?? ?? 83 ?? ?? ?? 0F 85 }
- $block_19 = { BA ?? ?? ?? ?? 41 ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? ?? 33 ?? FF D? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_20 = { 44 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 0F B7 ?? ?? 45 ?? ?? 66 ?? ?? ?? ?? 73 }
- $block_21 = { 8D ?? 8B ?? ?? 0F B7 ?? ?? ?? 89 ?? 8D ?? ?? ?? 5? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 0F 85 }
- $block_22 = { 8D ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? 89 ?? 8B ?? ?? 3B ?? 0F 85 }
- $block_23 = { F3 ?? ?? ?? 9E E7 ?? 10 ?? D1 ?? ?? ?? ?? ?? 4? FC 8D ?? 89 ?? 8B ?? ?? 3B ?? ?? 0F 8C }
- $block_24 = { B7 ?? 4? 39 ?? EC F7 ?? 89 ?? F7 ?? C7 ?? ?? ?? ?? ?? ?? F7 ?? 8B ?? ?? 3B ?? ?? 0F 87 }
- $block_25 = { C5 ?? AC AF 9F 5? 8A ?? FF B? ?? ?? ?? ?? 0E F9 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? E9 }
- $block_26 = { 03 ?? ?? F7 ?? B9 ?? ?? ?? ?? 8B ?? ?? 89 ?? 89 ?? 8D ?? ?? 8B ?? ?? 39 ?? ?? 0F 82 }
- $block_27 = { 9D 1F BB ?? ?? ?? ?? A3 ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? E9 }
- $block_28 = { 8D ?? ?? ?? ?? ?? 89 ?? 8B ?? ?? B9 ?? ?? ?? ?? 0F B7 ?? ?? C1 ?? ?? 83 ?? ?? 0F 85 }
- $block_29 = { 6E EA ?? ?? ?? ?? ?? ?? 0C ?? 8B ?? ?? 89 ?? B8 ?? ?? ?? ?? 03 ?? ?? F7 ?? 8D ?? E9 }
- $block_30 = { 4? 8C ?? 89 ?? ?? ?? ?? ?? F7 ?? 8B ?? ?? F7 ?? 8B ?? ?? ?? ?? ?? 3B ?? ?? 0F 82 }
- $block_31 = { DA ?? ?? 5? 0C ?? 07 03 ?? ?? 89 ?? 0F B6 ?? 89 ?? 33 ?? 8D ?? ?? 8D ?? ?? ?? E9 }
- $block_32 = { 8B ?? ?? B9 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 03 ?? ?? F7 ?? 8D ?? ?? 0F B6 ?? E9 }
- $block_33 = { 6E AC 8D ?? ?? ?? ?? ?? C1 ?? ?? 8D ?? ?? ?? ?? ?? F7 ?? 8B ?? ?? ?? C1 ?? ?? E9 }
- $block_34 = { F7 ?? 8B ?? ?? B9 ?? ?? ?? ?? 8D ?? F7 ?? 8B ?? ?? 0F B7 ?? ?? B8 ?? ?? ?? ?? E9 }
- $block_35 = { 69 ?? ?? ?? ?? ?? ?? 86 ?? ?? ?? ?? ?? 67 ?? 5? 8B ?? ?? ?? ?? ?? 3B ?? ?? 0F 83 }
- $block_36 = { 8B ?? ?? B8 ?? ?? ?? ?? F7 ?? 8B ?? ?? B8 ?? ?? ?? ?? 8D ?? ?? 0F BF ?? ?? E9 }
- $block_37 = { 85 ?? ?? 83 ?? ?? ?? AE 5? 05 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? 3B ?? 0F 82 }
- $block_38 = { 8B ?? ?? 0F B7 ?? ?? F7 ?? 25 ?? ?? ?? ?? F7 ?? 8D ?? 8D ?? 8B ?? ?? 03 ?? E9 }
- $block_39 = { 9? 1A ?? 26 ?? 66 ?? ?? ?? 5? D3 ?? 06 10 ?? ?? ?? ?? ?? 19 ?? ?? 1A ?? ?? 78 }
- $block_40 = { AF 88 ?? ?? ?? ?? ?? 65 ?? 0C ?? FF 5? ?? 5? E4 ?? FF 8? ?? ?? ?? ?? B6 ?? E9 }
- $block_41 = { 8B ?? ?? 8D ?? 03 ?? ?? 89 ?? 0F B6 ?? 89 ?? 33 ?? 8D ?? ?? 8D ?? ?? ?? E9 }
- $block_42 = { C4 ?? ?? ?? 20 ?? 5? 9B 6D 14 ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_43 = { CC 15 ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 65 ?? 5? B6 ?? D3 ?? ?? ?? ?? ?? 9D E9 }
- $block_44 = { 27 99 6B ?? ?? ?? 8A ?? AA F1 89 ?? 8B ?? ?? F7 ?? 89 ?? F7 ?? 5? 8D ?? E9 }
- $block_45 = { F1 18 ?? 1A ?? ?? A8 ?? 5? B5 ?? 23 ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 5? E9 }
- $block_46 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? E9 }
- $block_47 = { 80 1? ?? 8C ?? ?? ?? ?? ?? 0C ?? 89 ?? 89 ?? 88 ?? ?? 89 ?? 0F B6 ?? ?? E9 }
- $block_48 = { 8B ?? ?? 89 ?? BA ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 3B ?? 0F 84 }
- $block_49 = { D0 ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? 89 ?? 8D ?? ?? 8B ?? ?? 39 ?? ?? 0F 82 }
- $block_50 = { 8B ?? ?? 8D ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? 8B ?? ?? 83 ?? ?? 0F 84 }
- $block_51 = { EF F7 ?? 5? B9 ?? ?? ?? ?? F7 ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? E9 }
- $block_52 = { 8B ?? ?? F7 ?? 8D ?? ?? 8D ?? ?? 03 ?? ?? 8D ?? ?? ?? ?? ?? 0F B6 ?? E9 }
- $block_53 = { F7 ?? B8 ?? ?? ?? ?? 89 ?? 8B ?? ?? F7 ?? F7 ?? 8B ?? 03 ?? 85 ?? 0F 85 }
- $block_54 = { 8B ?? ?? BE ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 }
- $block_55 = { B9 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 88 ?? ?? F7 ?? 0F B6 ?? ?? 89 ?? E9 }
- $block_56 = { 8B ?? ?? F7 ?? B9 ?? ?? ?? ?? 8B ?? ?? 8D ?? 0F B7 ?? ?? F7 ?? 89 ?? E9 }
- $block_57 = { 8D ?? ?? 33 ?? 44 ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_58 = { 0F BE ?? ?? 8D ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? 0F BE ?? ?? E9 }
- $block_59 = { F7 ?? 89 ?? F7 ?? C7 ?? ?? ?? ?? ?? ?? F7 ?? 8B ?? ?? 3B ?? ?? 0F 87 }
- $block_60 = { 8B ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_61 = { 5? B4 ?? E5 ?? 38 ?? ?? ?? ?? ?? 07 2E ?? ?? F8 B4 ?? 3A ?? 5? EB }
- $block_62 = { 8D ?? ?? 8B ?? ?? 2B ?? 8B ?? ?? B9 ?? ?? ?? ?? F7 ?? 85 ?? 0F 84 }
- $block_63 = { D5 ?? 35 ?? ?? ?? ?? 5? 5? 4? 4? AE 10 ?? ?? ?? ?? ?? 89 ?? ?? E9 }
- $block_64 = { E8 ?? ?? ?? ?? 61 DF ?? 4? 8B ?? ?? 8D ?? ?? 8B ?? ?? 89 ?? ?? E9 }
- $block_65 = { BA ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_66 = { 89 ?? 89 ?? 8B ?? ?? 89 ?? 0F B7 ?? ?? C1 ?? ?? 83 ?? ?? 0F 85 }
- $block_67 = { 2C ?? 28 ?? ?? ?? ?? ?? 4? F7 ?? F7 ?? 8B ?? ?? 3B ?? ?? 0F 8D }
- $block_68 = { 27 2A ?? ?? ?? ?? ?? EC 5? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 0F 84 }
- $block_69 = { D1 ?? ?? ?? ?? ?? EC 0C ?? 04 ?? 00 ?? 00 ?? 61 D7 0A ?? 4? 76 }
- $block_70 = { D1 ?? 89 ?? 88 ?? ?? F7 ?? BA ?? ?? ?? ?? 0F B6 ?? ?? 8D ?? E9 }
- $block_71 = { BF ?? ?? ?? ?? F7 ?? 89 ?? 8D ?? ?? ?? F7 ?? 8B ?? 3B ?? 0F 82 }
- $block_72 = { 06 1A ?? ?? ?? ?? ?? 1B ?? ?? ?? ?? ?? F7 ?? 89 ?? 8B ?? ?? E9 }
- $block_73 = { 8B ?? ?? F7 ?? 89 ?? 03 ?? ?? 0F B6 ?? F7 ?? 89 ?? 89 ?? E9 }
- $block_74 = { 8B ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_75 = { 1E 4? 9B 36 ?? 8B ?? ?? ?? B7 ?? 5? C1 ?? ?? 83 ?? ?? 0F 84 }
- $block_76 = { B8 ?? ?? ?? ?? 8B ?? 89 ?? F7 ?? 8B ?? ?? 83 ?? ?? ?? 0F 87 }
- $block_77 = { 16 85 ?? ?? B6 ?? 4? 5? F4 62 ?? ?? 89 ?? 83 ?? ?? F7 ?? E9 }
- $block_78 = { F7 ?? 89 ?? ?? 8D ?? ?? ?? ?? ?? ?? 8B ?? ?? 3B ?? ?? 0F 8C }
- $block_79 = { 85 ?? ?? ?? ?? ?? A6 89 ?? ?? 89 ?? 89 ?? ?? 89 ?? 89 ?? E9 }
- $block_80 = { 15 ?? ?? ?? ?? 5? F4 F7 ?? 8D ?? 0F B6 ?? ?? 85 ?? 0F 85 }
- $block_81 = { 89 ?? 88 ?? ?? F7 ?? BA ?? ?? ?? ?? 0F B6 ?? ?? 8D ?? E9 }
- $block_82 = { 4? B7 ?? 64 ?? ?? AD B3 ?? 8A ?? ?? ?? ?? ?? 5? F7 ?? E9 }
- $block_83 = { 2B ?? C7 ?? ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 86 }
- $block_84 = { 8D ?? ?? ?? ?? ?? 0F B6 ?? 5? E8 ?? ?? ?? ?? 88 ?? ?? E9 }
- $block_85 = { F7 ?? 8D ?? ?? 8B ?? ?? F7 ?? 89 ?? 0F BE ?? 85 ?? 0F 84 }
- $block_86 = { 8B ?? ?? 8D ?? 8D ?? ?? 89 ?? 0F B6 ?? ?? 85 ?? 0F 84 }
- $block_87 = { 0F BE ?? ?? F7 ?? 89 ?? 89 ?? 0F BE ?? ?? 3B ?? 0F 85 }
- $block_88 = { F7 ?? ?? 3B ?? 4? 89 ?? ?? 81 7? ?? ?? ?? ?? ?? 0F 8C }
- $block_89 = { F4 1B ?? F7 ?? EE E8 ?? ?? ?? ?? 4? 06 39 ?? ?? 0F 82 }
- $block_90 = { 8B ?? ?? F7 ?? F7 ?? 0F B7 ?? 81 F? ?? ?? ?? ?? 0F 85 }
- $block_91 = { 5? ED 0C ?? 9C 4? AF 9? 82 E? ?? 35 ?? ?? ?? ?? 73 }
- $block_92 = { 0F BE ?? ?? 89 ?? 8D ?? ?? 0F BE ?? ?? 3B ?? 0F 85 }
- $block_93 = { 8B ?? ?? 0F BE ?? ?? 03 ?? 33 ?? BE ?? ?? ?? ?? E9 }
- $block_94 = { 8B ?? ?? 89 ?? B8 ?? ?? ?? ?? 8B ?? ?? 3B ?? 0F 84 }
- $block_95 = { 5? 6A ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_96 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 0F 84 }
- $block_97 = { BA ?? ?? ?? ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 0F 85 }
- $block_98 = { 5? A4 8B ?? ?? B8 ?? ?? ?? ?? F7 ?? 89 ?? ?? E9 }
- $block_99 = { 6A ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68" or
- hash.sha256(0, filesize) == "edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281" or
- hash.sha256(0, filesize) == "32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614" or
- hash.sha256(0, filesize) == "4d31a81515ea04765b488dadc49acac4a2b81ca16eee1993ccd97b51a75510d5" or
- hash.sha256(0, filesize) == "244dd8018177ea5a92c70a7be94334fa457c1aab8a1c1ea51580d7da500c3ad5" or
- hash.sha256(0, filesize) == "7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094" or
- hash.sha256(0, filesize) == "ac13b819379855af80ea3499e7fb645f1c96a4a6709792613917df4276c583fc" or
- hash.sha256(0, filesize) == "cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988" or
- hash.sha256(0, filesize) == "cfb20e7516b42486d11c59021a8be8a457ee1fa0d0be6d5d958e80b3cfeb04ae" or
- hash.sha256(0, filesize) == "3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2" or
- hash.sha256(0, filesize) == "2aade7381aa87f55b7d7a5284d22be5472fd8cd966d216fd4445ca3a8bbb3ff3" or
- hash.sha256(0, filesize) == "166ba02539d3ea8cd1298d916fad1264a815f55798df5477698b7d775542b696" or
- hash.sha256(0, filesize) == "405013e66b6f137f915738e5623228f36c74e362873310c5f2634ca2fda6fbc5" or
- hash.sha256(0, filesize) == "97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1" or
- hash.sha256(0, filesize) == "90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c" or
- hash.sha256(0, filesize) == "7a393b3eadfc8938cbecf84ca630e56e37d8b3d23e084a12ea5a7955642db291" or
- hash.sha256(0, filesize) == "ca7a8180996a98e718f427837f9d52453b78d0a307e06e1866db4d4ce969d525" or
- hash.sha256(0, filesize) == "ed080c2635180f27c8d288e96c1105d0914dc1bb55917d2f5f2538fc32974aa2" or
- hash.sha256(0, filesize) == "43ce710a83c99fb4c0bac2ea93727a9d5dda6e82e30b5fe861f9e3e0acddaa1c" or
- hash.sha256(0, filesize) == "edcd1722fdc2c924382903b7e4580f9b77603110e497393c9947d45d311234bf" or
- hash.sha256(0, filesize) == "81125a5eb555dc898a5af966cf5ac8380e6c8e64a1c7f7981e8db8c9dbb37394" or
- hash.sha256(0, filesize) == "5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc" or
- hash.sha256(0, filesize) == "b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a" or
- 12 of them
-}
-
-rule BlackEnergyPluginNetworkDiscovery {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? 8B ?? ?? 8B ?? ?? 03 ?? 8B ?? 2B ?? 89 ?? ?? 3B ?? ?? 0F 83 }
- $block_1 = { 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? 68 ?? ?? ?? ?? FF 7? ?? FF D? 85 ?? 0F 84 }
- $block_2 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 8D ?? ?? ?? 5? 6A ?? FF D? 89 ?? ?? 3B ?? 0F 84 }
- $block_3 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 6A ?? 68 ?? ?? ?? ?? FF D? 89 ?? ?? 85 ?? 0F 84 }
- $block_4 = { 5? 8B ?? ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 5? 6A ?? FF D? 89 ?? ?? 85 ?? 0F 84 }
- $block_5 = { 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? 5? FF 7? ?? FF D? 85 ?? 0F 84 }
- $block_6 = { 8B ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 5? 6A ?? FF D? 8B ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_7 = { FF 4? ?? 6A ?? 8D ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_8 = { 03 ?? 0F B6 ?? C1 ?? ?? 8A ?? ?? ?? ?? ?? 4? 88 ?? 3B ?? 0F BE ?? 75 }
- $block_9 = { 5? 5? 5? 8D ?? ?? 5? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_10 = { FF 7? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_11 = { 8B ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_12 = { 8D ?? ?? 5? 6A ?? 6A ?? FF 7? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_13 = { 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 85 }
- $block_14 = { 8B ?? ?? C1 ?? ?? 5? 5? 89 ?? ?? 89 ?? ?? 3B ?? 0F 86 }
- $block_15 = { 5? 8B ?? 83 ?? ?? 5? 33 ?? 89 ?? ?? 39 ?? ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "325db53fdeb928597531ee1d20f7528f687c2c5611e3fa408f41a654e73b0f1b" or
- 12 of them
-}
-
-rule VPNFilterStage1 {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { B8 ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_1 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FC C1 ?? ?? F3 ?? F6 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 74 }
- $block_2 = { 31 ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_3 = { BB ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_4 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? 31 ?? 83 ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 84 }
- $block_5 = { 8D ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 84 }
- $block_6 = { 5? B9 ?? ?? ?? ?? 89 ?? 31 ?? 5? 5? 5? FC 8D ?? ?? 83 ?? ?? 89 ?? F3 ?? 66 ?? ?? ?? ?? 31 ?? 9? }
- $block_7 = { 8B ?? ?? 8B ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? FF 5? ?? 85 ?? 0F 85 }
- $block_8 = { FF 8? ?? ?? ?? ?? A1 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 8F }
- $block_9 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? BE ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_10 = { B1 ?? 89 ?? 8B ?? ?? ?? F6 ?? BA ?? ?? ?? ?? 89 ?? 31 ?? 0F B6 ?? F7 ?? 8D ?? ?? 88 ?? 04 ?? 88 }
- $block_11 = { 89 ?? C1 ?? ?? F6 ?? ?? 0F 95 ?? 0F B6 ?? 01 ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_12 = { 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 0F B7 ?? ?? 66 ?? ?? ?? 75 }
- $block_13 = { 8B ?? ?? 89 ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_14 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_15 = { B8 ?? ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_16 = { 8B ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? C1 ?? ?? BE ?? ?? ?? ?? 01 ?? 89 ?? ?? 0F B6 ?? 8B ?? ?? 29 }
- $block_17 = { B9 ?? ?? ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_18 = { 01 ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 09 ?? 8D ?? ?? 39 ?? 0F 87 }
- $block_19 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 8D ?? ?? 3D ?? ?? ?? ?? 89 ?? ?? 0F 87 }
- $block_20 = { BE ?? ?? ?? ?? B9 ?? ?? ?? ?? FC F3 ?? A1 ?? ?? ?? ?? 66 ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? 5? C3 }
- $block_21 = { 8B ?? ?? 0F B6 ?? 01 ?? 4? 0F B6 ?? 83 ?? ?? 30 ?? 88 ?? 88 ?? FF 4? ?? 8B ?? ?? 39 ?? ?? 74 }
- $block_22 = { B9 ?? ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 85 ?? 89 ?? ?? 0F 85 }
- $block_23 = { 83 ?? ?? 89 ?? ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? ?? ?? 0F 85 }
- $block_24 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 29 ?? 8D ?? ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 0F 86 }
- $block_25 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_26 = { 4? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_27 = { 89 ?? B3 ?? F6 ?? BA ?? ?? ?? ?? 89 ?? 31 ?? 0F B6 ?? F7 ?? 88 ?? 04 ?? 3C ?? 88 ?? ?? ?? 74 }
- $block_28 = { 8B ?? ?? 8B ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 }
- $block_29 = { 0F B6 ?? C1 ?? ?? 89 ?? ?? 0F B6 ?? ?? 09 ?? ?? 8B ?? ?? 89 ?? 8B ?? ?? 4? 3D ?? ?? ?? ?? 77 }
- $block_30 = { 8B ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_31 = { B8 ?? ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? ?? ?? 0F 84 }
- $block_32 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? 8D ?? ?? 83 ?? ?? 0F 86 }
- $block_33 = { 8B ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? ?? ?? 0F 85 }
- $block_34 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_35 = { 8B ?? ?? 8D ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_36 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_37 = { 8B ?? ?? 8D ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? 01 ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_38 = { 8D ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 83 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_39 = { C7 ?? ?? ?? ?? ?? ?? 29 ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_40 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 0F B6 ?? ?? ?? 0F B6 ?? 39 ?? 74 }
- $block_41 = { 8B ?? ?? 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 }
- $block_42 = { 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 89 ?? 0F 8E }
- $block_43 = { 89 ?? 31 ?? FC C1 ?? ?? F3 ?? 8D ?? ?? ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 76 }
- $block_44 = { B8 ?? ?? ?? ?? 89 ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_45 = { 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 89 ?? 0F 84 }
- $block_46 = { 8B ?? ?? ?? ?? ?? 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 09 ?? 8D ?? ?? 39 ?? ?? ?? ?? ?? 0F 85 }
- $block_47 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_48 = { BA ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_49 = { 8B ?? ?? 8D ?? ?? 0F B6 ?? ?? ?? ?? ?? C6 ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 }
- $block_50 = { 8D ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_51 = { 80 F? ?? 0F B6 ?? ?? 0F B6 ?? ?? 19 ?? 83 ?? ?? C1 ?? ?? 09 ?? 8D ?? ?? ?? 39 ?? ?? 0F 85 }
- $block_52 = { 8B ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 89 ?? 0F 84 }
- $block_53 = { 0F B6 ?? ?? 8B ?? ?? ?? ?? ?? 80 E? ?? 80 F? ?? 19 ?? 83 ?? ?? 83 ?? ?? 39 ?? 89 ?? ?? 74 }
- $block_54 = { C7 ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8B ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_55 = { 89 ?? 31 ?? FC C1 ?? ?? F3 ?? 89 ?? C1 ?? ?? 31 ?? 8B ?? ?? 89 ?? 29 ?? 83 ?? ?? 89 ?? EB }
- $block_56 = { 8B ?? ?? 8D ?? ?? 0F B6 ?? 4? 83 ?? ?? 32 ?? 88 ?? 88 ?? FF 4? ?? 8B ?? ?? 39 ?? ?? 0F 84 }
- $block_57 = { FC 31 ?? B9 ?? ?? ?? ?? 89 ?? F3 ?? 8B ?? ?? FF 5? ?? BA ?? ?? ?? ?? 85 ?? 89 ?? ?? 74 }
- $block_58 = { 8D ?? ?? 4? 8D ?? ?? 89 ?? 89 ?? 0F B6 ?? ?? 8D ?? ?? ?? 89 ?? 89 ?? 8B ?? ?? 89 ?? 75 }
- $block_59 = { 8D ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_60 = { 8B ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 85 ?? 0F 84 }
- $block_61 = { 89 ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 88 }
- $block_62 = { 8B ?? ?? 89 ?? 03 ?? ?? 0F B7 ?? ?? 01 ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? 0B ?? ?? 74 }
- $block_63 = { B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_64 = { 01 ?? 89 ?? ?? ?? ?? ?? 31 ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_65 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_66 = { 0F B6 ?? 0F B6 ?? ?? C1 ?? ?? 09 ?? 8D ?? ?? 8D ?? ?? 39 ?? ?? ?? ?? ?? 89 ?? ?? 0F 82 }
- $block_67 = { 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 85 }
- $block_68 = { 0F B6 ?? ?? BA ?? ?? ?? ?? 4? 89 ?? 31 ?? C6 ?? ?? ?? ?? 8D ?? ?? F7 ?? 88 ?? 04 ?? 88 }
- $block_69 = { 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 85 }
- $block_70 = { 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 85 }
- $block_71 = { 8B ?? ?? 8B ?? ?? 8B ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_72 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_73 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 29 ?? 0F 84 }
- $block_74 = { 8B ?? ?? ?? ?? ?? 01 ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_75 = { 8B ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? 83 ?? ?? 8D ?? ?? 29 ?? ?? 39 ?? 89 ?? ?? 89 ?? 0F 87 }
- $block_76 = { 8B ?? ?? C1 ?? ?? 0F B6 ?? ?? 4? 09 ?? 31 ?? 39 ?? 0F 97 ?? 4? F7 ?? 21 ?? 83 ?? ?? 75 }
- $block_77 = { 8B ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? 0F 93 ?? 4? 0F B6 ?? 83 ?? ?? F7 ?? 21 ?? 39 ?? 75 }
- $block_78 = { 5? B8 ?? ?? ?? ?? 89 ?? 5? 5? 5? 83 ?? ?? F6 ?? ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 0F 85 }
- $block_79 = { 80 B? ?? ?? ?? ?? ?? ?? 0F 95 ?? 08 ?? 0F 94 ?? 4? 0F B6 ?? 01 ?? 3B ?? ?? ?? ?? ?? 75 }
- $block_80 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_81 = { 8B ?? ?? 39 ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 87 }
- $block_82 = { 89 ?? 89 ?? C1 ?? ?? 88 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 81 C? ?? ?? ?? ?? 39 ?? 0F 82 }
- $block_83 = { 89 ?? 8B ?? ?? ?? ?? ?? 89 ?? C1 ?? ?? F6 ?? ?? FC F3 ?? 89 ?? 89 ?? ?? ?? ?? ?? 74 }
- $block_84 = { 31 ?? 89 ?? ?? ?? ?? ?? 8B ?? 0F B6 ?? ?? ?? ?? ?? 80 E? ?? 88 ?? ?? ?? ?? ?? 0F 84 }
- $block_85 = { 0A ?? ?? ?? 4? 88 ?? F6 ?? 08 ?? C0 ?? ?? 34 ?? 0F B6 ?? 01 ?? ?? ?? ?? ?? 39 ?? 75 }
- $block_86 = { 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_87 = { 0F B6 ?? ?? ?? 89 ?? 0F B6 ?? 29 ?? 84 ?? 89 ?? 0F 94 ?? 39 ?? 0F 92 ?? 08 ?? 4? 74 }
- $block_88 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? 81 C? ?? ?? ?? ?? 39 ?? 0F 87 }
- $block_89 = { 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_90 = { 8B ?? ?? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 }
- $block_91 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_92 = { 5? 89 ?? 81 E? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_93 = { 5? 89 ?? 81 E? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 8B ?? ?? 85 ?? 0F 84 }
- $block_94 = { 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_95 = { 8D ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? 89 ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_96 = { B8 ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 8F }
- $block_97 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? 8B ?? ?? ?? ?? ?? A9 ?? ?? ?? ?? 0F 84 }
- $block_98 = { 5? 89 ?? 83 ?? ?? 83 ?? ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_99 = { 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? ?? ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92" or
- hash.sha256(0, filesize) == "51e92ba8dac0f93fc755cb98979d066234260eafc7654088c5be320f431a34fa" or
- 12 of them
-}
-
-rule VPNFilterStage3PluginTor {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 31 ?? 83 ?? ?? ?? ?? 0F 95 ?? 83 ?? ?? F7 ?? 21 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 39 ?? 76 }
- $block_1 = { 5? 8D ?? ?? 6A ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 39 ?? ?? ?? ?? ?? 0F 85 }
- $block_2 = { 83 ?? ?? B9 ?? ?? ?? ?? FC 89 ?? ?? ?? ?? ?? 89 ?? BF ?? ?? ?? ?? F3 ?? 74 }
- $block_3 = { 6B ?? ?? DB ?? ?? ?? ?? ?? D9 ?? DE ?? D9 ?? D9 ?? DD ?? DF ?? DD ?? 9E 72 }
- $block_4 = { DD ?? DD ?? DD ?? D9 ?? D9 ?? ?? ?? ?? ?? D9 ?? DD ?? DF ?? DD ?? 9E 72 }
- $block_5 = { 5? 68 ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 88 }
- $block_6 = { 89 ?? BD ?? ?? ?? ?? 99 F7 ?? 4? 83 ?? ?? 4? 88 ?? 83 ?? ?? 89 ?? 7E }
- $block_7 = { D9 ?? D8 ?? D9 ?? C7 ?? ?? ?? ?? ?? ?? ?? DD ?? DF ?? DD ?? 9E 0F 86 }
- $block_8 = { 83 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_9 = { 83 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 83 ?? ?? 85 ?? 0F 88 }
- $block_10 = { 5? 68 ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_11 = { 8D ?? ?? 5? 5? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_12 = { 8D ?? ?? B9 ?? ?? ?? ?? FC 89 ?? BF ?? ?? ?? ?? F3 ?? 74 }
- $block_13 = { 5? 89 ?? 5? 5? 5? 81 E? ?? ?? ?? ?? 8B ?? ?? 85 ?? 0F 84 }
- $block_14 = { 6B ?? ?? DB ?? ?? ?? ?? ?? D8 ?? D9 ?? DD ?? DF ?? 9E 76 }
- $block_15 = { 8D ?? ?? 5? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 4? 0F 84 }
- $block_16 = { D9 ?? ?? ?? ?? ?? D8 ?? D9 ?? DD ?? DF ?? DD ?? 9E 75 }
- $block_17 = { 83 ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? C9 C3 }
- $block_18 = { 5? B8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "afd281639e26a717aead65b1886f98d6d6c258736016023b4e59de30b7348719" or
- hash.sha256(0, filesize) == "acf32f21ec3955d6116973b3f1a85f19f237880a80cdf584e29f08bd12666999" or
- 12 of them
-}
-
-rule VPNFilterStage3PluginPacketSniffer {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? ?? ?? ?? 31 ?? 31 ?? 8A ?? ?? 8A ?? ?? C1 ?? ?? 09 ?? 8D ?? ?? 39 ?? ?? ?? ?? ?? 0F 85 }
- $block_1 = { 83 ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 6A ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 }
- $block_2 = { 8B ?? ?? 8B ?? ?? 01 ?? 25 ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 01 ?? 89 ?? ?? 8B ?? ?? 39 ?? ?? 0F 86 }
- $block_3 = { 31 ?? 83 ?? ?? ?? ?? 0F 95 ?? 83 ?? ?? F7 ?? 21 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 39 ?? 76 }
- $block_4 = { 5? 89 ?? 5? 5? 5? 81 E? ?? ?? ?? ?? 89 ?? 8B ?? ?? 80 7? ?? ?? 8D ?? ?? 89 ?? ?? ?? ?? ?? 0F 84 }
- $block_5 = { 8B ?? ?? 5? 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 }
- $block_6 = { 5? 5? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_7 = { 8B ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 5? 8B ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? BA ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_8 = { 8D ?? ?? ?? ?? ?? 5? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_9 = { 05 ?? ?? ?? ?? 5? 5? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_10 = { 8D ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? FF 9? ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_11 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 29 ?? 8D ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? 0F 86 }
- $block_12 = { 8B ?? ?? 83 ?? ?? C1 ?? ?? 83 ?? ?? 89 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_13 = { 89 ?? 89 ?? FC C1 ?? ?? 31 ?? F3 ?? 8B ?? ?? 89 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? 5? 5? 5? 5? C3 }
- $block_14 = { 8B ?? ?? 8D ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_15 = { 8D ?? ?? 29 ?? 89 ?? ?? 5? 5? 5? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 89 ?? ?? 0F 84 }
- $block_16 = { 8B ?? ?? 5? 4? 5? 89 ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 84 }
- $block_17 = { 8B ?? ?? FC 8B ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? 89 ?? C1 ?? ?? 8D ?? ?? F3 ?? F6 ?? ?? 89 ?? 74 }
- $block_18 = { B8 ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? 8B ?? ?? F3 ?? 0F 97 ?? 0F 92 ?? BF ?? ?? ?? ?? 38 ?? 74 }
- $block_19 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? C1 ?? ?? 85 ?? 0F 84 }
- $block_20 = { 8B ?? ?? C6 ?? ?? 5? 8B ?? ?? 5? 89 ?? 4? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_21 = { B8 ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? 8B ?? ?? F3 ?? 0F 97 ?? 0F 92 ?? BF ?? ?? ?? ?? 38 ?? 75 }
- $block_22 = { 8B ?? ?? ?? ?? ?? 09 ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 3B ?? ?? ?? ?? ?? 0F 87 }
- $block_23 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_24 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? 8D ?? ?? 83 ?? ?? 0F 86 }
- $block_25 = { 8D ?? ?? ?? 89 ?? 31 ?? F7 ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 80 B? ?? ?? ?? ?? ?? 0F 84 }
- $block_26 = { 8D ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 83 ?? ?? ?? 0F 84 }
- $block_27 = { 8B ?? ?? 83 ?? ?? 8B ?? ?? C1 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 89 ?? ?? 0F 84 }
- $block_28 = { 88 ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 80 F? ?? 19 ?? 83 ?? ?? 83 ?? ?? 3B ?? ?? 0F 85 }
- $block_29 = { 8B ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 85 ?? 0F 84 }
- $block_30 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_31 = { 83 ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? F6 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_32 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 8B ?? ?? 5? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 }
- $block_33 = { 8B ?? ?? 8B ?? ?? FC 89 ?? ?? 89 ?? ?? BA ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? 89 ?? F3 ?? 75 }
- $block_34 = { 8D ?? ?? 8B ?? ?? ?? ?? ?? 31 ?? 8A ?? ?? 88 ?? 8D ?? ?? 8D ?? ?? 39 ?? ?? ?? ?? ?? 0F 82 }
- $block_35 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 8B ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 }
- $block_36 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 39 ?? 0F 82 }
- $block_37 = { 66 ?? ?? ?? 89 ?? 8B ?? ?? 25 ?? ?? ?? ?? 83 ?? ?? 01 ?? 89 ?? ?? 8B ?? ?? 66 ?? ?? 0F 84 }
- $block_38 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 }
- $block_39 = { 8B ?? ?? 89 ?? 85 ?? 0F 94 ?? 25 ?? ?? ?? ?? 31 ?? 5? 89 ?? E8 ?? ?? ?? ?? 5? 85 ?? 0F 84 }
- $block_40 = { 8B ?? ?? 8D ?? ?? 5? 83 ?? ?? 8B ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 84 }
- $block_41 = { 83 ?? ?? 8B ?? ?? 5? 5? 5? 8B ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 }
- $block_42 = { 66 ?? ?? ?? 31 ?? ?? F9 9B 4? 6A ?? C1 ?? ?? ?? ?? ?? ?? A2 ?? ?? ?? ?? 28 ?? ?? EF 77 }
- $block_43 = { 83 ?? ?? 8B ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_44 = { 8B ?? ?? 5? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_45 = { 5? 6A ?? 6A ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 83 ?? ?? 0F 84 }
- $block_46 = { 8B ?? ?? 8B ?? ?? 01 ?? 5? 8B ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 39 ?? 0F 84 }
- $block_47 = { 8B ?? 8B ?? ?? 01 ?? 89 ?? 3B ?? ?? 0F 92 ?? 25 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 75 }
- $block_48 = { 83 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 }
- $block_49 = { 83 ?? ?? 8D ?? ?? 8D ?? ?? 5? 5? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 }
- $block_50 = { 5? 5? 68 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_51 = { 8B ?? ?? 89 ?? 03 ?? ?? 0F B7 ?? ?? 01 ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? 0B ?? ?? 74 }
- $block_52 = { 8A ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 0F 84 }
- $block_53 = { FC 31 ?? B9 ?? ?? ?? ?? 89 ?? F3 ?? 8B ?? ?? FF 5? ?? BA ?? ?? ?? ?? 89 ?? ?? 85 ?? 74 }
- $block_54 = { 5? 5? 8B ?? 5? 8B ?? ?? ?? ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 }
- $block_55 = { 83 ?? ?? BB ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 89 ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_56 = { 83 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 84 }
- $block_57 = { 8A ?? ?? ?? 31 ?? 88 ?? 89 ?? 29 ?? 84 ?? 89 ?? 0F 94 ?? 39 ?? 0F 92 ?? 09 ?? 4? 74 }
- $block_58 = { 5? 5? 6A ?? 8B ?? ?? 8B ?? ?? 05 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_59 = { 8B ?? ?? 8B ?? 5? 8B ?? ?? 83 ?? ?? 5? 5? 8B ?? ?? 5? FF 5? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_60 = { 8B ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 84 }
- $block_61 = { 8B ?? ?? ?? ?? ?? 5? 8D ?? ?? 5? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 88 }
- $block_62 = { 8D ?? ?? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_63 = { 5? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_64 = { 8B ?? ?? B9 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 85 ?? 0F 84 }
- $block_65 = { 8B ?? 83 ?? ?? 89 ?? 8D ?? ?? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 }
- $block_66 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 5? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 }
- $block_67 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 5? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 }
- $block_68 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 81 C? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? 39 ?? 0F 87 }
- $block_69 = { 8B ?? ?? 8B ?? ?? 5? 5? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 }
- $block_70 = { 0F B6 ?? 5? 8D ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 8D ?? ?? ?? ?? ?? 74 }
- $block_71 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 01 ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? 0F 8E }
- $block_72 = { 89 ?? 31 ?? 8A ?? 31 ?? C1 ?? ?? 8A ?? ?? 09 ?? 8D ?? ?? 39 ?? ?? ?? ?? ?? 0F 82 }
- $block_73 = { 80 B? ?? ?? ?? ?? ?? ?? 0F 95 ?? 08 ?? 0F 94 ?? 25 ?? ?? ?? ?? 4? 01 ?? 39 ?? 75 }
- $block_74 = { 8B ?? ?? 8D ?? ?? 83 ?? ?? 5? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 }
- $block_75 = { 8D ?? ?? 8B ?? ?? ?? ?? ?? 5? 89 ?? 8B ?? ?? E8 ?? ?? ?? ?? 89 ?? 5? 85 ?? 0F 85 }
- $block_76 = { 8B ?? ?? 89 ?? 89 ?? C1 ?? ?? 83 ?? ?? 0F A3 ?? ?? ?? ?? ?? ?? 0F 92 ?? 84 ?? 74 }
- $block_77 = { 8D ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? 31 ?? FC 8B ?? ?? F3 ?? 8B ?? ?? 3B ?? ?? 0F 8F }
- $block_78 = { 05 ?? ?? ?? ?? 5? 5? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? B9 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_79 = { 8B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 85 }
- $block_80 = { 5? 5? 68 ?? ?? ?? ?? A1 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 84 }
- $block_81 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? 8B ?? 89 ?? 0F AF ?? 85 ?? 7E }
- $block_82 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? 8B ?? 89 ?? 0F AF ?? 85 ?? 78 }
- $block_83 = { 5? 5? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_84 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? C1 ?? ?? 8B ?? ?? 39 ?? 0F 87 }
- $block_85 = { 66 ?? ?? ?? 8D ?? ?? 89 ?? 81 E? ?? ?? ?? ?? FC 89 ?? C1 ?? ?? F3 ?? F6 ?? ?? 74 }
- $block_86 = { 5? 5? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 89 ?? ?? 0F 85 }
- $block_87 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 5? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 }
- $block_88 = { 05 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_89 = { 66 ?? ?? ?? 8D ?? ?? 89 ?? 81 E? ?? ?? ?? ?? FC 89 ?? C1 ?? ?? F3 ?? F6 ?? ?? 75 }
- $block_90 = { 83 ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 88 }
- $block_91 = { 31 ?? 8D ?? ?? ?? ?? ?? ?? 8A ?? ?? 4? D3 ?? 8B ?? 09 ?? 89 ?? 39 ?? ?? 0F 86 }
- $block_92 = { 31 ?? 8A ?? 89 ?? 8D ?? ?? 6A ?? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_93 = { 8B ?? ?? 66 ?? ?? ?? 89 ?? 81 E? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? 85 ?? 0F 84 }
- $block_94 = { 5? 89 ?? 5? 5? 5? 81 E? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? 0F 84 }
- $block_95 = { 5? 6A ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_96 = { 8B ?? ?? 8D ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 87 }
- $block_97 = { 8D ?? ?? 31 ?? 8A ?? ?? 8A ?? ?? C1 ?? ?? 25 ?? ?? ?? ?? 09 ?? 83 ?? ?? 0F 86 }
- $block_98 = { E8 ?? ?? ?? ?? 83 ?? ?? 0F 95 ?? 31 ?? 88 ?? 4? 81 E? ?? ?? ?? ?? 83 ?? ?? E9 }
- $block_99 = { 5? 6A ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? BA ?? ?? ?? ?? 83 ?? ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "3df17f01c4850b96b00e90c880fdfabbd11c64a8707d24488485dd12fae8ec85" or
- 12 of them
-}
-
-rule VPNFilterStage2 {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? ?? ?? 0F 85 }
- $block_1 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? 31 ?? 83 ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 84 }
- $block_2 = { 8B ?? ?? 8B ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? FF 5? ?? 85 ?? 0F 85 }
- $block_3 = { 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 0F B7 ?? ?? 66 ?? ?? ?? 75 }
- $block_4 = { B8 ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_5 = { 8B ?? ?? 31 ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_6 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? BE ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_7 = { FF 8? ?? ?? ?? ?? A1 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 8F }
- $block_8 = { 8B ?? ?? 89 ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_9 = { 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_10 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 85 }
- $block_11 = { 89 ?? C1 ?? ?? F6 ?? ?? 0F 95 ?? 0F B6 ?? 01 ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_12 = { B1 ?? 89 ?? 8B ?? ?? ?? F6 ?? BA ?? ?? ?? ?? 89 ?? 31 ?? 0F B6 ?? F7 ?? 8D ?? ?? 88 ?? 04 ?? 88 }
- $block_13 = { D0 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? D3 ?? 85 ?? 0F 85 }
- $block_14 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? 8D ?? ?? 83 ?? ?? 0F 86 }
- $block_15 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? C1 ?? ?? 85 ?? 0F 84 }
- $block_16 = { 89 ?? BA ?? ?? ?? ?? FC C1 ?? ?? F3 ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 75 }
- $block_17 = { 5? 89 ?? 5? 89 ?? 5? 5? 83 ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_18 = { 8B ?? ?? B8 ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? F3 ?? BF ?? ?? ?? ?? 0F 97 ?? 0F 92 ?? 38 ?? 74 }
- $block_19 = { 8B ?? ?? B8 ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? F3 ?? BF ?? ?? ?? ?? 0F 97 ?? 0F 92 ?? 38 ?? 75 }
- $block_20 = { 8B ?? ?? 8D ?? ?? 89 ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_21 = { 8B ?? ?? 8D ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_22 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_23 = { 8B ?? ?? 8B ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 }
- $block_24 = { B9 ?? ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? ?? ?? 0F 84 }
- $block_25 = { 8D ?? ?? ?? 89 ?? 31 ?? F7 ?? 80 B? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 84 }
- $block_26 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_27 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_28 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_29 = { 8B ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? C1 ?? ?? BE ?? ?? ?? ?? 01 ?? 89 ?? ?? 0F B6 ?? 8B ?? ?? 29 }
- $block_30 = { BF ?? ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 85 ?? 89 ?? ?? 0F 84 }
- $block_31 = { C7 ?? ?? ?? ?? ?? ?? 29 ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_32 = { B9 ?? ?? ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_33 = { 89 ?? B3 ?? F6 ?? BA ?? ?? ?? ?? 89 ?? 31 ?? 0F B6 ?? F7 ?? 88 ?? 04 ?? 3C ?? 88 ?? ?? ?? 74 }
- $block_34 = { 8B ?? ?? 8D ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? 01 ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_35 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_36 = { 8B ?? ?? 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 }
- $block_37 = { 8D ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 83 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_38 = { 8B ?? ?? 0F B6 ?? 01 ?? 4? 0F B6 ?? 83 ?? ?? 30 ?? 88 ?? 88 ?? FF 4? ?? 8B ?? ?? 39 ?? ?? 74 }
- $block_39 = { 0F B6 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? FE ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? ?? 75 }
- $block_40 = { 8B ?? ?? 8D ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_41 = { B9 ?? ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 85 ?? 89 ?? ?? 0F 85 }
- $block_42 = { 8B ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_43 = { 0F B6 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 0F 84 }
- $block_44 = { 8B ?? 8D ?? ?? 89 ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_45 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_46 = { B8 ?? ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_47 = { 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 89 ?? 0F 84 }
- $block_48 = { 89 ?? 31 ?? FC C1 ?? ?? F3 ?? 89 ?? C1 ?? ?? 31 ?? 8B ?? ?? 89 ?? 29 ?? 83 ?? ?? 89 ?? EB }
- $block_49 = { 89 ?? 31 ?? FC C1 ?? ?? F3 ?? 8D ?? ?? ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 76 }
- $block_50 = { 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 }
- $block_51 = { 8B ?? ?? 8D ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_52 = { 8B ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 89 ?? 0F 84 }
- $block_53 = { 8D ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_54 = { 8B ?? ?? 89 ?? ?? 89 ?? ?? 01 ?? 89 ?? ?? 8D ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_55 = { 8B ?? 83 ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_56 = { 8D ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_57 = { 8B ?? ?? 8D ?? ?? 0F B6 ?? 4? 83 ?? ?? 32 ?? 88 ?? 88 ?? FF 4? ?? 8B ?? ?? 39 ?? ?? 0F 84 }
- $block_58 = { C7 ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8B ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_59 = { 8B ?? ?? 89 ?? 03 ?? ?? 0F B7 ?? ?? 01 ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? 0B ?? ?? 74 }
- $block_60 = { 66 ?? ?? ?? 31 ?? ?? F9 9B 4? 6A ?? C1 ?? ?? ?? ?? ?? ?? A2 ?? ?? ?? ?? 28 ?? ?? EF 77 }
- $block_61 = { E8 ?? ?? ?? ?? 4? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 39 ?? 0F 8F }
- $block_62 = { 8B ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_63 = { 8B ?? ?? ?? ?? ?? 01 ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_64 = { 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? 83 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_65 = { 8D ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_66 = { B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_67 = { 80 F? ?? 0F B6 ?? 0F B6 ?? ?? 19 ?? C1 ?? ?? 83 ?? ?? 09 ?? 8D ?? ?? ?? 39 ?? ?? 0F 85 }
- $block_68 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 29 ?? 0F 84 }
- $block_69 = { 8B ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 85 ?? 0F 84 }
- $block_70 = { 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_71 = { FC 31 ?? B9 ?? ?? ?? ?? 89 ?? F3 ?? 8B ?? ?? FF 5? ?? BA ?? ?? ?? ?? 85 ?? 89 ?? ?? 74 }
- $block_72 = { 8B ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? 83 ?? ?? 8D ?? ?? 29 ?? ?? 39 ?? 89 ?? ?? 89 ?? 0F 87 }
- $block_73 = { 8D ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 3B ?? ?? 0F 87 }
- $block_74 = { 0F B6 ?? ?? BA ?? ?? ?? ?? 4? 89 ?? 31 ?? C6 ?? ?? ?? ?? 8D ?? ?? F7 ?? 88 ?? 04 ?? 88 }
- $block_75 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_76 = { 8B ?? ?? 8B ?? ?? 8B ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_77 = { 89 ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 88 }
- $block_78 = { 5? B8 ?? ?? ?? ?? 89 ?? 5? 5? 5? 83 ?? ?? F6 ?? ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 0F 85 }
- $block_79 = { 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_80 = { 0A ?? ?? ?? 4? 88 ?? F6 ?? 08 ?? C0 ?? ?? 34 ?? 0F B6 ?? 01 ?? ?? ?? ?? ?? 39 ?? 75 }
- $block_81 = { 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_82 = { 8B ?? ?? 0F B6 ?? 83 ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_83 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_84 = { 8B ?? ?? 89 ?? ?? 83 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_85 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? 81 C? ?? ?? ?? ?? 39 ?? 0F 87 }
- $block_86 = { 5? 89 ?? 81 E? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_87 = { 8D ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? 89 ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_88 = { 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_89 = { 8B ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_90 = { 8B ?? ?? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 }
- $block_91 = { 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_92 = { 8B ?? ?? 89 ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_93 = { 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_94 = { 8D ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_95 = { 8B ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_96 = { 8B ?? ?? 83 ?? ?? 89 ?? C1 ?? ?? F6 ?? ?? 8D ?? ?? 89 ?? ?? 8D ?? ?? FC F3 ?? 0F 84 }
- $block_97 = { 0F B6 ?? ?? ?? 89 ?? 0F B6 ?? 29 ?? 84 ?? 89 ?? 0F 94 ?? 39 ?? 0F 92 ?? 08 ?? 4? 74 }
- $block_98 = { 89 ?? 83 ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? ?? 83 ?? ?? ?? 0F 8E }
- $block_99 = { 5? 89 ?? 5? 5? 5? 81 E? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "9e854d40f22675a0f1534f7c31626fd3b67d5799f8eea4bd2e2d4be187d9e1c7" or
- hash.sha256(0, filesize) == "8a20dc9538d639623878a3d3d18d88da8b635ea52e5e2d0c2cce4a8c5a703db1" or
- hash.sha256(0, filesize) == "d6097e942dd0fdc1fb28ec1814780e6ecc169ec6d24f9954e71954eedbc4c70e" or
- hash.sha256(0, filesize) == "9683b04123d7e9fe4c8c26c69b09c2233f7e1440f828837422ce330040782d17" or
- hash.sha256(0, filesize) == "f30a0fe494a871bd7d117d41025e8d2e17cd545131e6f27d59b5e65e7ab50d92" or
- 12 of them
-}
-
-rule CloudAtlasPayload {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 0F B7 ?? ?? 8B ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? 0F B7 ?? ?? 8B ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? EB }
- $block_1 = { 6A ?? 8B ?? ?? 8B ?? ?? 05 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 0F 84 }
- $block_2 = { 8D ?? ?? 5? 8D ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 74 }
- $block_3 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_4 = { 68 ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 74 }
- $block_5 = { 8B ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 0F 84 }
- $block_6 = { 8B ?? ?? 81 C? ?? ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_7 = { 68 ?? ?? ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 84 }
- $block_8 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? ?? 8B ?? ?? 03 ?? ?? 3B ?? 0F 83 }
- $block_9 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 0F 84 }
- $block_10 = { 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 74 }
- $block_11 = { 0F B7 ?? ?? 0F B7 ?? ?? 8B ?? ?? 03 ?? ?? 3B ?? 75 }
-
- condition:
- hash.sha256(0, filesize) == "34905d840bbfbbc555dfd280b383e2c00d4c7987be71067ad7152b26f06d2cd0" or
- 12 of them
-}
-
-rule CloudAtlasLoader {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 5? B9 ?? ?? ?? ?? BE ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? F3 ?? A4 C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? 
?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? 
?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? 
?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0F AF ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_1 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 33 ?? 66 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? 
?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? 
C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 0F B6 ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 0F B6 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 0F AF ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? 0F B7 ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 0F B6 ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? 8B ?? ?? ?? ?? ?? 35 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? 8B ?? ?? 33 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 33 ?? ?? 89 ?? ?? ?? ?? ?? 
C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? BA ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 }
- $block_2 = { 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 0F B6 ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 0F AF ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? 5? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 33 ?? ?? 89 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 
?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? 89 ?? ?? 0F B7 ?? ?? 5? 0F B6 ?? ?? 5? 8B ?? ?? 5? 0F B7 ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 33 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? 33 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 6B ?? ?? 89 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? 0F B6 ?? ?? 5? 8D ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? 5? 0F B6 ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 33 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 33 ?? ?? 89 ?? ?? 0F B6 ?? ?? 5? 8B ?? ?? 5? 0F B7 ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 0F AF ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 
8D ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 0F AF ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? BA ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? 68 ?? ?? ?? ?? 8B ?? ?? 5? 0F B7 ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 0F AF ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 33 ?? ?? 89 ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 2B ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 0F AF ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 7E }
- $block_3 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? C6 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? 
C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? 
C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8D ?? ?? ?? ?? ?? 5? 0F B6 ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 35 ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 }
- $block_4 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 33 ?? 66 ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? 
C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? 
?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8D ?? ?? 5? 0F B7 ?? ?? 5? 0F B6 ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 33 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 0F AF ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2D ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? 8B ?? ?? 35 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 2B ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 89 ?? 8B ?? ?? ?? ?? ?? 33 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? EB }
- $block_5 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? 
C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? 
?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? 8B ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 0F AF ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 6A ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 }
- $block_6 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? 
?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? 
?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 0F AF ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? C6 ?? ?? ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 2D ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? BA ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? 2D ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? 2D ?? ?? ?? ?? 89 }
- $block_7 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? 
?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? 
?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? 8B ?? ?? 2B ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 89 ?? 8B ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 33 ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 89 }
- $block_8 = { 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? 0F B6 ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 0F B6 ?? ?? 5? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 0F AF ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 0F B6 ?? ?? 5? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 0F B7 ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? B8 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 33 ?? ?? 89 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 0F B7 ?? ?? 5? 8B ?? ?? 5? 
8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? 2B ?? ?? 89 ?? ?? 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B7 ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 0F B6 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 5? 0F B6 ?? ?? 5? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 2B ?? ?? 89 ?? ?? B8 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 68 ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 6B ?? ?? 89 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 8D ?? ?? 5? 8B ?? ?? 5? 0F B6 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 33 ?? ?? 89 ?? ?? 68 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? 
?? ?? ?? 83 ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 33 ?? ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? 8B ?? ?? 5? 0F B6 ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 0F B6 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 5? 0F B7 ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 35 ?? ?? ?? ?? 89 }
- $block_9 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? 
?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? 
?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 33 ?? 66 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? 35 ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 6A ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? EB }
-
- condition:
- hash.sha256(0, filesize) == "85ec69f1a08b30db4d30202d3a584bd33ea412ba46336b1b51fae7260e29f844" or
- 10 of them
-}
-
-rule RedOctoberPluginNetScan {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 0F B6 ?? ?? 0F BE ?? ?? ?? ?? ?? 5? 0F B6 ?? 0F BE ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF D? 83 }
- $block_1 = { 8B ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 87 }
- $block_2 = { 8B ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
- $block_3 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? 0F B7 ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 87 }
- $block_4 = { 83 ?? ?? 33 ?? 6A ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 }
- $block_5 = { 8D ?? ?? 5? 8D ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 74 }
- $block_6 = { 68 ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 74 }
- $block_7 = { C6 ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_8 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? ?? 0F 86 }
- $block_9 = { 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 3B ?? ?? ?? ?? ?? 0F 8F }
- $block_10 = { 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 3B ?? ?? ?? ?? ?? 0F 8C }
- $block_11 = { 68 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 81 C? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_12 = { 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_13 = { 8B ?? ?? 0F B7 ?? ?? 5? 8B ?? ?? 0F B7 ?? 5? 8B ?? ?? 5? 8B ?? ?? E8 ?? ?? ?? ?? EB }
- $block_14 = { 8B ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 0F B7 ?? 83 ?? ?? 0F 85 }
- $block_15 = { 6A ?? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? ?? 3D ?? ?? ?? ?? 74 }
- $block_16 = { 68 ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_17 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 89 ?? ?? E8 ?? ?? ?? ?? 25 ?? ?? ?? ?? 79 }
- $block_18 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_19 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? 89 ?? ?? 8B ?? ?? 33 ?? 83 ?? ?? ?? 0F 94 ?? 88 }
- $block_20 = { 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_21 = { 8B ?? ?? ?? ?? ?? 8A ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_22 = { 8B ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_23 = { 0F B7 ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 0F BE ?? ?? 0F BE ?? ?? ?? ?? ?? 3B ?? 75 }
- $block_24 = { 8B ?? ?? ?? ?? ?? 5? 5? 8A ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_25 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 3D ?? ?? ?? ?? 0F 86 }
- $block_26 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 0F B7 ?? 83 ?? ?? 74 }
- $block_27 = { 0F B7 ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 73 }
- $block_28 = { 8B ?? ?? 0F B7 ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 3B ?? 73 }
- $block_29 = { 8B ?? ?? ?? ?? ?? 0F B7 ?? 5? FF 1? ?? ?? ?? ?? 0F B7 ?? 83 ?? ?? 0F 85 }
- $block_30 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 5? 83 ?? ?? ?? 0F 84 }
- $block_31 = { 8B ?? ?? ?? ?? ?? 0F B7 ?? 5? FF 1? ?? ?? ?? ?? 0F B7 ?? 83 ?? ?? 0F 84 }
- $block_32 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_33 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 86 }
- $block_34 = { 8B ?? ?? ?? ?? ?? 0F B7 ?? 5? FF 1? ?? ?? ?? ?? 0F B7 ?? 83 ?? ?? 75 }
- $block_35 = { A1 ?? ?? ?? ?? 0F B7 ?? 5? FF 1? ?? ?? ?? ?? 0F B7 ?? 83 ?? ?? 0F 85 }
- $block_36 = { 5? 8B ?? 5? 5? 33 ?? 5? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 }
- $block_37 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 0F BE ?? 0F BE ?? ?? ?? ?? ?? 3B ?? 75 }
- $block_38 = { FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 85 ?? 74 }
- $block_39 = { A1 ?? ?? ?? ?? 0F B7 ?? 5? FF 1? ?? ?? ?? ?? 0F B7 ?? 83 ?? ?? 75 }
- $block_40 = { 8D ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 85 }
- $block_41 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_42 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_43 = { E8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? 8B ?? ?? 0F BE ?? 85 ?? 0F 84 }
- $block_44 = { 68 ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_45 = { 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 85 }
- $block_46 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_47 = { 8B ?? ?? 0F B7 ?? ?? ?? ?? ?? 8B ?? ?? 3B ?? ?? ?? ?? ?? 73 }
- $block_48 = { 8B ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_49 = { 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 82 }
- $block_50 = { 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 83 }
- $block_51 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C6 ?? ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_52 = { 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_53 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_54 = { 0F B7 ?? ?? 5? 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 }
- $block_55 = { 8D ?? ?? E8 ?? ?? ?? ?? 0F BF ?? 0F BF ?? ?? 3B ?? 75 }
- $block_56 = { 8B ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_57 = { 8B ?? ?? ?? ?? ?? 81 B? ?? ?? ?? ?? ?? ?? ?? ?? 0F 8E }
- $block_58 = { 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 0F 85 }
- $block_59 = { 8B ?? ?? ?? ?? ?? 0F B6 ?? ?? 81 F? ?? ?? ?? ?? 0F 8D }
- $block_60 = { 8B ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 74 }
- $block_61 = { 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C9 C2 }
- $block_62 = { 8B ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 85 }
- $block_63 = { 8B ?? ?? 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_64 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 3B ?? ?? ?? ?? ?? 0F 87 }
- $block_65 = { 8B ?? ?? 8B ?? ?? 8B ?? 3B ?? ?? ?? ?? ?? 0F 85 }
- $block_66 = { 8B ?? ?? 8B ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_67 = { 8B ?? ?? 83 ?? ?? 33 ?? 83 ?? ?? 39 ?? ?? 0F 87 }
- $block_68 = { 8B ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 85 ?? 75 }
- $block_69 = { 8B ?? ?? 5? 8A ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_70 = { 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 0F 84 }
- $block_71 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "4240d4239a0bdc43581dc73e875b03653ad40d1380fa12e0359305b38c13b474" or
- 12 of them
-}
-
-rule RedOctoberPluginDASvcInstall {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 0F B6 ?? ?? 0F B6 ?? 8A ?? ?? 4? 88 ?? ?? 88 ?? ?? 99 F7 ?? ?? FF 4? ?? 81 7? ?? ?? ?? ?? ?? 7C }
- $block_1 = { 68 ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_2 = { 0F B6 ?? ?? 0F BE ?? ?? ?? ?? ?? 5? 0F B6 ?? 0F BE ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF D? 83 }
- $block_3 = { 68 ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 0F BE ?? 83 ?? ?? 74 }
- $block_4 = { 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 85 }
- $block_5 = { 83 ?? ?? 33 ?? 6A ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 }
- $block_6 = { 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_7 = { 5? 8B ?? 5? 5? 8B ?? ?? 8A ?? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 5? 33 ?? 89 ?? ?? 39 ?? ?? 0F 8E }
- $block_8 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? ?? 03 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 }
- $block_9 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_10 = { 8B ?? ?? ?? ?? ?? 8A ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_11 = { 8B ?? ?? ?? ?? ?? 5? 5? 8A ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_12 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_13 = { 5? 8B ?? 5? 5? 33 ?? 5? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 }
- $block_14 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_15 = { 88 ?? ?? 0F B6 ?? 8A ?? ?? 0F B6 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 }
- $block_16 = { 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_17 = { 8B ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_18 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C6 ?? ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_19 = { 0F B6 ?? 8A ?? ?? 30 ?? 8B ?? ?? 4? 89 ?? ?? 3B ?? ?? 7C }
- $block_20 = { 5? 5? 5? 33 ?? 89 ?? ?? ?? 89 ?? ?? ?? 39 ?? ?? ?? 0F 84 }
- $block_21 = { 5? 8B ?? ?? ?? ?? ?? 5? 5? FF 7? ?? ?? FF D? 3B ?? 0F 84 }
- $block_22 = { 8B ?? ?? 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_23 = { 8B ?? ?? 8B ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_24 = { 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 0F 84 }
- $block_25 = { 8B ?? ?? 83 ?? ?? 33 ?? 83 ?? ?? 39 ?? ?? 0F 87 }
- $block_26 = { 8B ?? ?? 0F B6 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 74 }
- $block_27 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_28 = { 8B ?? ?? 0F B6 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 75 }
-
- condition:
- hash.sha256(0, filesize) == "ae5bd9750738afef22568a3400a876e5bfefb4fe1d24e8badef97c756c9056ca" or
- 12 of them
-}
-
-rule RedOctoberPluginAdobeBDInstaller {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 0F B6 ?? ?? 0F BE ?? ?? ?? ?? ?? 5? 0F B6 ?? 0F BE ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF D? 83 }
- $block_1 = { 83 ?? ?? 33 ?? 6A ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 }
- $block_2 = { 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 0F 84 }
- $block_3 = { 8B ?? ?? ?? ?? ?? 8A ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_4 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_5 = { 8B ?? ?? ?? ?? ?? 5? 5? 8A ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_6 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_7 = { 5? 8B ?? 5? 5? 33 ?? 5? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 }
- $block_8 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_9 = { 8B ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_10 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C6 ?? ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_11 = { 5? 5? 5? 33 ?? 89 ?? ?? ?? 89 ?? ?? ?? 39 ?? ?? ?? 0F 84 }
- $block_12 = { 5? 8B ?? ?? ?? ?? ?? 5? 5? FF 7? ?? ?? FF D? 3B ?? 0F 84 }
- $block_13 = { 8B ?? ?? 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_14 = { 8B ?? ?? 83 ?? ?? 33 ?? 83 ?? ?? 39 ?? ?? 0F 87 }
- $block_15 = { 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 0F 84 }
- $block_16 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "feb0166bf33745d7d065d4815022b5d76ff6a5b999181aa719bf5e72f8328f23" or
- 12 of them
-}
-
-rule RedOctoberPluginFrogbackdoor {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 0F B6 ?? ?? 0F B6 ?? 8A ?? ?? 4? 88 ?? ?? 88 ?? ?? 99 F7 ?? ?? FF 4? ?? 81 7? ?? ?? ?? ?? ?? 7C }
- $block_1 = { 5? 8D ?? ?? 33 ?? 6A ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 }
- $block_2 = { 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C2 }
- $block_3 = { 83 ?? ?? 33 ?? 6A ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 }
- $block_4 = { 5? 8B ?? 5? 5? 8B ?? ?? 8A ?? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 5? 33 ?? 89 ?? ?? 39 ?? ?? 0F 8E }
- $block_5 = { 6A ?? 5? 5? 6A ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_6 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? ?? 03 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 }
- $block_7 = { 8B ?? ?? ?? ?? ?? 8A ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_8 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_9 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C6 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_10 = { 8B ?? ?? ?? ?? ?? 5? 5? 8A ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_11 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C2 }
- $block_12 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_13 = { 5? 8B ?? 5? 5? 33 ?? 5? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 }
- $block_14 = { 8B ?? ?? ?? ?? ?? 5? FF D? 4? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 0F 84 }
- $block_15 = { 0F B7 ?? ?? 83 ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? 8D ?? ?? ?? 85 ?? 7E }
- $block_16 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_17 = { 88 ?? ?? 0F B6 ?? 8A ?? ?? 0F B6 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 }
- $block_18 = { 5? 8D ?? ?? 5? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_19 = { 5? 5? 5? 6A ?? 6A ?? 8D ?? ?? 5? FF D? 89 ?? ?? 83 ?? ?? 0F 85 }
- $block_20 = { 0F B6 ?? 8A ?? ?? 30 ?? 8B ?? ?? 4? 89 ?? ?? 3B ?? ?? 7C }
- $block_21 = { 5? 5? 5? 33 ?? 89 ?? ?? ?? 89 ?? ?? ?? 39 ?? ?? ?? 0F 84 }
- $block_22 = { 5? 8B ?? ?? ?? ?? ?? 5? 5? FF 7? ?? ?? FF D? 3B ?? 0F 84 }
- $block_23 = { 8D ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_24 = { 8B ?? ?? 8A ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_25 = { 8B ?? ?? 33 ?? 5? 33 ?? 4? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_26 = { 8B ?? ?? 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_27 = { 8B ?? ?? 5? 33 ?? 32 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
-
- condition:
- hash.sha256(0, filesize) == "79cf65316806b8e30ef0baaa14bf891720fd17578e9789f199084ff5f522014b" or
- 12 of them
-}
-
-rule RedOctoberPluginCredentialStealing {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? 5? 5? 5? FF 0? ?? ?? ?? ?? B9 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? BB ?? ?? ?? ?? 8B ?? 8B ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? BB ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? BE ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? BB ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 4? 8B ?? 8B ?? B9 ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? 
?? ?? ?? 4? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 68 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 4? 89 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 4? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? FF D? 8B ?? BB ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? BB ?? ?? ?? ?? 4? 4? 68 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 4? FF 0? ?? ?? ?? ?? 4? A3 ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? A1 ?? ?? ?? ?? B9 ?? ?? ?? ?? 4? A1 ?? ?? ?? ?? 4? 2B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? 
?? 8B ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 4? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? BB ?? ?? ?? ?? B9 ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 4? BB ?? ?? ?? ?? B9 ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 03 ?? ?? ?? ?? ?? 8B ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? 
?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? FF D? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? 4? 8B ?? FF 0? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 0B ?? 0F 84 }
- $block_1 = { 8B ?? 5? 5? 5? 03 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B ?? B8 ?? ?? ?? ?? 8B ?? 4? BF ?? ?? ?? ?? 4? A3 ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? B9 ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 4? BF ?? ?? ?? ?? 4? 4? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? A1 ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 4? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? BB ?? ?? ?? ?? BE ?? ?? ?? ?? 68 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? 8B ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? BE ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 
BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? FF 0? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B ?? B8 ?? ?? ?? ?? BE ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BE ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 4? 8B ?? 03 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 2B ?? 
?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? FF D? 8B ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? 
?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? 4? BB ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0B ?? 0F 84 }
- $block_2 = { 8B ?? 5? 8B ?? 5? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? B9 ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? BA ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 
89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 8B ?? BB ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? BB ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 4? BB ?? ?? ?? ?? 4? 2B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 8B ?? 4? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 
89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 4? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? BB ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 84 }
- $block_3 = { 8B ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? BB ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 4? 8B ?? BB ?? ?? ?? ?? 8A ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 32 ?? 4? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BB ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 88 ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 
FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BB ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 4? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? FF 0? ?? ?? ?? ?? 4? 8B ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? 0B ?? 0F 85 }
- $block_4 = { 8B ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 32 ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? 4? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0F B6 ?? 8B ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? BB ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? C1 ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? BB ?? ?? ?? ?? BB ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 4? BF ?? ?? ?? ?? BB ?? ?? ?? ?? 4? 8B ?? 03 ?? ?? ?? ?? 
?? BB ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 33 ?? BB ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF 0? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? BB ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 0F 85 }
- $block_5 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 2B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? A1 ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? 8B ?? 8B ?? BF ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? A3 ?? ?? ?? ?? BE ?? ?? ?? ?? BA ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? BE ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 85 }
- $block_6 = { 83 ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? BB ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? B9 ?? ?? ?? ?? 4? BE ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 5? C9 C2 }
- $block_7 = { B8 ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? BA ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 4? 4? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 8B ?? 4? 8B ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? BE ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 4? 81 F? ?? ?? ?? ?? 0F 85 }
- $block_8 = { 4? 00 ?? ?? 4? 5? 33 ?? 2E ?? 4? 4? 00 ?? 01 ?? 03 ?? ?? ?? ?? ?? ?? 0A ?? 0C ?? 0E 0F 10 ?? 12 ?? 14 ?? 16 17 18 ?? 1A ?? 1C ?? 1E 1F 20 ?? 22 ?? 24 ?? 26 ?? 28 ?? 2A ?? 2C ?? 2E ?? 30 ?? 32 ?? 34 ?? 36 ?? 38 ?? 3A ?? 3C ?? 3E ?? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 60 61 62 ?? ?? 65 ?? ?? ?? ?? ?? 6B ?? ?? ?? ?? 70 }
- $block_9 = { 14 ?? 16 17 18 ?? 1A ?? 1C ?? 1E 1F 20 ?? 22 ?? 24 ?? 26 ?? 28 ?? 2A ?? 2C ?? 2E ?? 30 ?? 32 ?? 34 ?? 36 ?? 38 ?? 3A ?? 3C ?? 3E ?? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 60 61 62 ?? ?? 65 ?? ?? ?? ?? ?? 6B ?? ?? ?? ?? 70 }
-
- condition:
- hash.sha256(0, filesize) == "80f47c05bae10b97d298bf6aaacc0906c05fd0b77275543bc8c4f9bf8ff60a59" or
- hash.sha256(0, filesize) == "5e9de30527a893d114330b48b90c49bcc4c6e00bfbfd6a473a48f70c8ef6aa0b" or
- hash.sha256(0, filesize) == "5d6c6c542ca29d9c756b9f440863152f4c8c5f1ddb5732b0adbca82074a2a4c0" or
- hash.sha256(0, filesize) == "2378ad529852c05da10c15e4b3fda00c4a818bef463a20c03e6330150bd4df21" or
- 10 of them
-}
-
-rule RedOctoberPluginGetFileReg {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? 0F B6 ?? 8B ?? ?? 0F B6 ?? ?? 8D ?? ?? 8A ?? 0F B6 ?? 03 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 }
- $block_1 = { 0F B6 ?? ?? 8B ?? ?? ?? 83 ?? ?? 83 ?? ?? D3 ?? 83 ?? ?? 89 ?? ?? ?? 0B ?? 8B ?? ?? ?? 3B ?? 7E }
- $block_2 = { 8B ?? 0F B6 ?? 69 ?? ?? ?? ?? ?? 8D ?? ?? 03 ?? 33 ?? 81 C? ?? ?? ?? ?? 4? 89 ?? 80 3? ?? 75 }
- $block_3 = { 8B ?? ?? ?? 8B ?? ?? 8B ?? ?? 85 ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 0F 8E }
- $block_4 = { 8B ?? ?? ?? 2B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? 0F AF ?? 5? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 }
- $block_5 = { 33 ?? 83 ?? ?? 0F 95 ?? 5? 83 ?? ?? 83 ?? ?? 03 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 8C }
- $block_6 = { 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_7 = { 8B ?? ?? 5? 5? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_8 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 33 ?? 5? 5? 89 ?? ?? 89 ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_9 = { 8B ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 83 ?? ?? 83 ?? ?? D3 ?? 83 ?? ?? 0B ?? 3B ?? 7E }
- $block_10 = { 8B ?? ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F B6 ?? F6 ?? ?? ?? 89 ?? ?? ?? 74 }
- $block_11 = { 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 33 ?? 83 ?? ?? 0F 95 ?? 89 ?? 8B }
- $block_12 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_13 = { 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_14 = { 8B ?? ?? ?? ?? ?? 33 ?? 4? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_15 = { 5? 8B ?? 5? 5? 83 ?? ?? ?? 83 ?? ?? ?? 5? 8B ?? ?? 5? 5? 85 ?? 0F 84 }
- $block_16 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_17 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C2 }
- $block_18 = { 0F B6 ?? 8A ?? ?? 8B ?? ?? 30 ?? FF 4? ?? 8B ?? ?? 3B ?? ?? 0F 8C }
- $block_19 = { 5? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? 5? 5? C9 C3 }
- $block_20 = { 8B ?? ?? ?? ?? ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_21 = { 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? 8B ?? ?? ?? ?? ?? ?? 3B ?? ?? 0F 83 }
- $block_22 = { 8B ?? ?? ?? ?? ?? 33 ?? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_23 = { 83 ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 0F 85 }
- $block_24 = { 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? C1 ?? ?? 0B ?? 83 ?? ?? 0F B6 }
- $block_25 = { 6A ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_26 = { 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? FF 2? }
- $block_27 = { 8B ?? ?? ?? 03 ?? 83 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 0F 89 }
- $block_28 = { 8D ?? ?? ?? ?? ?? ?? 9? 3B ?? ?? ?? BA ?? ?? ?? ?? 0F 83 }
- $block_29 = { 0F B6 ?? 8A ?? ?? 0F B6 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 }
- $block_30 = { 8B ?? ?? 5? 33 ?? 5? 33 ?? 4? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_31 = { 5? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_32 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 0F 84 }
- $block_33 = { 33 ?? 3C ?? 0F 94 ?? BB ?? ?? ?? ?? 89 ?? ?? ?? E9 }
- $block_34 = { 8B ?? ?? ?? ?? ?? 23 ?? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_35 = { 39 ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 0F B6 ?? 0F 84 }
- $block_36 = { 5? E8 ?? ?? ?? ?? 8D ?? ?? ?? 5? 66 ?? ?? 0F 85 }
- $block_37 = { 0F B6 ?? ?? 8D ?? ?? B1 ?? 84 ?? ?? ?? ?? ?? 74 }
- $block_38 = { 33 ?? 39 ?? ?? ?? 0F 9D ?? 03 ?? 3B ?? ?? ?? 76 }
- $block_39 = { 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "6ce873a31d527fc123bed28841737cb201b0cb5f347e0e530dda34a7b62c1f5e" or
- 12 of them
-}
-
-rule RedOctoberPluginSystemInfo {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? ?? 5? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 83 ?? ?? 0F 84 }
- $block_1 = { C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_2 = { 5? 83 ?? ?? ?? ?? 8B ?? ?? ?? 5? 5? 8B ?? ?? ?? C7 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? 0F 84 }
- $block_3 = { 5? 5? 8B ?? 5? 8B ?? 33 ?? E8 ?? ?? ?? ?? 8B ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 8E }
- $block_4 = { 8B ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? B9 ?? ?? ?? ?? 33 ?? F3 ?? 0F 84 }
- $block_5 = { 68 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 2B ?? 85 ?? 89 ?? ?? ?? 0F 8F }
- $block_6 = { 8B ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F 84 }
- $block_7 = { 0F B6 ?? ?? 0F B6 ?? ?? 03 ?? C1 ?? ?? 03 ?? 0B ?? 83 ?? ?? 0F B6 }
- $block_8 = { 5? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_9 = { 5? 8A ?? ?? 8D ?? ?? 0F B6 ?? 8B ?? 83 ?? ?? 89 ?? ?? ?? 0F 84 }
- $block_10 = { 8B ?? ?? ?? 2B ?? 8B ?? 33 ?? 2B ?? 85 ?? 89 ?? ?? ?? 0F 8E }
- $block_11 = { 8B ?? ?? ?? 3B ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? 0F 84 }
- $block_12 = { 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_13 = { 5? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_14 = { 5? 8B ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 0F B6 ?? 5? }
- $block_15 = { 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 85 ?? 0F 8F }
- $block_16 = { 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "ad768f49895c295086ad289804f25d16710231446ffdd82b3b9e6e92c237825a" or
- 12 of them
-}
-
-rule RedOctoberPluginInternetConnectivity {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? C6 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_1 = { 0F B6 ?? ?? 0F BE ?? ?? ?? ?? ?? 5? 0F B6 ?? 0F BE ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF D? 83 }
- $block_2 = { 83 ?? ?? 33 ?? 6A ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 }
- $block_3 = { 8B ?? ?? ?? ?? ?? 8A ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_4 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_5 = { 8B ?? ?? ?? ?? ?? 5? 5? 8A ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_6 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_7 = { 5? 8B ?? 5? 5? 33 ?? 5? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 }
- $block_8 = { 68 ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_9 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_10 = { 8B ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_11 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C6 ?? ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_12 = { 8B ?? ?? 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_13 = { 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 0F 84 }
- $block_14 = { 8B ?? ?? 83 ?? ?? 33 ?? 83 ?? ?? 39 ?? ?? 0F 87 }
- $block_15 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "5a3684d67f5dd4bca879f376e086476dbd27689bd1c1daa6acbbde339fb6ccca" or
- 12 of them
-}
-
-rule RedOctoberPluginFileputexec {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 0F B6 ?? ?? 0F B6 ?? 8A ?? ?? 4? 88 ?? ?? 88 ?? ?? 99 F7 ?? ?? FF 4? ?? 81 7? ?? ?? ?? ?? ?? 7C }
- $block_1 = { 68 ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_2 = { 0F B6 ?? ?? 0F BE ?? ?? ?? ?? ?? 5? 0F B6 ?? 0F BE ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF D? 83 }
- $block_3 = { 5? 8B ?? 5? 5? 8B ?? ?? 8A ?? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 5? 33 ?? 89 ?? ?? 39 ?? ?? 0F 8E }
- $block_4 = { 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 85 }
- $block_5 = { 83 ?? ?? 33 ?? 6A ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 }
- $block_6 = { 8B ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_7 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? ?? 03 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 }
- $block_8 = { 8B ?? ?? ?? ?? ?? 8A ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_9 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_10 = { 8B ?? ?? ?? ?? ?? 5? 5? 8A ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_11 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_12 = { 5? 8B ?? 5? 5? 33 ?? 5? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 }
- $block_13 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_14 = { 88 ?? ?? 0F B6 ?? 8A ?? ?? 0F B6 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 }
- $block_15 = { 8B ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_16 = { 0F B6 ?? 8A ?? ?? 30 ?? 8B ?? ?? 4? 89 ?? ?? 3B ?? ?? 7C }
- $block_17 = { 5? 5? 5? 33 ?? 89 ?? ?? ?? 89 ?? ?? ?? 39 ?? ?? ?? 0F 84 }
- $block_18 = { 5? 8B ?? ?? ?? ?? ?? 5? 5? FF 7? ?? ?? FF D? 3B ?? 0F 84 }
- $block_19 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C6 ?? ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_20 = { 8B ?? ?? 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_21 = { 8B ?? ?? 83 ?? ?? 33 ?? 83 ?? ?? 39 ?? ?? 0F 87 }
- $block_22 = { 8B ?? ?? 0F B6 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 75 }
- $block_23 = { 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 0F 84 }
- $block_24 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_25 = { 8B ?? ?? 0F B6 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 74 }
-
- condition:
- hash.sha256(0, filesize) == "b596d4e58b5af33fb4380d4663454f4e3196d86e18390edb8c6f77485be8e7be" or
- 12 of them
-}
-
-rule RedOctoberPluginFileInfo {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 68 ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_1 = { 0F B6 ?? ?? 0F B6 ?? 8A ?? ?? 4? 88 ?? ?? 88 ?? ?? 99 F7 ?? ?? FF 4? ?? 81 7? ?? ?? ?? ?? ?? 7C }
- $block_2 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 5? 8B ?? ?? 33 ?? 33 ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_3 = { 6A ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_4 = { 8D ?? ?? 5? 8B ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 0F 84 }
- $block_5 = { 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 85 }
- $block_6 = { 8B ?? ?? C1 ?? ?? 6A ?? 83 ?? ?? 5? FF 7? ?? 8B ?? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 88 }
- $block_7 = { 5? 8B ?? 5? 5? 8B ?? ?? 8A ?? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 5? 33 ?? 89 ?? ?? 39 ?? ?? 0F 8E }
- $block_8 = { 8B ?? ?? 33 ?? 6A ?? 5? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 5? 89 ?? ?? 3B ?? 74 }
- $block_9 = { 8D ?? ?? 5? 8B ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 }
- $block_10 = { 8B ?? ?? 03 ?? ?? 0F B6 ?? 0F AF ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 89 ?? ?? EB }
- $block_11 = { 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 8D ?? ?? 89 ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? ?? 7C }
- $block_12 = { 0F B6 ?? ?? 0F B6 ?? ?? 83 ?? ?? ?? C1 ?? ?? 0B ?? 33 ?? 80 F? ?? 0F 94 ?? 89 ?? ?? EB }
- $block_13 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? ?? 03 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 }
- $block_14 = { 8B ?? ?? 89 ?? ?? ?? ?? ?? 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 03 ?? 80 3? ?? 74 }
- $block_15 = { 8B ?? ?? 03 ?? ?? 89 ?? ?? 83 ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 }
- $block_16 = { 8B ?? ?? ?? ?? ?? 33 ?? 5? 33 ?? 4? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C2 }
- $block_17 = { 8D ?? ?? ?? ?? ?? ?? 0F B6 ?? 8A ?? ?? ?? ?? ?? 4? 88 ?? 3B ?? ?? ?? ?? ?? 75 }
- $block_18 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_19 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_20 = { 8B ?? ?? 8D ?? ?? 8A ?? 88 ?? ?? 0F B6 ?? 89 ?? ?? 8B ?? ?? F6 ?? ?? ?? 75 }
- $block_21 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C2 }
- $block_22 = { 0F B6 ?? 8B ?? 33 ?? 83 ?? ?? 4? D3 ?? 8B ?? ?? C1 ?? ?? 8A ?? ?? 84 ?? 74 }
- $block_23 = { 0F B6 ?? 33 ?? 8B ?? 83 ?? ?? 4? D3 ?? 8B ?? ?? C1 ?? ?? 8A ?? ?? 84 ?? 75 }
- $block_24 = { 33 ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 85 }
- $block_25 = { 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 03 ?? 83 ?? ?? 89 ?? ?? 3B ?? ?? 7D }
- $block_26 = { 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 8B ?? 2B ?? 80 3? ?? 89 ?? ?? 72 }
- $block_27 = { 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 2B ?? 89 ?? ?? B8 ?? ?? ?? ?? E9 }
- $block_28 = { 0F B6 ?? ?? 0F B6 ?? ?? 8B ?? ?? C1 ?? ?? 0B ?? 03 ?? 89 ?? ?? 3B ?? 75 }
- $block_29 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_30 = { 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 89 ?? ?? 03 ?? 3B ?? ?? 0F 8C }
- $block_31 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_32 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C2 }
- $block_33 = { 6A ?? 8B ?? ?? 83 ?? ?? 5? 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 }
- $block_34 = { 8B ?? ?? ?? ?? ?? 33 ?? 33 ?? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C2 }
- $block_35 = { 5? 8B ?? 5? 5? 33 ?? 5? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 }
- $block_36 = { 8D ?? ?? ?? ?? ?? ?? 0F B6 ?? 8A ?? ?? ?? ?? ?? 4? 88 ?? 3B ?? 75 }
- $block_37 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 5? 5? 8B ?? ?? 8B ?? 5? 3B ?? ?? 0F 83 }
- $block_38 = { 5? 8B ?? 8B ?? ?? 0F B6 ?? 0F B6 ?? ?? ?? ?? ?? 5? 5? 5? 03 ?? E9 }
- $block_39 = { 8B ?? ?? 8D ?? ?? 8B ?? 99 2B ?? 33 ?? D1 ?? 4? 2B ?? 8D ?? ?? EB }
- $block_40 = { 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 80 7? ?? ?? 89 ?? ?? 0F 85 }
- $block_41 = { 8B ?? ?? 0F B6 ?? ?? 33 ?? 89 ?? ?? 8B ?? ?? 4? 89 ?? ?? 3B ?? 7C }
- $block_42 = { 8A ?? 83 ?? ?? ?? 83 ?? ?? ?? 0F B6 ?? 89 ?? ?? 83 ?? ?? 0F 87 }
- $block_43 = { 8B ?? ?? 0F B6 ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 03 ?? 3B ?? ?? 7D }
- $block_44 = { 6A ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_45 = { 88 ?? ?? 0F B6 ?? 8A ?? ?? 0F B6 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 }
- $block_46 = { 8B ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_47 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 86 }
- $block_48 = { 8B ?? ?? 8B ?? ?? 4? 89 ?? ?? 0F B6 ?? F6 ?? ?? ?? 89 ?? ?? 74 }
- $block_49 = { 8B ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 }
- $block_50 = { 6A ?? 6A ?? 33 ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 3B ?? ?? 0F 82 }
- $block_51 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_52 = { 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 0F B7 ?? 83 ?? ?? 74 }
- $block_53 = { 0F B6 ?? 8A ?? ?? 30 ?? 8B ?? ?? 4? 89 ?? ?? 3B ?? ?? 7C }
- $block_54 = { 8B ?? 8B ?? ?? BA ?? ?? ?? ?? 2B ?? 8D ?? ?? 3B ?? 0F 8C }
- $block_55 = { 5? 5? 5? 33 ?? 89 ?? ?? ?? 89 ?? ?? ?? 39 ?? ?? ?? 0F 84 }
- $block_56 = { 5? 8B ?? ?? ?? ?? ?? 5? 5? FF 7? ?? ?? FF D? 3B ?? 0F 84 }
- $block_57 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C6 ?? ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_58 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_59 = { 8B ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C2 }
- $block_60 = { 6A ?? 5? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_61 = { 8B ?? ?? 0F BE ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 }
- $block_62 = { 8B ?? 8B ?? 2B ?? ?? BE ?? ?? ?? ?? 2B ?? 3B ?? 0F 8C }
- $block_63 = { 8B ?? ?? FF 4? ?? 89 ?? ?? 8B ?? ?? 3B ?? ?? 0F 8D }
- $block_64 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? 0F 85 }
- $block_65 = { 8B ?? ?? 4? 89 ?? ?? 8A ?? 0F B6 ?? 83 ?? ?? 0F 8F }
- $block_66 = { 8B ?? ?? 33 ?? 89 ?? ?? 39 ?? ?? ?? ?? ?? 0F 85 }
- $block_67 = { 8B ?? ?? 0F B6 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 74 }
- $block_68 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? FF 0? 3B ?? ?? 0F 83 }
- $block_69 = { 8B ?? ?? 0F B6 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 75 }
- $block_70 = { 0F B6 ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 3B ?? ?? 74 }
-
- condition:
- hash.sha256(0, filesize) == "c870d08388e2786bf97667bf381d8a88c2fd9f94b64dc8c5ba4b715d2a2088ab" or
- 12 of them
-}
-
-rule RedOctoberPluginMetasploit {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 0F B6 ?? ?? 0F B6 ?? 8A ?? ?? 4? 88 ?? ?? 88 ?? ?? 99 F7 ?? ?? FF 4? ?? 81 7? ?? ?? ?? ?? ?? 7C }
- $block_1 = { 0F B6 ?? ?? 0F BE ?? ?? ?? ?? ?? 5? 0F B6 ?? 0F BE ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF D? 83 }
- $block_2 = { 68 ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_3 = { 68 ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 0F BE ?? 83 ?? ?? 74 }
- $block_4 = { 5? 8B ?? 5? 5? 8B ?? ?? 8A ?? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 5? 33 ?? 89 ?? ?? 39 ?? ?? 0F 8E }
- $block_5 = { 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 85 }
- $block_6 = { 83 ?? ?? 33 ?? 6A ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 }
- $block_7 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? ?? 03 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 }
- $block_8 = { 68 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 81 C? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_9 = { 8B ?? ?? 0F B7 ?? ?? 5? 8B ?? ?? 0F B7 ?? 5? 8B ?? ?? 5? 8B ?? ?? E8 ?? ?? ?? ?? EB }
- $block_10 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 89 ?? ?? E8 ?? ?? ?? ?? 25 ?? ?? ?? ?? 79 }
- $block_11 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? 89 ?? ?? 8B ?? ?? 33 ?? 83 ?? ?? ?? 0F 94 ?? 88 }
- $block_12 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_13 = { 8B ?? ?? ?? ?? ?? 8A ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_14 = { 8B ?? ?? ?? ?? ?? 5? 5? 8A ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_15 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 0F B7 ?? 83 ?? ?? 74 }
- $block_16 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_17 = { 5? 8B ?? 5? 5? 33 ?? 5? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 }
- $block_18 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_19 = { 88 ?? ?? 0F B6 ?? 8A ?? ?? 0F B6 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 }
- $block_20 = { 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 85 }
- $block_21 = { 8B ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_22 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C6 ?? ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_23 = { 0F B6 ?? 8A ?? ?? 30 ?? 8B ?? ?? 4? 89 ?? ?? 3B ?? ?? 7C }
- $block_24 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_25 = { 8B ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 85 }
- $block_26 = { 8B ?? ?? 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_27 = { 8B ?? ?? 83 ?? ?? 33 ?? 83 ?? ?? 39 ?? ?? 0F 87 }
- $block_28 = { 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 0F 84 }
- $block_29 = { 8B ?? ?? 0F B6 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 75 }
- $block_30 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_31 = { 8B ?? ?? 0F B6 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 74 }
-
- condition:
- hash.sha256(0, filesize) == "82095ecc6099be283f9e211780d7100b732fc216383e59605804b6f0734db9ba" or
- 12 of them
-}
-
-rule RedOctoberPluginOfficeBDInstaller {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 0F B6 ?? ?? 0F BE ?? ?? ?? ?? ?? 5? 0F B6 ?? 0F BE ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF D? 83 }
- $block_1 = { 83 ?? ?? 33 ?? 6A ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 }
- $block_2 = { 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 0F 84 }
- $block_3 = { 8D ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 8B ?? ?? 5? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_4 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_5 = { 8B ?? ?? ?? ?? ?? 8A ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_6 = { 8B ?? ?? ?? ?? ?? 5? 5? 8A ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_7 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_8 = { 5? 8B ?? 5? 5? 33 ?? 5? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 }
- $block_9 = { 68 ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_10 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_11 = { 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 0F 84 }
- $block_12 = { 8B ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_13 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C6 ?? ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_14 = { 5? 5? 5? 33 ?? 89 ?? ?? ?? 89 ?? ?? ?? 39 ?? ?? ?? 0F 84 }
- $block_15 = { 5? 8B ?? ?? ?? ?? ?? 5? 5? FF 7? ?? ?? FF D? 3B ?? 0F 84 }
- $block_16 = { 8B ?? ?? 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_17 = { 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 0F 84 }
- $block_18 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_19 = { 8B ?? ?? 83 ?? ?? 33 ?? 83 ?? ?? 39 ?? ?? 0F 87 }
-
- condition:
- hash.sha256(0, filesize) == "19830a143595d6c6791da1abd4126cba59b6c71f2d535227ba36b7298d276250" or
- 12 of them
-}
-
-rule RedOctoberPluginPOP3Client {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? 5? 5? 5? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? A3 ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 4? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? A1 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? 
?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? B9 ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? B9 ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? FF 0? ?? ?? ?? ?? A1 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 4? FF 0? ?? ?? ?? ?? B9 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? BB ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? B9 ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 4? A3 ?? ?? ?? ?? 8B ?? 
03 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? A1 ?? ?? ?? ?? BB ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 4? A1 ?? ?? ?? ?? BF ?? ?? ?? ?? A3 ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? BE ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? BF ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? 8B ?? 2B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? BB ?? ?? ?? ?? 4? BB ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? B9 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 03 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? 
?? ?? ?? ?? BB ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 8B ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 8B ?? 8B ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? BE ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 0B ?? 0F 84 }
- $block_1 = { 8B ?? 5? 5? 5? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? A3 ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? B8 ?? ?? ?? ?? 4? 4? 8B ?? B9 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 4? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? B8 ?? ?? ?? ?? BE ?? ?? ?? ?? 4? 8B ?? 8B ?? A1 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? A1 ?? ?? ?? ?? FF 0? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? FF 0? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? 
?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? 4? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? 8B ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B ?? 8B ?? A1 ?? ?? ?? ?? BB ?? ?? ?? ?? BA ?? ?? ?? ?? BB ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B ?? A1 ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BE ?? 
?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 4? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 4? 2B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 4? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? B9 ?? ?? ?? ?? BE ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? BE ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 8B ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 4? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 
FF D? 8B ?? BA ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 4? BE ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? 4? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 0B ?? 0F 84 }
- $block_2 = { 5? 8B ?? 5? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? BB ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BA ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? A3 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 4? 8B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 4? 4? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 
?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 8B ?? 8B ?? 8B ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? BE ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 8B ?? ?? FF 0? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? BA ?? ?? 
?? ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 84 }
- $block_3 = { 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 4? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8A ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? BF ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? 8B ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 32 ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 88 ?? 8B ?? 4? 2B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? BB ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 
BF ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BE ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BB ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 8B ?? BF ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0B ?? 0F 85 }
- $block_4 = { BA ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 32 ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? BB ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 0F B6 ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? C1 ?? ?? FF 0? ?? ?? ?? ?? BF ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? BB ?? ?? ?? ?? 8B ?? 4? 4? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? 
?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? FF 0? ?? ?? ?? ?? BB ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 33 ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? BF ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? BB ?? ?? ?? ?? 4? 0F 85 }
- $block_5 = { 83 ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? B9 ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? BB ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 5? C9 C2 }
- $block_6 = { BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? A3 ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 4? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 8B ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? B8 ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 4? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 81 F? ?? ?? ?? ?? 0F 85 }
- $block_7 = { 8B ?? 4? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? A3 ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? BB ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? FF 0? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 0? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? A3 ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 85 }
- $block_8 = { 4? 00 ?? ?? 4? 5? 33 ?? 2E ?? 4? 4? 00 ?? 01 ?? 03 ?? ?? ?? ?? ?? ?? 0A ?? 0C ?? 0E 0F 10 ?? 12 ?? 14 ?? 16 17 18 ?? 1A ?? 1C ?? 1E 1F 20 ?? 22 ?? 24 ?? 26 ?? 28 ?? 2A ?? 2C ?? 2E ?? 30 ?? 32 ?? 34 ?? 36 ?? 38 ?? 3A ?? 3C ?? 3E ?? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 60 61 62 ?? ?? 65 ?? ?? ?? ?? ?? 6B ?? ?? ?? ?? 70 }
- $block_9 = { 14 ?? 16 17 18 ?? 1A ?? 1C ?? 1E 1F 20 ?? 22 ?? 24 ?? 26 ?? 28 ?? 2A ?? 2C ?? 2E ?? 30 ?? 32 ?? 34 ?? 36 ?? 38 ?? 3A ?? 3C ?? 3E ?? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 60 61 62 ?? ?? 65 ?? ?? ?? ?? ?? 6B ?? ?? ?? ?? 70 }
-
- condition:
- hash.sha256(0, filesize) == "1ac828db983ae799edf65e6b6bef81ceffd1e2079a6e1c5e6cf969a37f956698" or
- hash.sha256(0, filesize) == "c89b2bb62d13777aa6b1a4a22813e06907b26809d4745df963a760d365cc09cd" or
- 10 of them
-}
-
-rule RedOctoberPluginCollectInfo {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 6A ?? 8B ?? 99 6A ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 }
- $block_1 = { 0F B6 ?? ?? 0F BE ?? ?? ?? ?? ?? 5? 0F B6 ?? 0F BE ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF D? 83 }
- $block_2 = { 8B ?? ?? ?? 8D ?? ?? ?? 5? 4? 5? 68 ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_3 = { 5? 5? 5? 33 ?? 8D ?? ?? ?? 5? 5? 5? 5? 5? 5? 8B ?? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_4 = { 83 ?? ?? 33 ?? 6A ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 }
- $block_5 = { 8B ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 85 ?? 74 }
- $block_6 = { 8D ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_7 = { 6A ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 8B ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_8 = { 8B ?? ?? ?? ?? ?? ?? 5? 5? 5? 0F B6 ?? 5? 33 ?? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C3 }
- $block_9 = { 8D ?? ?? ?? 5? 5? 68 ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_10 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_11 = { 8B ?? ?? ?? ?? ?? 8A ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_12 = { 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C9 C3 }
- $block_13 = { 8B ?? ?? ?? ?? ?? 5? 5? 8A ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_14 = { 8B ?? ?? 6A ?? 8D ?? ?? ?? 5? 8B ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_15 = { 8B ?? ?? 8B ?? C1 ?? ?? 5? E8 ?? ?? ?? ?? 5? 33 ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_16 = { 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_17 = { 8B ?? 8B ?? ?? 8B ?? FF D? 5? 6A ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 }
- $block_18 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_19 = { 8D ?? ?? 89 ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? F6 ?? ?? ?? 89 ?? ?? 0F 84 }
- $block_20 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_21 = { 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_22 = { 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_23 = { 8D ?? ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_24 = { FF 7? ?? 8B ?? 8B ?? E8 ?? ?? ?? ?? 33 ?? 5? 89 ?? ?? 39 ?? ?? 0F 84 }
- $block_25 = { 8D ?? ?? ?? 5? 5? C7 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_26 = { 5? 8B ?? 5? 5? 33 ?? 5? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 }
- $block_27 = { 8B ?? 8B ?? ?? FF D? 8D ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_28 = { 0F 95 ?? 8B ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 5? 5? 5? 5? 83 ?? ?? C2 }
- $block_29 = { 8B ?? ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_30 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_31 = { 8B ?? ?? ?? ?? ?? 33 ?? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_32 = { 5? 8B ?? 5? 5? 5? 8B ?? ?? 8B ?? 0F B6 ?? ?? 33 ?? 3B ?? 0F 8E }
- $block_33 = { 8B ?? ?? ?? 8B ?? 8D ?? ?? ?? 5? 5? 8B ?? ?? FF D? 85 ?? 0F 85 }
- $block_34 = { 6A ?? 68 ?? ?? ?? ?? FF 3? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_35 = { 8D ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 }
- $block_36 = { 5? 6A ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_37 = { 8B ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_38 = { 8B ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_39 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C6 ?? ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_40 = { 5? 6A ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_41 = { 5? 5? 5? 8B ?? ?? ?? 33 ?? 8B ?? 89 ?? ?? ?? 3B ?? 0F 84 }
- $block_42 = { 5? 5? 5? 8B ?? ?? ?? 32 ?? 8B ?? 88 ?? ?? ?? 85 ?? 0F 84 }
- $block_43 = { 8D ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_44 = { 6A ?? 8B ?? 2B ?? ?? 5? 5? 89 ?? ?? 5? 89 ?? ?? 0F 88 }
- $block_45 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? 33 ?? 5? 66 ?? ?? ?? 0F 85 }
- $block_46 = { 5? 8D ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 }
- $block_47 = { 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C9 C3 }
- $block_48 = { 8B ?? ?? 8B ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_49 = { 8B ?? ?? 8B ?? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_50 = { FF 7? ?? 8B ?? 8B ?? E8 ?? ?? ?? ?? 5? 85 ?? 0F 85 }
- $block_51 = { 8B ?? ?? 80 7? ?? ?? 8B ?? ?? 0F 95 ?? 88 ?? ?? 8B }
- $block_52 = { 8B ?? ?? 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_53 = { 8B ?? ?? ?? 4? 89 ?? ?? ?? 3B ?? ?? ?? ?? ?? 0F 82 }
- $block_54 = { 0F B6 ?? 8B ?? ?? 8B ?? ?? 4? 3D ?? ?? ?? ?? 0F 87 }
- $block_55 = { 8B ?? ?? 33 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C9 C3 }
- $block_56 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_57 = { 6A ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_58 = { 8B ?? ?? 8B ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_59 = { 0F B7 ?? ?? 0F B6 ?? ?? 5? 8D ?? ?? 83 ?? ?? 7D }
- $block_60 = { 8B ?? 8B ?? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_61 = { 8B ?? ?? 80 7? ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_62 = { 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_63 = { 8B ?? ?? 83 ?? ?? 33 ?? 83 ?? ?? 39 ?? ?? 0F 87 }
- $block_64 = { 8B ?? ?? ?? 01 ?? ?? ?? 89 ?? ?? ?? 3B ?? 0F 86 }
-
- condition:
- hash.sha256(0, filesize) == "cf8b014c410edf2116fd54803ef9325c45d26d44160fa0feefa361a576aa7980" or
- 24 of them
-}
-
-rule RedOctoberPluginDocBackdoor {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? 8B ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_1 = { 5? 8B ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_2 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 03 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 5? 8D ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_3 = { 8B ?? ?? 5? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 5? 6A ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 5? 8B ?? ?? 03 ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? ?? 83 ?? ?? 75 }
- $block_4 = { 8B ?? ?? 2B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? 03 ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_5 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 83 ?? ?? 75 }
- $block_6 = { 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 33 ?? BA ?? ?? ?? ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? 83 ?? ?? ?? ?? ?? ?? 74 }
- $block_7 = { 8B ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_8 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_9 = { C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 74 }
-
- condition:
- hash.sha256(0, filesize) == "bef87ae1f54d63f88c59f38e1725735db723b729d0dbbda2411d5b9779649415" or
- 10 of them
-}
-
-rule KillDisk {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? ?? 8D ?? ?? ?? 5? 5? 5? 6A ?? 5? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? 85 ?? 0F 84 }
- $block_1 = { 8B ?? ?? ?? ?? ?? 5? FF D? 83 ?? ?? ?? 5? 0F 95 ?? ?? ?? FF 1? ?? ?? ?? ?? 80 7? ?? ?? ?? 0F 84 }
- $block_2 = { 5? FF 1? ?? ?? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 95 ?? 84 ?? 75 }
- $block_3 = { 8B ?? ?? ?? 8B ?? ?? ?? 03 ?? 03 ?? 03 ?? 01 ?? ?? ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F 82 }
- $block_4 = { 8B ?? ?? ?? 8D ?? ?? ?? 5? 33 ?? 5? 5? 6A ?? 5? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_5 = { 8B ?? ?? ?? ?? ?? ?? 85 ?? 0F 95 ?? 5? 33 ?? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C3 }
- $block_6 = { 8B ?? C1 ?? ?? 8B ?? F3 ?? 8B ?? 8B ?? ?? ?? 83 ?? ?? A9 ?? ?? ?? ?? F3 ?? 0F 85 }
- $block_7 = { 68 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_8 = { 8B ?? ?? ?? 5? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 3B ?? 89 ?? ?? ?? 0F 84 }
- $block_9 = { 8B ?? C1 ?? ?? 8B ?? F3 ?? 8B ?? 83 ?? ?? F3 ?? FF 1? ?? ?? ?? ?? 3C ?? 0F 85 }
- $block_10 = { 68 ?? ?? ?? ?? FF D? 8B ?? ?? ?? 8B ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F 86 }
- $block_11 = { 5? 5? 6A ?? 5? 6A ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 }
- $block_12 = { 8B ?? ?? ?? 2B ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 8B ?? C1 ?? ?? 03 ?? 0F 84 }
- $block_13 = { 8B ?? ?? ?? 83 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 3B ?? ?? ?? 89 ?? ?? ?? 0F 82 }
- $block_14 = { 8B ?? ?? ?? 83 ?? ?? 83 ?? ?? 83 ?? ?? 3B ?? 89 ?? ?? ?? 89 ?? ?? ?? 0F 82 }
- $block_15 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_16 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_17 = { 8B ?? C1 ?? ?? 8B ?? F3 ?? 8B ?? 83 ?? ?? F6 ?? ?? ?? ?? F3 ?? 0F 84 }
- $block_18 = { 8B ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 89 ?? ?? ?? 0F 84 }
- $block_19 = { 89 ?? ?? ?? 8D ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 84 ?? 0F 84 }
- $block_20 = { 6A ?? 6A ?? 6A ?? 32 ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_21 = { 6A ?? 6A ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_22 = { 5? 8B ?? 83 ?? ?? 83 ?? ?? 5? 5? 8B ?? ?? 85 ?? 5? 0F 84 }
- $block_23 = { 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? 83 ?? ?? 66 ?? ?? 75 }
- $block_24 = { 8B ?? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_25 = { 8B ?? C1 ?? ?? F3 ?? 8B ?? 83 ?? ?? 85 ?? F3 ?? 0F 84 }
- $block_26 = { 8B ?? ?? ?? 83 ?? ?? 83 ?? ?? 3B ?? 89 ?? ?? ?? 0F 82 }
- $block_27 = { 8B ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 89 ?? ?? ?? 0F 84 }
- $block_28 = { 8B ?? ?? ?? 3B ?? 8B ?? ?? ?? C6 ?? ?? ?? ?? 0F 87 }
- $block_29 = { 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 95 ?? 84 ?? 0F 84 }
- $block_30 = { 5? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_31 = { 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF D? 85 ?? 0F 84 }
- $block_32 = { 0F B7 ?? 66 ?? ?? 83 ?? ?? 83 ?? ?? 66 ?? ?? 75 }
- $block_33 = { 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 95 ?? 84 ?? 74 }
- $block_34 = { 83 ?? ?? ?? ?? 83 ?? ?? ?? ?? 8B ?? ?? ?? 0F 85 }
- $block_35 = { 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
-
- condition:
- hash.sha256(0, filesize) == "26173c9ec8fd1c4f9f18f89683b23267f6f9d116196ed15655e9cb453af2890e" or
- hash.sha256(0, filesize) == "8246f709efa922a485e1ca32d8b0d10dc752618e8b3fce4d3dd58d10e4a6a16d" or
- 12 of them
-}
-
-rule XData {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? CC 5? 8B ?? 5? 8B ?? ?? 5? 8B ?? 8B ?? ?? 5? 8B ?? ?? 3B ?? 0F 82 }
- $block_1 = { 5? 5? 8D ?? ?? C7 ?? ?? ?? ?? ?? ?? 32 ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 }
- $block_2 = { 68 ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 33 ?? 85 ?? 5? 0F 94 ?? 5? 8B ?? 5? C3 }
- $block_3 = { 8D ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 33 ?? ?? ?? ?? ?? 5? FF D? 85 ?? 0F 84 }
- $block_4 = { 48 ?? ?? 48 ?? ?? ?? 0F 10 ?? ?? 0F 11 ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 5? C3 }
- $block_5 = { BA ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 85 ?? 0F 44 ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 74 }
- $block_6 = { 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 33 ?? 85 ?? 0F 84 }
- $block_7 = { 48 ?? ?? ?? ?? 0F B6 ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? ?? 5? C3 }
- $block_8 = { 5? 8B ?? 5? 5? 5? 8B ?? 33 ?? 5? 33 ?? 33 ?? 0F B7 ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? 73 }
- $block_9 = { 8D ?? ?? 89 ?? ?? 5? 6A ?? 5? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? F7 ?? 5? 1B ?? 83 }
- $block_10 = { 6A ?? FF 3? 5? E8 ?? ?? ?? ?? 83 ?? ?? 6A ?? 5? 89 ?? ?? B8 ?? ?? ?? ?? 66 ?? ?? 0F 85 }
- $block_11 = { 8B ?? ?? 83 ?? ?? 8B ?? ?? 4? 89 ?? ?? 89 ?? ?? 89 ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 89 }
- $block_12 = { 8B ?? ?? 03 ?? ?? 0F B6 ?? 8B ?? ?? 03 ?? ?? 0F B6 ?? 33 ?? 8B ?? ?? 03 ?? ?? 88 ?? EB }
- $block_13 = { 5? 8B ?? 5? 8B ?? ?? 5? 8B ?? ?? 8B ?? 83 ?? ?? 83 ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? 0F 1F }
- $block_14 = { 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 6A ?? 5? 4? 6A ?? 89 ?? ?? 5? 3B ?? ?? 0F 82 }
- $block_15 = { 83 ?? ?? ?? 8D ?? ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 8B ?? ?? 4? 89 ?? ?? 83 ?? ?? 0F 8C }
- $block_16 = { A1 ?? ?? ?? ?? 8D ?? ?? 33 ?? ?? ?? ?? ?? 6A ?? 6A ?? 5? 6A ?? FF D? 83 ?? ?? 0F 84 }
- $block_17 = { 8B ?? ?? 8D ?? ?? 5? 33 ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_18 = { A1 ?? ?? ?? ?? 8B ?? 33 ?? ?? ?? ?? ?? 5? FF D? 66 ?? ?? ?? 8D ?? ?? 8D ?? ?? 0F 84 }
- $block_19 = { 83 ?? ?? ?? 8D ?? ?? 0F 43 ?? ?? 33 ?? 5? 5? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8A }
- $block_20 = { 8B ?? ?? 33 ?? 2B ?? 99 C7 ?? ?? ?? ?? ?? ?? F7 ?? ?? 5? 89 ?? ?? B3 ?? 85 ?? 74 }
- $block_21 = { 83 ?? ?? ?? 8D ?? ?? 0F 43 ?? ?? 33 ?? 5? 5? 5? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 8A }
- $block_22 = { 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? ?? 8B ?? ?? 83 ?? ?? ?? 0F 82 }
- $block_23 = { 33 ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_24 = { 48 ?? ?? ?? ?? 4D ?? ?? 48 ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_25 = { A1 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? 5? 5? FF D? 85 ?? 0F 84 }
- $block_26 = { 33 ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_27 = { 83 ?? ?? ?? 8D ?? ?? 0F 43 ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 5? 5? 84 ?? 75 }
- $block_28 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 5? 5? 8B ?? 89 ?? ?? 5? 8B ?? 66 ?? ?? ?? 0F 84 }
- $block_29 = { 8B ?? ?? 8B ?? ?? 8B ?? 85 ?? 8D ?? ?? 0F 45 ?? 8B ?? ?? 8D ?? ?? 85 ?? 74 }
- $block_30 = { 6A ?? 68 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 0F 85 }
- $block_31 = { 81 E? ?? ?? ?? ?? 8B ?? 03 ?? 03 ?? 99 2B ?? ?? 83 ?? ?? 01 ?? 11 ?? ?? 8B }
- $block_32 = { 0F B6 ?? 8D ?? ?? 33 ?? C1 ?? ?? 0F B6 ?? 33 ?? ?? ?? ?? ?? ?? 83 ?? ?? 75 }
- $block_33 = { A1 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? 5? 5? FF D? 85 ?? 0F 85 }
- $block_34 = { 4? 8D ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? 8B ?? 89 ?? ?? 8B ?? ?? 33 ?? 0F 1F }
- $block_35 = { 48 ?? ?? ?? ?? 5? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? 49 ?? ?? ?? ?? 0F 82 }
- $block_36 = { 8B ?? ?? 2B ?? 8B ?? ?? 3B ?? 89 ?? ?? 0F 47 ?? 8B ?? F7 ?? 3B ?? 76 }
- $block_37 = { 5? 8D ?? ?? A5 A5 A5 A5 FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 33 ?? 8D }
- $block_38 = { 8B ?? ?? 33 ?? 6A ?? 5? 89 ?? ?? 8B ?? ?? 2B ?? 99 F7 ?? 85 ?? 0F 84 }
- $block_39 = { 6A ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 85 ?? 0F 84 }
- $block_40 = { 8D ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_41 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_42 = { 6A ?? 5? 8D ?? ?? ?? ?? ?? F3 ?? 8B ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_43 = { 5? 8B ?? 5? 8B ?? ?? 5? 8B ?? 8B ?? ?? 5? 8B ?? ?? 3B ?? 0F 82 }
- $block_44 = { 6A ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_45 = { 4? 83 ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 82 }
- $block_46 = { 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? 8D ?? ?? ?? ?? ?? 2B ?? 0F 1F }
- $block_47 = { 6A ?? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 89 ?? ?? 0F 1F }
- $block_48 = { FF B? ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 3D ?? ?? ?? ?? 0F 83 }
- $block_49 = { 8B ?? ?? 2B ?? 99 F7 ?? ?? 8B ?? ?? 4? 89 ?? ?? 3B ?? 72 }
- $block_50 = { 83 ?? ?? ?? 8D ?? ?? 8D ?? ?? 0F 43 ?? ?? 83 ?? ?? ?? 72 }
- $block_51 = { A1 ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? 5? FF D? 3B ?? ?? 0F 85 }
- $block_52 = { 48 ?? ?? ?? ?? 5? 48 ?? ?? ?? 49 ?? ?? 4D ?? ?? 0F 84 }
- $block_53 = { FF B? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 0F 84 }
- $block_54 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? 0F 84 }
- $block_55 = { 49 ?? ?? 48 ?? ?? 48 ?? ?? ?? BA ?? ?? ?? ?? 0F 1F }
- $block_56 = { 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_57 = { 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 95 ?? 84 ?? 0F 84 }
- $block_58 = { 48 ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 0F 44 ?? 8B }
- $block_59 = { 8B ?? 41 ?? ?? 44 ?? ?? ?? 41 ?? ?? 3B ?? 0F 47 }
- $block_60 = { 5? 5? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_61 = { 83 ?? ?? ?? 8D ?? ?? 8D ?? ?? 0F 43 ?? ?? 5? E8 }
-
- condition:
- hash.sha256(0, filesize) == "d174f0c6ded55eb315320750aaa3152fc241acbfaef662bf691ffd0080327ab9" or
- hash.sha256(0, filesize) == "92ad1b7965d65bfef751cf6e4e8ad4837699165626e25131409d4134f031a497" or
- hash.sha256(0, filesize) == "ff07c0b13d10db6f897526dd05041bf089b1b9b706833722480309b9b22e5040" or
- 12 of them
-}
-
-rule Exaramel {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8B ?? 8B ?? ?? 33 ?? 5? 8B ?? ?? 33 ?? 03 ?? 5? 8B ?? 2B ?? 3B ?? 8B ?? ?? 0F 47 ?? 85 ?? 74 }
- $block_1 = { 8B ?? 8D ?? ?? 0F 10 ?? ?? 5? 83 ?? ?? 8B ?? 8B ?? 5? 0F 11 ?? 8B ?? ?? ?? ?? ?? FF D? 85 ?? 78 }
- $block_2 = { 5? 68 ?? ?? ?? ?? 6A ?? 5? 6A ?? 6A ?? FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 }
- $block_3 = { 33 ?? 83 ?? ?? ?? 0F 94 ?? 89 ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 33 ?? 5? 8B ?? 5? C3 }
- $block_4 = { 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 88 }
- $block_5 = { FF 7? ?? 83 ?? ?? 83 ?? ?? 83 ?? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 89 ?? 85 ?? 0F 84 }
- $block_6 = { 8B ?? ?? 8D ?? ?? 8D ?? ?? 83 ?? ?? 8D ?? ?? 83 ?? ?? 8D ?? ?? 89 ?? ?? 0F 1F }
- $block_7 = { 8B ?? ?? 83 ?? ?? 0F 10 ?? ?? 8B ?? 8B ?? 5? 0F 11 ?? 8B ?? ?? ?? ?? ?? FF D? }
- $block_8 = { FF 7? ?? FF D? 8B ?? 8B ?? 8B ?? ?? 33 ?? 8D ?? ?? 3B ?? 0F 47 ?? 85 ?? 74 }
- $block_9 = { 5? 5? E8 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 6A ?? 6A ?? 85 ?? 0F 84 }
- $block_10 = { 5? 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 33 ?? 83 ?? ?? 0F 44 }
- $block_11 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_12 = { 8D ?? ?? ?? ?? ?? 5? FF B? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_13 = { 5? 8B ?? 8B ?? ?? 33 ?? 8B ?? ?? 66 ?? ?? 0F B7 ?? 83 ?? ?? 75 }
- $block_14 = { 8B ?? ?? 0F B7 ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 }
- $block_15 = { 83 ?? ?? B8 ?? ?? ?? ?? 66 ?? ?? 0F B7 ?? 66 ?? ?? 0F 84 }
- $block_16 = { 66 ?? ?? ?? ?? ?? ?? ?? ?? ?? F6 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_17 = { 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 88 }
- $block_18 = { 5? 6A ?? 5? FF 1? ?? ?? ?? ?? 89 ?? 85 ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "2f12fd3fb35f8690eea80dd48de98660c55df7f5c26b49d0cc82aaf3635b0c7a" or
- 12 of them
-}
-
-rule TeleBotRust {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? 
?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? 
?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? ?? 0F 86 }
- $block_1 = { 8A ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 89 ?? 8B ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? 
?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 75 }
- $block_2 = { 8D ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? 
?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_3 = { 07 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? 3F 07 00 ?? 3F 07 00 ?? F8 06 00 ?? 3F 07 00 ?? F8 06 00 ?? 3F 07 00 ?? 3F 07 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? 3F 07 00 ?? 3F 07 00 ?? 3F 07 00 ?? 3F 07 00 ?? F8 06 00 ?? 3F 07 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? 3F 07 00 ?? 3F 07 00 ?? 3F 07 00 ?? 81 0? ?? ?? ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 81 0? ?? ?? ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? B7 ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? ?? ?? ?? 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 5? 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? ?? ?? ?? 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? B7 ?? 00 ?? 73 }
- $block_4 = { F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8A ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? 0F B7 ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8A ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 8A ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_5 = { E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? C1 ?? ?? 89 ?? ?? ?? 89 ?? 0B ?? ?? ?? 31 ?? 89 ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? 31 ?? 8B ?? ?? ?? 01 ?? 11 ?? 0F A4 ?? ?? 0F A4 ?? ?? 89 ?? 31 ?? 8B ?? ?? ?? 31 ?? 89 ?? ?? ?? 8B ?? ?? ?? 01 ?? 89 ?? ?? ?? 8B ?? ?? 11 ?? 89 ?? ?? ?? 89 ?? 0F A4 ?? ?? 0F A4 ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? 33 ?? ?? ?? 01 ?? 11 ?? 89 ?? ?? 89 ?? 0F A4 ?? ?? 0F A4 ?? ?? 8B ?? ?? ?? 33 ?? ?? 31 ?? 01 ?? ?? ?? 89 ?? ?? ?? 89 ?? 11 ?? 33 ?? ?? ?? 0F A4 ?? ?? 0F A4 ?? ?? 8B ?? ?? 33 ?? ?? ?? 31 ?? 35 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? 33 ?? ?? ?? 01 ?? 89 ?? ?? ?? 11 ?? 0F A4 ?? ?? 0F A4 ?? ?? 8B ?? ?? ?? 31 ?? 8B ?? ?? ?? 89 ?? ?? 33 ?? ?? 01 ?? 89 ?? 11 ?? ?? ?? 89 ?? ?? ?? 0F A4 ?? ?? 0F A4 ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? 31 ?? 01 ?? ?? 89 ?? 11 ?? 0F A4 ?? ?? 0F A4 ?? ?? 8B ?? ?? ?? 31 ?? 33 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? 01 ?? 11 ?? ?? ?? 0F A4 ?? ?? 0F A4 ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? 31 ?? 8B ?? ?? ?? 31 ?? 01 ?? ?? 89 ?? 89 ?? 11 ?? 0F A4 ?? ?? 0F A4 ?? ?? 31 ?? 33 ?? ?? 01 ?? 89 ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? 89 ?? 8B ?? ?? ?? 89 ?? 11 ?? 0F A4 ?? ?? 89 ?? ?? ?? 0F A4 ?? ?? 31 ?? 8B ?? ?? ?? 31 ?? 89 ?? 01 ?? 11 ?? ?? 0F A4 ?? ?? 0F A4 ?? ?? 89 ?? ?? ?? 33 ?? ?? 31 ?? 8B ?? ?? ?? 01 ?? 89 ?? ?? ?? 8B ?? ?? ?? 89 ?? 11 ?? 0F A4 ?? ?? 89 ?? ?? ?? 0F A4 ?? ?? 31 ?? 8B ?? ?? ?? 31 ?? 89 ?? 01 ?? 11 ?? ?? 0F A4 ?? ?? 0F A4 ?? ?? 89 ?? 8B ?? ?? ?? 31 ?? 33 ?? ?? 01 ?? ?? ?? 89 ?? 11 ?? 03 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 11 ?? 8B ?? ?? ?? 8B ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_6 = { 5? 8B ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 85 ?? BF ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 0F 45 ?? 0F 44 ?? 8B ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 0B ?? ?? ?? 0B ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 75 }
- $block_7 = { B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? 5? 6A ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 89 ?? 5? 5? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? 4? 31 ?? 89 ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 5? 6A ?? 6A ?? E8 ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? 0F 1F ?? 8C ?? 00 ?? B6 ?? 00 ?? 9E 1F 00 ?? A3 ?? ?? ?? ?? 1F 00 ?? 9A ?? ?? ?? ?? ?? ?? 00 ?? ?? 00 ?? 5? 21 ?? 00 ?? ?? 00 ?? EE 21 ?? 00 ?? ?? ?? ?? ?? 21 ?? 00 ?? 21 ?? 00 ?? 22 ?? 00 ?? ?? 00 }
- $block_8 = { 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? ?? 0F 10 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? 0F B7 ?? 31 ?? 0F 11 ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 83 ?? ?? B9 ?? ?? ?? ?? 0F 45 ?? 0F 94 ?? 8D ?? ?? ?? ?? ?? ?? 09 ?? 89 ?? 8B ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? F3 ?? ?? ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? F2 ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? ?? 5? FF 5? ?? 83 ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_9 = { B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? 5? 6A ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? 89 ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 66 ?? A6 03 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? ?? ?? ?? ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? ?? ?? ?? ?? 03 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 01 ?? 00 ?? ?? 00 ?? 9? 06 00 ?? 9? 06 00 ?? 9? 06 00 ?? 9? 06 00 ?? 9? 06 00 ?? 9? 06 00 ?? 9? 06 00 ?? 9? 06 00 ?? 9? 06 00 ?? 9? 06 00 ?? 7E }
-
- condition:
- hash.sha256(0, filesize) == "1672b944cf80cc2b3f837a78988a335072e197104acb5bb8148834c37ce72c85" or
- 10 of them
-}
-
-rule CredRaptor {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 99 03 ?? 89 ?? ?? ?? ?? ?? 13 ?? 85 ?? 74 }
- $block_1 = { 33 ?? C6 ?? ?? ?? 66 ?? ?? ?? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 83 ?? ?? 0F 82 }
- $block_2 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? 39 ?? ?? 7F }
- $block_3 = { 8D ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? 5? 6A ?? 03 ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_4 = { 5? 8B ?? 5? 8B ?? ?? 0F B7 ?? ?? 8B ?? 83 ?? ?? 0F B6 ?? ?? ?? ?? ?? 5? 4? 5? 5? 83 ?? ?? 0F 87 }
- $block_5 = { 5? 5? 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_6 = { 0F B7 ?? ?? 8B ?? ?? ?? ?? ?? 4? 5? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_7 = { 8B ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? 5? 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_8 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? ?? 89 ?? ?? 8B ?? ?? 33 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 39 ?? 0F 8E }
- $block_9 = { 8B ?? C7 ?? ?? ?? ?? ?? ?? 99 0F 57 ?? 66 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? 89 ?? ?? 8D ?? ?? 89 }
- $block_10 = { 85 ?? 0F 95 ?? 8B ?? ?? 64 ?? ?? ?? ?? ?? ?? 5? 5? 8B ?? ?? 33 ?? E8 ?? ?? ?? ?? 8B ?? 5? C2 }
- $block_11 = { 8B ?? 0F B7 ?? ?? C1 ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_12 = { 8B ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 0F BF ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? 83 ?? ?? 39 ?? ?? 7F }
- $block_13 = { 5? 8B ?? 83 ?? ?? 0F B6 ?? ?? ?? ?? ?? 5? 8B ?? F7 ?? ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 0F 84 }
- $block_14 = { 8B ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_15 = { 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? DD ?? ?? ?? ?? ?? 8B ?? ?? DD ?? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_16 = { 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 3B ?? ?? 0F 84 }
- $block_17 = { 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_18 = { 8B ?? ?? ?? ?? ?? C1 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_19 = { 6A ?? FF B? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? BA ?? ?? ?? ?? 85 ?? 0F 45 ?? 80 3? ?? 75 }
- $block_20 = { 85 ?? 0F B6 ?? 68 ?? ?? ?? ?? BA ?? ?? ?? ?? 5? 0F 44 ?? FF 1? ?? ?? ?? ?? FF 7? ?? FF 1? }
- $block_21 = { 8D ?? ?? BA ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? 5? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_22 = { 8B ?? ?? 8D ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_23 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? F6 ?? ?? ?? 89 ?? ?? 89 ?? ?? 74 }
- $block_24 = { 5? 8B ?? 8B ?? ?? 5? 5? 8B ?? 0F B7 ?? ?? 83 ?? ?? 0F B6 ?? ?? ?? ?? ?? 4? 83 ?? ?? 0F 87 }
- $block_25 = { 5? 8B ?? 83 ?? ?? 8B ?? ?? 8B ?? 33 ?? 5? 33 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 38 ?? ?? 0F 85 }
- $block_26 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_27 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 4? 83 ?? ?? 89 ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? 0F 8C }
- $block_28 = { 8B ?? ?? 8B ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? ?? 8D ?? ?? 66 ?? ?? ?? 0F B7 ?? ?? 84 ?? 79 }
- $block_29 = { 5? 8B ?? 8B ?? ?? 5? 5? 0F B7 ?? ?? 03 ?? ?? 8B ?? 0F B7 ?? ?? 8B ?? ?? 03 ?? 3B ?? 77 }
- $block_30 = { 8D ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_31 = { 8B ?? 5? 0F BF ?? ?? 89 ?? ?? 5? 8B ?? ?? 4? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 74 }
- $block_32 = { 8B ?? ?? ?? ?? ?? 33 ?? 3B ?? 0F 94 ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_33 = { 8B ?? ?? 8D ?? ?? 0F B6 ?? ?? 5? 8B ?? 83 ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? E9 }
- $block_34 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 5? 8B ?? 0F B7 ?? ?? 83 ?? ?? 80 B? ?? ?? ?? ?? ?? 0F 84 }
- $block_35 = { 33 ?? 8B ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_36 = { 8D ?? ?? ?? ?? ?? 5? FF B? ?? ?? ?? ?? 5? 6A ?? FF B? ?? ?? ?? ?? FF D? 85 ?? 0F 84 }
- $block_37 = { 03 ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? 85 ?? 0F 84 }
- $block_38 = { 8B ?? ?? 0F BF ?? ?? 8B ?? ?? 03 ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_39 = { 5? 8B ?? 83 ?? ?? 8B ?? ?? 5? 8B ?? ?? 8B ?? ?? 03 ?? ?? 5? 8B ?? ?? 89 ?? ?? 0F 84 }
- $block_40 = { 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_41 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 0F BF ?? ?? 33 ?? 89 ?? ?? 85 ?? 7E }
- $block_42 = { 8B ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? 4? 5? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_43 = { 0F B6 ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 33 ?? 66 ?? ?? ?? 89 ?? 39 ?? ?? ?? ?? ?? 73 }
- $block_44 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_45 = { 8B ?? ?? 33 ?? B9 ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 }
- $block_46 = { 68 ?? ?? ?? ?? 6A ?? 5? 8B ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_47 = { 0F B6 ?? ?? ?? ?? ?? 84 ?? B9 ?? ?? ?? ?? 0F 45 ?? A2 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_48 = { 8D ?? ?? C7 ?? ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 95 ?? 84 ?? 74 }
- $block_49 = { 6A ?? 83 ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 8B ?? 89 ?? ?? 0B ?? 0F 84 }
- $block_50 = { 8B ?? ?? 5? 5? 83 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_51 = { 6A ?? 6A ?? 8B ?? E8 ?? ?? ?? ?? 33 ?? 83 ?? ?? 84 ?? 0F 95 ?? 8B ?? 85 ?? 74 }
- $block_52 = { C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_53 = { 8B ?? ?? 8B ?? 0F B7 ?? ?? 8B ?? ?? 83 ?? ?? 0F B6 ?? ?? ?? ?? ?? 83 ?? ?? 75 }
- $block_54 = { 33 ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 33 ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 8E }
- $block_55 = { 5? 8B ?? 0F BE ?? ?? 83 ?? ?? 83 ?? ?? 5? 5? 5? 8B ?? 8B ?? 83 ?? ?? 0F 87 }
- $block_56 = { 8D ?? ?? 89 ?? ?? 0F AF ?? C1 ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 75 }
- $block_57 = { 0F B7 ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_58 = { 0F B7 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 85 ?? 75 }
- $block_59 = { 8A ?? ?? 2C ?? 4? 0F B6 ?? 8B ?? 8D ?? ?? 8D ?? ?? 89 ?? 8B ?? 8D ?? ?? 66 }
- $block_60 = { 5? 5? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 8D ?? ?? 0F 43 ?? ?? 8D }
- $block_61 = { 8B ?? ?? 8B ?? 8B ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF D? 85 ?? 0F 85 }
- $block_62 = { 8B ?? ?? 8B ?? ?? 33 ?? 85 ?? 0F 95 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 75 }
- $block_63 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? E8 ?? ?? ?? ?? 80 7? ?? ?? 74 }
- $block_64 = { 8B ?? ?? 0F BF ?? ?? 8D ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 85 ?? 74 }
- $block_65 = { 6A ?? B8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_66 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 4? 89 ?? ?? 3B ?? ?? 0F 8C }
- $block_67 = { 8B ?? ?? 8D ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 }
- $block_68 = { 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 85 ?? 0F 8E }
- $block_69 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 03 ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_70 = { 8B ?? ?? 8B ?? ?? B9 ?? ?? ?? ?? 01 ?? ?? 01 ?? ?? 89 ?? ?? 3B ?? 0F 85 }
- $block_71 = { 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_72 = { 83 ?? ?? ?? 8D ?? ?? 0F 43 ?? ?? 89 ?? ?? ?? ?? ?? 8A ?? 3C ?? 0F 84 }
- $block_73 = { 6A ?? 83 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 0B ?? 89 ?? ?? 0F 84 }
- $block_74 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? 0F 83 }
- $block_75 = { 0F B7 ?? ?? 33 ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 1F }
- $block_76 = { 8D ?? ?? ?? ?? ?? 5? FF B? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_77 = { 8D ?? ?? C7 ?? ?? ?? ?? ?? 3B ?? C7 ?? ?? ?? ?? ?? 0F 94 ?? 84 ?? 75 }
- $block_78 = { 8D ?? ?? ?? ?? ?? 5? FF B? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_79 = { 5? 8B ?? ?? 5? 0F B6 ?? ?? 33 ?? 89 ?? ?? 89 ?? ?? 66 ?? ?? ?? 0F 83 }
- $block_80 = { 8B ?? ?? 6A ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_81 = { E8 ?? ?? ?? ?? 0F B7 ?? B9 ?? ?? ?? ?? 66 ?? ?? 0F 94 ?? 84 ?? 75 }
- $block_82 = { B9 ?? ?? ?? ?? B8 ?? ?? ?? ?? 3B ?? 0F 44 ?? 89 ?? ?? ?? ?? ?? EB }
- $block_83 = { 8B ?? 0F BF ?? ?? 8B ?? ?? ?? 01 ?? ?? ?? ?? ?? F6 ?? ?? ?? ?? 74 }
- $block_84 = { 5? 5? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 8D ?? ?? 0F 43 ?? ?? 8D }
- $block_85 = { 6A ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_86 = { 8B ?? ?? 8D ?? ?? 8B ?? ?? 83 ?? ?? 0F 43 ?? 80 7? ?? ?? 74 }
- $block_87 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? CC 8B ?? 83 ?? ?? 3B ?? ?? 74 }
- $block_88 = { 66 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0F 95 ?? 83 ?? ?? 72 }
- $block_89 = { 8B ?? ?? 33 ?? 38 ?? ?? 8B ?? ?? ?? 0F 94 ?? 3B ?? 0F 84 }
- $block_90 = { FF B? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 85 }
- $block_91 = { 4? 89 ?? 8B ?? ?? 8B ?? 8D ?? ?? 89 ?? 88 ?? 0F B6 ?? EB }
- $block_92 = { 6A ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_93 = { 5? 8B ?? 83 ?? ?? 80 B? ?? ?? ?? ?? ?? 5? 5? 5? 0F 85 }
- $block_94 = { 8B ?? ?? ?? 8A ?? ?? 8B ?? 89 ?? ?? ?? F6 ?? ?? 0F 85 }
- $block_95 = { E8 ?? ?? ?? ?? 0F B7 ?? 66 ?? ?? 0F 94 ?? 84 ?? 75 }
- $block_96 = { 8B ?? ?? 8B ?? 2B ?? ?? F6 ?? ?? ?? 89 ?? ?? 0F 84 }
- $block_97 = { 8B ?? C7 ?? ?? ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? 0F 1F }
- $block_98 = { FE ?? 88 ?? ?? 0F B6 ?? 8B ?? ?? ?? 89 ?? ?? EB }
- $block_99 = { 4? 83 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 85 ?? 0F 8F }
-
- condition:
- hash.sha256(0, filesize) == "b0df1c855db31dd29a1e9b40f8360e5036e848e023741e05114d46b7359ff6f6" or
- hash.sha256(0, filesize) == "50b990f6555055a265fde98324759dbc74619d6a7c49b9fd786775299bf77d26" or
- 12 of them
-}
-
-rule Keylogger {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 40 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? B9 ?? ?? ?? ?? B8 ?? ?? ?? ?? F3 ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_1 = { E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? B9 ?? ?? ?? ?? F3 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 0F B7 ?? 85 ?? 75 }
- $block_2 = { 88 ?? ?? ?? 5? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? B9 ?? ?? ?? ?? B8 ?? ?? ?? ?? F3 ?? 0F B6 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 83 ?? ?? 75 }
- $block_3 = { 44 ?? ?? ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 5? 5? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? B9 ?? ?? ?? ?? B8 ?? ?? ?? ?? F3 ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
- $block_4 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 2D ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 87 }
- $block_5 = { 0F B6 ?? ?? ?? ?? ?? ?? 83 ?? ?? 48 ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 }
- $block_6 = { 0F B6 ?? ?? ?? ?? ?? ?? 83 ?? ?? 48 ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? EB }
- $block_7 = { 88 ?? ?? ?? 5? 48 ?? ?? ?? 48 ?? ?? B9 ?? ?? ?? ?? B8 ?? ?? ?? ?? F3 ?? 0F B6 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_8 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? 83 ?? ?? 74 }
- $block_9 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "e3f134ae88f05463c4707a80f956a689fba7066bb5357f6d45cba312ad0db68e" or
- 10 of them
-}
-
-rule Telebot_Downloader {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? ?? 8A ?? ?? ?? 0F B7 ?? ?? ?? C1 ?? ?? 83 ?? ?? ?? ?? 88 ?? ?? ?? 66 ?? ?? ?? ?? 0F 85 }
- $block_1 = { BB ?? ?? ?? ?? 89 ?? 29 ?? 89 ?? ?? ?? 89 ?? 83 ?? ?? 29 ?? 89 ?? ?? ?? 89 ?? ?? ?? 39 ?? 0F 83 }
- $block_2 = { 0F B6 ?? 8B ?? ?? ?? 4? 89 ?? ?? ?? 8A ?? ?? ?? ?? ?? 85 ?? 88 ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? 74 }
- $block_3 = { 66 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 94 ?? 39 ?? 0F 94 ?? 08 ?? 80 F? ?? 88 ?? ?? ?? 74 }
- $block_4 = { 0F 1F ?? ?? ?? 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? 89 ?? F7 ?? 89 ?? 0F 80 }
- $block_5 = { 8B ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 39 ?? 0F 85 }
- $block_6 = { 8D ?? ?? ?? 89 ?? 6A ?? 8D ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 }
- $block_7 = { 8B ?? ?? 0F AF ?? ?? 89 ?? 8B ?? ?? 01 ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 }
- $block_8 = { 8B ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 80 F? ?? 75 }
- $block_9 = { 8B ?? ?? 0F AF ?? ?? 89 ?? 8B ?? ?? 01 ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? FF D? 85 ?? 7E }
- $block_10 = { 8B ?? ?? ?? 89 ?? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_11 = { 8B ?? ?? 89 ?? C1 ?? ?? 01 ?? C1 ?? ?? 89 ?? 8B ?? ?? 01 ?? 89 ?? ?? 8B ?? ?? 0F B6 ?? 3C ?? 75 }
- $block_12 = { 8D ?? ?? 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 89 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? 0F 85 }
- $block_13 = { 87 ?? 8D ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? 83 ?? ?? 89 ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_14 = { 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? 83 ?? ?? 0F 84 }
- $block_15 = { 89 ?? ?? 89 ?? E8 ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? 85 ?? 0F 84 }
- $block_16 = { 8B ?? ?? ?? F2 ?? ?? ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? F2 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 }
- $block_17 = { 0F B6 ?? ?? ?? ?? ?? ?? 89 ?? 8B ?? ?? ?? ?? ?? C1 ?? ?? 83 ?? ?? C1 ?? ?? 09 ?? 39 ?? 0F 83 }
- $block_18 = { 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_19 = { 89 ?? E8 ?? ?? ?? ?? 0F 1F ?? ?? ?? ?? ?? 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? 89 ?? 85 ?? 0F 88 }
- $block_20 = { C7 ?? ?? ?? ?? ?? C6 ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 5? E8 ?? ?? ?? ?? 89 ?? 85 ?? 0F 84 }
- $block_21 = { 8B ?? ?? 8B ?? ?? ?? 8D ?? ?? 8B ?? ?? ?? 89 ?? 8D ?? ?? 83 ?? ?? 89 ?? ?? ?? 8D ?? ?? 0F 82 }
- $block_22 = { 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_23 = { 83 ?? ?? 31 ?? 0F 57 ?? 89 ?? 0F 29 ?? ?? ?? 0F 29 ?? ?? ?? 0F 29 ?? ?? ?? 0F 29 ?? ?? ?? 9? }
- $block_24 = { 8B ?? ?? 8B ?? ?? 6A ?? 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? 5? FF D? 83 ?? ?? 83 ?? ?? ?? ?? 0F 84 }
- $block_25 = { 8B ?? ?? 35 ?? ?? ?? ?? 89 ?? 8B ?? ?? 80 F? ?? 89 ?? 89 ?? 09 ?? 85 ?? 0F 94 ?? 0F B6 ?? EB }
- $block_26 = { 0F 1F ?? ?? 5? 5? FF 7? ?? ?? 8D ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 83 ?? ?? 0F 85 }
- $block_27 = { 0F BD ?? ?? ?? 0F BD ?? 83 ?? ?? 83 ?? ?? 29 ?? 8D ?? ?? 89 ?? 83 ?? ?? 89 ?? ?? ?? 0F 84 }
- $block_28 = { 89 ?? ?? 89 ?? ?? ?? 8D ?? ?? 31 ?? 8D ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 0F 1F ?? 66 ?? ?? 75 }
- $block_29 = { 66 ?? 5? 5? 5? 5? 81 E? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 80 7? ?? ?? 0F 85 }
- $block_30 = { 8D ?? ?? ?? 89 ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? 84 ?? 0F 85 }
- $block_31 = { 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 0F 1F }
- $block_32 = { BE ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 29 ?? 39 ?? 89 ?? 0F 43 ?? 83 ?? ?? 72 }
- $block_33 = { 8D ?? ?? 31 ?? 89 ?? 89 ?? 89 ?? ?? ?? 0F 1F ?? ?? ?? ?? ?? ?? 0F B6 ?? 8D ?? ?? 84 ?? 78 }
- $block_34 = { 83 ?? ?? 0F B6 ?? 89 ?? 8D ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? 83 ?? ?? 8B }
- $block_35 = { 0D ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? 8B ?? ?? 21 ?? 89 ?? ?? ?? 8B ?? ?? 85 ?? 0F 84 }
- $block_36 = { 89 ?? 89 ?? E8 ?? ?? ?? ?? 5? 6A ?? 5? E8 ?? ?? ?? ?? 89 ?? 89 ?? 89 ?? ?? ?? 85 ?? 0F 84 }
- $block_37 = { 8B ?? ?? ?? 8B ?? ?? ?? BD ?? ?? ?? ?? BB ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 39 ?? 0F 84 }
- $block_38 = { 89 ?? ?? ?? 8B ?? ?? ?? 4? 89 ?? ?? ?? 8B ?? ?? ?? 89 ?? 8B ?? ?? ?? 0F B6 ?? 83 ?? ?? 89 }
- $block_39 = { 89 ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 84 ?? 89 ?? ?? ?? C6 ?? ?? ?? ?? 0F 85 }
- $block_40 = { 8B ?? ?? ?? 8B ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_41 = { 8B ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_42 = { 0F B6 ?? ?? 89 ?? 0F B6 ?? ?? ?? ?? ?? 4? 0F B6 ?? ?? ?? ?? ?? 3A ?? ?? ?? ?? ?? 89 ?? 74 }
- $block_43 = { 8B ?? ?? BD ?? ?? ?? ?? 0F B6 ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? 24 ?? 3C ?? 89 ?? 75 }
- $block_44 = { 5? 5? 83 ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? 89 ?? ?? B1 ?? 89 ?? ?? ?? 80 7? ?? ?? 0F 85 }
- $block_45 = { 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? 83 ?? ?? 7F }
- $block_46 = { 8B ?? ?? ?? 8B ?? ?? ?? 8D ?? ?? 85 ?? 89 ?? ?? ?? 0F 44 ?? 8D ?? ?? ?? 89 ?? 85 ?? 74 }
- $block_47 = { 89 ?? ?? ?? 31 ?? 85 ?? 89 ?? BF ?? ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_48 = { E8 ?? ?? ?? ?? FF 7? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 85 ?? 0F 84 }
- $block_49 = { 0F 1F ?? ?? E8 ?? ?? ?? ?? 5? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 39 ?? 75 }
- $block_50 = { 80 7? ?? ?? ?? 0F 97 ?? 80 F? ?? 0F 97 ?? 3A ?? ?? ?? 18 ?? 80 C? ?? 20 ?? 20 ?? 0F B6 }
- $block_51 = { 8B ?? ?? 0F B6 ?? 0F B6 ?? C1 ?? ?? 89 ?? 8B ?? ?? 83 ?? ?? 0F B6 ?? 0F B6 ?? 09 ?? EB }
- $block_52 = { 89 ?? 83 ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? 0F 42 ?? 8D ?? ?? 81 F? ?? ?? ?? ?? 0F 83 }
- $block_53 = { 8D ?? ?? 8D ?? ?? 89 ?? ?? ?? 0F B6 ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? 84 ?? 0F 88 }
- $block_54 = { 8D ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F 84 }
- $block_55 = { 0F 1F ?? ?? ?? 5? 5? 83 ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? 8B ?? ?? 80 3? ?? 75 }
- $block_56 = { 8D ?? ?? ?? FF 7? ?? ?? FF 7? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 0F B7 ?? ?? ?? 3C ?? 75 }
- $block_57 = { 89 ?? BE ?? ?? ?? ?? 83 ?? ?? 0F 42 ?? 8D ?? ?? 89 ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 83 }
- $block_58 = { 8A ?? ?? ?? 88 ?? ?? ?? 0F B7 ?? ?? ?? 66 ?? ?? ?? ?? 8B ?? ?? 8B ?? F0 ?? ?? 0F 8E }
- $block_59 = { C6 ?? ?? BB ?? ?? ?? ?? 8A ?? ?? ?? 88 ?? ?? 0F B7 ?? ?? ?? 66 ?? ?? ?? 89 ?? ?? C7 }
- $block_60 = { 89 ?? ?? B1 ?? 86 ?? ?? 8B ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_61 = { 8B ?? ?? ?? 8B ?? ?? 8D ?? ?? 89 ?? 0F B6 ?? C1 ?? ?? 09 ?? 83 ?? ?? 66 ?? ?? ?? 73 }
- $block_62 = { 8B ?? ?? ?? C1 ?? ?? 66 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 09 ?? 31 ?? 89 ?? E9 }
- $block_63 = { 8B ?? ?? 89 ?? 31 ?? 29 ?? 89 ?? 01 ?? 89 ?? ?? 39 ?? ?? 8B ?? ?? ?? 8B ?? ?? 0F 95 }
- $block_64 = { 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? 8B ?? 8B ?? ?? 8B ?? 89 ?? 85 ?? 89 ?? ?? ?? 0F 84 }
- $block_65 = { 31 ?? B0 ?? F0 ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? C1 ?? ?? 0F B7 ?? 3D ?? ?? ?? ?? 0F 82 }
- $block_66 = { 89 ?? 89 ?? C1 ?? ?? C1 ?? ?? C1 ?? ?? C1 ?? ?? 0F B6 ?? 0F B7 ?? 09 ?? 09 ?? 0F 85 }
- $block_67 = { 89 ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? 29 ?? 89 ?? ?? ?? 8B ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_68 = { 8B ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 5? E8 ?? ?? ?? ?? 89 ?? 85 ?? 0F 84 }
- $block_69 = { 0F 1F ?? E8 ?? ?? ?? ?? FF 7? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 0F 87 }
- $block_70 = { 8B ?? ?? ?? BF ?? ?? ?? ?? BA ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? 39 ?? 0F 84 }
- $block_71 = { 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 3B ?? ?? 0F 87 }
- $block_72 = { 0F 1F ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 4? 85 ?? 0F 84 }
- $block_73 = { 8B ?? ?? ?? 83 ?? ?? ?? 0F 94 ?? 80 7? ?? ?? BE ?? ?? ?? ?? 18 ?? 20 ?? 0F B6 ?? EB }
- $block_74 = { 5? 5? 5? 5? 81 E? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 0B ?? ?? 0F 85 }
- $block_75 = { 89 ?? B8 ?? ?? ?? ?? 83 ?? ?? 0F 42 ?? 8B ?? ?? ?? 8D ?? ?? 3D ?? ?? ?? ?? 0F 83 }
- $block_76 = { 0F B6 ?? ?? 0F B6 ?? ?? ?? ?? ?? 8B ?? ?? ?? 0F B6 ?? ?? 4? 3A ?? ?? ?? ?? ?? 74 }
- $block_77 = { 31 ?? 89 ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? 89 ?? 29 ?? 29 ?? 89 ?? ?? ?? 0F 84 }
- $block_78 = { 4? BF ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? 0F 44 ?? ?? ?? 8D ?? ?? 8D ?? ?? 8D ?? ?? 89 }
- $block_79 = { 0F B6 ?? ?? 89 ?? 89 ?? 89 ?? ?? 8B ?? ?? ?? 24 ?? 3C ?? 89 ?? BE ?? ?? ?? ?? 75 }
- $block_80 = { 0F 1F ?? ?? 5? 89 ?? 83 ?? ?? 83 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? 8A ?? 80 F? ?? 74 }
- $block_81 = { 8B ?? ?? ?? 0F B6 ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? C1 ?? ?? 09 ?? EB }
- $block_82 = { 8B ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 29 ?? 89 ?? ?? ?? 89 ?? 0F 1F }
- $block_83 = { 8B ?? ?? ?? 0F B6 ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 89 ?? ?? ?? 81 F? ?? ?? ?? ?? 76 }
- $block_84 = { 89 ?? E8 ?? ?? ?? ?? 0F 1F ?? ?? ?? ?? ?? ?? 5? 5? 5? 5? 89 ?? 8B ?? ?? 85 ?? 74 }
- $block_85 = { 0F 1F ?? ?? ?? 8A ?? ?? ?? 81 E? ?? ?? ?? ?? 88 ?? 09 ?? 8A ?? ?? ?? 84 ?? 0F 85 }
- $block_86 = { 8B ?? ?? 83 ?? ?? 5? 5? FF 7? ?? FF 5? ?? 83 ?? ?? 4? 83 ?? ?? 84 ?? B0 ?? 0F 84 }
- $block_87 = { 8B ?? ?? ?? 8D ?? ?? 8B ?? 0F B6 ?? ?? 89 ?? ?? 66 ?? ?? ?? 89 ?? 04 ?? 3C ?? 72 }
- $block_88 = { 8B ?? ?? 83 ?? ?? 0F B6 ?? 0F B6 ?? C1 ?? ?? 89 ?? 8B ?? ?? 0F B6 ?? 0F B6 ?? 09 }
- $block_89 = { 8B ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 0F 47 ?? 4? 39 ?? 0F 87 }
- $block_90 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 83 ?? ?? 31 ?? 83 ?? ?? ?? 89 ?? 89 ?? ?? ?? 0F 84 }
- $block_91 = { 89 ?? 83 ?? ?? 89 ?? ?? ?? 8B ?? 89 ?? ?? ?? 31 ?? 8B ?? ?? 89 ?? ?? ?? 0F 1F }
- $block_92 = { 66 ?? ?? ?? ?? 0F 10 ?? 83 ?? ?? 66 ?? ?? ?? ?? 0F 11 ?? 83 ?? ?? 83 ?? ?? 75 }
- $block_93 = { 89 ?? 83 ?? ?? 31 ?? 89 ?? ?? ?? 8B ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 0F 1F }
- $block_94 = { 8B ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 0F 84 }
- $block_95 = { 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? 83 ?? ?? 01 ?? 8D ?? ?? 8D ?? ?? 0F 1F }
- $block_96 = { 31 ?? 85 ?? 89 ?? ?? ?? 0F 95 ?? ?? ?? 0F 95 ?? 80 7? ?? ?? 88 ?? ?? ?? 0F 85 }
- $block_97 = { 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 8B ?? ?? 0F B6 ?? 3C ?? 74 }
- $block_98 = { 3B ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? 0F 85 }
- $block_99 = { 8B ?? ?? ?? 85 ?? 0F 94 ?? 89 ?? 29 ?? 0F 94 ?? 08 ?? 80 F? ?? 88 ?? ?? ?? 75 }
-
- condition:
- hash.sha256(0, filesize) == "2ee5a743bd420aa04e0ea9ab7a25e1cc2c346a55d6a518f267896694d75539a2" or
- 12 of them
-}
-
-rule Zebrocy {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? 8B ?? ?? 8B ?? ?? 8D ?? ?? 8B ?? ?? 0F B6 ?? E8 ?? ?? ?? ?? 84 ?? 74 }
- $block_1 = { 33 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 82 }
- $block_2 = { 36 ?? 38 ?? 61 62 ?? ?? 65 ?? ?? ?? 38 ?? ?? 38 ?? ?? ?? ?? ?? 31 ?? ?? ?? ?? ?? 20 ?? ?? 6C 75 }
- $block_3 = { 67 ?? ?? ?? ?? ?? ?? ?? 20 ?? ?? 6C 6C 65 ?? ?? ?? ?? 69 ?? ?? ?? ?? ?? ?? 20 ?? 20 ?? ?? ?? 70 }
- $block_4 = { 4? 2D ?? ?? ?? ?? 61 6C 69 ?? ?? ?? ?? ?? ?? ?? 6B ?? ?? ?? 65 ?? 33 ?? 2E ?? ?? 6C 00 ?? ?? 79 }
- $block_5 = { 69 ?? ?? ?? ?? ?? ?? 6E 67 ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? ?? 65 ?? ?? 62 ?? ?? 20 ?? ?? 6D 6F 72 }
- $block_6 = { 65 ?? ?? 4? 00 ?? ?? 00 ?? 4? 00 ?? FF 0? 00 ?? 00 ?? 00 ?? 80 0? ?? 00 ?? 08 ?? 06 4? 61 73 }
- $block_7 = { 5? 33 ?? 5? 68 ?? ?? ?? ?? 64 ?? ?? 64 ?? ?? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_8 = { 5? 5? 33 ?? 5? 68 ?? ?? ?? ?? 64 ?? ?? 64 ?? ?? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 85 ?? 0F 8C }
- $block_9 = { 4? 6F 64 ?? ?? ?? ?? ?? ?? 65 ?? ?? ?? 3D ?? ?? ?? ?? 32 ?? 34 ?? 36 ?? 38 ?? 61 62 ?? ?? 65 }
- $block_10 = { 6C 69 ?? ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 2F 68 ?? ?? ?? ?? 20 ?? ?? 65 ?? ?? ?? ?? 74 }
- $block_11 = { 61 20 ?? ?? 6E 63 ?? ?? ?? 6E 30 ?? 32 ?? 34 ?? 36 ?? 38 ?? 4? 4? 4? 4? 4? 4? 30 ?? 32 ?? 34 }
- $block_12 = { 6F 2F 63 ?? ?? 68 ?? ?? ?? ?? 69 ?? ?? ?? ?? ?? ?? 63 ?? ?? ?? 4? 4? 20 ?? ?? ?? 20 ?? ?? 7A }
- $block_13 = { 35 ?? ?? ?? ?? 32 ?? 33 ?? 32 ?? ?? ?? ?? ?? 61 69 ?? ?? ?? ?? ?? ?? 20 ?? ?? 61 6E 64 ?? 72 }
- $block_14 = { 69 ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 3A ?? 2F 31 ?? 30 ?? 39 ?? 2E ?? ?? 37 2E ?? ?? 36 ?? 70 }
- $block_15 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_16 = { 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8D ?? ?? 83 ?? ?? 39 ?? 0F 87 }
- $block_17 = { 66 ?? ?? ?? ?? 89 ?? ?? ?? 0F B7 ?? ?? ?? 09 ?? 66 ?? ?? ?? ?? 0F B6 ?? ?? ?? 84 ?? 0F 84 }
- $block_18 = { 9? 4? 00 ?? ?? 00 ?? 08 ?? 4? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 5? 6F 70 }
- $block_19 = { 8B ?? ?? 0F BE ?? ?? 83 ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 4? 89 ?? ?? 3B ?? ?? 72 }
- $block_20 = { 20 ?? ?? 61 3D ?? ?? ?? ?? 20 ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6D 61 78 }
- $block_21 = { 20 ?? ?? ?? ?? ?? 20 ?? 20 ?? 6D 3D ?? ?? ?? ?? 32 ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? 73 }
- $block_22 = { 61 63 ?? ?? 3D ?? ?? ?? ?? 6C 6F 63 ?? ?? 67 ?? ?? ?? ?? ?? 63 ?? ?? ?? 6B ?? ?? ?? 70 }
- $block_23 = { 38 ?? 38 ?? 30 ?? 32 ?? ?? ?? ?? ?? 33 ?? 34 ?? 33 ?? 32 ?? ?? ?? ?? ?? 5? 4? 6F 6E 74 }
- $block_24 = { 9E 02 ?? 9C 9E 02 ?? 03 ?? 00 ?? 04 ?? 00 ?? C0 ?? ?? ?? ?? ?? ?? 00 ?? 9E 02 ?? 5? E3 }
- $block_25 = { 36 ?? ?? 39 ?? 36 ?? ?? ?? ?? ?? ?? 61 6C 69 ?? ?? ?? ?? ?? ?? ?? 63 ?? ?? ?? 61 6C 75 }
- $block_26 = { 00 ?? FF 0? 00 ?? 00 ?? 00 ?? 80 F? ?? FF 1? 02 ?? 0A ?? ?? 65 ?? 64 ?? 6F 6C 6F 72 }
- $block_27 = { 8D ?? ?? A1 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 0F 84 }
- $block_28 = { 5? 5? 89 ?? ?? 33 ?? 5? 68 ?? ?? ?? ?? 64 ?? ?? 64 ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_29 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? 8B ?? ?? 8B ?? ?? 88 ?? ?? ?? FF 4? ?? FF 4? ?? 75 }
- $block_30 = { 65 ?? ?? ?? ?? ?? 65 ?? ?? ?? 6C 65 ?? ?? ?? ?? 68 ?? ?? ?? ?? 65 ?? ?? 20 ?? ?? 76 }
- $block_31 = { 4? 5? 5? 5? 5? 5? 5? 4? 4? 4? 5? 4? 4? 4? 5? 4? 4? 5? 69 ?? ?? ?? ?? ?? ?? 6E 6C 6F }
- $block_32 = { 69 ?? ?? ?? ?? ?? ?? 6F 3A ?? 69 ?? ?? ?? ?? ?? ?? 20 ?? ?? 65 ?? ?? ?? 20 ?? ?? 72 }
- $block_33 = { 61 63 ?? ?? ?? 65 ?? ?? ?? 6E 3C ?? 63 ?? ?? ?? 65 ?? ?? ?? ?? 6B ?? ?? ?? 6F 6D 61 }
- $block_34 = { 3D ?? ?? ?? ?? 6E 3D ?? ?? ?? ?? 29 ?? 28 ?? 6D 3A ?? ?? 28 ?? 6D 3A ?? ?? 28 ?? 73 }
- $block_35 = { CE BC ?? ?? ?? ?? 20 ?? 3D ?? ?? ?? ?? 20 ?? 3C ?? 3D ?? ?? ?? ?? 20 ?? ?? 20 ?? 66 }
- $block_36 = { 07 0A ?? ?? ?? 61 67 ?? ?? 69 ?? ?? ?? ?? ?? ?? 8C ?? 4? 00 ?? ?? 08 ?? ?? 6E 74 }
- $block_37 = { 8B ?? ?? ?? ?? ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_38 = { 69 ?? ?? ?? ?? ?? ?? 6E 6B ?? ?? ?? 6E 28 ?? ?? 61 69 ?? ?? ?? ?? ?? ?? 66 ?? 72 }
- $block_39 = { 61 6E 5? 4? 6C 62 ?? ?? 69 ?? ?? ?? ?? ?? ?? 61 6E 64 ?? 69 ?? ?? ?? ?? ?? ?? 67 }
- $block_40 = { 20 ?? ?? 61 3D ?? ?? ?? ?? 3D ?? ?? ?? ?? 3D ?? ?? ?? ?? 3D ?? ?? ?? ?? 20 ?? 73 }
- $block_41 = { 29 ?? 28 ?? ?? 61 6E 20 ?? 28 ?? ?? 61 6E 29 ?? 4? 4? 20 ?? ?? 20 ?? 5? 61 6C 75 }
- $block_42 = { 62 ?? ?? 64 ?? ?? ?? 31 ?? ?? 69 ?? ?? ?? ?? ?? 63 ?? ?? 6C 63 ?? ?? 20 ?? ?? 73 }
- $block_43 = { 63 ?? ?? ?? ?? ?? 4? 6F 64 ?? ?? ?? ?? ?? ?? 63 ?? ?? 69 ?? ?? ?? ?? ?? ?? ?? 70 }
- $block_44 = { 5? 4? 4? 4? 5? 4? 4? 4? 5? 4? 4? 5? 69 ?? ?? ?? ?? ?? ?? 6E 6C 6F 63 ?? ?? 4? 4? }
- $block_45 = { 6E 66 ?? ?? 6E 20 ?? ?? ?? ?? ?? 62 ?? ?? 2E ?? ?? ?? 2E ?? ?? ?? 2E ?? ?? ?? 2E }
- $block_46 = { 5? 5? 5? 88 ?? ?? 8B ?? 33 ?? 5? 68 ?? ?? ?? ?? 64 ?? ?? 64 ?? ?? 85 ?? 0F 84 }
- $block_47 = { 8B ?? E8 ?? ?? ?? ?? 8D ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 4? FF 4? ?? 0F 85 }
- $block_48 = { 35 ?? ?? ?? ?? 33 ?? 39 ?? 35 ?? ?? ?? ?? 37 32 ?? 35 ?? ?? ?? ?? 4? 4? 5? 4? }
- $block_49 = { 20 ?? ?? ?? 65 ?? ?? ?? 6E 65 ?? ?? 31 ?? ?? 6D 6F 61 20 ?? ?? 61 6E 64 ?? 72 }
- $block_50 = { 69 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? 2D ?? ?? ?? ?? 6E 6B ?? ?? ?? 6E 20 ?? ?? 74 }
- $block_51 = { 65 ?? ?? ?? ?? ?? 6C 6F 63 ?? ?? 67 ?? ?? ?? ?? ?? 63 ?? ?? ?? 6B ?? ?? ?? 70 }
- $block_52 = { 8B ?? ?? ?? ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_53 = { 4? 4? 00 ?? 00 ?? 00 ?? 00 ?? 80 F? ?? FF 1? 03 ?? 07 4? 6B ?? ?? ?? 6F 72 }
- $block_54 = { 0F B6 ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? C6 ?? ?? ?? 3B ?? 74 }
- $block_55 = { 67 ?? 6D 61 67 ?? ?? 69 ?? ?? ?? ?? ?? ?? 88 ?? 4? 00 ?? 00 ?? 4? 6F 6E 74 }
- $block_56 = { 6E 67 ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? ?? 65 ?? ?? 62 ?? ?? 20 ?? ?? 6D 6F 72 }
- $block_57 = { 64 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 3B ?? ?? 0F 86 }
- $block_58 = { 6D 65 ?? ?? 62 ?? ?? 20 ?? ?? 2D ?? ?? ?? ?? 6E 6B ?? ?? ?? 6E 20 ?? ?? 74 }
- $block_59 = { 4? 24 ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 0F B7 ?? ?? ?? 8B ?? ?? ?? 85 ?? 0F 84 }
- $block_60 = { 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 88 ?? ?? C7 ?? ?? ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_61 = { 32 ?? 35 ?? ?? ?? ?? 32 ?? 35 ?? ?? ?? ?? 39 ?? 36 ?? ?? ?? ?? ?? 6D 65 }
- $block_62 = { 69 ?? ?? ?? ?? ?? ?? 5? 61 6B ?? ?? ?? 61 6D 69 ?? ?? ?? ?? ?? ?? ?? 72 }
- $block_63 = { 20 ?? ?? 6C 6C 6F 63 ?? ?? 67 ?? ?? ?? ?? ?? 63 ?? ?? ?? 6B ?? ?? ?? 70 }
- $block_64 = { 63 ?? 6B ?? ?? ?? 6F 66 ?? ?? ?? ?? 65 ?? ?? ?? ?? ?? ?? 20 ?? ?? 6E 79 }
- $block_65 = { 68 ?? ?? ?? ?? 6C 6C 65 ?? ?? 6C 20 ?? ?? 65 ?? ?? ?? 20 ?? ?? 6C 6F 77 }
- $block_66 = { 32 ?? ?? ?? ?? ?? 34 ?? 34 ?? 37 37 35 ?? ?? ?? ?? 32 ?? ?? ?? ?? ?? 73 }
- $block_67 = { 5? 61 69 ?? ?? ?? ?? ?? ?? 61 69 ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 61 79 }
- $block_68 = { 4? 4? 5? 4? 5? 4? 5? 5? 5? 32 ?? ?? 4? 5? 4? 5? 5? 4? 4? 4? 5? 4? 61 74 }
- $block_69 = { 8B ?? ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 8C }
- $block_70 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 83 ?? ?? 2B ?? 83 ?? ?? 83 ?? ?? 0F 86 }
- $block_71 = { A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? FF 5? ?? 4? 85 ?? 0F 8E }
- $block_72 = { 61 6E 4? 68 ?? ?? ?? ?? 4? 6F 6D 6D 6F 6E 4? 6F 6F 6B ?? ?? ?? 6F 70 }
- $block_73 = { 64 ?? ?? 2D ?? ?? ?? ?? 20 ?? ?? ?? 69 ?? ?? ?? ?? ?? ?? ?? 6F 6E 74 }
- $block_74 = { 6F 6F 4? 4? 20 ?? ?? 65 ?? ?? 4? 20 ?? ?? 69 ?? ?? ?? ?? ?? ?? ?? 74 }
- $block_75 = { 6A ?? 5? 5? 5? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 87 }
- $block_76 = { 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? FF 5? ?? 8B ?? 4? 85 ?? 0F 8C }
- $block_77 = { 64 ?? ?? ?? 61 6E 25 ?? ?? ?? ?? 28 ?? 62 ?? ?? 2E ?? 6C 6F 61 74 }
- $block_78 = { 65 ?? ?? ?? 69 ?? ?? ?? ?? ?? ?? 61 6C 69 ?? ?? ?? ?? ?? ?? ?? 66 }
- $block_79 = { 2A ?? ?? ?? ?? ?? 25 ?? ?? ?? ?? 34 ?? 26 ?? ?? 39 ?? 26 ?? 6D 70 }
- $block_80 = { 64 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? 3B ?? ?? 0F 86 }
- $block_81 = { 62 ?? ?? 63 ?? ?? ?? 61 6B ?? ?? ?? 61 6E 20 ?? ?? 61 6E 64 ?? 72 }
- $block_82 = { 6E 67 ?? ?? ?? 6D 61 69 ?? ?? ?? ?? ?? ?? 69 ?? ?? ?? ?? ?? ?? 73 }
- $block_83 = { 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? FF 5? ?? 4? 85 ?? 0F 8E }
- $block_84 = { 8D ?? ?? 8D ?? ?? 8B ?? ?? 0F B6 ?? E8 ?? ?? ?? ?? 84 ?? 74 }
- $block_85 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_86 = { 33 ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? FF 5? ?? 4? 85 ?? 0F 8E }
- $block_87 = { 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 94 ?? 83 ?? ?? 75 }
- $block_88 = { 6A ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 }
- $block_89 = { 8D ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 0F 87 }
- $block_90 = { 33 ?? E8 ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_91 = { 69 ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 00 ?? 4? 6F 6E 74 }
- $block_92 = { 69 ?? ?? ?? ?? ?? ?? BC ?? ?? ?? ?? 00 ?? 4? 6F 6E 74 }
- $block_93 = { 0F B7 ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? ?? ?? 75 }
- $block_94 = { FF 0? ?? ?? ?? ?? 81 3? ?? ?? ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_95 = { 5? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_96 = { BA ?? ?? ?? ?? 8B ?? D3 ?? 85 ?? ?? ?? ?? ?? 0F 84 }
- $block_97 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? E8 }
- $block_98 = { A1 ?? ?? ?? ?? 8B ?? 8B ?? FF 5? ?? 4? 85 ?? 0F 8C }
- $block_99 = { 0F B7 ?? ?? 5? 5? E8 ?? ?? ?? ?? 80 7? ?? ?? 75 }
-
- condition:
- hash.sha256(0, filesize) == "dd7e69e14c88972ac173132b90b3f4bfb2d1faec15cca256a256dd3a12b6e75d" or
- hash.sha256(0, filesize) == "f5c28f2089c1ac3cdc9d1bc01297838f663dfb0f2a4a2686edb47cc64ea60bb4" or
- hash.sha256(0, filesize) == "f3f26c446fb3bf8453f434bbeed506ba78f40f510c4186cb7229e2473862c10f" or
- hash.sha256(0, filesize) == "074a5836c5973bb53ab02c2bad66a4743b65c20fd6bf602cfaf09219f32d2426" or
- hash.sha256(0, filesize) == "b483b6f21601752ff800ba52092e358050e4b370117503a9309787fd57935926" or
- hash.sha256(0, filesize) == "e2f3caade127e855fdec68faf8eea845fed9ae98ea17cd74644e57de91fb6e11" or
- hash.sha256(0, filesize) == "ee9218a451c455fbca45460c0a27e1881833bd2a05325ed60f30bd4d14bb2fdc" or
- hash.sha256(0, filesize) == "15486216ab9c8b474fe8a773fc46bb37a19c6af47d5bd50f5670cd9950a7207c" or
- hash.sha256(0, filesize) == "044f8ab501090fd77ae6e9ebf57e7fba9041be7ab986ce58f38583f4839a5126" or
- hash.sha256(0, filesize) == "d7c12acb306b5100a5497586942b68a8f6d5deb353083da594caba2523c3171f" or
- hash.sha256(0, filesize) == "10a9a217d3b53a3e43ec03b81a026f7a70350a062b900d672353690090e1ade6" or
- hash.sha256(0, filesize) == "c8f39b13b5d6952c853c4b9fd63d1a1cc2acaf01fd97185761894d1634ba0a38" or
- hash.sha256(0, filesize) == "e5b3252692c3486339cf68799d3e19fe4ac530f3f09236167a6f01510a488e90" or
- hash.sha256(0, filesize) == "736dca8fdbe0a9cbf0982a5fd540d7b31eccb83ad1e63393a8c3ce6b379f6c9d" or
- hash.sha256(0, filesize) == "142287861c2322646c185b5092a1e7176a63a4d4909f03ae88446c7ff1fde105" or
- hash.sha256(0, filesize) == "25f0d1cbcc53d8cfd6d848e12895ce376fbbfaf279be591774b28f70852a4fd8" or
- hash.sha256(0, filesize) == "b6d2b8a527b2d2dafbfca559086c391aefdceed788fc9578d15c50a20343ee50" or
- hash.sha256(0, filesize) == "5223a45d8b08eb14e87a87edaa4b71593b4f9d2bdb6de1a5b6f3e77869eeca8a" or
- 12 of them
-}
-
-rule XTunnel {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 89 ?? ?? 8B ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 69 ?? ?? ?? ?? ?? 89 }
- $block_1 = { 0F B7 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? C7 }
- $block_2 = { 0F B7 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 76 }
- $block_3 = { 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 0F 85 }
- $block_4 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 80 7? ?? ?? 89 ?? ?? 75 }
- $block_5 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 8B ?? ?? 80 7? ?? ?? 89 ?? ?? 75 }
- $block_6 = { 0F B7 ?? ?? ?? ?? ?? 5? 5? 6A ?? 5? 5? 5? 5? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 75 }
- $block_7 = { C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 0F BF ?? ?? 83 ?? ?? 74 }
- $block_8 = { 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 87 }
- $block_9 = { 0F B6 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 44 ?? ?? ?? ?? 44 ?? ?? 0F 8D }
- $block_10 = { 8B ?? ?? 0F B7 ?? ?? ?? ?? ?? 8B ?? ?? 80 7? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 75 }
- $block_11 = { 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F 83 }
- $block_12 = { B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 41 ?? ?? ?? 41 ?? ?? ?? 0F 44 ?? 89 }
- $block_13 = { 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? A8 ?? 0F 85 }
- $block_14 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 80 3? ?? 0F 85 }
- $block_15 = { 5? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F 84 }
- $block_16 = { 5? 48 ?? ?? 48 ?? ?? ?? 4C ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_17 = { 8B ?? ?? 8B ?? 8B ?? ?? 6A ?? 6A ?? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 84 }
- $block_18 = { 8B ?? ?? 8B ?? 8B ?? ?? 6A ?? 6A ?? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 85 }
- $block_19 = { 4C ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 84 }
- $block_20 = { 5? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? A8 ?? 0F 85 }
- $block_21 = { 5? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 0F 84 }
- $block_22 = { C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 80 7? ?? ?? 89 ?? ?? 75 }
- $block_23 = { 8B ?? ?? ?? ?? ?? 5? B9 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 8F }
- $block_24 = { 8B ?? ?? 8B ?? 8B ?? ?? 6A ?? 6A ?? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 8E }
- $block_25 = { 0F B6 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 44 ?? ?? ?? ?? 44 ?? ?? 0F 8D }
- $block_26 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 0F BE ?? 81 F? ?? ?? ?? ?? 0F 85 }
- $block_27 = { 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 87 }
- $block_28 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 23 ?? 8B ?? 85 ?? 0F 84 }
- $block_29 = { 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 03 ?? ?? 0F B6 ?? 33 ?? 8B ?? ?? 03 ?? ?? 88 ?? E9 }
- $block_30 = { 8B ?? ?? 8D ?? ?? 8B ?? 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF 5? ?? 85 ?? 0F 88 }
- $block_31 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F 83 }
- $block_32 = { E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 81 3? ?? ?? ?? ?? 0F 84 }
- $block_33 = { 2B ?? 8B ?? ?? 5? 8B ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_34 = { 2B ?? 5? 8B ?? ?? 8B ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_35 = { 8B ?? ?? 2B ?? 8B ?? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_36 = { 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? E8 ?? ?? ?? ?? 84 ?? 0F 85 }
- $block_37 = { 80 B? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? 0F 85 }
- $block_38 = { 8B ?? ?? 0F B7 ?? ?? 5? FF 1? ?? ?? ?? ?? 66 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? EB }
- $block_39 = { 8B ?? ?? 0F B7 ?? ?? 5? FF 1? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 }
- $block_40 = { 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 88 ?? ?? 8A ?? ?? A8 ?? 0F 85 }
- $block_41 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F B6 ?? ?? 81 F? ?? ?? ?? ?? 0F 85 }
- $block_42 = { 48 ?? ?? ?? 48 ?? ?? ?? 8B ?? 48 ?? ?? ?? 2B ?? ?? 48 ?? ?? ?? 3B ?? ?? 0F 8E }
- $block_43 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 84 }
- $block_44 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_45 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 0F 85 }
- $block_46 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F B6 ?? ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_47 = { 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 82 }
- $block_48 = { 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F 87 }
- $block_49 = { 48 ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? FF D? 81 B? ?? ?? ?? ?? ?? ?? ?? ?? 0F 8E }
- $block_50 = { 8D ?? ?? 5? C7 ?? ?? ?? ?? ?? ?? 8B ?? 68 ?? ?? ?? ?? 5? FF 1? 85 ?? 0F 88 }
- $block_51 = { 4C ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 84 }
- $block_52 = { 48 ?? ?? ?? ?? ?? ?? 0F BF ?? ?? 81 E? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_53 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F B6 ?? 81 F? ?? ?? ?? ?? 0F 85 }
- $block_54 = { 48 ?? ?? ?? 8B ?? ?? 89 ?? 4C ?? ?? ?? 48 ?? ?? ?? 49 ?? ?? 4C ?? ?? 0F 83 }
- $block_55 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? A8 ?? 0F 85 }
- $block_56 = { 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 87 }
- $block_57 = { 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 80 3? ?? 0F 85 }
- $block_58 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F B6 ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_59 = { 8B ?? ?? 8B ?? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_60 = { 8B ?? ?? 6A ?? 6A ?? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 85 }
- $block_61 = { 0F B7 ?? 8D ?? ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 }
- $block_62 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 0F 84 }
- $block_63 = { 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F 87 }
- $block_64 = { 4C ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 85 }
- $block_65 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 84 }
- $block_66 = { 8B ?? ?? 8B ?? 5? 5? 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_67 = { 8B ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_68 = { 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_69 = { 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? A8 ?? 0F 85 }
- $block_70 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 0F BE ?? 81 F? ?? ?? ?? ?? 41 ?? ?? ?? 44 }
- $block_71 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 80 3? ?? 0F 95 ?? 80 F? ?? F6 ?? ?? 0F 85 }
- $block_72 = { 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_73 = { 5? FF 1? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 5? E9 }
- $block_74 = { E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 85 ?? 0F 85 }
- $block_75 = { 6A ?? 6A ?? 5? 8B ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_76 = { 0F B6 ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? 0F B6 ?? ?? 3B ?? 7D }
- $block_77 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0F BF ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_78 = { C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 81 B? ?? ?? ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_79 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_80 = { 48 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0F BA ?? ?? 48 ?? ?? ?? ?? 89 }
- $block_81 = { 8B ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_82 = { 8B ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_83 = { 8B ?? ?? ?? ?? ?? 0F BF ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? 66 }
- $block_84 = { BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 8E }
- $block_85 = { 0F B7 ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 66 ?? ?? ?? 75 }
- $block_86 = { 0F B6 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? 0F B6 ?? ?? 3B ?? 7D }
- $block_87 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 80 7? ?? ?? 89 ?? ?? 75 }
- $block_88 = { 33 ?? B8 ?? ?? ?? ?? 33 ?? 66 ?? ?? ?? 39 ?? ?? 0F 86 }
- $block_89 = { 33 ?? BA ?? ?? ?? ?? 33 ?? 66 ?? ?? ?? 39 ?? ?? 0F 86 }
- $block_90 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 38 ?? ?? ?? ?? ?? 0F 85 }
- $block_91 = { 48 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_92 = { 48 ?? ?? ?? ?? 81 B? ?? ?? ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_93 = { 8B ?? ?? 8B ?? ?? 8B ?? 0F B6 ?? ?? 83 ?? ?? 0F 85 }
- $block_94 = { 8B ?? ?? 8D ?? ?? 8B ?? 5? 5? FF 5? ?? 85 ?? 0F 88 }
- $block_95 = { 8B ?? ?? 8B ?? ?? 8B ?? 0F B6 ?? 83 ?? ?? 0F 84 }
- $block_96 = { 8B ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 39 ?? ?? 0F 83 }
- $block_97 = { 8B ?? ?? 8B ?? ?? 8B ?? 0F B6 ?? 83 ?? ?? 0F 85 }
- $block_98 = { 8B ?? ?? 8B ?? ?? 8B ?? 0F B6 ?? ?? 83 ?? ?? 74 }
- $block_99 = { 0F B7 ?? ?? 5? FF 1? ?? ?? ?? ?? 66 ?? ?? ?? 75 }
-
- condition:
- hash.sha256(0, filesize) == "79f977c8f815c5910df382b920460fd6448103923f4dc128fc56fdf3867c47b1" or
- hash.sha256(0, filesize) == "c5f8236e578a2b877fe538b2ef6f4aeceeb1b9cb73bba4d02fd368a5eb85cfab" or
- hash.sha256(0, filesize) == "60ee6fdca66444bdc2e4b00dc67a1b0fdee5a3cd9979815e0aab9ce6435262c6" or
- hash.sha256(0, filesize) == "d2e947a39714478983764b270985d2529ff682ffec9ebac792158353caf90ed3" or
- hash.sha256(0, filesize) == "1c8869abf756e77e1b6d7d0ad5ca8f1cdce1a111315c3703e212fb3db174a6d5" or
- hash.sha256(0, filesize) == "566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092" or
- hash.sha256(0, filesize) == "8c488b029188e3280ed3614346575a4a390e0dda002bca08c0335210a6202949" or
- hash.sha256(0, filesize) == "40ae43b7d6c413becc92b07076fa128b875c8dbb4da7c036639eccf5a9fc784f" or
- hash.sha256(0, filesize) == "86356fa5be88673bcf6f75e9d80d5bfd1a4e8aa621c3565442997e7af3dbded6" or
- hash.sha256(0, filesize) == "a979c5094f75548043a22b174aa10e1f2025371bd9e1249679f052b168e194b3" or
- hash.sha256(0, filesize) == "c6a9db52a3855d980a7f383dbe2fb70300a12b7a3a4f0a995e2ebdef769eaaca" or
- hash.sha256(0, filesize) == "a2c9041ee1918523e67dbaf1c514f98609d4dbe451ba08657653bb41946fc89d" or
- hash.sha256(0, filesize) == "35a4ba765653f05de95f51cd2cc2898dafdb2a82d750f51dd892c160eaf7fcd9" or
- hash.sha256(0, filesize) == "a37eda810ca92486bfb0e1f1b27adb7c9df57aafab686c000ae1d6ec5d6f6180" or
- hash.sha256(0, filesize) == "688146426628260d32a6b4891d0900eab98c996e66018203d54270e2b76472b1" or
- hash.sha256(0, filesize) == "4dd8ab2471337a56b431433b7e8db2a659dc5d9dc5481b4209c4cddd07d6dc2b" or
- hash.sha256(0, filesize) == "730a0e3daf0b54f065bdd2ca427fbe10e8d4e28646a5dc40cbcfb15e1702ed9a" or
- hash.sha256(0, filesize) == "d2a6064429754571682f475b6b67f36526f1573d846182aab3516c2637fa1e81" or
- hash.sha256(0, filesize) == "53262019782e1ede6c8b3a4cdfdfffed1fc9abb99a0a39ff193c585450fac044" or
- hash.sha256(0, filesize) == "cee41e51e82f5ea3cd318e6cb7e1e2218a7a86a2fbf8ffa566e4c5158bc6dd02" or
- hash.sha256(0, filesize) == "b40909ac0b70b7bd82465dfc7761a6b4e0df55b894dd42290e3f72cb4280fa44" or
- hash.sha256(0, filesize) == "fc224a6cca956a59812a13e53ba08a279996ea2ee194fe20fb10170ca5c2db6a" or
- hash.sha256(0, filesize) == "1289ee3d29967f491542c0bdeff6974aad6b37932e91ff9c746fb220d5edb407" or
- hash.sha256(0, filesize) == "20bf23ec9f25639f0e41a844448ced8fc5eb74ca017ef7ea920bdf6123ef21bd" or
- hash.sha256(0, filesize) == "e46b038a1e735c4bf9aab5b8610ff38fa19670daf0bace985511acfc3a497459" or
- hash.sha256(0, filesize) == "854a522a113b6413ff4db5f0ba0aec98cba3c5ef386311660f6dabab26f6aa14" or
- hash.sha256(0, filesize) == "be2e58669dbdec916f7aaaf4d7c55d866c4f38ac290812b10d680d943bb5b757" or
- hash.sha256(0, filesize) == "e2a850aeffc9a466c77ca3e39fd3ee4f74d593583666aea5b014aa6c50ca7af8" or
- hash.sha256(0, filesize) == "4845761c9bed0563d0aa83613311191e075a9b58861e80392914d61a21bad976" or
- 12 of them
-}
-
-rule XAgent {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_1 = { 0F B6 ?? ?? ?? ?? ?? 4B ?? ?? ?? 88 ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? 4C ?? ?? ?? 72 }
- $block_2 = { 69 ?? ?? ?? ?? ?? 8D ?? ?? 48 ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? 81 F? ?? ?? ?? ?? 0F 8E }
- $block_3 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 45 ?? ?? 48 ?? ?? ?? ?? ?? ?? FF D? 85 ?? 0F 85 }
- $block_4 = { 8B ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? 8B ?? 8B ?? ?? 5? FF D? 84 ?? 0F 84 }
- $block_5 = { 48 ?? ?? 48 ?? ?? 48 ?? ?? ?? 49 ?? ?? 83 ?? ?? 49 ?? ?? 49 ?? ?? 0F B6 ?? ?? 88 ?? ?? ?? 75 }
- $block_6 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 6A ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_7 = { 0F 10 ?? ?? ?? ?? ?? 0F 29 ?? ?? ?? 4C ?? ?? ?? ?? 4C ?? ?? 33 ?? 48 ?? ?? E8 ?? ?? ?? ?? EB }
- $block_8 = { 4C ?? ?? ?? ?? 44 ?? ?? ?? ?? 4C ?? ?? ?? ?? 4C ?? ?? ?? ?? 4C ?? ?? ?? ?? 44 ?? ?? ?? 0F 1F }
- $block_9 = { 0F B6 ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 33 ?? 0F B6 ?? ?? ?? C1 ?? ?? 33 ?? 83 ?? ?? 33 ?? C7 }
- $block_10 = { 5? 0F B6 ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? 5? 89 ?? E8 ?? ?? ?? ?? 83 ?? ?? 5? }
- $block_11 = { 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 49 ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? 41 ?? ?? ?? 84 ?? 0F 84 }
- $block_12 = { 8B ?? 8B ?? ?? 8B ?? FF D? 66 ?? ?? ?? 8A ?? ?? 88 ?? ?? 0F B6 ?? 83 ?? ?? 83 ?? ?? 0F 87 }
- $block_13 = { 48 ?? ?? ?? ?? 5? 5? 41 ?? 48 ?? ?? ?? 49 ?? ?? 49 ?? ?? 48 ?? ?? 4C ?? ?? 49 ?? ?? 0F 84 }
- $block_14 = { 8B ?? ?? 8B ?? 83 ?? ?? 8A ?? ?? 30 ?? ?? ?? 8B ?? ?? FE ?? 0F B6 ?? 83 ?? ?? 3B ?? 72 }
- $block_15 = { 5? 8B ?? 83 ?? ?? 8B ?? 83 ?? ?? ?? ?? ?? ?? 5? 8B ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? 0F 86 }
- $block_16 = { 8B ?? ?? 5? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 5? 5? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_17 = { 6A ?? 68 ?? ?? ?? ?? 8B ?? C6 ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? 83 ?? ?? 0F 87 }
- $block_18 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? 8B ?? ?? 2B ?? ?? 5? C1 ?? ?? 5? C6 ?? ?? ?? 85 ?? 0F 84 }
- $block_19 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 03 ?? 66 ?? ?? ?? 0F B6 ?? 4? 89 ?? ?? ?? ?? ?? 3B ?? 75 }
- $block_20 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 85 }
- $block_21 = { 2B ?? 8B ?? B8 ?? ?? ?? ?? F7 ?? 03 ?? C1 ?? ?? 8B ?? C1 ?? ?? 03 ?? 83 ?? ?? 0F 87 }
- $block_22 = { 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_23 = { 0F B6 ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? ?? ?? 45 ?? ?? 4C ?? ?? ?? ?? 4D ?? ?? 84 ?? 74 }
- $block_24 = { 4C ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 9? 0F B7 ?? ?? ?? 66 ?? ?? 75 }
- $block_25 = { 8B ?? 8B ?? ?? 8D ?? ?? 5? 8B ?? FF D? 0F B6 ?? ?? 8D ?? ?? C6 ?? ?? ?? 39 ?? ?? 75 }
- $block_26 = { 2B ?? 8B ?? B8 ?? ?? ?? ?? F7 ?? 03 ?? C1 ?? ?? 8B ?? C1 ?? ?? 03 ?? 83 ?? ?? 0F 85 }
- $block_27 = { 6A ?? 5? 8D ?? ?? 5? 8B ?? ?? ?? ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 4? 0F 84 }
- $block_28 = { 8A ?? ?? 8B ?? ?? 2B ?? ?? FE ?? 88 ?? ?? 0F B6 ?? C1 ?? ?? 89 ?? ?? 3B ?? 0F 82 }
- $block_29 = { 8D ?? ?? ?? ?? ?? ?? 2B ?? 8B ?? ?? ?? FE ?? 8D ?? ?? ?? 01 ?? 0F B6 ?? 3B ?? 72 }
- $block_30 = { 5? 8B ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_31 = { 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_32 = { 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? ?? 0F 85 }
- $block_33 = { 5? 5? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_34 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 48 ?? ?? ?? 48 ?? ?? 74 }
- $block_35 = { 45 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_36 = { 33 ?? 44 ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 0F 85 }
- $block_37 = { 48 ?? ?? 48 ?? ?? FF 5? ?? 40 ?? ?? ?? 40 ?? ?? ?? 83 ?? ?? 66 ?? ?? ?? 0F 84 }
- $block_38 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? FF D? 84 ?? 0F 84 }
- $block_39 = { 8A ?? ?? 8B ?? ?? FE ?? 0F B6 ?? 88 ?? ?? 8B ?? ?? 2B ?? C1 ?? ?? 3B ?? 72 }
- $block_40 = { 66 ?? ?? 66 ?? ?? 0F B6 ?? ?? 88 ?? ?? 0F B6 ?? ?? 83 ?? ?? 88 ?? ?? 5? EB }
- $block_41 = { 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_42 = { FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 86 }
- $block_43 = { 5? 8B ?? ?? ?? ?? ?? 03 ?? 6A ?? 5? 89 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_44 = { 8B ?? ?? ?? ?? ?? 5? FF D? 8B ?? ?? 5? FF D? 5? FF D? 8B ?? ?? 85 ?? 0F 84 }
- $block_45 = { 8A ?? ?? 8B ?? ?? 2B ?? ?? FE ?? 88 ?? ?? 0F B6 ?? C1 ?? ?? 3B ?? 0F 82 }
- $block_46 = { 8B ?? ?? 2B ?? ?? 8B ?? ?? 0F B7 ?? BF ?? ?? ?? ?? C1 ?? ?? 3B ?? 0F 86 }
- $block_47 = { 8B ?? ?? 83 ?? ?? ?? 83 ?? ?? ?? 83 ?? ?? 89 ?? ?? 3D ?? ?? ?? ?? 0F 82 }
- $block_48 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_49 = { 41 ?? ?? 45 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 4C ?? ?? 0F 82 }
- $block_50 = { 33 ?? 89 ?? ?? 89 ?? ?? 66 ?? ?? ?? C6 ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 82 }
- $block_51 = { 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 5? 5? FF D? 83 ?? ?? ?? 0F 82 }
- $block_52 = { 45 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_53 = { 8B ?? ?? FF D? 8B ?? ?? 03 ?? 8B ?? 0F AF ?? 89 ?? ?? 89 ?? ?? E9 }
- $block_54 = { 5? 8B ?? 8B ?? ?? 0F B7 ?? 5? 5? 5? 8B ?? 33 ?? 33 ?? 66 ?? ?? 74 }
- $block_55 = { 0F B6 ?? 8D ?? ?? ?? ?? ?? ?? 0F B6 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 }
- $block_56 = { 0F B7 ?? 8B ?? 81 E? ?? ?? ?? ?? 03 ?? 66 ?? ?? ?? 66 ?? ?? ?? 74 }
- $block_57 = { 48 ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? 66 ?? ?? ?? ?? 40 ?? ?? 0F 84 }
- $block_58 = { 33 ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? 66 ?? ?? ?? 39 ?? ?? 0F 82 }
- $block_59 = { 48 ?? ?? ?? 48 ?? ?? 83 ?? ?? 0F B6 ?? ?? 30 ?? ?? 48 ?? ?? 75 }
- $block_60 = { 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_61 = { 8D ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 84 ?? 0F 84 }
- $block_62 = { 6A ?? 68 ?? ?? ?? ?? 5? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_63 = { 40 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 83 }
- $block_64 = { 48 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_65 = { 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 85 }
- $block_66 = { 41 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 83 }
- $block_67 = { 85 ?? 0F 94 ?? 84 ?? 0F 94 ?? 48 ?? ?? ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_68 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? 8B ?? 8B ?? ?? FF D? 66 ?? ?? 75 }
- $block_69 = { 8B ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? FF D? 0F B7 ?? 66 ?? ?? 74 }
- $block_70 = { 8B ?? ?? 5? 5? 5? 8B ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 }
- $block_71 = { 48 ?? ?? ?? 48 ?? ?? ?? 66 ?? ?? ?? 0F 95 ?? 66 ?? ?? ?? 74 }
- $block_72 = { FE ?? ?? 0F B6 ?? 8D ?? ?? ?? ?? ?? ?? 8A ?? 88 ?? 88 ?? 75 }
- $block_73 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? ?? 2B ?? C1 ?? ?? 3B ?? 0F 83 }
- $block_74 = { 0F B6 ?? ?? 8B ?? 5? 5? 33 ?? 33 ?? 89 ?? ?? 89 ?? ?? 8B }
- $block_75 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_76 = { 2B ?? D1 ?? 5? 5? 5? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_77 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 4? ?? 83 ?? ?? ?? 0F 82 }
- $block_78 = { 0F B6 ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 03 ?? C1 ?? ?? EB }
- $block_79 = { 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_80 = { 8B ?? 8B ?? ?? 66 ?? ?? ?? 0F 95 ?? 66 ?? ?? ?? ?? 74 }
- $block_81 = { 5? 8B ?? 5? 8B ?? ?? 0F B7 ?? 33 ?? 33 ?? 66 ?? ?? 74 }
- $block_82 = { 8D ?? ?? ?? ?? ?? ?? 8B ?? F6 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_83 = { 0F B6 ?? ?? 8A ?? ?? FE ?? ?? 88 ?? ?? ?? ?? ?? ?? 75 }
- $block_84 = { 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F 86 }
- $block_85 = { 4F ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? 0F 85 }
- $block_86 = { 48 ?? ?? ?? 4C ?? ?? 48 ?? ?? 41 ?? ?? ?? 84 ?? 0F 84 }
- $block_87 = { 5? 8B ?? 5? 8B ?? ?? 5? 33 ?? 89 ?? ?? 3B ?? 0F 86 }
- $block_88 = { 0F B7 ?? C1 ?? ?? 4? 03 ?? 0F B7 ?? ?? 66 ?? ?? 75 }
- $block_89 = { 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_90 = { 48 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_91 = { 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_92 = { 45 ?? ?? 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? 0F 1F }
- $block_93 = { 8B ?? ?? ?? ?? ?? 6A ?? FF D? 83 ?? ?? ?? 0F 84 }
- $block_94 = { 8B ?? ?? 89 ?? ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 83 }
- $block_95 = { 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 95 ?? 3A ?? 0F 85 }
- $block_96 = { 0F BE ?? 0F B6 ?? FE ?? 4? 66 ?? ?? ?? 3C ?? 72 }
- $block_97 = { 49 ?? ?? ?? 44 ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_98 = { 8B ?? ?? 8B ?? ?? 5? 5? C6 ?? ?? ?? ?? 5? C9 C3 }
- $block_99 = { 48 ?? ?? ?? 4C ?? ?? 49 ?? ?? 41 ?? ?? ?? 0F 1F }
-
- condition:
- hash.sha256(0, filesize) == "6562e2ac60afa314cd463f771fcfb8be70f947f6e2b314b0c48187eebb33dd82" or
- hash.sha256(0, filesize) == "e1b1143c0003c6905227df37d40aacbaecc2be8b9d86547650fe11bd47ca6989" or
- hash.sha256(0, filesize) == "bebe0be0cf8349706b2feb789572e035955209d5bf5d5fea0e5d29a7fbfdc7c4" or
- hash.sha256(0, filesize) == "9f06b3c694c8b398e2f47e98590a94d5daefbebfb5426fb3c99eb34aecb536b8" or
- hash.sha256(0, filesize) == "88a5377f829e45ed89767e2e4aaee853e587eb202528c963802893108b70fe3f" or
- hash.sha256(0, filesize) == "fa908ee3822dbda90d3b378ea3c4354eef8a27259ea3fe69a86f18e94f8742a2" or
- hash.sha256(0, filesize) == "68065abd6482405614d245537600ea60857c6ec9febac4870486b5227589d35c" or
- hash.sha256(0, filesize) == "0356f5fa9907ea060a7d6964e65f019896deb1c7e303b7ba04da1458dc73a842" or
- hash.sha256(0, filesize) == "a1c73ce193ffa5323aaef73fbabbc2a984e10900f09cf9fcb0cb11606a23c402" or
- hash.sha256(0, filesize) == "4096a8c13d6c492d9204cb11c294bb64b04a7636ca1e6257c2ae431d0c385cc2" or
- hash.sha256(0, filesize) == "261b0a5912965ea95b8ae02aae1e761a61f9ad3a9fb85ef781e62013d6a21368" or
- hash.sha256(0, filesize) == "1a09ce8a9210d2530d6ce1d59bfae2ac617ac89558cdcdcac15392d176e70c8d" or
- hash.sha256(0, filesize) == "8a80c2f8dbffa1f2763547aac332746afb85b47f977780485d17d7eb2ea187b7" or
- hash.sha256(0, filesize) == "280905558e848f5bb9ab923e6e44002480464a8bdeb50f00b6757e1fff8b46fb" or
- hash.sha256(0, filesize) == "1228e9066819f115e8b2a6c1b75352566a6a5dc002d9d36a8c5b47758c9f6a45" or
- hash.sha256(0, filesize) == "c19d266af9e33dae096e45e7624ab3a3f642c8de580e902fec9dac11bcb8d3fd" or
- hash.sha256(0, filesize) == "45a872495dae7805bb537bc7a37a9bd604bf48b26496dbe35f4e13e200bad6a2" or
- hash.sha256(0, filesize) == "dea4e560017b4da05e8fd0a03ba74239723349934ee8fbd201a79be1ecf1c32d" or
- hash.sha256(0, filesize) == "c488f4946612c13601a1bed48fce0733645ae3ab5fda03395383160d44bde964" or
- hash.sha256(0, filesize) == "b8fd23432d615c451b0845a7d7b9b17b371da06627d390f501ca1fd58f9d1ac2" or
- hash.sha256(0, filesize) == "8646a5330f516adce0c05ad019cf041cf79c1ca069048c3f8db94dcbdb00c408" or
- hash.sha256(0, filesize) == "7a5cb45a3efcebbf49e18c4b2397dc2bdff039d9127a8119abe4c2f85a85e1f0" or
- hash.sha256(0, filesize) == "24e11c80f1d4c1e9db654d54cc784db6b5f4a126f9fe5e26c269fdc4009c8f29" or
- hash.sha256(0, filesize) == "8325cd6e26fb39cf7a08787e771a6cf708e0b45350d1ea239982af06db90804f" or
- hash.sha256(0, filesize) == "a5b68575ac4fbe83c23ff991ad0d5389f51a2aef71ee3c2277985c68361cf1cc" or
- hash.sha256(0, filesize) == "8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb" or
- hash.sha256(0, filesize) == "1e6a0e542dcddec9d937c111c3ea6670e08c6606f869444d0702ec7f1363bff1" or
- hash.sha256(0, filesize) == "001d65185910ae8cd9e7e2472745e593be62b98eae3f5f2266a29c37e56daa1d" or
- hash.sha256(0, filesize) == "8925aa5c9e912236f265f3d3f95b9fa8bbfd8dec1e381f168309056b23995d4c" or
- hash.sha256(0, filesize) == "d4525abc9dd2b7ab7f0c22e58a0117980039afdf15bed04bb0c637cd41fbfb9d" or
- hash.sha256(0, filesize) == "858e7a7223d6ed91cfa89f5cae013f9a450d13cdc7adb1963072d6eb6cbad513" or
- hash.sha256(0, filesize) == "0abda721c4f1ca626f5d8bd2ce186aa98b197ca68d53e81cf152c32230345071" or
- hash.sha256(0, filesize) == "ddab96e4a8e909065e05c4b6a73ba351ea45ad4806258f41ac3cecbcae8671a6" or
- hash.sha256(0, filesize) == "4182821d00485cbc5628bbdc41a76e8a956142021f6682549559d04636a17a3f" or
- hash.sha256(0, filesize) == "fc2dbfda41860b2385314c87e81f1ebb4f9ae1106b697e019841d8c3bf402570" or
- hash.sha256(0, filesize) == "f97f2985ff599e073156e37cbd34024067680072ac18f9d2040c64eedbe38e4f" or
- hash.sha256(0, filesize) == "a0749f75ec464a86acd146a825d6ddf1c351f290860fe7bf6a47ce4fb2a085f1" or
- hash.sha256(0, filesize) == "07393ac2e890772f70adf9e8d3aa07ab2f98e2726e3be275276dadd00daf5fc6" or
- hash.sha256(0, filesize) == "6c69b9bda696d416cb22b775f9a63f98dd4e634f003e3b0704cbb67721b13dde" or
- hash.sha256(0, filesize) == "dd8facad6c0626b6c94e1cc891698d4982782a5564aae696a218c940b7b8d084" or
- hash.sha256(0, filesize) == "715f69916db9ff8fedf6630307f4ebb84aae6653fd0e593036517c5040d84dbe" or
- hash.sha256(0, filesize) == "82fc44696d1c5ddfdd5338fcafb6a9dcf7a0796235cd58184d05a2f388ed7e9e" or
- hash.sha256(0, filesize) == "b1800cb1d4b755e05b0fca251b8c6da96bb85f8042f2d755b7f607cbeef58db8" or
- hash.sha256(0, filesize) == "2d11e8d81bf776d668355ed15a596193d4bb10a42289ddb3223c1227b042d854" or
- hash.sha256(0, filesize) == "ee8636cfa3521c7f9cc7588221d1edc0eed7ba68256b72e3dc2a4a75a6bd5b87" or
- hash.sha256(0, filesize) == "b23193bff95c4e65af0c9848036eb80ef006503a78be842e921035f8d77eb5de" or
- hash.sha256(0, filesize) == "9a527274f99865a7d70487fe22e62f692f8b239d6cb80816b919734c7c741584" or
- hash.sha256(0, filesize) == "94c220653ea7421c60e3eafd753a9ae9d69b475d61230f2f403789d326309c24" or
- hash.sha256(0, filesize) == "d11dcf98d78c8281fc7f4affc30a798d6fd7cb0fbdbd9daa8f004fbcd1deee28" or
- hash.sha256(0, filesize) == "2b6e280b4ff000dc0926d9586a8b3710697ed95112b2e465660e6409823e6bad" or
- hash.sha256(0, filesize) == "8554e0894babf3c743b66aa2a07f9aa99893be131824ec72835b9fb11e0aeb39" or
- hash.sha256(0, filesize) == "69691bc9ff36ccb46c2acef50edc393996a4c42bc6e9a86976050b9eff83dc00" or
- hash.sha256(0, filesize) == "1daeacb30433f88c52f21f2d323dd3c6b556b3611d29a34c6c72e4a8e714f86a" or
- hash.sha256(0, filesize) == "e00eaf295a28f5497dbb5cb8f647537b6e55dd66613505389c24e658d150972c" or
- hash.sha256(0, filesize) == "596c486fabc8581f788fe27dcd24fddee8fd8cc484e6744db68a29fa5a804cf6" or
- hash.sha256(0, filesize) == "72ee0330474c00ec15576112b33e8198b1272e0e3f44fce3800af79821b7e431" or
- hash.sha256(0, filesize) == "c7661b27a06a3a8c471fbb060ab8cab25fa9546e0a4c5c1101fe8098b2ad11e9" or
- hash.sha256(0, filesize) == "225e94f198bdfcf7550dc30881654f192e460dce88fe927fad8c5adb149eed25" or
- hash.sha256(0, filesize) == "52bf280be543485434945074ebc3d1e4f2ab15c0286c7a063c33ea39786a77e1" or
- hash.sha256(0, filesize) == "cee85e2fd2ca34a2f90bce9b50c400fe4fd14b536fd0ff26c0c3a9aad6e1904a" or
- hash.sha256(0, filesize) == "b93e55763bd8dec8944410e4e00d0f174640905b99629d8111819528593d1c2a" or
- hash.sha256(0, filesize) == "608a428b7c7f32726b8239725fb7b7a7760b750ea89e2d66fa966b0797ea614e" or
- hash.sha256(0, filesize) == "f2287ddc1376c1ffbf6652d06d115a42e041df1976b321142c0f92dbdb96e82e" or
- hash.sha256(0, filesize) == "32717c2876f5622a562d548b55e09657f453b40d7aeb15bb738c789a4c4ee61d" or
- hash.sha256(0, filesize) == "02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592" or
- hash.sha256(0, filesize) == "e2bea753318d715dfc2f186c49ae3e9c404d0f5df52e959ea546f78a3624bc3b" or
- hash.sha256(0, filesize) == "b4f755c91c2790f4ab9bac4ee60725132323e13a2688f3d8939ae9ed4793d014" or
- hash.sha256(0, filesize) == "3d13f2e5b241168005425b15410556bcf26d04078da6b2ef42bc0c2be7654bf8" or
- hash.sha256(0, filesize) == "b5413aab02e9076e7a62fe53826b16147c3fa4d47b073e334311184e39d9a71e" or
- hash.sha256(0, filesize) == "dea3a99388e9c962de9ea1008ff35bc2dc66f67a911451e7b501183e360bb95e" or
- hash.sha256(0, filesize) == "fd39d2837b30e7233bc54598ff51bdc2f8c418fa5b94dea2cadb24cf40f395e5" or
- hash.sha256(0, filesize) == "aa2914cc937b6eb4e703955cbf576e8d783af2164ddd9ec759dd9ad2cc71d42a" or
- hash.sha256(0, filesize) == "d0e019229493a1cfb3ffc918a2d8ffcbaee31f9132293c95b1f8c1fd6d595054" or
- hash.sha256(0, filesize) == "ea957d663dbc0b28844f6aa7dfdc5ac0110a4004ac46c87d0f1aa943ef253cfe" or
- hash.sha256(0, filesize) == "9ead4bc59075215f8e474d790cef4aa8dbc35815c7339011b956ecce6a84ff47" or
- hash.sha256(0, filesize) == "b814fdbb7cfe6e5192fe1126835b903354d75bfb15a6c262ccc2caf13a8ce4b6" or
- hash.sha256(0, filesize) == "638e7ca68643d4b01432f0ecaaa0495b805cc3cccc17a753b0fa511d94a22bdd" or
- hash.sha256(0, filesize) == "99d3f03fc6f048c74e58da6fb7ea1e831ba31d58194ad2463a7a6cd55da5f96b" or
- hash.sha256(0, filesize) == "e031299fa1381b40c660b8cd831bb861654f900a1e2952b1a76bedf140972a81" or
- hash.sha256(0, filesize) == "bf28267386a010197a50b65f24e815aa527f2adbc53c609d2b2a4f999a639413" or
- hash.sha256(0, filesize) == "5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1" or
- 12 of them
-}
-
-rule SeduploaderPayload2 {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8B ?? 83 ?? ?? 5? 5? 33 ?? 5? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_1 = { 5? 8B ?? 83 ?? ?? 5? 8D ?? ?? 33 ?? 5? 68 ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 }
- $block_2 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? 33 ?? 5? FF 7? ?? E8 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_3 = { 6A ?? 68 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 5? FF 7? ?? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 }
- $block_4 = { 0F B6 ?? 89 ?? ?? 8A ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 80 C? ?? 75 }
- $block_5 = { 5? 8B ?? 83 ?? ?? 83 ?? ?? ?? 8D ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 }
- $block_6 = { 5? 33 ?? 6A ?? 5? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 5? 85 ?? 75 }
- $block_7 = { 5? 8B ?? 83 ?? ?? 5? 5? 5? 8B ?? ?? 8B ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 }
- $block_8 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 5? 5? 6A ?? 5? 8B ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 }
- $block_9 = { 33 ?? 5? 5? 5? 68 ?? ?? ?? ?? FF 3? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_10 = { FF 7? ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? 5? 8B ?? 5? C9 C3 }
- $block_11 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? 6A ?? FF 7? ?? E8 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_12 = { 5? 8B ?? 83 ?? ?? 5? 5? 5? 33 ?? 8D ?? ?? AB AB 8B ?? 33 ?? 33 ?? E8 ?? ?? ?? ?? 3B ?? 74 }
- $block_13 = { 83 ?? ?? ?? 8D ?? ?? 5? FF 7? ?? FF D? 8B ?? ?? 33 ?? 84 ?? 0F 44 ?? 33 ?? 85 ?? 0F 94 }
- $block_14 = { FF 7? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 5? 8B ?? 5? C9 C3 }
- $block_15 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? C6 ?? ?? ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_16 = { 5? 8B ?? 83 ?? ?? 5? 5? 6A ?? FF 7? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 }
- $block_17 = { 5? 8B ?? 83 ?? ?? 5? 6A ?? FF 7? ?? 8B ?? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 }
- $block_18 = { 8B ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? 8B ?? ?? 5? 5? 89 ?? ?? 8B ?? ?? 5? C9 C2 }
- $block_19 = { FF 7? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 33 ?? 4? 85 ?? 5? 0F 45 ?? E8 ?? ?? ?? ?? 83 }
- $block_20 = { 81 7? ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 0F 85 }
- $block_21 = { 5? E8 ?? ?? ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 8B ?? ?? 0F B6 }
- $block_22 = { 8D ?? ?? 89 ?? ?? 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_23 = { 8B ?? 83 ?? ?? 89 ?? 33 ?? 39 ?? 0F 45 ?? 03 ?? 89 ?? ?? 8D ?? ?? 3B ?? 72 }
- $block_24 = { 8B ?? 33 ?? AB AB AB 83 ?? ?? ?? 83 ?? ?? ?? 8B ?? ?? C7 ?? ?? ?? ?? ?? EB }
- $block_25 = { 8B ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? 8B ?? ?? 5? 5? 89 ?? 8B ?? ?? 5? C9 C2 }
- $block_26 = { FF 7? ?? E8 ?? ?? ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 5? 5? 8B ?? 5? C9 C2 }
- $block_27 = { 0F B6 ?? 89 ?? ?? 8A ?? ?? ?? ?? ?? ?? 0F B6 ?? 03 ?? 25 ?? ?? ?? ?? 79 }
- $block_28 = { 5? 5? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_29 = { FF 7? ?? E8 ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? C9 C2 }
- $block_30 = { 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 84 ?? 0F 85 }
- $block_31 = { 8D ?? ?? 5? 8D ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_32 = { 0F B7 ?? 8B ?? 81 E? ?? ?? ?? ?? 03 ?? 66 ?? ?? ?? 66 ?? ?? ?? 74 }
- $block_33 = { 0F B6 ?? 8D ?? ?? ?? ?? ?? ?? 0F B6 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 }
- $block_34 = { 0F B7 ?? 8B ?? 66 ?? ?? ?? 25 ?? ?? ?? ?? 03 ?? 66 ?? ?? ?? 74 }
- $block_35 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4? 89 ?? ?? 5? 5? 83 ?? ?? 0F 82 }
- $block_36 = { 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 }
- $block_37 = { 5? 83 ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 }
- $block_38 = { FE ?? ?? 0F B6 ?? 8D ?? ?? ?? ?? ?? ?? 8A ?? 88 ?? 88 ?? 75 }
- $block_39 = { 8B ?? ?? E8 ?? ?? ?? ?? 84 ?? 8B ?? ?? 8B ?? ?? 6A ?? 0F 85 }
- $block_40 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 4? ?? 83 ?? ?? ?? 0F 82 }
- $block_41 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4? 89 ?? ?? 83 ?? ?? 0F 82 }
- $block_42 = { 8D ?? ?? ?? ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_43 = { 0F B6 ?? ?? 8A ?? ?? FE ?? ?? 88 ?? ?? ?? ?? ?? ?? 75 }
- $block_44 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? 5? 33 ?? 8B ?? 85 ?? 0F 84 }
- $block_45 = { FF 7? ?? FF 7? ?? FF 7? ?? FF 7? ?? FF 5? ?? 5? C9 C3 }
- $block_46 = { 8B ?? ?? E8 ?? ?? ?? ?? 84 ?? 8B ?? ?? 8B ?? ?? 0F 85 }
- $block_47 = { 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? 5? C9 C2 }
- $block_48 = { 5? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 85 ?? 0F 84 }
- $block_49 = { 8B ?? 8B ?? ?? 66 ?? ?? 0F 95 ?? ?? 66 ?? ?? ?? 74 }
- $block_50 = { 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? C9 C2 }
- $block_51 = { 5? 89 ?? ?? E8 ?? ?? ?? ?? 33 ?? 5? 39 ?? ?? 0F 84 }
- $block_52 = { 5? 8B ?? 5? 5? 8B ?? 5? 33 ?? 8B ?? ?? 85 ?? 0F 84 }
- $block_53 = { 85 ?? 89 ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F 44 }
- $block_54 = { 8B ?? ?? 8B ?? ?? 5? 5? C6 ?? ?? ?? ?? 5? C9 C3 }
- $block_55 = { 8B ?? 4? 99 F7 ?? 8B ?? 80 C? ?? 88 ?? 85 ?? 75 }
- $block_56 = { 5? 8B ?? 5? 5? 8B ?? 5? 33 ?? 8B ?? 85 ?? 0F 84 }
- $block_57 = { FF 7? ?? E8 ?? ?? ?? ?? 5? 8B ?? 5? 5? 5? C9 C3 }
- $block_58 = { 5? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 5? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "ef027405492bc0719437eb58c3d2774cc87845f30c40040bbebbcc09a4e3dd18" or
- hash.sha256(0, filesize) == "12e6642cf6413bdf5388bee663080fa299591b2ba023d069286f3be9647547c8" or
- hash.sha256(0, filesize) == "3ac11a74275725a22c233cd974229d2b167c336da667410f7262b4926dabd31b" or
- hash.sha256(0, filesize) == "430902c206ab08581de0500ad2f23a77e4915680edb8437c151c77bab6e6cbc3" or
- hash.sha256(0, filesize) == "eae782130b06d95f3373ff7d5c0977a8019960bdf80614c1aa7e324dc350428a" or
- hash.sha256(0, filesize) == "0a842c40cdbbbc2bf5a6513e39a2bd8ea266f914ac93c958fda8c0d0048c4f94" or
- hash.sha256(0, filesize) == "f50791f9909c542e4abb5e3f760c896995758a832b0699c23ca54b579a9f2108" or
- hash.sha256(0, filesize) == "8c47961181d9929333628af20bdd750021e925f40065374e6b876e3b8afbba57" or
- hash.sha256(0, filesize) == "11cd541511cc793e7416655cda1e100d0a70fb043dfe7f6664564b91733431d0" or
- hash.sha256(0, filesize) == "c3b2c7bbd2aa1e3100b9382ed78dfa0041af764e0e02013acdf282410b302ead" or
- hash.sha256(0, filesize) == "0ac7b666814fd016b3d21d7812f4a272104511f90ca666fa13e9fb6cefa603c7" or
- hash.sha256(0, filesize) == "df47a939809f925475bc19804319652635848b8f346fb7dfd8c95c620595fe9f" or
- hash.sha256(0, filesize) == "aeeab3272a2ed2157ebf67f74c00fafc787a2b9bbaa17a03be1e23d4cb273632" or
- hash.sha256(0, filesize) == "853dbbba09e2463c45c0ad913d15d67d15792d888f81b4908b2216859342aa04" or
- hash.sha256(0, filesize) == "73db52c0d4e31a00030b47b4f0fa7125000b19c6c9d462c3d0ce0f9d68f04e4c" or
- hash.sha256(0, filesize) == "57d230ddaf92e2d0504e5bb12abf52062114fb8980c5ecc413116b1d6ffedf1b" or
- hash.sha256(0, filesize) == "500fa112a204b6abb365101013a17749ce83403c30cd37f7c6f94e693c2d492f" or
- hash.sha256(0, filesize) == "dfa8a85e26c07a348a854130c652dcc6d29b203ee230ce0603c83d9f11bbcacc" or
- hash.sha256(0, filesize) == "5a414a39851c4e22d4f9383211dfc080e16e2caffd90fa06dcbe51d11fdb0d6c" or
- hash.sha256(0, filesize) == "69940a20ab9abb31a03fcefe6de92a16ed474bbdff3288498851afc12a834261" or
- hash.sha256(0, filesize) == "b6fff95a74f9847f1a4282b38f148d80e4684d9c35d9ae79fad813d5dc0fd7a9" or
- hash.sha256(0, filesize) == "3b87bfb837339445987cdf2e97169cb0c63072dc1d5bffa8ffb4af108a410988" or
- hash.sha256(0, filesize) == "1140c624fbfe28b9ef19fef2e9aa251adfbe8c157820d5f0356d88b4d80c2c88" or
- hash.sha256(0, filesize) == "6b8c44ba1d8ed34b9c3ce7142f9a09a8b50aa1a40a45774bec23c0f59aad0117" or
- 12 of them
-}
-
-rule WinexeSVC {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 31 ?? B9 ?? ?? ?? ?? 48 ?? ?? F3 ?? ?? 48 ?? ?? ?? 49 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 45 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 31 ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 4D ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_1 = { B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 45 ?? ?? 31 ?? 41 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 49 ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? 45 ?? ?? 48 ?? ?? ?? 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? FF D? 48 ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_2 = { 48 ?? ?? ?? ?? ?? ?? ?? 45 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? 0F 85 }
- $block_3 = { FF 1? ?? ?? ?? ?? C1 ?? ?? 03 ?? ?? 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? 41 ?? ?? 89 ?? E8 ?? ?? ?? ?? 45 ?? ?? 4C ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 48 ?? ?? 4C ?? ?? ?? ?? ?? ?? 41 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F 84 }
- $block_4 = { 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 45 ?? ?? 4C ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 48 ?? ?? 41 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F 84 }
- $block_5 = { 0F 1F ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 41 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF D? 48 ?? ?? ?? 41 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF D? BA ?? ?? ?? ?? 48 ?? ?? ?? 41 ?? ?? ?? ?? ?? FF D? 8B ?? ?? 85 ?? 0F 85 }
- $block_6 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 41 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF D? 48 ?? ?? ?? 41 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF D? BA ?? ?? ?? ?? 48 ?? ?? ?? 41 ?? ?? ?? ?? ?? FF D? 8B ?? ?? 85 ?? 0F 85 }
- $block_7 = { 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 45 ?? ?? 48 ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_8 = { 89 ?? 48 ?? ?? ?? ?? C1 ?? ?? A9 ?? ?? ?? ?? 0F 44 ?? 49 ?? ?? ?? 89 ?? 4C ?? ?? ?? 00 ?? 48 ?? ?? 49 ?? ?? ?? 48 ?? ?? 45 ?? ?? 41 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 74 }
- $block_9 = { 41 ?? 41 ?? 41 ?? 41 ?? 5? 5? 5? 5? 48 ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 48 ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "993d38b57284ebead293296c4aaf4ecffe4f8ac63ca115ae9463368b407cef97" or
- hash.sha256(0, filesize) == "a4a838150809d833f84ab590f2ef566be777d12655c1f2c5df17c895497262fa" or
- 10 of them
-}
-
-rule SeduploaderDropper {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? 41 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_1 = { 0F B7 ?? ?? 4C ?? ?? ?? 44 ?? ?? ?? 48 ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? 74 }
- $block_2 = { 41 ?? ?? ?? 0F B6 ?? ?? ?? 88 ?? ?? ?? 88 ?? ?? ?? 8B ?? 0F B6 ?? ?? ?? 03 ?? 41 ?? ?? 7D }
- $block_3 = { FF 1? ?? ?? ?? ?? 4C ?? ?? 41 ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? 0F 84 }
- $block_4 = { 0F B6 ?? 0F B6 ?? 0F AF ?? 8A ?? ?? 02 ?? ?? ?? ?? ?? 32 ?? 4? 88 ?? ?? 83 ?? ?? 72 }
- $block_5 = { FF D? 5? 5? E8 ?? ?? ?? ?? 5? 5? 8B ?? ?? 5? 5? 33 ?? B0 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_6 = { FF 7? ?? 33 ?? 5? 5? FF 7? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 9D }
- $block_7 = { 40 ?? 5? 5? 5? 41 ?? 41 ?? 41 ?? 41 ?? 48 ?? ?? ?? 48 ?? ?? 3B ?? ?? 0F 83 }
- $block_8 = { 5? 5? BE ?? ?? ?? ?? 8D ?? ?? A5 A5 A4 BE ?? ?? ?? ?? 8D ?? ?? A5 66 ?? 33 }
- $block_9 = { 42 ?? ?? ?? ?? ?? 0F 95 ?? 83 ?? ?? 88 ?? ?? 48 ?? ?? ?? 49 ?? ?? 0F 87 }
- $block_10 = { 42 ?? ?? ?? ?? 0F 95 ?? 83 ?? ?? 88 ?? ?? 48 ?? ?? ?? 49 ?? ?? 0F 87 }
- $block_11 = { 6A ?? FF 7? ?? 6A ?? 5? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_12 = { 42 ?? ?? ?? 83 ?? ?? 8D ?? ?? 89 ?? ?? 3B ?? ?? ?? ?? ?? ?? 0F 87 }
- $block_13 = { 4C ?? ?? ?? 48 ?? ?? 8B ?? 48 ?? ?? FF 5? ?? 45 ?? ?? 84 ?? 0F 84 }
- $block_14 = { 0F B6 ?? ?? ?? ?? ?? 03 ?? 03 ?? ?? 33 ?? 4? 89 ?? 83 ?? ?? 72 }
- $block_15 = { 40 ?? ?? 0F B6 ?? 8A ?? ?? ?? 42 ?? ?? ?? ?? 44 ?? ?? ?? ?? 75 }
- $block_16 = { 45 ?? ?? ?? 40 ?? ?? ?? 0F B6 ?? ?? ?? 44 ?? ?? 45 ?? ?? 7D }
- $block_17 = { 49 ?? ?? 48 ?? ?? 45 ?? ?? 66 ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_18 = { 8B ?? 4D ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? 0F 86 }
- $block_19 = { 8B ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_20 = { 6A ?? 5? 6A ?? 6A ?? FF 7? ?? FF D? 8B ?? 83 ?? ?? 0F 84 }
- $block_21 = { 5? 8D ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? ?? 5? 0F 85 }
- $block_22 = { 42 ?? ?? ?? 83 ?? ?? 89 ?? ?? 48 ?? ?? ?? 49 ?? ?? 0F 87 }
- $block_23 = { 4A ?? ?? ?? 83 ?? ?? 48 ?? ?? ?? 89 ?? ?? 49 ?? ?? 0F 87 }
- $block_24 = { 0F B6 ?? ?? ?? ?? ?? 03 ?? 03 ?? 33 ?? 4? 83 ?? ?? 72 }
- $block_25 = { 8B ?? 83 ?? ?? 4A ?? ?? ?? 8D ?? ?? 41 ?? ?? 0F 87 }
- $block_26 = { 48 ?? ?? ?? 4C ?? ?? ?? 45 ?? ?? 49 ?? ?? 0F 87 }
- $block_27 = { 4A ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? 41 ?? ?? 0F 87 }
-
- condition:
- hash.sha256(0, filesize) == "ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8" or
- hash.sha256(0, filesize) == "69d5123a277dc1f618be5edcc95938a0df148c856d2e1231a07e2743bd683e01" or
- hash.sha256(0, filesize) == "4bcd11142d5b9f96730715905152a645a1bf487921dd65618c354281512a4ae7" or
- hash.sha256(0, filesize) == "2884e438b4dbb3bcead37789908e2eb210ead820dfc03091dc7f46b50ddd1e5b" or
- hash.sha256(0, filesize) == "63d0b28114f6277b901132bc1cc1f541a594ee72f27d95653c54e1b73382a5f6" or
- 12 of them
-}
-
-rule Seduploader {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 6A ?? 68 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 5? FF 7? ?? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 }
- $block_1 = { 0F B6 ?? 89 ?? ?? 8A ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 80 C? ?? 75 }
- $block_2 = { 33 ?? 5? 5? 5? 68 ?? ?? ?? ?? FF 3? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_3 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? 6A ?? FF 7? ?? E8 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_4 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 5? 5? 6A ?? 5? 8B ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 }
- $block_5 = { 83 ?? ?? ?? 8D ?? ?? 5? FF 7? ?? FF D? 8B ?? ?? 33 ?? 84 ?? 0F 44 ?? 33 ?? 85 ?? 0F 94 }
- $block_6 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? C6 ?? ?? ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_7 = { 5? E8 ?? ?? ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 8B ?? ?? 0F B6 }
- $block_8 = { 8B ?? 33 ?? AB AB AB 83 ?? ?? ?? 83 ?? ?? ?? 8B ?? ?? C7 ?? ?? ?? ?? ?? EB }
- $block_9 = { 0F B6 ?? 89 ?? ?? 8A ?? ?? ?? ?? ?? ?? 0F B6 ?? 03 ?? 25 ?? ?? ?? ?? 79 }
- $block_10 = { 0F B7 ?? 8B ?? 66 ?? ?? ?? 25 ?? ?? ?? ?? 03 ?? 66 ?? ?? ?? 74 }
- $block_11 = { 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 }
- $block_12 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4? 89 ?? ?? 83 ?? ?? 0F 82 }
- $block_13 = { 5? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 85 ?? 0F 84 }
- $block_14 = { 8B ?? 4? 99 F7 ?? 8B ?? 80 C? ?? 88 ?? 85 ?? 75 }
-
- condition:
- hash.sha256(0, filesize) == "f5b3f920cdd1ea42905caf7f0894194aaf5096b9a90c77ac06139dcb42018f9e" or
- 12 of them
-}
-
-rule HideDRV {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 45 ?? ?? 45 ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
- $block_1 = { 48 ?? ?? ?? ?? 0F B7 ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 7D }
- $block_2 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
- $block_3 = { 8B ?? ?? ?? 48 ?? ?? ?? ?? 0F B6 ?? ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 83 ?? ?? 74 }
- $block_4 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
- $block_5 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 }
- $block_6 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
- $block_7 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F BF ?? ?? 83 ?? ?? 85 ?? 74 }
- $block_8 = { BA ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 0F 84 }
- $block_9 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 33 ?? 85 ?? 0F 85 }
- $block_10 = { BA ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
- $block_11 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_12 = { 89 ?? ?? ?? 48 ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 85 ?? 74 }
- $block_13 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? 0F B6 ?? ?? 83 ?? ?? 74 }
- $block_14 = { 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
-
- condition:
- hash.sha256(0, filesize) == "4bfe2216ee63657312af1b2507c8f2bf362fdf1d63c88faba397e880c2e39430" or
- 12 of them
-}
-
-rule OLDBAIT {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8D ?? ?? 5? 6A ?? FF D? 8B ?? ?? ?? 5? 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 6A ?? 33 ?? 5? 89 ?? ?? ?? FF D? 89 ?? ?? 8B ?? 89 ?? 89 ?? ?? 6A ?? 89 ?? ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 83 ?? ?? 3B ?? 0F 85 }
- $block_1 = { 8D ?? ?? 5? 6A ?? FF D? 8B ?? ?? ?? 5? 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 6A ?? 33 ?? 5? 89 ?? ?? ?? FF D? 89 ?? ?? 8B ?? 89 ?? 89 ?? ?? 6A ?? 89 ?? ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 85 }
- $block_2 = { 5? 6A ?? 5? FF D? 5? 5? 8B ?? ?? ?? 89 ?? ?? 6A ?? 5? 89 ?? ?? ?? 89 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_3 = { 5? 6A ?? 5? FF D? 8B ?? 8B ?? ?? ?? 89 ?? ?? 6A ?? 5? 89 ?? ?? ?? 89 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_4 = { 8D ?? ?? 5? 6A ?? FF D? 8B ?? ?? ?? 5? 5? 5? 89 ?? E8 ?? ?? ?? ?? 83 ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 85 ?? 0F 84 }
- $block_5 = { 5? 5? 83 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 29 ?? 66 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 }
- $block_6 = { 8B ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 33 ?? 66 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_7 = { 5? 8B ?? 83 ?? ?? 5? 5? 5? C7 ?? ?? ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? FF 7? ?? 60 FC B2 ?? 33 }
- $block_8 = { 30 ?? ?? 0F B6 ?? C1 ?? ?? D1 ?? 4? 0B ?? 3B ?? 72 }
-
- condition:
- hash.sha256(0, filesize) == "10b02dfe93a30d5da0aab3559ec3a55dab6cd96e8ef7c4d1a8e86c59efe63634" or
- hash.sha256(0, filesize) == "de006fffc2c0580844830436ee2bdce2f492072b72375b93867a1523c0275ecd" or
- hash.sha256(0, filesize) == "360fc67cb295c0a79934f7899ed804424e0c6c4e316d7f3478f2f8c4386f5b68" or
- hash.sha256(0, filesize) == "7313eaf95a8a8b4c206b9afe306e7c0675a21999921a71a5a16456894571d21d" or
- 9 of them
-}
-
-rule dropper {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8B ?? 8B ?? ?? B9 ?? ?? ?? ?? A1 ?? ?? ?? ?? 85 ?? 0F 45 ?? A3 ?? ?? ?? ?? 8B ?? ?? 85 ?? 74 }
- $block_1 = { 0F B6 ?? 88 ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? 89 ?? ?? 03 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 75 }
- $block_2 = { 80 B? ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? 0F 44 ?? 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 }
- $block_3 = { 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 5? 5? 33 ?? 8B ?? 4? 8B ?? E8 ?? ?? ?? ?? 5? 85 ?? 0F 85 }
- $block_4 = { 0F B7 ?? 4? 8B ?? 89 ?? ?? 81 E? ?? ?? ?? ?? 66 ?? ?? ?? 8B ?? 03 ?? ?? 89 ?? ?? 66 ?? ?? ?? 75 }
- $block_5 = { 0F 28 ?? ?? ?? ?? ?? 8B ?? 0F 11 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F 28 ?? ?? ?? ?? ?? 0F 11 ?? ?? C7 }
- $block_6 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 8B ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_7 = { 0F 57 ?? 32 ?? 66 ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 }
- $block_8 = { 8D ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? 5? FF B? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_9 = { 8D ?? ?? 0F B7 ?? 5? FF 7? ?? 89 ?? ?? 0F B7 ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 74 }
- $block_10 = { 83 ?? ?? ?? 03 ?? 5? 8D ?? ?? 5? FF 5? ?? 8D ?? ?? 5? 8D ?? ?? 5? 6A ?? 6A ?? FF D? 85 ?? 0F 88 }
- $block_11 = { 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? EB }
- $block_12 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 83 ?? ?? 0F 84 }
- $block_13 = { 8B ?? C7 ?? ?? ?? ?? ?? ?? 2B ?? ?? F7 ?? ?? ?? ?? ?? ?? 89 ?? ?? 0F B6 ?? ?? ?? 89 ?? ?? 74 }
- $block_14 = { 5? 8B ?? 83 ?? ?? 8B ?? 33 ?? 5? 5? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 38 ?? 0F 84 }
- $block_15 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 5? 8B ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_16 = { 5? 8B ?? 5? 5? 8B ?? ?? 5? 8B ?? ?? 5? 0F B7 ?? 80 7? ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 0F 85 }
- $block_17 = { 8B ?? 0F 57 ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? 66 ?? ?? ?? ?? 5? 8B ?? ?? 89 ?? ?? 89 ?? ?? 0F 88 }
- $block_18 = { 5? 8B ?? ?? ?? ?? ?? 5? 6A ?? BF ?? ?? ?? ?? 5? 6A ?? 5? FF D? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_19 = { 80 B? ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8D ?? ?? 0F 44 ?? 5? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 }
- $block_20 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 03 ?? ?? ?? ?? ?? 0F B7 ?? ?? C7 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? 74 }
- $block_21 = { 8D ?? ?? 33 ?? 4? 3B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 0F B6 ?? 0F 4E ?? 89 ?? ?? 84 ?? 75 }
- $block_22 = { 8B ?? ?? FF B? ?? ?? ?? ?? 4? 01 ?? 8D ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 88 }
- $block_23 = { 8B ?? ?? 8D ?? ?? 81 F? ?? ?? ?? ?? 0F 42 ?? 81 F? ?? ?? ?? ?? 8D ?? ?? 0F 43 ?? 85 ?? 74 }
- $block_24 = { 8A ?? 8D ?? ?? 30 ?? ?? 0F B6 ?? 30 ?? ?? 0F B6 ?? 30 ?? ?? 0F B6 ?? 30 ?? ?? 83 ?? ?? 75 }
- $block_25 = { 3B ?? 8B ?? 6A ?? 5? 0F 4C ?? 3B ?? 0F 4C ?? 8A ?? ?? ?? 88 ?? ?? ?? 4? 4? 4? 83 ?? ?? 7C }
- $block_26 = { 8B ?? 0F AF ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 81 E? ?? ?? ?? ?? 89 ?? ?? 85 ?? 7E }
- $block_27 = { FF 7? ?? 8D ?? ?? ?? ?? ?? FF B? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_28 = { 8B ?? ?? 4? 8B ?? ?? 83 ?? ?? 4? 89 ?? ?? 89 ?? ?? 89 ?? 8B ?? ?? 89 ?? ?? 3B ?? ?? 0F 8C }
- $block_29 = { 8B ?? ?? 0F 57 ?? 8B ?? 8B ?? ?? 8B ?? 66 ?? ?? ?? ?? 03 ?? 89 ?? ?? 89 ?? ?? 3B ?? 0F 8D }
- $block_30 = { B9 ?? ?? ?? ?? 83 ?? ?? 2B ?? 8B ?? ?? 3B ?? 0F B6 ?? 8B ?? ?? 6A ?? 5? 0F 4F ?? 84 ?? 75 }
- $block_31 = { 8D ?? ?? ?? ?? ?? 5? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 6A ?? 5? 0F 45 ?? 85 ?? 0F 85 }
- $block_32 = { 5? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_33 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 5? 85 ?? 5? 0F 45 ?? E8 ?? ?? ?? ?? 85 ?? 5? 5? 0F 45 }
- $block_34 = { 0F BF ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 }
- $block_35 = { FF B? ?? ?? ?? ?? 5? 8D ?? ?? 5? 8B ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_36 = { 0F B7 ?? ?? ?? ?? ?? 5? 5? 5? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? F6 ?? ?? ?? ?? ?? ?? 75 }
- $block_37 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? F6 ?? ?? ?? 8B ?? ?? 8D ?? ?? 0F 45 ?? ?? 89 ?? ?? 85 ?? 74 }
- $block_38 = { 8B ?? 8D ?? ?? ?? ?? ?? 2B ?? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 81 F? ?? ?? ?? ?? 0F 83 }
- $block_39 = { 8B ?? ?? FF 7? ?? 8B ?? ?? 4? 03 ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_40 = { 8B ?? ?? 03 ?? ?? 03 ?? C7 ?? ?? ?? ?? ?? ?? 8D ?? ?? 3B ?? 8B ?? 0F 46 ?? 8D ?? ?? EB }
- $block_41 = { 5? 8B ?? 83 ?? ?? BA ?? ?? ?? ?? 5? 5? 8B ?? 5? 8B ?? ?? 03 ?? 0F B7 ?? ?? 66 ?? ?? 75 }
- $block_42 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_43 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 8B ?? ?? B8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_44 = { 8B ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_45 = { 8B ?? ?? ?? ?? ?? 6A ?? 5? 3B ?? 6A ?? 0F 42 ?? 83 ?? ?? 5? 0F 48 ?? 89 ?? ?? 85 ?? 7E }
- $block_46 = { 8B ?? ?? 33 ?? 8B ?? ?? 33 ?? 89 ?? ?? 8B ?? ?? 4? 66 ?? ?? ?? 8B ?? ?? 89 ?? ?? 0F 83 }
- $block_47 = { 8B ?? ?? ?? ?? ?? 0F B7 ?? C1 ?? ?? 6A ?? 88 ?? ?? 5? 88 ?? ?? 89 ?? ?? ?? ?? ?? EB }
- $block_48 = { 6A ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_49 = { 8D ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_50 = { 8B ?? ?? 8B ?? ?? 5? 8B ?? 8B ?? 03 ?? 3B ?? 0F 4C ?? 89 ?? ?? 81 F? ?? ?? ?? ?? 7E }
- $block_51 = { 5? 8B ?? 83 ?? ?? B8 ?? ?? ?? ?? 33 ?? 5? 5? 5? 8B ?? ?? 66 ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_52 = { 33 ?? 4? 6B ?? ?? 0F BE ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 7F }
- $block_53 = { 8B ?? ?? 6A ?? 5? D3 ?? 03 ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 85 }
- $block_54 = { 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 83 ?? ?? 0F 85 }
- $block_55 = { 8D ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_56 = { 5? 6A ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_57 = { 8B ?? ?? 0F B6 ?? ?? FF 0? 8B ?? 8B ?? 2B ?? 03 ?? 89 ?? ?? 89 ?? ?? 3B ?? ?? 77 }
- $block_58 = { 8B ?? ?? 8B ?? ?? 5? 8B ?? ?? 4? 0F B6 ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? 83 ?? ?? 75 }
- $block_59 = { 33 ?? 83 ?? ?? 0F 92 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 5? 85 ?? 74 }
- $block_60 = { 2B ?? 8D ?? ?? ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 81 F? ?? ?? ?? ?? 0F 83 }
- $block_61 = { 2B ?? 8B ?? ?? 8D ?? ?? 3B ?? 0F 9D ?? FE ?? 24 ?? 4? 88 ?? ?? 4? 03 ?? 3B ?? 7C }
- $block_62 = { 33 ?? 8D ?? ?? 5? 5? FF 7? ?? 89 ?? ?? FF 7? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_63 = { 5? 8B ?? 83 ?? ?? 8D ?? ?? 5? 8B ?? ?? FF 3? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 }
- $block_64 = { 8B ?? 89 ?? ?? 8B ?? ?? 6A ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 5? 85 ?? 0F 84 }
- $block_65 = { 8B ?? ?? BE ?? ?? ?? ?? 8D ?? ?? 83 ?? ?? A5 89 ?? ?? A5 A5 66 ?? 8B ?? ?? 8B }
- $block_66 = { 8D ?? ?? 88 ?? ?? 5? 5? FF D? 0F 28 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? 0F 11 }
- $block_67 = { 6B ?? ?? ?? 89 ?? ?? ?? ?? ?? 33 ?? 03 ?? ?? ?? ?? ?? 85 ?? 0F 95 ?? A8 ?? 74 }
- $block_68 = { 8B ?? ?? 33 ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 3B ?? ?? 8B ?? ?? 0F 95 ?? 85 ?? 74 }
- $block_69 = { 8B ?? ?? 6A ?? 5? 5? 83 ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_70 = { 8B ?? ?? ?? ?? ?? 89 ?? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 83 }
- $block_71 = { 8D ?? ?? 5? 5? FF D? 0F 28 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? 0F 11 ?? ?? 66 }
- $block_72 = { 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_73 = { 8A ?? ?? 24 ?? 0F B6 ?? 66 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? 66 ?? ?? 66 }
- $block_74 = { 5? 8B ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 8B ?? 39 ?? ?? 0F 4C ?? ?? 85 ?? 75 }
- $block_75 = { 33 ?? 8B ?? 39 ?? ?? 0F 45 ?? ?? C6 ?? ?? ?? 8B ?? ?? F7 ?? ?? ?? ?? ?? ?? 74 }
- $block_76 = { A1 ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 3B ?? 5? 8B ?? 0F 45 ?? 39 ?? ?? ?? ?? ?? 7D }
- $block_77 = { 0F B7 ?? ?? ?? ?? ?? 4? 3B ?? B8 ?? ?? ?? ?? 0F 47 ?? 66 ?? ?? ?? ?? ?? ?? 74 }
- $block_78 = { 8B ?? ?? 03 ?? 2B ?? FF 8? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 85 }
- $block_79 = { FF 7? ?? 8D ?? ?? ?? ?? ?? 6A ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_80 = { 4? 2B ?? 89 ?? ?? D3 ?? 8B ?? ?? 0B ?? 89 ?? ?? 6A ?? 5? 89 ?? ?? 3B ?? 0F 85 }
- $block_81 = { 8B ?? ?? ?? ?? ?? 0F B6 ?? 0F B6 ?? ?? 66 ?? ?? ?? 66 ?? ?? 66 ?? ?? ?? 75 }
- $block_82 = { 5? 8D ?? ?? ?? ?? ?? ?? 8B ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 5? 5? 85 ?? 0F 84 }
- $block_83 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_84 = { 0F B6 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 4? C6 ?? ?? ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_85 = { 0F 10 ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 0F 11 ?? ?? ?? 83 ?? ?? 83 ?? ?? 72 }
- $block_86 = { 83 ?? ?? ?? ?? ?? ?? 33 ?? 4? 6B ?? ?? 0F BE ?? ?? ?? ?? ?? ?? 83 ?? ?? 75 }
- $block_87 = { 8B ?? ?? 8A ?? ?? ?? ?? ?? ?? 4? 88 ?? ?? 4? 8B ?? ?? 0F B7 ?? ?? 3B ?? 7C }
- $block_88 = { 8B ?? ?? 83 ?? ?? 8B ?? ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_89 = { 8B ?? ?? 2B ?? ?? 03 ?? ?? 01 ?? ?? 8B ?? ?? 89 ?? ?? ?? 4? 83 ?? ?? 0F 8C }
- $block_90 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? 33 ?? 89 ?? ?? 89 ?? ?? 5? 8B ?? 85 ?? 0F 84 }
- $block_91 = { 8A ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 8B ?? 3C ?? 75 }
- $block_92 = { 5? 8B ?? 5? 5? 8B ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 }
- $block_93 = { 8B ?? ?? 89 ?? ?? 66 ?? ?? 33 ?? 8B ?? ?? 89 ?? ?? 89 ?? 39 ?? ?? 0F 8E }
- $block_94 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 }
- $block_95 = { 6A ?? 68 ?? ?? ?? ?? FF 7? ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_96 = { 80 3? ?? 8D ?? ?? 0F 44 ?? 85 ?? 8B ?? 8D ?? ?? 0F 4E ?? 8B ?? 85 ?? 7F }
- $block_97 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_98 = { 5? 8D ?? ?? 89 ?? ?? 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 0F 85 }
- $block_99 = { 8B ?? 8B ?? ?? 2B ?? 6A ?? 03 ?? E8 ?? ?? ?? ?? 89 ?? ?? 5? 85 ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "e1a3a012b332f0728e11f7bbb7429dece387a1244b3daaee6da6b4407c48caf7" or
- 12 of them
-}
-
-rule koadic {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8B ?? 83 ?? ?? 81 E? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 5? 5? 5? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF D? 8B ?? ?? ?? ?? ?? ?? 33 ?? 5? 5? 8D ?? ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 5? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? FF D? 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 89 ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 85 ?? 0F 89 }
- $block_1 = { C7 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 5? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 5? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 85 }
- $block_2 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? FF 5? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? FF 5? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 85 }
- $block_3 = { C7 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 5? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? FF 5? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 85 }
- $block_4 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 5? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 85 }
- $block_5 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_6 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 5? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 85 }
- $block_7 = { 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? FF 5? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 85 }
- $block_8 = { 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? FF 5? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 85 }
- $block_9 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "430cbf950f9cea3f77374145f488a104f4ab664edca448effacbf2f8ba01b901" or
- hash.sha256(0, filesize) == "7ea33696c91761e95697549e0b0f84db2cf4033216cd16c3264b10daa31f598c" or
- 10 of them
-}
-
-rule SedrecoDropper {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { FF B? ?? ?? ?? ?? 6A ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? 85 ?? 0F 84 }
- $block_1 = { 68 ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 5? FF D? 8B ?? 85 ?? 0F 84 }
- $block_2 = { 41 ?? ?? ?? 48 ?? ?? 44 ?? ?? 46 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 40 ?? ?? ?? 0F 1F }
- $block_3 = { 4C ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_4 = { 8D ?? ?? 5? 6A ?? 6A ?? FF 7? ?? FF 7? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_5 = { 8B ?? 33 ?? F7 ?? 33 ?? 85 ?? 0F 95 ?? 33 ?? 33 ?? 89 ?? ?? 4? 03 ?? 89 ?? ?? 3B }
- $block_6 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? 5? 6A ?? 6A ?? 5? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_7 = { 8B ?? 33 ?? F7 ?? ?? 33 ?? 85 ?? 0F 95 ?? 33 ?? 89 ?? ?? 33 ?? 8D ?? ?? ?? EB }
- $block_8 = { 4C ?? ?? ?? 41 ?? ?? ?? D1 ?? 49 ?? ?? ?? FF C? 8B ?? 8D ?? ?? 0F 1F }
- $block_9 = { 8D ?? ?? ?? ?? ?? 5? 5? 6A ?? 5? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_10 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_11 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_12 = { 4C ?? ?? ?? ?? 4C ?? ?? ?? ?? 03 ?? 0F 1F ?? 44 ?? ?? 75 }
- $block_13 = { 6A ?? 6A ?? 8D ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_14 = { 6A ?? 6A ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? ?? 0F 85 }
- $block_15 = { 33 ?? 83 ?? ?? 0F 9F ?? 4? 83 ?? ?? 83 ?? ?? 89 ?? ?? EB }
- $block_16 = { 45 ?? ?? ?? 46 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? 0F 1F }
- $block_17 = { 0F B6 ?? ?? 01 ?? ?? 0F B6 ?? 01 ?? ?? 83 ?? ?? 4? 75 }
- $block_18 = { 8D ?? ?? 4C ?? ?? ?? ?? 4C ?? ?? ?? ?? 03 ?? 0F 1F }
- $block_19 = { 8B ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_20 = { E8 ?? ?? ?? ?? 0F B6 ?? 03 ?? 88 ?? ?? FE ?? EB }
- $block_21 = { BF ?? ?? ?? ?? B8 ?? ?? ?? ?? 3B ?? 0F 4E ?? EB }
-
- condition:
- hash.sha256(0, filesize) == "378ef276eeaa4a29dab46d114710fc14ba0a9f964f6d949bcbc5ed3267579892" or
- hash.sha256(0, filesize) == "0d260a4ea865773a86b3fc0fe89df92c86289c0266b1dd5ab8e3174839cb94c2" or
- hash.sha256(0, filesize) == "fb3a3339e2ba82cb3dcdc43d0e49e7b8a26ced3a587f5ee15a256aee062e6e05" or
- hash.sha256(0, filesize) == "d403ded7c4acfffe8dc2a3ad8fb848f08388b4c3452104f6970835913d92166c" or
- hash.sha256(0, filesize) == "2c81023a146d2b5003d2b0c617ebf2eb1501dc6e55fc6326e834f05f5558c0ec" or
- 12 of them
-}
-
-rule Downdelph {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8B ?? 81 C? ?? ?? ?? ?? 5? 5? 33 ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 33 ?? 5? 68 ?? ?? ?? ?? 64 ?? ?? 64 ?? ?? 8B ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 33 ?? 5? 68 ?? ?? ?? ?? 64 ?? ?? 64 ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 8B ?? ?? E8 ?? ?? ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 33 ?? 5? 68 ?? ?? ?? ?? 64 ?? ?? 64 ?? ?? 83 ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 33 ?? 5? 68 ?? ?? ?? ?? 64 ?? ?? 64 ?? ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_1 = { 5? 8B ?? 5? 5? 8B ?? 5? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 33 ?? 6A ?? 4? 5? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 8B ?? ?? 8D ?? ?? ?? 5? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? F7 ?? 6A ?? 03 ?? 5? 5? E8 ?? ?? ?? ?? 5? FF 7? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 3B ?? 74 }
- $block_2 = { 5? 8D ?? ?? 33 ?? E8 ?? ?? ?? ?? 6A ?? 8D ?? ?? E8 ?? ?? ?? ?? 6A ?? 8D ?? ?? E8 ?? ?? ?? ?? 6A ?? 8B ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 8B ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_3 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 5? BE ?? ?? ?? ?? 8D ?? ?? A5 A5 A4 BE ?? ?? ?? ?? 8D ?? ?? A5 66 ?? 33 }
- $block_4 = { FF 7? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 33 ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? 66 ?? ?? ?? C6 ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_5 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 5? 5? BE ?? ?? ?? ?? 8D ?? ?? A5 A5 A4 BE ?? ?? ?? ?? 8D ?? ?? A5 66 ?? 33 }
- $block_6 = { 6A ?? 6A ?? FF 3? E8 ?? ?? ?? ?? FF 3? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_7 = { 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 8B ?? ?? 4? 89 ?? ?? ?? ?? ?? 0F 84 }
- $block_8 = { 0F BE ?? ?? ?? 6A ?? 99 5? F7 ?? 32 ?? ?? ?? 4? 88 ?? ?? ?? 83 ?? ?? 72 }
- $block_9 = { FF 7? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "522fd9b35323af55113455d823571f71332e53dde988c2eb41395cf6b0c15805" or
- hash.sha256(0, filesize) == "cfc60d5db3bfb4ec462d5e4bd5222f04d7383d2c1aec1dc2a23e3c74a166a93d" or
- hash.sha256(0, filesize) == "6ccc375923a00571dffca613a036f77a9fc1ee22d1fddffb90ab7adfbb6b75f1" or
- hash.sha256(0, filesize) == "3e23201e6c52470e73a92af2ded12e6a5d1ad39538f41e762ca1c4b8d93c6d8d" or
- hash.sha256(0, filesize) == "79a508ba42247ddf92accbf5987b1ffc7ba20cd11806d332979d8a8fe85abb04" or
- 10 of them
-}
-
-rule Coreshell {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 6A ?? 6A ?? 6A ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? 0F 84 }
- $block_1 = { A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0F AF ?? 69 ?? ?? ?? ?? ?? 2D ?? ?? ?? ?? 0F AF ?? 39 ?? 0F 84 }
- $block_2 = { 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_3 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_4 = { 8D ?? ?? ?? ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_5 = { 5? E8 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? 8D ?? ?? 5? 5? 89 ?? ?? FF 5? ?? 85 ?? 0F 85 }
- $block_6 = { 68 ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 5? FF D? 8B ?? 85 ?? 0F 84 }
- $block_7 = { FF B? ?? ?? ?? ?? 6A ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_8 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_9 = { 8B ?? ?? ?? ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_10 = { 8B ?? 33 ?? F7 ?? ?? ?? ?? ?? 33 ?? 85 ?? 0F 95 ?? 33 ?? 89 ?? ?? ?? ?? ?? 33 ?? 8D ?? ?? ?? EB }
- $block_11 = { 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_12 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_13 = { 8B ?? ?? ?? 8B ?? ?? ?? 5? 8D ?? ?? ?? 5? 5? 5? 6A ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_14 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 6A ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 3B ?? 89 ?? ?? ?? 0F 84 }
- $block_15 = { 8B ?? ?? ?? ?? ?? 0B ?? 83 ?? ?? 8A ?? ?? 8B ?? ?? 88 ?? ?? 8B ?? ?? 4? 4? 83 ?? ?? 0F 82 }
- $block_16 = { 8B ?? ?? ?? 8B ?? ?? ?? 5? 8D ?? ?? ?? 5? 5? 5? 6A ?? 5? 5? FF 1? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_17 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 8B ?? ?? ?? 4? 80 C? ?? 88 ?? ?? ?? 3B ?? ?? ?? 72 }
- $block_18 = { 5? 8B ?? 83 ?? ?? 5? 5? 5? C7 ?? ?? ?? ?? ?? ?? 0F 6E ?? ?? 0F 72 ?? ?? 0F 7E ?? ?? EB }
- $block_19 = { 8D ?? ?? ?? 8D ?? ?? ?? 5? 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF D? FF D? 85 ?? 0F 85 }
- $block_20 = { 6A ?? 8D ?? ?? ?? ?? ?? 5? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_21 = { B9 ?? ?? ?? ?? 33 ?? 8D ?? ?? ?? C6 ?? ?? ?? ?? F3 ?? 66 ?? AA 8B ?? ?? ?? 85 ?? 0F 84 }
- $block_22 = { B9 ?? ?? ?? ?? 33 ?? 8D ?? ?? ?? 88 ?? ?? ?? F3 ?? 66 ?? AA 8B ?? ?? ?? 3B ?? 0F 84 }
- $block_23 = { 5? 8B ?? 83 ?? ?? 8B ?? ?? 8B ?? ?? 5? 8B ?? 8B ?? 5? 33 ?? 5? 89 ?? ?? 3B ?? 0F 83 }
- $block_24 = { 5? 8B ?? 83 ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_25 = { 8D ?? ?? ?? 8D ?? ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_26 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 4? 83 ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 3B ?? 72 }
- $block_27 = { B8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 31 ?? F7 ?? 0F AF ?? 01 ?? 89 ?? ?? ?? ?? ?? E9 }
- $block_28 = { 8B ?? 33 ?? F7 ?? 33 ?? 85 ?? 0F 95 ?? 33 ?? 33 ?? 89 ?? ?? 4? 03 ?? 89 ?? ?? 3B }
- $block_29 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 4? 80 C? ?? FF 8? ?? ?? ?? ?? 88 ?? ?? 75 }
- $block_30 = { 8D ?? ?? 5? 6A ?? 6A ?? FF 7? ?? FF 7? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_31 = { 8B ?? 33 ?? F7 ?? ?? 33 ?? 5? 85 ?? 0F 95 ?? 33 ?? 89 ?? ?? 33 ?? 8D ?? ?? ?? EB }
- $block_32 = { 5? 8B ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F 6E ?? ?? 0F 72 ?? ?? 0F 7E ?? ?? EB }
- $block_33 = { FF 7? ?? 6A ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 89 ?? 85 ?? 0F 84 }
- $block_34 = { 8D ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 33 ?? 85 ?? 0F 98 ?? 8D ?? ?? ?? 8D ?? ?? 23 }
- $block_35 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 85 }
- $block_36 = { 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 5? 6A ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_37 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 6A ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 }
- $block_38 = { 8B ?? ?? ?? 33 ?? BE ?? ?? ?? ?? 89 ?? ?? ?? F7 ?? 3B ?? 89 ?? ?? ?? 0F 83 }
- $block_39 = { 0F B6 ?? ?? ?? D2 ?? 8A ?? ?? ?? D2 ?? 8B ?? ?? 0A ?? 8B ?? ?? FF 4? ?? 88 }
- $block_40 = { 8B ?? ?? 0F B6 ?? ?? 5? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 5? 85 ?? 5? 74 }
- $block_41 = { 8B ?? ?? ?? ?? ?? 9A ?? ?? ?? ?? ?? ?? 2F 9D FF D? FF D? 8B ?? 83 ?? ?? 75 }
- $block_42 = { 8B ?? ?? ?? ?? ?? 4? 15 ?? ?? ?? ?? A6 01 ?? ?? 3A ?? ?? ?? 9E FF D? FF D? }
- $block_43 = { 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? 85 ?? 0F 84 }
- $block_44 = { 8B ?? ?? 8D ?? ?? 5? 6A ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_45 = { 6A ?? 6A ?? 6A ?? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_46 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 4? 83 ?? ?? 66 ?? ?? ?? ?? 3B ?? 72 }
- $block_47 = { 8B ?? ?? ?? 4? 83 ?? ?? 3B ?? 89 ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 0F 82 }
- $block_48 = { FF 7? ?? E8 ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? C9 C2 }
- $block_49 = { 0F B6 ?? ?? 88 ?? ?? 8B ?? ?? 0F B6 ?? ?? 30 ?? ?? 8B ?? ?? 4? 3B ?? 7C }
- $block_50 = { 33 ?? 5? 85 ?? 5? 0F 94 ?? 5? 8B ?? ?? 33 ?? E8 ?? ?? ?? ?? 8B ?? 5? C3 }
- $block_51 = { 68 ?? ?? ?? ?? A4 A4 4? 3F DC ?? 15 ?? ?? ?? ?? 5? FF D? 8B ?? 3B ?? 75 }
- $block_52 = { 5? 8D ?? ?? ?? ?? ?? 5? 89 ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_53 = { 8B ?? ?? 33 ?? 85 ?? 5? 0F 94 ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? C2 }
- $block_54 = { 8D ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 33 ?? 85 ?? 0F 98 ?? 8D ?? ?? ?? 4? }
- $block_55 = { FF 7? ?? 6A ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 }
- $block_56 = { 8B ?? ?? ?? ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 66 ?? ?? ?? 0F 83 }
- $block_57 = { 6A ?? 8D ?? ?? 5? C7 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_58 = { 8B ?? 33 ?? B9 ?? ?? ?? ?? F7 ?? 8B ?? 83 ?? ?? 89 ?? ?? ?? 0F 83 }
- $block_59 = { 8B ?? 33 ?? BB ?? ?? ?? ?? F7 ?? 8B ?? 83 ?? ?? 89 ?? ?? ?? 0F 83 }
- $block_60 = { 8B ?? ?? ?? 8D ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 85 }
- $block_61 = { 80 6? ?? ?? 6A ?? 5? 33 ?? 8D ?? ?? 39 ?? ?? F3 ?? 66 ?? AA 0F 84 }
- $block_62 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 4? 80 C? ?? 4? 88 ?? ?? 75 }
- $block_63 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 89 ?? ?? ?? 0F 84 }
- $block_64 = { 6A ?? 6A ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_65 = { 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_66 = { FF 1? ?? ?? ?? ?? 33 ?? 85 ?? 0F 98 ?? 8D ?? ?? ?? 8D ?? ?? E9 }
- $block_67 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 83 ?? ?? 0F 84 }
- $block_68 = { 6A ?? 8D ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 39 ?? ?? 0F 84 }
- $block_69 = { FF 7? ?? E8 ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? C9 C2 }
- $block_70 = { 6A ?? 6A ?? 8D ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_71 = { 6A ?? 8D ?? ?? ?? 6A ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_72 = { 8D ?? ?? 5? 5? 6A ?? 5? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_73 = { C7 ?? ?? ?? ?? ?? ?? 0F 6E ?? ?? 0F 72 ?? ?? 0F 7E ?? ?? EB }
- $block_74 = { 5? 64 ?? ?? ?? ?? ?? 5? 5? 8B ?? ?? 8B ?? ?? AD 8B ?? ?? E9 }
- $block_75 = { 8B ?? ?? 03 ?? ?? 33 ?? B9 ?? ?? ?? ?? F7 ?? 39 ?? ?? 0F 83 }
- $block_76 = { FF 1? ?? ?? ?? ?? 0F B6 ?? ?? 03 ?? ?? 8B ?? ?? 88 ?? ?? EB }
- $block_77 = { 4? 83 ?? ?? 83 ?? ?? 3B ?? 89 ?? ?? ?? 89 ?? ?? ?? 0F 82 }
- $block_78 = { B0 ?? 8A ?? ?? ?? ?? ?? F6 ?? ?? 88 ?? ?? ?? ?? ?? 0F 85 }
- $block_79 = { 8B ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 85 }
- $block_80 = { FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? 39 ?? ?? 89 ?? ?? 0F 85 }
- $block_81 = { 6A ?? 6A ?? 8D ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_82 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? 81 3? ?? ?? ?? ?? 0F 85 }
- $block_83 = { 33 ?? 83 ?? ?? 0F 9F ?? 4? 83 ?? ?? 83 ?? ?? 89 ?? ?? EB }
- $block_84 = { 8B ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_85 = { 8B ?? ?? 2D ?? ?? ?? ?? 89 ?? ?? 3D ?? ?? ?? ?? 0F 87 }
- $block_86 = { 81 E? ?? ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 84 ?? 0F 85 }
- $block_87 = { 33 ?? 5? 85 ?? 5? 5? 0F 94 ?? 5? 81 C? ?? ?? ?? ?? C2 }
- $block_88 = { 83 ?? ?? ?? 4? 83 ?? ?? 89 ?? ?? 89 ?? ?? 3B ?? 0F 82 }
- $block_89 = { FF 1? ?? ?? ?? ?? 0F B6 ?? 03 ?? 88 ?? ?? FE ?? EB }
- $block_90 = { 8B ?? ?? 4? 83 ?? ?? 89 ?? ?? 89 ?? ?? 3B ?? 0F 82 }
- $block_91 = { 8B ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 85 }
- $block_92 = { 8B ?? ?? ?? ?? ?? 5? FF 9? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_93 = { 4? 83 ?? ?? 3B ?? 89 ?? ?? ?? 89 ?? ?? ?? 0F 82 }
- $block_94 = { 8B ?? ?? ?? ?? ?? 81 3? ?? ?? ?? ?? 0F 95 ?? 88 }
- $block_95 = { 8B ?? ?? ?? ?? ?? FF D? 3B ?? ?? ?? ?? ?? 0F 86 }
- $block_96 = { FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? C9 C2 }
- $block_97 = { E8 ?? ?? ?? ?? 0F B6 ?? 03 ?? 88 ?? ?? FE ?? EB }
- $block_98 = { 8B ?? ?? 83 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_99 = { BF ?? ?? ?? ?? B8 ?? ?? ?? ?? 3B ?? 0F 4E ?? EB }
-
- condition:
- hash.sha256(0, filesize) == "102b0158bcd5a8b64de44d9f765193dd80df1504e398ce52d37b7c8c33f2552a" or
- hash.sha256(0, filesize) == "eb5ab0c73b28d7b7c7e29411609b7686813f3bf629ec3a764bfdf2f9a19b5341" or
- hash.sha256(0, filesize) == "4f26e4178b078a4be3842e3b86bf5299c7f7ad386a226b4da5a2cca5c9129f6d" or
- hash.sha256(0, filesize) == "d5debe5d88e76a409b9bc3f69a02a7497d333934d66f6aaa30eb22e45b81a9ab" or
- hash.sha256(0, filesize) == "31a0906b0d8b07167129e134009dc307c2d92522da5709e52b67d3c5a70adf93" or
- hash.sha256(0, filesize) == "e6d09ce32cc62b6f17279204fac1771a6eb35077bb79471115e8dfed2c86cd75" or
- hash.sha256(0, filesize) == "744f2a1e1a62dff2a8d5bd273304a4d21ee37a3c9b0bdcffeeca50374bd10a39" or
- hash.sha256(0, filesize) == "1fa3e580eabfcf7ffc8f59d96ee0d6b4ab96a7a33ab73558e454d7ce79147c41" or
- hash.sha256(0, filesize) == "9392776d6d8e697468ab671b43dce2b7baf97057b53bd3517ecd77a081eff67d" or
- hash.sha256(0, filesize) == "d54173be095b688016528f18dc97f2d583efcf5ce562ec766afc0b294eb51ac7" or
- hash.sha256(0, filesize) == "423a0799efe41b28a8b765fa505699183c8278d5a7bf07658b3bd507bfa5346f" or
- hash.sha256(0, filesize) == "51dae85f5971dbdeb601c974350b80ec1104f304f08893d80e24a52279e1edc7" or
- hash.sha256(0, filesize) == "e917166adf6e1135444f327d8fff6ec6c6a8606d65dda4e24c2f416d23b69d45" or
- hash.sha256(0, filesize) == "1b5b7c0818ca68e7107ab18d89476314d854b02f0809f8c530fb4334a864c594" or
- hash.sha256(0, filesize) == "7695f20315f84bb1d940149b17dd58383210ea3498450b45fefa22a450e79683" or
- hash.sha256(0, filesize) == "22c3718bf7df29555098738f77c3139dae39dcdd34b39dab72df04ade4cffa7f" or
- hash.sha256(0, filesize) == "67ecc3b8c6057090c7982883e8d9d0389a8a8f6e8b00f9e9b73c45b008241322" or
- hash.sha256(0, filesize) == "29cc2e69f65b9ce5fe04eb9b65942b2dabf48e41770f0a49eb698271b99d2787" or
- hash.sha256(0, filesize) == "69e9fd2edc1b752117c1d864b18cfa0cca6443825d909ef483a3664f851f5bc8" or
- hash.sha256(0, filesize) == "03ed773bde6c6a1ac3b24bde6003322df8d41d3d1c85109b8669c430b58d2f69" or
- hash.sha256(0, filesize) == "0c7cdbfc5226c3b94b17f70f5a82da016c054fe12b050ee7f3c28db900ea98a5" or
- hash.sha256(0, filesize) == "5ac044cf6bab6ebfdda66f92d3b420f5f6d4629a535d80e43705ab55f3b03ea0" or
- hash.sha256(0, filesize) == "c8087186a215553d2f95c68c03398e17e67517553f6e9a8adc906faa51bce946" or
- hash.sha256(0, filesize) == "ce554d57333bdbccebb5e2e8d16a304947981e48ea2a5cc3d5f4ced7c1f56df3" or
- hash.sha256(0, filesize) == "dbfeaebd4e716bf6a0f2518b7edba3dda475f2de7ef70c3ff6399cfee2e47ec0" or
- hash.sha256(0, filesize) == "7edeedea096e890d59ed8435db6760dc7fa4d55f9d039fefd473ba1e43ba5838" or
- hash.sha256(0, filesize) == "f6d107a65479bb5e8a6d885739ae4c2dcc46e9b468e5d8f388dadfc7f57719fc" or
- hash.sha256(0, filesize) == "6cd30c85dd8a64ca529c6eab98a757fb326de639a39b597414d5340285ba91c6" or
- hash.sha256(0, filesize) == "d58f2a799552aff8358e9c63a4345ea971b27edd14b8eac825db30a8321d1a7a" or
- hash.sha256(0, filesize) == "7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965" or
- hash.sha256(0, filesize) == "4536650c9c5e5e1bb57d9bedf7f9a543d6f09addf857f0d802fb64e437b6844a" or
- hash.sha256(0, filesize) == "4af1736b26052d95cbd106ee1a667e2ce3346f78783f1231df19282a5e738348" or
- hash.sha256(0, filesize) == "1b3dd8aaafd750aa85185dc52672b26d67d662796847d7cbb01a35b565e74d35" or
- hash.sha256(0, filesize) == "4a9efdfa479c8092fefee182eb7d285de23340e29e6966f1a7302a76503799a2" or
- hash.sha256(0, filesize) == "1bab1a3e0e501d3c14652ecf60870e483ed4e90e500987c35489f17a44fef26c" or
- hash.sha256(0, filesize) == "966660738c9e3ec103c2f8fe361c8ac20647cacaa5153197fa1917e9da99082e" or
- 12 of them
-}
-
-rule SedrecoPayload {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8D ?? ?? 5? 6A ?? 68 ?? ?? ?? ?? 8B ?? ?? 5? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 85 ?? 0F 84 }
- $block_1 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 4D ?? ?? 0F 84 }
- $block_2 = { 8B ?? ?? ?? 83 ?? ?? 8B ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 74 }
- $block_3 = { 33 ?? 33 ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 48 ?? ?? ?? ?? 0F 9C ?? 89 }
- $block_4 = { 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF D? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_5 = { A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 8B ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_6 = { 8D ?? ?? ?? ?? ?? 5? 5? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_7 = { 48 ?? ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 85 ?? 48 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_8 = { 48 ?? ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_9 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_10 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_11 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_12 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 45 ?? ?? 45 ?? ?? 48 ?? ?? FF 9? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_13 = { 8D ?? ?? 8B ?? ?? 03 ?? 8B ?? ?? 89 ?? ?? 0F B6 ?? ?? ?? 89 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_14 = { 8D ?? ?? ?? ?? ?? 5? A1 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 85 ?? 0F 84 }
- $block_15 = { 68 ?? ?? ?? ?? FF 3? ?? ?? ?? ?? FF D? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_16 = { 8D ?? ?? C1 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 86 }
- $block_17 = { 41 ?? ?? ?? ?? ?? 44 ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? 4D ?? ?? 44 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_18 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 33 ?? FF 9? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 }
- $block_19 = { 8B ?? ?? ?? 8B ?? ?? ?? 03 ?? 8B ?? 33 ?? B9 ?? ?? ?? ?? F7 ?? 8B ?? 39 ?? ?? ?? 0F 83 }
- $block_20 = { 4C ?? ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? 0F 84 }
- $block_21 = { C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 68 ?? ?? ?? ?? FF D? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_22 = { 6A ?? 6A ?? 8D ?? ?? 5? 6A ?? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 83 ?? ?? 0F 84 }
- $block_23 = { 8B ?? ?? 5? 6A ?? 8B ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 89 ?? 85 ?? 0F 84 }
- $block_24 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 6A ?? 6A ?? 8D ?? ?? ?? 5? 5? FF D? 85 ?? 0F 84 }
- $block_25 = { 8D ?? ?? 5? 5? 6A ?? 5? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 83 ?? ?? 0F 85 }
- $block_26 = { 5? 8D ?? ?? ?? 5? 5? 8D ?? ?? ?? 68 ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_27 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? BE ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_28 = { 8D ?? ?? ?? ?? ?? 5? 5? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_29 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_30 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 8B ?? ?? ?? 03 ?? ?? ?? 3B ?? ?? ?? ?? ?? ?? 0F 87 }
- $block_31 = { 8B ?? ?? ?? ?? ?? 5? A1 ?? ?? ?? ?? 8B ?? ?? 6A ?? 5? FF D? 8B ?? 83 ?? ?? 0F 84 }
- $block_32 = { 6A ?? 6A ?? 8D ?? ?? ?? 5? A1 ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? FF D? 85 ?? 0F 84 }
- $block_33 = { 8D ?? ?? 5? 5? 6A ?? 5? 5? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 83 ?? ?? 0F 85 }
- $block_34 = { 0F 57 ?? 5? 8B ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_35 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? 85 ?? 0F 84 }
- $block_36 = { A1 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF D? 8B ?? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_37 = { 5? A1 ?? ?? ?? ?? 6A ?? FF 3? ?? ?? ?? ?? 8B ?? ?? FF D? 8B ?? 83 ?? ?? 0F 84 }
- $block_38 = { FF 7? ?? 6A ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 89 ?? 85 ?? 0F 84 }
- $block_39 = { 8B ?? ?? ?? 8B ?? ?? ?? 03 ?? 8B ?? 33 ?? B9 ?? ?? ?? ?? F7 ?? 39 ?? ?? 0F 83 }
- $block_40 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 8B ?? A1 ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_41 = { 0F B7 ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 5? 5? 5? C3 }
- $block_42 = { 8B ?? ?? ?? 4? 8A ?? 4? 88 ?? ?? ?? 8A ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F 85 }
- $block_43 = { A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 0F B6 ?? 03 ?? 88 ?? ?? FE ?? EB }
- $block_44 = { 8B ?? ?? ?? ?? ?? 4? 83 ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? 0F 82 }
- $block_45 = { A1 ?? ?? ?? ?? 8B ?? ?? 68 ?? ?? ?? ?? FF D? A1 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_46 = { A1 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B ?? ?? FF D? A1 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_47 = { 5? 8B ?? 83 ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? 5? C7 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_48 = { 33 ?? 8B ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_49 = { A1 ?? ?? ?? ?? 6A ?? 8B ?? ?? ?? ?? ?? 6A ?? 6A ?? 5? FF D? 85 ?? 0F 84 }
- $block_50 = { 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 0F B6 ?? 03 ?? 88 ?? ?? FE ?? EB }
- $block_51 = { 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_52 = { 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 03 ?? 8B ?? 3B ?? ?? ?? ?? ?? ?? 0F 83 }
- $block_53 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? 0F 86 }
- $block_54 = { BF ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_55 = { 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 84 }
- $block_56 = { 0F B6 ?? ?? ?? C6 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 }
- $block_57 = { 33 ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 5? ?? 85 ?? 0F 84 }
- $block_58 = { 83 ?? ?? ?? 8B ?? ?? 4? 83 ?? ?? 89 ?? ?? 89 ?? ?? 3B ?? ?? 0F 82 }
- $block_59 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? FF 5? ?? 83 ?? ?? 0F 85 }
- $block_60 = { 48 ?? ?? ?? ?? 8D ?? ?? 48 ?? ?? 8D ?? ?? 0F B6 ?? ?? 40 ?? ?? 74 }
- $block_61 = { 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_62 = { 8D ?? ?? 8B ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? C6 ?? ?? ?? 3B ?? 0F 86 }
- $block_63 = { 83 ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_64 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_65 = { 8B ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 84 }
- $block_66 = { 44 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_67 = { 8B ?? ?? 0F B6 ?? ?? ?? 03 ?? 01 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_68 = { 8B ?? ?? A1 ?? ?? ?? ?? 8B ?? ?? 5? 5? FF D? 83 ?? ?? 0F 85 }
- $block_69 = { 83 ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_70 = { 4C ?? ?? 8D ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_71 = { 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_72 = { 4? 8B ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? ?? 0F 83 }
- $block_73 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 8D ?? ?? ?? 29 ?? ?? 0F 88 }
- $block_74 = { B9 ?? ?? ?? ?? 01 ?? ?? 29 ?? ?? 4? 89 ?? ?? 3B ?? 0F 82 }
- $block_75 = { FF 7? ?? A1 ?? ?? ?? ?? 5? 8B ?? ?? FF D? 83 ?? ?? 0F 85 }
- $block_76 = { FF 1? ?? ?? ?? ?? 33 ?? 89 ?? ?? ?? 3D ?? ?? ?? ?? 0F 85 }
- $block_77 = { 0F B6 ?? ?? 01 ?? ?? 0F B6 ?? 01 ?? ?? 83 ?? ?? 4? 75 }
- $block_78 = { 8B ?? ?? 8D ?? ?? 03 ?? 2B ?? 89 ?? ?? 83 ?? ?? 0F 83 }
- $block_79 = { 8D ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 83 }
- $block_80 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 0F 84 }
- $block_81 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 1F }
- $block_82 = { A1 ?? ?? ?? ?? 8B ?? ?? FF D? 3D ?? ?? ?? ?? 0F 85 }
- $block_83 = { 8B ?? ?? 8A ?? ?? ?? 0F B6 ?? 8D ?? ?? 83 ?? ?? 77 }
- $block_84 = { 48 ?? ?? ?? ?? ?? ?? FF 5? ?? 3D ?? ?? ?? ?? 0F 85 }
- $block_85 = { 0F B7 ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 03 ?? 8B ?? 66 }
- $block_86 = { 8B ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 89 }
- $block_87 = { 0F B6 ?? ?? 03 ?? 0F B6 ?? 03 ?? 83 ?? ?? 4? 75 }
- $block_88 = { 8D ?? ?? 81 F? ?? ?? ?? ?? B8 ?? ?? ?? ?? 0F 44 }
- $block_89 = { 0F B6 ?? ?? 03 ?? 0F B6 ?? 03 ?? 8D ?? ?? 4? 75 }
- $block_90 = { 89 ?? ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? ?? 0F 83 }
- $block_91 = { 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 8D }
- $block_92 = { 8D ?? ?? ?? 41 ?? ?? 03 ?? 2B ?? 83 ?? ?? 0F 83 }
- $block_93 = { 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 83 }
- $block_94 = { 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 87 }
-
- condition:
- hash.sha256(0, filesize) == "19d05f9a5eacb4acd748cfbf7640b842fd6ed1f4f25dc5bbe592e0e802f7ab0f" or
- hash.sha256(0, filesize) == "69a49e535d635b55efdc1c0e5e923891832089ab1fec0ea406f4798605e42ef1" or
- hash.sha256(0, filesize) == "02be8ba0c1d64099f0529dab3251ee6e5602493085e54abe739659abc2ea050c" or
- hash.sha256(0, filesize) == "3580a48e47119fd36913b0108cce9b20a1adf0a2458c2b33f0d9a7df1fe140ef" or
- hash.sha256(0, filesize) == "a939510f362c50cafee4d5a8d6c7db555a819e78e9f7614a243f6adc59190745" or
- hash.sha256(0, filesize) == "a64340b35668f375a321cb7ee0e027391d875f64cf4f3780c83fb4e84a43c8f9" or
- hash.sha256(0, filesize) == "74c404cfc6e8c752635b4d8a0488d0fb6801c7096fa5c1173660da0b05f44f9e" or
- hash.sha256(0, filesize) == "c808c38fd8157e3e0fadadd6a1748e302bd0e69429697625f53ad692c539b241" or
- hash.sha256(0, filesize) == "43e0f9b4cb9186ededff44a79db89627ce1be2fcd0d96d727aca525a0736efc9" or
- hash.sha256(0, filesize) == "baaf5fa70b68ec9c1847d8784227e0f2dcf48d02a203f7cbffc113f4cec0f006" or
- hash.sha256(0, filesize) == "ba1c02aa6c12794a33c4742e62cbda3c17def08732f3fbaeb801f1806770b9a0" or
- hash.sha256(0, filesize) == "9a508287e3089d1d838271c9f19e659ea2d4b0a47de7faa7ad09191a758de862" or
- hash.sha256(0, filesize) == "0260ed46bdf7d903ac06292a39568040fed63f4aae0a723216e53a2b29730052" or
- hash.sha256(0, filesize) == "37bf2c811842972314956434449fd294e793b43c1a7b37cfe41af4fcc07d329d" or
- hash.sha256(0, filesize) == "11097a7a3336e0ab124fa921b94e3d51c4e9e4424e140e96127bfcf1c10ef110" or
- hash.sha256(0, filesize) == "a9dc96d45702538c2086a749ba2fb467ba8d8b603e513bdef62a024dfeb124cb" or
- 12 of them
-}
-
-rule SeduploaderPayload {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8B ?? 83 ?? ?? 5? 5? 33 ?? 5? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_1 = { 5? 8B ?? 83 ?? ?? 5? 8D ?? ?? 33 ?? 5? 68 ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 }
- $block_2 = { 5? 8B ?? 83 ?? ?? 83 ?? ?? ?? 8D ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 }
- $block_3 = { 5? 33 ?? 6A ?? 5? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 5? 85 ?? 75 }
- $block_4 = { 5? 8B ?? 83 ?? ?? 5? 5? 5? 8B ?? ?? 8B ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 }
- $block_5 = { FF 7? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 33 ?? 4? 85 ?? 5? 0F 45 ?? E8 ?? ?? ?? ?? 83 }
- $block_6 = { 8B ?? 83 ?? ?? 89 ?? 33 ?? 39 ?? 0F 45 ?? 03 ?? 89 ?? ?? 8D ?? ?? 3B ?? 72 }
- $block_7 = { 8D ?? ?? 89 ?? ?? 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_8 = { 5? 5? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_9 = { 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 }
- $block_10 = { 5? 83 ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 }
- $block_11 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? 5? 33 ?? 8B ?? 85 ?? 0F 84 }
- $block_12 = { 85 ?? 89 ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F 44 }
-
- condition:
- hash.sha256(0, filesize) == "de660457cab011deedf4c1a142021b8702ab94ce71dc5e0c75300253e7db3ee0" or
- 12 of them
-}
-
-rule CarbonDropper_v3_71_ {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? A1 ?? ?? ?? ?? 88 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 8A ?? ?? ?? ?? ?? 5? 89 ?? ?? 66 ?? ?? ?? ?? ?? 89 ?? ?? 0F B6 ?? ?? ?? ?? ?? 88 ?? ?? 8B ?? ?? ?? ?? ?? 5? 66 ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 5? 89 ?? ?? 8B ?? ?? ?? ?? ?? 88 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? A1 ?? ?? ?? ?? 68 ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 66 ?? ?? ?? ?? ?? ?? 89 ?? ?? 33 ?? 8D ?? ?? ?? ?? ?? 5? 5? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? C6 ?? ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 66 ?? ?? ?? 88 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 6A ?? 6A ?? 5? 5? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 5? 5? 6A ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 84 ?? 74 }
- $block_1 = { 5? 8B ?? 83 ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 5? 33 ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? C6 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? C6 ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 33 ?? 89 ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 5? 6A ?? 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_2 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 5? 5? 33 ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 88 ?? ?? E8 ?? ?? ?? ?? 33 ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 33 ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 33 ?? 83 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 39 ?? ?? 0F 84 }
- $block_3 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 5? 5? 5? 33 ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? C6 ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_4 = { 0F B7 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 8D ?? ?? 68 ?? ?? ?? ?? 5? FF D? 83 ?? ?? 6A ?? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_5 = { FF 1? ?? ?? ?? ?? 83 ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? FF D? 83 ?? ?? 8B ?? 68 ?? ?? ?? ?? 89 ?? ?? ?? FF D? 83 ?? ?? 89 ?? ?? ?? 3B ?? 0F 84 }
- $block_6 = { 5? 6A ?? FF D? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 5? 6A ?? FF D? 5? FF D? 8B ?? ?? 5? 6A ?? 8B ?? FF D? 5? FF D? 89 ?? ?? 8B ?? ?? 5? 6A ?? FF D? 5? FF D? 85 ?? 0F 84 }
- $block_7 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 5? 6A ?? 6A ?? 5? 89 ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 }
- $block_8 = { 8B ?? ?? ?? 8B ?? ?? ?? 5? 5? 6A ?? 6A ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_9 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? 85 ?? 0F 85 }
-
- condition:
- hash.sha256(0, filesize) == "3b8bd0a0c6069f2d27d759340721b78fd289f92e0a13965262fea4e8907af122" or
- 10 of them
-}
-
-rule Mosquito {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 33 ?? 8D ?? ?? ?? BA ?? ?? ?? ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 76 }
- $block_1 = { 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 5? 68 ?? ?? ?? ?? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 3B ?? 0F 8C }
- $block_2 = { 8B ?? 89 ?? ?? 8D ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_3 = { E8 ?? ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? 83 ?? ?? 5? 8B ?? ?? ?? 5? FF D? 85 ?? 0F 84 }
- $block_4 = { C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 85 }
- $block_5 = { 8B ?? ?? 8B ?? 8B ?? ?? 8D ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? 5? FF D? 8B ?? ?? ?? 85 ?? 0F 85 }
- $block_6 = { 8D ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? 8B ?? 8B ?? ?? 5? FF D? 8B ?? ?? ?? 85 ?? 0F 85 }
- $block_7 = { 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 85 }
- $block_8 = { 2B ?? D1 ?? 5? 8D ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 3B ?? 0F 86 }
- $block_9 = { 8B ?? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 6A ?? 6A ?? 5? 8B ?? ?? FF D? 83 ?? ?? ?? ?? 0F 84 }
- $block_10 = { 8D ?? ?? ?? 5? BB ?? ?? ?? ?? 8B ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 }
- $block_11 = { 8B ?? ?? ?? 33 ?? 33 ?? C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_12 = { 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 5? 5? 6A ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_13 = { 5? 68 ?? ?? ?? ?? FF D? FF 1? ?? ?? ?? ?? 33 ?? 83 ?? ?? 0F 95 ?? 8B ?? 3B ?? 74 }
- $block_14 = { 2B ?? ?? B8 ?? ?? ?? ?? F7 ?? 03 ?? C1 ?? ?? 8B ?? C1 ?? ?? 03 ?? 83 ?? ?? 0F 83 }
- $block_15 = { 8D ?? ?? ?? 5? 8B ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 }
- $block_16 = { 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? 85 ?? 0F 84 }
- $block_17 = { 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 85 }
- $block_18 = { 8D ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? 3B ?? 0F 84 }
- $block_19 = { 8B ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 88 ?? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_20 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_21 = { 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_22 = { 5? 5? 5? 6A ?? 5? 5? 5? 6A ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 8C }
- $block_23 = { E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 85 }
- $block_24 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_25 = { 8B ?? ?? 8B ?? 8B ?? ?? FF D? 8B ?? ?? 2B ?? 83 ?? ?? 0F 82 }
- $block_26 = { 2B ?? D1 ?? B9 ?? ?? ?? ?? 2B ?? 8B ?? ?? ?? 3B ?? 0F 87 }
- $block_27 = { 83 ?? ?? 89 ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 87 }
- $block_28 = { 33 ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_29 = { 8B ?? ?? ?? FF 4? ?? ?? 01 ?? 03 ?? 3B ?? ?? 0F 83 }
- $block_30 = { 0F B7 ?? 66 ?? ?? 83 ?? ?? 83 ?? ?? 66 ?? ?? 75 }
- $block_31 = { 0F B7 ?? B9 ?? ?? ?? ?? 83 ?? ?? 66 ?? ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "b4249f6af24ea89976f3f7d9e3a605ccfbfe768069891f62c48df950d9212093" or
- hash.sha256(0, filesize) == "a2af1e9af48c4fa52a52ffba734ffeaa46c17d7320137d51dbd15539cc4cef8b" or
- hash.sha256(0, filesize) == "443cd03b37fca8a5df1bbaa6320649b441ca50d1c1fcc4f5a7b94b95040c73d1" or
- hash.sha256(0, filesize) == "62209d2f0ceeff20534292d5a58ed532c960579b75927321f4f7c7e7079dd06a" or
- hash.sha256(0, filesize) == "a41a80cd7a485e5bcb038b0170e70a25040c71a41dad4bc2c8f3915fbcbeac0c" or
- hash.sha256(0, filesize) == "555efee854fd1ffe71bc6130ec51995f89ceb93b9ee0e6e22d9c911d0adf7699" or
- hash.sha256(0, filesize) == "f9b83eff6d705c214993be9575f8990aa8150128a815e849c6faee90df14a0ea" or
- hash.sha256(0, filesize) == "2bc291368b3819de13a3aa8365f22de94acebf2f93133c38bfdade770c9d8f1e" or
- hash.sha256(0, filesize) == "bdcc7e900f10986cdb6dc7762de35b4f07f2ee153a341bef843b866e999d73a3" or
- 12 of them
-}
-
-rule CarbonLoader_v3_77_ {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 40 ?? 5? 5? 41 ?? 41 ?? 41 ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 45 ?? ?? 4C ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? 33 ?? 41 ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? 41 ?? ?? 45 ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 33 ?? 41 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 33 ?? 41 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 89 ?? ?? ?? 4D ?? ?? 0F 84 }
- $block_1 = { 8B ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF C? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 48 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 45 ?? ?? 45 ?? ?? 33 ?? 33 ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_2 = { 44 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_3 = { 40 ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 33 ?? 33 ?? 41 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 33 ?? 41 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_4 = { 33 ?? 48 ?? ?? ?? 48 ?? ?? 66 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 74 }
- $block_5 = { 33 ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 66 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 8B ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? FF 1? ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? ?? 0F 84 }
- $block_6 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 45 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_7 = { 4C ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_8 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_9 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? 33 ?? 48 ?? ?? 66 ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a" or
- 10 of them
-}
-
-rule CarbonLoader_v3_71_ {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 40 ?? 5? 5? 41 ?? 41 ?? 41 ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 45 ?? ?? 4C ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? 33 ?? 41 ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? 41 ?? ?? 45 ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 33 ?? 41 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 33 ?? 41 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 89 ?? ?? ?? 4D ?? ?? 0F 84 }
- $block_1 = { 44 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_2 = { 40 ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 33 ?? 33 ?? 41 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 33 ?? 41 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_3 = { 33 ?? 48 ?? ?? ?? 48 ?? ?? 66 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 74 }
- $block_4 = { 33 ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 66 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 8B ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? FF 1? ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? ?? 0F 84 }
- $block_5 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 45 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_6 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_7 = { 4C ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_8 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? 33 ?? 48 ?? ?? 66 ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_9 = { 0F B7 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? 75 }
-
- condition:
- hash.sha256(0, filesize) == "31b176b9906211c14ee5b9cff4c56f71866ec47d7f7c783aeb31692168d66566" or
- hash.sha256(0, filesize) == "1a488c6824bd39f3568346b2aaf3f6666f41b1d4961a2d77360c7c65c7978b5e" or
- hash.sha256(0, filesize) == "02f9501cb01b375e752a9cc4aa5ee084a504944bdc853e1bdfc860dd76e0d198" or
- hash.sha256(0, filesize) == "ba9a87ba0ad1a4f4e81583a1449b20bf703cdbee6b1a639c13f4cbcd1b9eb57f" or
- 10 of them
-}
-
-rule UroburosVirtualBoxDriver {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 48 ?? ?? ?? 3B ?? 0F 46 ?? 85 ?? 74 }
- $block_1 = { 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 49 ?? ?? ?? 48 ?? ?? 0F 85 }
- $block_2 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 4D ?? ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F 84 }
- $block_3 = { 8B ?? 48 ?? ?? ?? ?? 41 ?? ?? C1 ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 8B ?? 0F 88 }
- $block_4 = { 45 ?? ?? ?? 45 ?? ?? ?? 65 ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? 33 ?? 0F B6 ?? 3B ?? 74 }
- $block_5 = { 48 ?? ?? 49 ?? ?? ?? 4D ?? ?? ?? 45 ?? ?? ?? E8 ?? ?? ?? ?? 49 ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_6 = { B8 ?? ?? ?? ?? 0F A2 3D ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 72 }
- $block_7 = { B8 ?? ?? ?? ?? 0F A2 0F BA ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 72 }
- $block_8 = { 48 ?? ?? ?? ?? C1 ?? ?? 41 ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 8B ?? 0F 88 }
- $block_9 = { 8B ?? B8 ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 44 ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 5? C3 }
- $block_10 = { 48 ?? ?? ?? ?? 8B ?? 41 ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 8B ?? 0F 88 }
- $block_11 = { 49 ?? ?? ?? 49 ?? ?? ?? 45 ?? ?? 48 ?? ?? 4D ?? ?? ?? 4C ?? ?? 48 ?? ?? 0F 84 }
- $block_12 = { 33 ?? 0F A2 83 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 72 }
- $block_13 = { 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? B8 ?? ?? ?? ?? 85 ?? 0F 49 }
- $block_14 = { B9 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_15 = { 4C ?? ?? ?? 48 ?? ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 85 }
- $block_16 = { 40 ?? 5? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_17 = { 8B ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 0F 92 ?? 84 ?? 0F 84 }
- $block_18 = { 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_19 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 49 ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_20 = { 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 8B ?? 0F 88 }
-
- condition:
- hash.sha256(0, filesize) == "cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986" or
- 12 of them
-}
-
-rule CarbonCommunicationLibrary_v3_62_ {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? ?? 0F 8C }
- $block_1 = { 8B ?? 48 ?? ?? ?? ?? ?? ?? 8D ?? ?? 4C ?? ?? 4C ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_2 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 33 ?? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 84 }
- $block_3 = { 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 84 ?? 0F 84 }
- $block_4 = { 5? 68 ?? ?? ?? ?? 6A ?? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 0F 84 }
- $block_5 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 45 ?? ?? 41 ?? ?? 0F 85 }
- $block_6 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 75 }
- $block_7 = { 48 ?? ?? ?? ?? ?? ?? 4D ?? ?? 41 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_8 = { 41 ?? ?? 41 ?? ?? 41 ?? ?? 41 ?? ?? 3B ?? 0F 4C ?? 41 ?? ?? 2B ?? 83 ?? ?? 85 ?? 48 ?? ?? 7E }
- $block_9 = { 41 ?? ?? 44 ?? ?? 41 ?? ?? 45 ?? ?? 41 ?? ?? 41 ?? ?? 0F 4C ?? 8B ?? 2B ?? 85 ?? 48 ?? ?? 7E }
- $block_10 = { 44 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 45 ?? ?? 44 ?? ?? 48 ?? ?? ?? ?? 0F 85 }
- $block_11 = { 48 ?? ?? ?? ?? 5? 5? 5? 41 ?? 41 ?? 41 ?? 41 ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? 83 ?? ?? 0F 8E }
- $block_12 = { 48 ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 40 ?? ?? ?? 85 ?? 0F 44 ?? 40 ?? ?? 74 }
- $block_13 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 40 ?? ?? 0F 84 }
- $block_14 = { FF 7? ?? FF 1? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 5? 5? 0F 85 }
- $block_15 = { FF 7? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 39 ?? ?? 0F 84 }
- $block_16 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 86 }
- $block_17 = { 89 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 99 83 ?? ?? 03 ?? 83 ?? ?? 2B ?? 49 ?? ?? 8D ?? ?? ?? 75 }
- $block_18 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 85 }
- $block_19 = { 8B ?? 33 ?? 45 ?? ?? 21 ?? ?? ?? 99 45 ?? ?? 45 ?? ?? 4D ?? ?? 41 ?? ?? 85 ?? 4C ?? ?? 7E }
- $block_20 = { 8B ?? 99 F7 ?? 83 ?? ?? ?? 8A ?? 83 ?? ?? ?? 33 ?? 4? 89 ?? ?? 88 ?? ?? 85 ?? 89 ?? ?? 7E }
- $block_21 = { 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? BA ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_22 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 33 ?? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_23 = { 44 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 41 ?? ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_24 = { 8B ?? ?? ?? ?? ?? 48 ?? ?? ?? 8D ?? ?? 41 ?? ?? ?? 3B ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 8C }
- $block_25 = { 44 ?? ?? 4C ?? ?? 33 ?? 48 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_26 = { 4C ?? ?? ?? ?? ?? ?? 33 ?? 8B ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_27 = { 48 ?? ?? B8 ?? ?? ?? ?? 83 ?? ?? ?? 0F 45 ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 83 }
- $block_28 = { 44 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? 0F B6 ?? ?? 2B ?? ?? ?? ?? ?? ?? 75 }
- $block_29 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 33 ?? 44 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_30 = { 8B ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? ?? 99 2B ?? 83 ?? ?? F7 ?? 8D ?? ?? EB }
- $block_31 = { 5? FF 7? ?? E8 ?? ?? ?? ?? 5? 4? 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 85 }
- $block_32 = { 45 ?? ?? 49 ?? ?? 45 ?? ?? 49 ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? 0F 8E }
- $block_33 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 33 ?? 8B ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 84 }
- $block_34 = { 41 ?? ?? 48 ?? ?? 41 ?? ?? 3B ?? 0F 4C ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 74 }
- $block_35 = { 49 ?? ?? 8B ?? 48 ?? ?? ?? 83 ?? ?? 0F A3 ?? ?? 41 ?? ?? 44 ?? ?? ?? 41 ?? ?? 79 }
- $block_36 = { 48 ?? ?? ?? 45 ?? ?? 41 ?? ?? ?? ?? ?? 49 ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_37 = { 4C ?? ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 84 }
- $block_38 = { 8B ?? ?? 89 ?? ?? 2B ?? ?? 03 ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 5? 89 ?? ?? 0F 84 }
- $block_39 = { 0F B6 ?? 23 ?? ?? 8B ?? ?? D3 ?? 8B ?? ?? D2 ?? 08 ?? ?? FF 4? ?? 83 ?? ?? ?? 7C }
- $block_40 = { 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? FF D? 85 ?? 5? 5? 0F 84 }
- $block_41 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F B6 }
- $block_42 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 45 ?? ?? FF 1? ?? ?? ?? ?? 41 ?? ?? 0F 85 }
- $block_43 = { 5? FF 1? ?? ?? ?? ?? 5? 5? 5? 89 ?? ?? ?? FF D? 3B ?? 5? 5? 89 ?? ?? ?? 0F 84 }
- $block_44 = { FF 4? ?? 81 6? ?? ?? ?? ?? ?? FF 4? ?? 29 ?? ?? 4? 83 ?? ?? ?? 89 ?? ?? 0F 8F }
- $block_45 = { 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 0F 84 }
- $block_46 = { 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 49 ?? ?? 45 ?? ?? 41 ?? ?? 48 ?? ?? 0F 84 }
- $block_47 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 39 ?? ?? 0F 8F }
- $block_48 = { 8B ?? ?? 33 ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 3B ?? 89 ?? ?? 89 ?? ?? 0F 8E }
- $block_49 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 5? 5? 33 ?? 33 ?? 3B ?? 89 ?? ?? 0F 84 }
- $block_50 = { FF 7? ?? 6A ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 3B ?? 89 ?? ?? 0F 84 }
- $block_51 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 72 }
- $block_52 = { 8B ?? ?? ?? ?? ?? ?? 45 ?? ?? 41 ?? ?? 69 ?? ?? ?? ?? ?? 3B ?? 0F 87 }
- $block_53 = { 83 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 87 }
- $block_54 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_55 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 85 ?? 8B ?? 0F 85 }
- $block_56 = { 8B ?? 99 F7 ?? ?? 33 ?? 89 ?? ?? 88 ?? ?? 89 ?? ?? 3B ?? 89 ?? ?? 7E }
- $block_57 = { 8B ?? 99 B9 ?? ?? ?? ?? F7 ?? 8B ?? ?? ?? 8B ?? 2B ?? 89 ?? ?? ?? EB }
- $block_58 = { 48 ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_59 = { 48 ?? ?? ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 33 ?? 48 ?? ?? 0F 84 }
- $block_60 = { 48 ?? ?? ?? ?? 83 ?? ?? 48 ?? ?? ?? ?? 0F 93 ?? 48 ?? ?? ?? 5? C3 }
- $block_61 = { C6 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 66 ?? ?? ?? ?? 48 ?? ?? ?? 75 }
- $block_62 = { 8B ?? ?? 03 ?? ?? 5? 99 2B ?? 5? 8B ?? ?? 8B ?? D1 ?? 3B ?? 5? 7D }
- $block_63 = { 5? 8B ?? 83 ?? ?? 5? 33 ?? 5? 8B ?? ?? 39 ?? 89 ?? 89 ?? ?? 0F 84 }
- $block_64 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 33 ?? 39 ?? 5? 89 ?? 89 ?? ?? 0F 84 }
- $block_65 = { 5? FF 1? ?? ?? ?? ?? 5? 5? 5? 89 ?? ?? ?? FF D? 85 ?? 5? 5? 0F 84 }
- $block_66 = { 0F B7 ?? ?? ?? 5? FF 7? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 5? 5? 74 }
- $block_67 = { 8B ?? ?? 83 ?? ?? 5? 8B ?? ?? 03 ?? E8 ?? ?? ?? ?? 85 ?? 5? 0F 84 }
- $block_68 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 85 }
- $block_69 = { 8B ?? ?? ?? 41 ?? ?? ?? ?? 0F BA ?? ?? 83 ?? ?? 41 ?? ?? 0F 8E }
- $block_70 = { 48 ?? ?? ?? ?? 45 ?? ?? 45 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_71 = { 48 ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 0F 8F }
- $block_72 = { 8B ?? 85 ?? 0F 44 ?? C1 ?? ?? 89 ?? ?? 48 ?? ?? ?? 48 ?? ?? 75 }
- $block_73 = { 5? FF 1? ?? ?? ?? ?? 5? 5? 5? 89 ?? ?? FF D? 3B ?? 5? 5? 0F 84 }
- $block_74 = { 8B ?? ?? ?? ?? ?? 33 ?? 3B ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 0F 8E }
- $block_75 = { 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 2B ?? 4? 99 F7 ?? 8B ?? 03 ?? EB }
- $block_76 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 5? FF 1? ?? ?? ?? ?? EB }
- $block_77 = { 8B ?? ?? ?? 45 ?? ?? 41 ?? ?? 69 ?? ?? ?? ?? ?? 3B ?? 0F 87 }
- $block_78 = { 8B ?? ?? 0F B6 ?? ?? 8D ?? ?? ?? ?? ?? ?? FF 0? 4? 3B ?? 7C }
- $block_79 = { FF 3? ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 85 ?? 5? 5? 0F 85 }
- $block_80 = { FF 7? ?? 6A ?? FF 3? ?? ?? ?? ?? FF D? 3B ?? 89 ?? ?? 0F 84 }
- $block_81 = { 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 5? 5? 0F 85 }
- $block_82 = { 49 ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 85 }
- $block_83 = { 49 ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 84 }
- $block_84 = { B9 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_85 = { 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 4C ?? ?? 0F 85 }
- $block_86 = { 8B ?? ?? ?? ?? ?? ?? 99 83 ?? ?? 33 ?? 2B ?? 83 ?? ?? 75 }
- $block_87 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_88 = { 5? 5? FF 3? ?? ?? ?? ?? FF D? 3B ?? A3 ?? ?? ?? ?? 0F 84 }
- $block_89 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 8B ?? ?? 2B ?? 2B }
- $block_90 = { 45 ?? ?? 48 ?? ?? 48 ?? ?? 41 ?? ?? 85 ?? 8B ?? 0F 85 }
- $block_91 = { 44 ?? ?? 48 ?? ?? 48 ?? ?? 41 ?? ?? 85 ?? 8B ?? 0F 85 }
- $block_92 = { 48 ?? ?? ?? ?? ?? ?? 33 ?? E8 ?? ?? ?? ?? 3A ?? 0F 84 }
- $block_93 = { 49 ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_94 = { 49 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_95 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_96 = { 48 ?? ?? E8 ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 85 }
- $block_97 = { 0F B6 ?? ?? 49 ?? ?? 44 ?? ?? ?? ?? 48 ?? ?? 7C }
- $block_98 = { 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 84 }
- $block_99 = { 41 ?? ?? 99 83 ?? ?? 03 ?? 83 ?? ?? 2B ?? 0F 85 }
-
- condition:
- hash.sha256(0, filesize) == "c58d57f5ce9ca7689e6b71d3dcb48b2caf41a9e7105bb68bae113218869dd6a0" or
- hash.sha256(0, filesize) == "8d20dd4433821eaeb1b2bec5911ba3633e656ca56ae50b75d35b2d52ea55b2cb" or
- hash.sha256(0, filesize) == "7a68a6357868f19f698dacd12dea49655f9651fb01e2de4042e8bbc97095c121" or
- 12 of them
-}
-
-rule Agent_BTZ {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 66 ?? ?? ?? D1 ?? 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? 66 ?? ?? 83 ?? ?? 25 ?? ?? ?? ?? 0F B7 ?? 79 }
- $block_1 = { 8B ?? ?? 8B ?? ?? 5? 68 ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_2 = { 83 ?? ?? 5? 5? 5? 5? 8B ?? 68 ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_3 = { 0F B7 ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? 5? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 83 ?? ?? 4? EB }
- $block_4 = { 2B ?? D1 ?? 8D ?? ?? 8B ?? E8 ?? ?? ?? ?? 5? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_5 = { 5? 68 ?? ?? ?? ?? 6A ?? 5? 6A ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F 84 }
- $block_6 = { E8 ?? ?? ?? ?? 33 ?? F7 ?? 8B ?? 03 ?? 9B 8B ?? ?? 64 ?? ?? ?? ?? ?? ?? 5? 5? 5? 8B ?? 5? C2 }
- $block_7 = { 6A ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 81 F? ?? ?? ?? ?? 0F 8D }
- $block_8 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 8B ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF D? 3B ?? 0F 84 }
- $block_9 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 89 ?? ?? 89 ?? ?? 8D ?? ?? 5? 5? FF D? 85 ?? 0F 85 }
- $block_10 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 80 C? ?? 88 ?? ?? ?? ?? ?? ?? 4? 81 F? ?? ?? ?? ?? 72 }
- $block_11 = { 3B ?? 89 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? 0F 84 }
- $block_12 = { 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? 66 ?? ?? 83 ?? ?? 25 ?? ?? ?? ?? 0F B7 ?? 79 }
- $block_13 = { 0F B7 ?? 8B ?? 66 ?? ?? 66 ?? ?? 83 ?? ?? 66 ?? ?? C1 ?? ?? 83 ?? ?? 83 ?? ?? 0F B7 ?? 75 }
- $block_14 = { 6A ?? 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? A1 ?? ?? ?? ?? 8B ?? ?? FF D? 83 ?? ?? 85 ?? 0F 85 }
- $block_15 = { BF ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? C6 ?? ?? ?? 8B ?? ?? 85 ?? 0F 84 }
- $block_16 = { 8D ?? ?? 6A ?? 5? C7 ?? ?? ?? ?? ?? ?? FF D? 5? 8B ?? FF 1? ?? ?? ?? ?? 33 ?? 3B ?? 0F 84 }
- $block_17 = { E8 ?? ?? ?? ?? 8B ?? 8B ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_18 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 5? 8D ?? ?? ?? 5? 5? FF D? 83 ?? ?? 0F 84 }
- $block_19 = { 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_20 = { 8D ?? ?? ?? ?? ?? 5? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? FF D? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 }
- $block_21 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 8B ?? 8B ?? ?? 5? 5? FF 5? ?? 85 ?? 0F 85 }
- $block_22 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_23 = { 6A ?? 8D ?? ?? ?? ?? ?? 5? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 83 ?? ?? 85 ?? 0F 84 }
- $block_24 = { 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? FF D? 85 ?? 0F 85 }
- $block_25 = { BA ?? ?? ?? ?? 66 ?? ?? ?? B8 ?? ?? ?? ?? 66 ?? ?? ?? 33 ?? 66 ?? ?? ?? 39 ?? ?? 0F 85 }
- $block_26 = { E8 ?? ?? ?? ?? 8B ?? 8B ?? 0F AF ?? 4? 33 ?? F7 ?? 4? 01 ?? ?? ?? 81 F? ?? ?? ?? ?? 72 }
- $block_27 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? 0F B7 ?? 33 ?? 5? C1 ?? ?? 5? 0B ?? 5? 5? C3 }
- $block_28 = { 0F B6 ?? ?? 0F B6 ?? ?? 83 ?? ?? 03 ?? 03 ?? C1 ?? ?? 0B ?? 0F BE ?? ?? ?? ?? ?? EB }
- $block_29 = { 8D ?? ?? 8B ?? ?? 8D ?? ?? 8D ?? ?? 8D ?? ?? 8B ?? ?? ?? C1 ?? ?? 03 ?? 3B ?? 0F 8C }
- $block_30 = { 8B ?? ?? 8B ?? E8 ?? ?? ?? ?? 5? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_31 = { 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? 66 ?? ?? 0F B7 ?? 0F B7 ?? C1 ?? ?? 0B ?? 5? C3 }
- $block_32 = { 33 ?? 0F B7 ?? 8B ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? BF ?? ?? ?? ?? F3 ?? 33 ?? EB }
- $block_33 = { 8D ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_34 = { 68 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? 0F 84 }
- $block_35 = { 0F B7 ?? ?? C1 ?? ?? 0F B7 ?? ?? 0B ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? 80 3? ?? 0F 85 }
- $block_36 = { 88 ?? 83 ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_37 = { E8 ?? ?? ?? ?? 8B ?? 8B ?? 0F AF ?? 4? 99 F7 ?? 4? 03 ?? 81 F? ?? ?? ?? ?? 7C }
- $block_38 = { C6 ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? C1 ?? ?? 8D ?? ?? 83 ?? ?? 0F 82 }
- $block_39 = { 8D ?? ?? 5? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? FF D? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 }
- $block_40 = { 8D ?? ?? 5? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 89 ?? ?? 85 ?? 0F 84 }
- $block_41 = { 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_42 = { C6 ?? ?? ?? 33 ?? 89 ?? ?? 89 ?? ?? 88 ?? ?? 8B ?? 8B ?? D3 ?? 83 ?? ?? 0F 84 }
- $block_43 = { 0F BE ?? 33 ?? 81 E? ?? ?? ?? ?? C1 ?? ?? 33 ?? ?? ?? ?? ?? ?? 4? 4? 85 ?? 75 }
- $block_44 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 8D ?? ?? 5? 5? FF D? 85 ?? 0F 85 }
- $block_45 = { 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 83 ?? ?? 85 ?? 0F 84 }
- $block_46 = { 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_47 = { E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 8D }
- $block_48 = { 0F B7 ?? ?? ?? ?? ?? ?? 66 ?? ?? 8D ?? ?? 81 E? ?? ?? ?? ?? 0F B7 ?? 79 }
- $block_49 = { 85 ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? 0F 84 }
- $block_50 = { 81 E? ?? ?? ?? ?? 5? 5? 33 ?? 5? 68 ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 85 }
- $block_51 = { 5? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? 33 ?? 8D ?? ?? ?? 0F AF ?? 85 ?? 76 }
- $block_52 = { 8D ?? ?? 5? 5? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 8B ?? 85 ?? 0F 84 }
- $block_53 = { 5? 8B ?? C1 ?? ?? 89 ?? ?? 0F B6 ?? ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 79 }
- $block_54 = { 66 ?? ?? 66 ?? ?? 0F B7 ?? 0F B7 ?? 0F B7 ?? C1 ?? ?? 0B ?? 5? 5? C3 }
- $block_55 = { 68 ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_56 = { 8D ?? ?? 5? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? FF D? 83 ?? ?? 85 ?? 0F 85 }
- $block_57 = { 8D ?? ?? ?? ?? ?? 5? 6A ?? 8B ?? ?? ?? ?? ?? 5? FF D? 83 ?? ?? 0F 85 }
- $block_58 = { DF ?? ?? ?? DF ?? ?? ?? D8 ?? DC ?? ?? ?? ?? ?? DF ?? F6 ?? ?? 0F 85 }
- $block_59 = { BA ?? ?? ?? ?? D3 ?? 8B ?? ?? C1 ?? ?? 0F B7 ?? ?? 23 ?? 3B ?? 75 }
- $block_60 = { 8D ?? ?? 5? 8B ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_61 = { 5? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 8B ?? 3B ?? 0F 84 }
- $block_62 = { 8B ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_63 = { 88 ?? 83 ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_64 = { 8A ?? ?? 0F BE ?? 34 ?? 03 ?? 88 ?? ?? 0F BE ?? 03 ?? 4? 3B ?? 72 }
- $block_65 = { 8B ?? ?? ?? 83 ?? ?? C1 ?? ?? 8D ?? ?? 89 ?? ?? ?? 3B ?? 0F 86 }
- $block_66 = { 83 ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_67 = { 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_68 = { C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 88 ?? ?? ?? 3B ?? 0F 85 }
- $block_69 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 5? 6A ?? 5? FF D? 83 ?? ?? 0F 85 }
- $block_70 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_71 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 8E }
- $block_72 = { 8B ?? ?? ?? 8D ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_73 = { 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? FF D? 39 ?? ?? ?? ?? ?? 0F 85 }
- $block_74 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_75 = { C1 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 85 ?? 0F 86 }
- $block_76 = { 8D ?? ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_77 = { 8B ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_78 = { 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 84 }
- $block_79 = { 8D ?? ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_80 = { 5? A1 ?? ?? ?? ?? 8B ?? ?? FF D? 39 ?? ?? ?? ?? ?? 0F 85 }
- $block_81 = { 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_82 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_83 = { 4? C1 ?? ?? 8D ?? ?? ?? 0F B7 ?? 33 ?? 66 ?? ?? 0F 83 }
- $block_84 = { 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C9 C3 }
- $block_85 = { 4? 0F B7 ?? 0F B7 ?? 0F B7 ?? ?? ?? BA ?? ?? ?? ?? 8D }
- $block_86 = { 0F B7 ?? 66 ?? ?? ?? 66 ?? ?? 0F B7 ?? 66 ?? ?? 73 }
- $block_87 = { 8B ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 3B ?? ?? ?? 0F 82 }
- $block_88 = { 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? 3D ?? ?? ?? ?? 0F 86 }
- $block_89 = { 0F B6 ?? 83 ?? ?? C1 ?? ?? 4? 0F AF ?? 4? 85 ?? 75 }
- $block_90 = { 83 ?? ?? 5? 8B ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_91 = { 5? 6A ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_92 = { 6A ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_93 = { 4? 99 2B ?? D1 ?? 8D ?? ?? 81 E? ?? ?? ?? ?? 79 }
- $block_94 = { 4? 0F B7 ?? 0F B7 ?? C1 ?? ?? 33 ?? 85 ?? 0F 8E }
- $block_95 = { 8B ?? ?? ?? ?? ?? ?? 0F BF ?? 66 ?? ?? ?? ?? 77 }
- $block_96 = { 8D ?? ?? ?? ?? ?? ?? 6A ?? 5? FF D? 85 ?? 0F 84 }
- $block_97 = { 8B ?? ?? ?? D1 ?? 8D ?? ?? ?? 8B ?? 3B ?? 0F 83 }
- $block_98 = { C6 ?? ?? ?? ?? ?? ?? 80 B? ?? ?? ?? ?? ?? 0F 85 }
- $block_99 = { 8D ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 3B ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "df5cc17e0efb2e4c2a85494a1f60672f3191820ef2caea81bcb031970c3f412e" or
- hash.sha256(0, filesize) == "1cc5a57c19dc68342d1676fe759ab509df3eeff797cdbbf43e3c16c305ab162c" or
- hash.sha256(0, filesize) == "a59222bf08fb3ef323b813c4f884b995c8831210d7f947f6d8778d587ce76045" or
- hash.sha256(0, filesize) == "fe73c1b35c624fb62c24fcd8c251723337eed4bbc8fa8bc12d2df621e8908604" or
- hash.sha256(0, filesize) == "80ed95992ad658a48480a895b1d07bd786bbdabc04e91c060896e3a06647c191" or
- hash.sha256(0, filesize) == "63658c331ac38322935d6dcde8bd892aa99084a0cea91bbef3b7789b02bf8d0e" or
- hash.sha256(0, filesize) == "03479db12f2d1948193ee22cbea216705d5f3dba6416c5d1e2b3aab3f269d4c1" or
- hash.sha256(0, filesize) == "303de69b0bc23556fc5dd63a184e5f59556b72fa1f6e3967584f4f18e2a604ec" or
- hash.sha256(0, filesize) == "05dc66031e4276bc20010743d8cd0ee36e4064cf087b6b4617fefb86a4702873" or
- hash.sha256(0, filesize) == "bae62f7f96c4cc300ec685f42eb451388cf50a13aa624b3f2a019d071fddaeb1" or
- hash.sha256(0, filesize) == "cf5e73c4517c8547732f01a6fd614f9ad1aa628b9fc6a82d3b2f222f7b2a0433" or
- hash.sha256(0, filesize) == "cb993d5b90d9a5bd569177ee60e71e3b4639019f46ddd2a9fb8e890565335f66" or
- hash.sha256(0, filesize) == "9e9fbc3085a126405185e7e028889a39640e3c924d2384b2428454fd475a1860" or
- hash.sha256(0, filesize) == "fd3829e670125d22c74ce0c989808f6bb1da32e4645d6ae3de672678d2060101" or
- hash.sha256(0, filesize) == "c0de0fec34da3e9ca92c47bfadf723ab75c90fe02ceb3455d74155badfcb3380" or
- hash.sha256(0, filesize) == "6798b3278ae926b0145ee342ee9840d0b2e6ba11ff995c2bc84d3c6eb3e55ff4" or
- hash.sha256(0, filesize) == "d49f2aa4db1972b5e6a9ab81a1fb28eb43cf5c2a714a5d6caddd91fcbfc2e332" or
- hash.sha256(0, filesize) == "89db8a69ff030600f26d5c875785d20f15d45331d007733be9a2422261d16cea" or
- hash.sha256(0, filesize) == "3a6c1aa367476ea1a6809814cf534e094035f88ac5fb759398b783f3929a0db2" or
- hash.sha256(0, filesize) == "6ad78f069c3619d0d18eef8281219679f538cfe0c1b6d40b244beb359762cf96" or
- hash.sha256(0, filesize) == "529d08b500a7687bb973c757fbfbc2c2790fbee52f060ca0575b8caf57ab0bf1" or
- hash.sha256(0, filesize) == "d401aec6175aa34c773dee269cb881d00a8868b75a8fd6437d3b86cc2db8180d" or
- hash.sha256(0, filesize) == "15580d72045b0806d99cde386e42bf3f078746c4194b0932efc6fcdb9104898d" or
- hash.sha256(0, filesize) == "49c5c798689d4a54e5b7099b647b0596fb96b996a437bb8241b5dd76e974c24e" or
- hash.sha256(0, filesize) == "636106ef35adeddfb60763b0316d67d11ef6845fcc6879adc23465cb20ed97c5" or
- hash.sha256(0, filesize) == "7c08e72dc458191de61d5245ecfdc9e6b7c1f1f0ad8e4a7c04ab114503f88114" or
- hash.sha256(0, filesize) == "730b196431d4953cd5e3c4468637429a05b350f7d508c3ec0a982bec4c60d5ab" or
- hash.sha256(0, filesize) == "e88970fa4892150441c1616028982fe63c875f149cd490c3c910a1c091d3ad49" or
- hash.sha256(0, filesize) == "69690f609140db503463daf6a3699f1bf3e2a5a6049cefe7e6437f762040e548" or
- hash.sha256(0, filesize) == "211ebdbf5821f69f40bc8d37c1bd7c52e6cae42126d48ffbcb09c046054ae2d1" or
- hash.sha256(0, filesize) == "0e3f899dcb2328fa8b2be2c4fcc3fbe5f62d0f8728f23e306ebec1c4c94c9180" or
- 12 of them
-}
-
-rule Kazuar {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 89 ?? B8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? B8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 89 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? FF D? 83 ?? ?? 3D ?? ?? ?? ?? 0F 85 }
- $block_1 = { 4? C7 ?? ?? ?? ?? ?? ?? ?? 4? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 4? 8D ?? ?? ?? ?? ?? 4? 8D ?? ?? ?? 4? 89 ?? E8 ?? ?? ?? ?? 4? 8D ?? ?? ?? ?? ?? 4? 89 ?? E8 ?? ?? ?? ?? 31 ?? 4? 89 ?? ?? ?? 4? 89 ?? ?? ?? 4? 89 ?? 4? 31 ?? 4? FF D? 3D ?? ?? ?? ?? 89 ?? 0F 85 }
- $block_2 = { 8B ?? ?? 4? 01 ?? 4? 01 ?? 0F B7 ?? ?? 8B ?? ?? 4? 8D ?? ?? 8B ?? ?? 4? 01 ?? EB }
- $block_3 = { C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 5? 5? 0F 94 }
- $block_4 = { E8 ?? ?? ?? ?? 0F BE ?? 4? FF C? 4? 31 ?? 4? 69 ?? ?? ?? ?? ?? EB }
- $block_5 = { E8 ?? ?? ?? ?? 0F B7 ?? 4? FF C? 4? 31 ?? 4? 69 ?? ?? ?? ?? ?? EB }
-
- condition:
- hash.sha256(0, filesize) == "49e0356272b9f8a30ec24a6e271f94e11668d7a48704bb9aed64f61b4b9b343c" or
- hash.sha256(0, filesize) == "743b3347dc86b4a4aa6510648076eeca9eec0ff23c1294b3931263c990bcb5e6" or
- 6 of them
-}
-
-rule OutlookBackdoor {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 0F B6 ?? ?? 8B ?? C6 ?? ?? C1 ?? ?? 8A ?? ?? ?? ?? ?? 4? 88 ?? 4? 83 ?? ?? 8A ?? ?? ?? ?? ?? EB }
- $block_1 = { 8B ?? ?? ?? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 8B ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 39 ?? ?? ?? 0F 84 }
- $block_2 = { B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 83 ?? ?? ?? 5? 5? 0F B7 ?? 5? 66 ?? ?? 0F 84 }
- $block_3 = { 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? 5? 5? 6A ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_4 = { 5? 83 ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 5? 33 ?? 39 ?? ?? ?? ?? ?? 0F 84 }
- $block_5 = { B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 83 ?? ?? 5? F7 ?? 5? 1B ?? 23 ?? ?? 5? 8B ?? 75 }
- $block_6 = { 5? FF 1? ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 5? 8B ?? ?? 5? 64 ?? ?? ?? ?? ?? ?? 5? C9 C2 }
- $block_7 = { 8B ?? 8D ?? ?? ?? 5? 33 ?? 5? C7 ?? ?? ?? ?? ?? ?? ?? 8B ?? 5? FF 5? ?? 39 ?? ?? ?? 0F 84 }
- $block_8 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 8B ?? ?? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 }
- $block_9 = { FF 7? ?? 8B ?? ?? FF 7? ?? 5? E8 ?? ?? ?? ?? 33 ?? BF ?? ?? ?? ?? AB AB AB 83 ?? ?? AB 33 }
- $block_10 = { 68 ?? ?? ?? ?? FF 7? ?? FF D? 83 ?? ?? ?? 89 ?? ?? 8D ?? ?? 5? 6A ?? FF D? 83 ?? ?? 0F 85 }
- $block_11 = { 5? 6A ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? 5? C9 C3 }
- $block_12 = { 6A ?? 6A ?? E8 ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? FF 7? ?? 3B ?? 0F 83 }
- $block_13 = { 8D ?? ?? 5? 88 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 }
- $block_14 = { 0F B6 ?? ?? C1 ?? ?? 0B ?? 8A ?? ?? ?? ?? ?? 88 ?? 4? FF 4? ?? 80 E? ?? C0 ?? ?? EB }
- $block_15 = { 6A ?? 6A ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 }
- $block_16 = { 6A ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 }
- $block_17 = { 5? 33 ?? 33 ?? 38 ?? ?? 5? 0F 94 ?? 5? 6A ?? FF 7? ?? FF 1? ?? ?? ?? ?? 38 ?? ?? 75 }
- $block_18 = { 8B ?? ?? 5? 68 ?? ?? ?? ?? FF 7? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? 5? 83 ?? ?? C9 C2 }
- $block_19 = { B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? 64 ?? ?? ?? ?? ?? ?? 83 ?? ?? C9 C2 }
- $block_20 = { 5? 8B ?? 83 ?? ?? 5? 5? BE ?? ?? ?? ?? 8D ?? ?? A5 A5 A5 A4 33 ?? 5? 89 ?? ?? 5? }
- $block_21 = { 0F B6 ?? ?? 8B ?? C1 ?? ?? 0B ?? 8A ?? ?? ?? ?? ?? 88 ?? 4? FF 4? ?? 3B ?? ?? 73 }
- $block_22 = { 8D ?? ?? ?? ?? ?? ?? 5? FF B? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 33 ?? 85 ?? 0F 85 }
- $block_23 = { 6A ?? 6A ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 }
- $block_24 = { 0F B7 ?? 8B ?? 66 ?? ?? 66 ?? ?? 83 ?? ?? C1 ?? ?? 66 ?? ?? 4? 4? 4? 0F B7 ?? 75 }
- $block_25 = { B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 4? 5? 5? 5? 0F 84 }
- $block_26 = { 8B ?? ?? ?? 8B ?? 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF 9? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_27 = { 6A ?? 6A ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? 64 ?? ?? ?? ?? ?? ?? C9 C3 }
- $block_28 = { 8B ?? ?? ?? 8B ?? 6A ?? FF 1? 8B ?? FF 4? ?? ?? 8B ?? FF 5? ?? 39 ?? ?? ?? 0F 82 }
- $block_29 = { 01 ?? ?? ?? 8B ?? ?? ?? 0F B6 ?? 8B ?? 29 ?? ?? ?? 5? 8B ?? FF 5? ?? 84 ?? 74 }
- $block_30 = { 6A ?? 5? 5? FF 7? ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 2B ?? ?? ?? 0F 84 }
- $block_31 = { 8B ?? ?? ?? 0F B6 ?? ?? 33 ?? 5? 4? 8D ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 8B }
- $block_32 = { 89 ?? ?? ?? 8D ?? ?? 99 6A ?? 5? F7 ?? 8B ?? ?? ?? 8D ?? ?? C1 ?? ?? 3B ?? 7E }
- $block_33 = { 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? 5? C9 C3 }
- $block_34 = { 6A ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? 5? C9 C3 }
- $block_35 = { 6A ?? 5? 2B ?? 8B ?? ?? 2B ?? 01 ?? ?? C6 ?? ?? 83 ?? ?? 4? 39 ?? ?? 0F 8D }
- $block_36 = { B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 5? 33 ?? 83 ?? ?? ?? 89 ?? ?? 0F 85 }
- $block_37 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? 33 ?? 5? 0F B7 ?? C1 ?? ?? 5? 0B ?? 5? C3 }
- $block_38 = { 88 ?? 83 ?? ?? 6A ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 3B ?? 0F 84 }
- $block_39 = { 8D ?? ?? ?? ?? ?? 5? 33 ?? E8 ?? ?? ?? ?? 66 ?? 0F B7 ?? 66 ?? ?? ?? 5? 7E }
- $block_40 = { FF 7? ?? E8 ?? ?? ?? ?? 8B ?? 5? 8D ?? ?? 5? 5? 89 ?? ?? FF D? 85 ?? 0F 85 }
- $block_41 = { 5? 8B ?? 5? 8B ?? C1 ?? ?? 89 ?? ?? 0F B6 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 79 }
- $block_42 = { 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 }
- $block_43 = { 66 ?? ?? ?? 66 ?? ?? 0F B7 ?? 0F B7 ?? ?? 0F B7 ?? C1 ?? ?? 0B ?? C9 C3 }
- $block_44 = { 8B ?? ?? 8A ?? ?? ?? 88 ?? ?? 0F BE ?? 5? E8 ?? ?? ?? ?? 5? 85 ?? 74 }
- $block_45 = { 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 33 ?? 89 ?? ?? 39 ?? ?? 0F 84 }
- $block_46 = { 0F 94 ?? 22 ?? 88 ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? BB ?? ?? ?? ?? EB }
- $block_47 = { 89 ?? ?? ?? 8D ?? ?? 99 6A ?? 5? F7 ?? 8D ?? ?? C1 ?? ?? 3B ?? 7E }
- $block_48 = { 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 }
- $block_49 = { 8B ?? ?? 33 ?? 4? D3 ?? 8B ?? C1 ?? ?? 0F B7 ?? ?? 23 ?? 3B ?? 75 }
- $block_50 = { FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 64 ?? ?? ?? ?? ?? ?? C9 C2 }
- $block_51 = { 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? C9 C3 }
- $block_52 = { A1 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 6A ?? 99 5? F7 ?? 85 ?? 0F 86 }
- $block_53 = { 8B ?? 83 ?? ?? 6A ?? 99 5? 2B ?? F7 ?? 4? 0F AF ?? 03 ?? 5? }
- $block_54 = { 33 ?? 4? D3 ?? 8B ?? ?? C1 ?? ?? 0F B7 ?? ?? 23 ?? 3B ?? 75 }
- $block_55 = { 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF D? 8B ?? 85 ?? 0F 84 }
- $block_56 = { E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? 5? 64 ?? ?? ?? ?? ?? ?? C9 C3 }
- $block_57 = { 8B ?? ?? 8A ?? ?? 99 6A ?? 5? F7 ?? 0F B6 ?? 83 ?? ?? 74 }
- $block_58 = { 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? FF 7? ?? 3B ?? 0F 83 }
- $block_59 = { 5? 8B ?? 83 ?? ?? 0F B7 ?? 5? 33 ?? 5? 8B ?? 66 ?? ?? 74 }
- $block_60 = { 8B ?? ?? 83 ?? ?? 6A ?? C1 ?? ?? 5? 89 ?? ?? 3B ?? 0F 86 }
- $block_61 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 85 }
- $block_62 = { 8B ?? ?? ?? 8B ?? 8D ?? ?? ?? 5? 5? FF 5? ?? 3B ?? 0F 85 }
- $block_63 = { 8B ?? ?? ?? 8B ?? 8D ?? ?? ?? 5? 5? FF 5? ?? 85 ?? 0F 84 }
- $block_64 = { 8B ?? ?? ?? 8B ?? 8D ?? ?? ?? 5? 5? FF 5? ?? 85 ?? 0F 85 }
- $block_65 = { FF 4? ?? ?? FF 4? ?? ?? FF 4? ?? ?? 39 ?? ?? ?? 0F 8F }
- $block_66 = { 8B ?? ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? 5? 83 ?? ?? C9 C3 }
- $block_67 = { 8B ?? ?? ?? 03 ?? 89 ?? ?? ?? 89 ?? ?? ?? 3B ?? 0F 83 }
- $block_68 = { 80 7? ?? ?? 0F 94 ?? 83 ?? ?? ?? 22 ?? 8A ?? 3C ?? 75 }
- $block_69 = { 8B ?? ?? 5? 33 ?? 5? 4? 64 ?? ?? ?? ?? ?? ?? 5? C9 C2 }
- $block_70 = { 8B ?? ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? 5? 83 ?? ?? C9 C2 }
- $block_71 = { 4? C1 ?? ?? 8D ?? ?? ?? 0F B7 ?? 33 ?? 66 ?? ?? 0F 83 }
- $block_72 = { 8B ?? ?? 6A ?? 5? 8D ?? ?? ?? ?? ?? F3 ?? 5? 5? C9 C3 }
- $block_73 = { 8D ?? ?? 5? E8 ?? ?? ?? ?? 5? 89 ?? ?? ?? 3B ?? 0F 84 }
- $block_74 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? 8B ?? 5? 83 ?? ?? 0F 84 }
- $block_75 = { 8B ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? C9 C3 }
- $block_76 = { 8B ?? ?? 5? 8B ?? 5? 64 ?? ?? ?? ?? ?? ?? 5? C9 C2 }
- $block_77 = { 8B ?? ?? 8B ?? 5? 5? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 }
- $block_78 = { 8B ?? ?? 5? 5? 33 ?? 64 ?? ?? ?? ?? ?? ?? 5? C9 C2 }
- $block_79 = { 8B ?? ?? 5? 5? 8B ?? 64 ?? ?? ?? ?? ?? ?? 5? C9 C2 }
- $block_80 = { 8B ?? ?? 5? 8B ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? C9 C3 }
- $block_81 = { 5? 5? 0F B6 ?? ?? ?? 8D ?? ?? 25 ?? ?? ?? ?? 5? 79 }
- $block_82 = { 8B ?? ?? 5? 5? 8B ?? 5? 64 ?? ?? ?? ?? ?? ?? C9 C3 }
- $block_83 = { 8B ?? ?? 8B ?? ?? 5? 64 ?? ?? ?? ?? ?? ?? 5? C9 C3 }
- $block_84 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 }
- $block_85 = { 8B ?? ?? 8B ?? 8B ?? 89 ?? ?? FF 5? ?? 85 ?? 0F 86 }
- $block_86 = { 83 ?? ?? ?? 80 3? ?? 0F 94 ?? ?? 80 7? ?? ?? 74 }
- $block_87 = { 8B ?? ?? 5? 8B ?? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 }
- $block_88 = { 8B ?? ?? 8B ?? ?? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 }
- $block_89 = { 0F B6 ?? ?? 8B ?? 5? 8B ?? FF 5? ?? 84 ?? 0F 84 }
- $block_90 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 5? 5? 89 ?? 5? C9 C3 }
- $block_91 = { 4? 99 2B ?? D1 ?? 8D ?? ?? 81 E? ?? ?? ?? ?? 79 }
- $block_92 = { 8B ?? E8 ?? ?? ?? ?? 81 7? ?? ?? ?? ?? ?? 0F 86 }
- $block_93 = { 8B ?? ?? ?? 8B ?? 5? FF 5? ?? 39 ?? ?? ?? 0F 84 }
- $block_94 = { 8B ?? ?? 5? 64 ?? ?? ?? ?? ?? ?? 83 ?? ?? C9 C3 }
-
- condition:
- hash.sha256(0, filesize) == "863f298f367a82853a58f9dad4c477956f48fdd9328a93e1aeee1df22da80493" or
- hash.sha256(0, filesize) == "f1998b3c322e35006b6a6ba1c23807a3f9bc8058ee50efea059278a06fa4a4eb" or
- 25 of them
-}
-
-rule Gazer {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 68 ?? ?? ?? ?? FF 7? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 68 ?? ?? ?? ?? 5? FF D? 85 ?? 0F 85 }
- $block_1 = { 8D ?? ?? 5? 8D ?? ?? 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_2 = { FF 3? ?? ?? ?? ?? 21 ?? ?? ?? 21 ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 0F 86 }
- $block_3 = { 5? 8D ?? ?? 5? 5? 68 ?? ?? ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_4 = { FF 3? ?? ?? ?? ?? FF 4? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 39 ?? ?? ?? ?? ?? 0F 86 }
- $block_5 = { 8B ?? ?? 5? 5? 83 ?? ?? 5? 5? 6A ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_6 = { 8B ?? ?? 8B ?? 6A ?? 5? 5? FF 5? ?? 8B ?? 8B ?? ?? 8B ?? 5? FF 5? ?? FF 5? ?? 3B ?? 0F 8C }
- $block_7 = { FF 7? ?? FF D? 01 ?? ?? FF 4? ?? 0F BF ?? ?? 6B ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 89 ?? ?? 5? }
- $block_8 = { 6A ?? 5? 66 ?? ?? ?? 8D ?? ?? ?? 5? 5? 6A ?? C7 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_9 = { 5? 8D ?? ?? 5? 8D ?? ?? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_10 = { 8D ?? ?? 5? 8D ?? ?? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_11 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_12 = { 8D ?? ?? 5? FF 7? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_13 = { 8B ?? ?? ?? FF 4? ?? ?? 8B ?? ?? ?? ?? ?? 4? 33 ?? F7 ?? 89 ?? ?? ?? 39 ?? ?? ?? 0F 82 }
- $block_14 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 3B ?? 0F 84 }
- $block_15 = { 8D ?? ?? 5? 68 ?? ?? ?? ?? 5? FF 1? 8B ?? 8B ?? ?? 8B ?? 5? FF 5? ?? 3B ?? 0F 8C }
- $block_16 = { E8 ?? ?? ?? ?? FF 7? ?? ?? 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 3B ?? 0F 84 }
- $block_17 = { 6A ?? 5? 01 ?? ?? 01 ?? ?? 01 ?? ?? 01 ?? ?? 0F B7 ?? ?? FF 4? ?? 39 ?? ?? 72 }
- $block_18 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? 5? 6A ?? FF 7? ?? FF D? 89 ?? ?? 3B ?? 0F 84 }
- $block_19 = { 6A ?? 8D ?? ?? 5? 68 ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_20 = { 5? 6A ?? E8 ?? ?? ?? ?? 5? 5? 0F BE ?? 83 ?? ?? 0F AF ?? 03 ?? 4? 4? 3B ?? 72 }
- $block_21 = { 0F B7 ?? ?? 0F B7 ?? ?? 2B ?? 5? FF 1? ?? ?? ?? ?? 33 ?? F7 ?? ?? 5? 85 ?? 74 }
- $block_22 = { 8D ?? ?? 5? 89 ?? ?? 8B ?? ?? 6A ?? FF 3? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_23 = { 8D ?? ?? ?? 5? FF 7? ?? ?? 5? 6A ?? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_24 = { 5? FF 7? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_25 = { 6A ?? 5? 01 ?? ?? 01 ?? ?? 01 ?? ?? 03 ?? 0F B7 ?? ?? FF 4? ?? 39 ?? ?? 72 }
- $block_26 = { 8B ?? ?? FF 4? ?? 8B ?? ?? ?? ?? ?? 4? 33 ?? F7 ?? 89 ?? ?? 39 ?? ?? 0F 82 }
- $block_27 = { 8D ?? ?? ?? 5? 6A ?? 6A ?? 6A ?? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_28 = { 5? 5? 5? 5? 6A ?? FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_29 = { FF 7? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? 0F AF ?? FF 4? ?? 39 ?? ?? 7C }
- $block_30 = { 8D ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_31 = { 8D ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_32 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 3B ?? 0F 84 }
- $block_33 = { FF 3? ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 3B ?? 0F 84 }
- $block_34 = { 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 8D ?? ?? A5 A5 A5 5? 38 ?? ?? 0F 84 }
- $block_35 = { FF 7? ?? 8B ?? ?? ?? ?? ?? 6A ?? FF 3? FF D? 8B ?? ?? 0F B7 ?? 4? 74 }
- $block_36 = { A1 ?? ?? ?? ?? FF 7? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 3B ?? 0F 84 }
- $block_37 = { 8D ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF D? 85 ?? 0F 85 }
- $block_38 = { 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 5? 66 ?? ?? ?? 5? 4? FF D? 3B ?? 7E }
- $block_39 = { FF 4? ?? ?? 6A ?? 6A ?? FF 3? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_40 = { 68 ?? ?? ?? ?? FF 3? ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 }
- $block_41 = { 8D ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 5? 5? FF 7? ?? ?? 85 ?? 0F 84 }
- $block_42 = { 5? 5? 8D ?? ?? 5? BF ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_43 = { FF 3? ?? ?? ?? ?? 5? 5? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_44 = { 8B ?? ?? A1 ?? ?? ?? ?? C1 ?? ?? 03 ?? 89 ?? ?? 39 ?? ?? 0F 84 }
- $block_45 = { 6A ?? 6A ?? FF 3? FF 1? ?? ?? ?? ?? A3 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_46 = { 5? 8B ?? ?? ?? ?? ?? 6A ?? FF 3? FF D? 8B ?? ?? 0F B7 ?? 4? 74 }
- $block_47 = { 0F B7 ?? ?? 83 ?? ?? ?? 33 ?? 8D ?? ?? ?? 66 ?? ?? ?? 0F 83 }
- $block_48 = { 5? 8D ?? ?? 5? 6A ?? 8D ?? ?? 5? FF 7? ?? FF D? 85 ?? 0F 84 }
- $block_49 = { 8D ?? ?? 5? BF ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_50 = { 5? FF 1? ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? ?? 33 ?? 4? 85 ?? 7E }
- $block_51 = { 5? 8B ?? ?? ?? ?? ?? 5? FF 3? FF D? 8B ?? ?? 0F B7 ?? 4? 74 }
- $block_52 = { 83 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0F 86 }
- $block_53 = { 8B ?? ?? 8D ?? ?? 5? 5? FF 7? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_54 = { 8D ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 5? 5? FF 7? ?? 85 ?? 0F 84 }
- $block_55 = { FF 3? ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_56 = { FF 7? ?? ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_57 = { 8B ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 0F B7 ?? ?? 2B ?? 2B }
- $block_58 = { 8B ?? 5? 5? 5? FF D? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_59 = { FF 7? ?? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? ?? 3B ?? 0F 84 }
- $block_60 = { FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 }
- $block_61 = { 68 ?? ?? ?? ?? FF D? E8 ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_62 = { 8B ?? 6A ?? 5? 33 ?? D1 ?? 89 ?? ?? F6 ?? ?? 0F 84 }
- $block_63 = { 5? 6A ?? FF 3? FF D? 8B ?? ?? ?? 0F B7 ?? 4? 0F 84 }
- $block_64 = { 6A ?? 6A ?? FF 7? ?? FF D? 89 ?? ?? 3B ?? 0F 84 }
- $block_65 = { FF 7? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 3B ?? 0F 84 }
- $block_66 = { 8D ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 8A ?? 5? C9 C3 }
- $block_67 = { 5? 8B ?? 83 ?? ?? 5? 5? 33 ?? 5? 39 ?? ?? 0F 84 }
- $block_68 = { 5? 8B ?? ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? 5? C9 C3 }
- $block_69 = { FF 7? ?? 5? FF 7? ?? FF D? 5? 5? 33 ?? 5? C9 C2 }
-
- condition:
- hash.sha256(0, filesize) == "2007aa72dfe0c6c93beb44f737b85b6cd487175e7abc6b717dae9344bed46c6c" or
- hash.sha256(0, filesize) == "364593bebe015945002f6affec90154a69cb051d59ac7557f076930375fb054f" or
- hash.sha256(0, filesize) == "29e80fbdd60e723f69d111d72d3436b84d835add2fff26f52d426b5a8f4e17d1" or
- hash.sha256(0, filesize) == "02e28a176dd2ad9507e8d76b739af6fa2f1f7c373e70adbd70a44e8b137e58f8" or
- hash.sha256(0, filesize) == "4a941b881e917cd41477e2d4549fc8e217cd883773f2c703186e5525dc4d6c07" or
- 12 of them
-}
-
-rule PenquinTurla {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 89 ?? ?? BE ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 }
- $block_1 = { 89 ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_2 = { 83 ?? ?? ?? 89 ?? 89 ?? C1 ?? ?? 8B ?? ?? C1 ?? ?? 30 ?? 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? 39 ?? 74 }
- $block_3 = { 5? 31 ?? B9 ?? ?? ?? ?? 5? 5? 83 ?? ?? 8D ?? ?? ?? FC 8B ?? ?? ?? F3 ?? A1 ?? ?? ?? ?? 85 ?? 75 }
- $block_4 = { C7 ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 31 ?? 85 ?? 0F 84 }
- $block_5 = { 0F B7 ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 83 ?? ?? 3D ?? ?? ?? ?? 66 ?? ?? ?? ?? 7E }
- $block_6 = { 89 ?? 89 ?? 8B ?? D3 ?? 83 ?? ?? 0F B6 ?? ?? ?? 89 ?? D3 ?? 09 ?? 89 ?? 83 ?? ?? FF 4? ?? ?? 75 }
- $block_7 = { 5? 89 ?? 5? 31 ?? 5? 31 ?? 5? 83 ?? ?? 89 ?? 89 ?? ?? 4? 8D ?? ?? C6 ?? ?? ?? 0F BE ?? 85 ?? 74 }
- $block_8 = { 01 ?? 8D ?? ?? 01 ?? 89 ?? ?? 8D ?? ?? 89 ?? ?? 89 ?? ?? ?? FF 5? ?? BA ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_9 = { 89 ?? ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? 83 ?? ?? 31 ?? 29 ?? 8B ?? 8D ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_10 = { 89 ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 88 }
- $block_11 = { FF 4? ?? 89 ?? 89 ?? C1 ?? ?? 8B ?? ?? C1 ?? ?? 30 ?? 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? 39 ?? 0F 84 }
- $block_12 = { E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? E9 }
- $block_13 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 86 }
- $block_14 = { F6 ?? ?? ?? ?? ?? ?? 89 ?? 8B ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? 89 ?? ?? 89 ?? ?? 0F 85 }
- $block_15 = { 0F B7 ?? ?? C1 ?? ?? 25 ?? ?? ?? ?? 0F 95 ?? ?? ?? ?? ?? 89 ?? 80 8? ?? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_16 = { 8B ?? ?? 88 ?? 80 E? ?? 0F B6 ?? ?? ?? ?? ?? 24 ?? 08 ?? 88 ?? ?? ?? ?? ?? 0F B6 ?? 88 ?? ?? E9 }
- $block_17 = { 0F B6 ?? ?? ?? 89 ?? 4? 30 ?? ?? ?? ?? ?? 31 ?? 81 F? ?? ?? ?? ?? 0F 9D ?? 4? 4? 21 ?? 39 ?? 7C }
- $block_18 = { 8B ?? ?? FF 4? ?? 8B ?? ?? 89 ?? ?? 0F B6 ?? 88 ?? ?? ?? 8B ?? ?? 4? 8B ?? ?? 89 ?? ?? 39 ?? 72 }
- $block_19 = { 0F B6 ?? 31 ?? 31 ?? 89 ?? ?? ?? 31 ?? 4? 89 ?? ?? ?? 31 ?? BD ?? ?? ?? ?? 89 ?? ?? ?? 88 ?? E9 }
- $block_20 = { FF 8? ?? ?? ?? ?? 31 ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 95 ?? 85 ?? 8D ?? ?? ?? 0F 84 }
- $block_21 = { C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 41 ?? ?? ?? 75 }
- $block_22 = { 48 ?? ?? ?? ?? ?? ?? BE ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_23 = { 41 ?? 5? 5? 48 ?? ?? BE ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_24 = { 64 ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_25 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_26 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_27 = { 48 ?? ?? E8 ?? ?? ?? ?? 29 ?? 8D ?? ?? 83 ?? ?? 41 ?? ?? 44 ?? ?? ?? 41 ?? ?? ?? 4D ?? ?? 0F 84 }
- $block_28 = { 48 ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 48 ?? ?? F3 ?? B9 ?? ?? ?? ?? 0F 97 ?? 0F 92 ?? 38 ?? 0F 84 }
- $block_29 = { 48 ?? 49 ?? ?? FF C? 48 ?? ?? ?? ?? ?? ?? 89 ?? 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? 0F 85 }
- $block_30 = { BA ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 89 ?? ?? ?? ?? ?? 0F 88 }
- $block_31 = { 48 ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 0F 05 C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 89 }
- $block_32 = { 4C ?? ?? 48 ?? ?? 41 ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 0F 05 48 ?? ?? ?? ?? ?? 76 }
- $block_33 = { 0F BE ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? 40 ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 74 }
- $block_34 = { C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? 39 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 0F 84 }
- $block_35 = { 89 ?? ?? ?? 8B ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 }
- $block_36 = { 89 ?? ?? 31 ?? 31 ?? 89 ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? FF 5? ?? 85 ?? 0F 84 }
- $block_37 = { 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_38 = { C7 ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_39 = { C7 ?? ?? ?? ?? ?? ?? 31 ?? 89 ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 89 }
- $block_40 = { 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? 85 ?? 0F 84 }
- $block_41 = { 89 ?? ?? B9 ?? ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? 29 ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 88 }
- $block_42 = { 89 ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_43 = { C7 ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_44 = { 89 ?? ?? ?? 8B ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 }
- $block_45 = { 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_46 = { 8D ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 31 ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 39 ?? ?? ?? 0F 8D }
- $block_47 = { 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_48 = { 8D ?? ?? 89 ?? 89 ?? ?? 0F B7 ?? ?? 66 ?? ?? ?? 0F B7 ?? 8D ?? ?? ?? ?? ?? 66 ?? ?? ?? 0F 86 }
- $block_49 = { 8B ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 85 ?? 0F 88 }
- $block_50 = { 89 ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_51 = { FF 4? ?? 4? 0F BE ?? 0F B6 ?? 83 ?? ?? 89 ?? ?? 0F BE ?? 8D ?? ?? 88 ?? 88 ?? 2C ?? 3C ?? 77 }
- $block_52 = { 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_53 = { 89 ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? 8B ?? ?? ?? ?? ?? 39 ?? ?? 89 ?? ?? 0F 85 }
- $block_54 = { 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? 85 ?? 89 ?? 89 ?? ?? 0F 88 }
- $block_55 = { 8B ?? ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 85 ?? 89 ?? ?? ?? ?? ?? 0F 84 }
- $block_56 = { 8B ?? ?? ?? ?? ?? ?? 89 ?? 29 ?? 8B ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 85 ?? 0F 84 }
- $block_57 = { 89 ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_58 = { 48 ?? ?? E8 ?? ?? ?? ?? 89 ?? 48 ?? ?? ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_59 = { 41 ?? 49 ?? ?? 5? 48 ?? ?? ?? 5? 8B ?? ?? 48 ?? ?? C6 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 0F 87 }
- $block_60 = { 44 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 85 }
- $block_61 = { 41 ?? 4C ?? ?? ?? 5? 48 ?? ?? 5? 8B ?? ?? 48 ?? ?? C6 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 0F 87 }
- $block_62 = { 48 ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? F0 ?? ?? ?? 89 ?? 8B ?? ?? ?? ?? ?? 48 ?? ?? 0F 83 }
- $block_63 = { 44 ?? ?? BA ?? ?? ?? ?? FC 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? F3 ?? ?? 40 ?? ?? ?? 74 }
- $block_64 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 44 ?? ?? E8 ?? ?? ?? ?? 89 ?? 8B ?? ?? ?? 85 ?? 0F 84 }
- $block_65 = { 48 ?? ?? ?? ?? ?? 0F 94 ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? 41 ?? ?? ?? 44 ?? ?? 0F 84 }
- $block_66 = { 49 ?? ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 41 ?? ?? 41 ?? ?? 0F 84 }
- $block_67 = { C6 ?? ?? BF ?? ?? ?? ?? 89 ?? ?? 89 ?? E8 ?? ?? ?? ?? C6 ?? ?? B9 ?? ?? ?? ?? FC F3 ?? 74 }
- $block_68 = { FC 89 ?? C1 ?? ?? 89 ?? F3 ?? 8B ?? ?? ?? ?? ?? 80 8? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E9 }
- $block_69 = { 5? 89 ?? 5? 89 ?? 5? 5? 83 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 84 }
- $block_70 = { C7 ?? ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_71 = { 8B ?? 83 ?? ?? 89 ?? 8B ?? ?? ?? 8B ?? 83 ?? ?? 89 ?? ?? ?? 89 ?? 8B ?? ?? ?? 85 ?? 0F 84 }
- $block_72 = { 5? 31 ?? 5? 5? 5? 81 E? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? 85 ?? 0F 8E }
- $block_73 = { 8B ?? ?? 8B ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 95 ?? 0F B6 ?? 4? 21 ?? ?? 9? }
- $block_74 = { 8D ?? ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 }
- $block_75 = { C7 ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_76 = { 89 ?? ?? ?? 31 ?? 8D ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_77 = { B8 ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 0F 84 }
- $block_78 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 85 ?? 0F 84 }
- $block_79 = { 4C ?? ?? ?? ?? 4D ?? ?? 4C ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? FF D? 83 ?? ?? 0F 84 }
- $block_80 = { 4C ?? ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? 4A ?? ?? ?? 48 ?? ?? 48 ?? ?? 49 ?? ?? 0F 89 }
- $block_81 = { 44 ?? ?? 44 ?? ?? 41 ?? ?? B9 ?? ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 84 }
- $block_82 = { 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 01 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 80 3? ?? 0F 84 }
- $block_83 = { 48 ?? ?? ?? 49 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 49 ?? ?? ?? 48 ?? ?? ?? ?? 0F 85 }
- $block_84 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_85 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? ?? ?? 49 ?? ?? ?? 0F 88 }
- $block_86 = { 89 ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 84 }
- $block_87 = { 4D ?? ?? ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 41 ?? ?? ?? 0F 8F }
- $block_88 = { 4C ?? ?? 4C ?? ?? 48 ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F 87 }
- $block_89 = { 48 ?? ?? ?? ?? 49 ?? ?? 89 ?? 4C ?? ?? 44 ?? ?? E8 ?? ?? ?? ?? 0F BE ?? 83 ?? ?? 0F 84 }
- $block_90 = { 8B ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 01 ?? 48 ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 87 }
- $block_91 = { 8B ?? ?? 48 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? ?? ?? 0F 84 }
- $block_92 = { BA ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? 41 ?? ?? ?? 0F 84 }
- $block_93 = { BA ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? 41 ?? ?? ?? 0F 85 }
- $block_94 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 89 ?? 4C ?? ?? ?? ?? 48 ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_95 = { FF 4? ?? 48 ?? ?? ?? 48 ?? ?? ?? 4D ?? ?? 48 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? FF C? 0F 84 }
- $block_96 = { 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 8B ?? ?? 48 ?? ?? ?? 5? 41 ?? 41 ?? 41 ?? 41 ?? C9 C3 }
- $block_97 = { 49 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 4C ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 8E }
- $block_98 = { 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 89 ?? ?? ?? 0F 84 }
- $block_99 = { 48 ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 41 ?? ?? 0F 85 }
-
- condition:
- hash.sha256(0, filesize) == "d49690ccb82ff9d42d3ee9d7da693fd7d302734562de088e9298413d56b86ed0" or
- hash.sha256(0, filesize) == "8856a68d95e4e79301779770a83e3fad8f122b849a9e9e31cfe06bf3418fa667" or
- hash.sha256(0, filesize) == "1eee1d0f736f3b796ab8da66bb16a68c7600e9a0c0cc8de0b640bc53beb9a90a" or
- hash.sha256(0, filesize) == "8ccc081d4940c5d8aa6b782c16ed82528c0885bbb08210a8d0a8c519c54215bc" or
- hash.sha256(0, filesize) == "3e138e4e34c6eed3506efc7c805fce19af13bd62aeb35544f81f111e83b5d0d4" or
- hash.sha256(0, filesize) == "5a204263cac112318cd162f1c372437abf7f2092902b05e943e8784869629dd8" or
- 12 of them
-}
-
-rule Wipbot {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 4? 0F B7 ?? 4? 8B ?? 4? 89 ?? 4? 01 ?? C1 ?? ?? 4? 81 E? ?? ?? ?? ?? 4? 01 ?? 66 ?? ?? ?? 75 }
- $block_1 = { D9 ?? FB 5? 1A ?? ?? 3C ?? CC 04 ?? 18 ?? A4 02 ?? ?? BE ?? ?? ?? ?? 15 ?? ?? ?? ?? 5? EB }
- $block_2 = { BA ?? ?? ?? ?? B9 ?? ?? ?? ?? 4? C7 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 4? 85 ?? 0F 84 }
- $block_3 = { BA ?? ?? ?? ?? B8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_4 = { 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_5 = { FF C? 89 ?? 0F BE ?? ?? E8 ?? ?? ?? ?? 0F BE ?? 31 ?? 69 ?? ?? ?? ?? ?? 85 ?? 75 }
- $block_6 = { FF C? 69 ?? ?? ?? ?? ?? 89 ?? 0F BE ?? ?? E8 ?? ?? ?? ?? 0F BE ?? 31 ?? 85 ?? 75 }
- $block_7 = { BA ?? ?? ?? ?? B8 ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_8 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 83 ?? ?? ?? 0F 94 ?? ?? 85 ?? 0F 94 ?? 0A ?? ?? 74 }
- $block_9 = { 5? 5? 5? 4? 81 E? ?? ?? ?? ?? 8B ?? ?? 31 ?? 4? 01 ?? 66 ?? ?? ?? ?? 0F 84 }
- $block_10 = { BA ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_11 = { 5? 89 ?? 5? 5? 5? 81 E? ?? ?? ?? ?? 8B ?? ?? 01 ?? 66 ?? ?? ?? ?? 0F 84 }
- $block_12 = { C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? FF D? 83 ?? ?? 85 ?? 0F 84 }
- $block_13 = { BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4? 85 ?? 4? 89 ?? 0F 84 }
- $block_14 = { 5? 89 ?? 5? 5? 31 ?? 5? 89 ?? 83 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_15 = { 03 ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_16 = { BA ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 }
- $block_17 = { 4? 8D ?? ?? 4? 0F B7 ?? ?? 4? 8D ?? ?? 4? 8B ?? ?? 4? 01 ?? EB }
- $block_18 = { 5? 5? 5? 4? 83 ?? ?? 31 ?? 4? 89 ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_19 = { A6 BE ?? ?? ?? ?? 4? B9 ?? ?? ?? ?? 18 ?? A6 85 ?? ?? 18 ?? 7E }
- $block_20 = { 89 ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_21 = { 4? 8D ?? ?? ?? ?? ?? ?? 4? 89 ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_22 = { BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4? 85 ?? 0F 84 }
- $block_23 = { 4? 85 ?? 89 ?? 0F 94 ?? 85 ?? 0F 94 ?? 4? 01 ?? 08 ?? 74 }
- $block_24 = { BA ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_25 = { E8 ?? ?? ?? ?? 81 7? ?? ?? ?? ?? ?? 0F 94 ?? 0F B6 ?? EB }
- $block_26 = { 83 ?? ?? 0F 9F ?? 0F B6 ?? 4? 81 C? ?? ?? ?? ?? 5? 5? C3 }
- $block_27 = { 4? 85 ?? 4? 0F 94 ?? 4? 85 ?? 0F 94 ?? 4? 08 ?? 74 }
- $block_28 = { 8D ?? ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_29 = { 85 ?? 0F 94 ?? 85 ?? 0F 94 ?? 08 ?? 8D ?? ?? 74 }
- $block_30 = { 5? 5? 5? 5? 4? 83 ?? ?? 4? 85 ?? 4? 89 ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "895a97bb6340a0ede31b2376fecb605c7d91a3fcc588a31bc4ff3c39d1cd12c9" or
- hash.sha256(0, filesize) == "d76ce236f12c7f964dd72727e27f9444f62fcf72ce9de356a3bbbf32c23189e2" or
- hash.sha256(0, filesize) == "8ce2bdb1680ac8eafcb2adce7acb89ea741ac9cd6e6c1b3a551b521e2ab9a1c5" or
- hash.sha256(0, filesize) == "e74faa35ed394f666e02de1b7f26665eb9a70dd3c355ef9d9e2d26a4d8a96f7e" or
- hash.sha256(0, filesize) == "0b97c87126578113050d8e014e8fefeb33146eebc40e75c070882ec31ae26aab" or
- hash.sha256(0, filesize) == "d2505d073b948b309c65b2f613afba06584d22b4b07181c58e0f4a4893d3f9b1" or
- hash.sha256(0, filesize) == "1a6beed80ce6d2dee4445a5e0eb5a3f13675f461f9d975b6c6ef6cba5e916949" or
- hash.sha256(0, filesize) == "44748d0ea4c2927a58b3e4c8090fb5b7bdfe41a4f00f8e5de2952a76312c3aa2" or
- hash.sha256(0, filesize) == "57ec50ea2c1735d535dbf62df964190e21fbc21aca3c4cf34bd455f9ab3dd76d" or
- hash.sha256(0, filesize) == "7fbe1f25b25da7d1dd187bcaeb1d1b13a48ffef136bba9af3d3c6cd2e6bf3e90" or
- hash.sha256(0, filesize) == "fae51b0649a3c99e7c3054e584acca4359aae140d621f4a02e4f4e1fe441ea12" or
- hash.sha256(0, filesize) == "c558b2ee059ef8140788cbaefd648aad7879c34dc3b61d966229dba5afd36122" or
- hash.sha256(0, filesize) == "ecaa89e4a358c33ac20e9a397a67cecba620d30d77dd7ec27ef92316d9264f3d" or
- hash.sha256(0, filesize) == "966610c19fb620f90de6d7f35f469662824bad66c3091e0df1de1fd903df04c9" or
- hash.sha256(0, filesize) == "d48aa85bc434a30463e3b258899efb0d94b30a1609a18ba094153806cdacbf30" or
- hash.sha256(0, filesize) == "fcd50490bf5498f9204519077f312930a1d689c8a07a1b30a90e0f2969416a1f" or
- hash.sha256(0, filesize) == "0c02e49d3924b04c6bc42515cc926e59bf319f42f55afcc0b0da14d228bcbd7a" or
- hash.sha256(0, filesize) == "a5afb65975b5dddeda124b0151a14df5706c42ca50cbc68b34ca4c8b25f1e54e" or
- hash.sha256(0, filesize) == "4eba5182826becfc842315a0ce85f9e03aada8cc73d1e54ed0b55754ab89d9e0" or
- 12 of them
-}
-
-rule PNGDropper {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8B ?? ?? 6A ?? 6A ?? 03 ?? 8D ?? ?? 5? 03 ?? 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_1 = { 49 ?? ?? 44 ?? ?? BA ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 48 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_2 = { FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 01 ?? ?? 0F B7 ?? ?? 83 ?? ?? 83 ?? ?? FF 4? ?? 39 ?? ?? 72 }
- $block_3 = { 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 88 }
- $block_4 = { 8B ?? ?? 03 ?? 6A ?? 6A ?? 89 ?? ?? 8D ?? ?? 5? 03 ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_5 = { 8B ?? ?? 2B ?? ?? 2B ?? 99 2B ?? 8B ?? 8B ?? ?? 2B ?? 2B ?? 99 2B ?? D1 ?? 03 ?? ?? D1 ?? 03 }
- $block_6 = { 5? 8B ?? 83 ?? ?? 5? 68 ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 33 ?? 5? 5? 89 ?? ?? 3B ?? 0F 84 }
- $block_7 = { 5? 6A ?? 8D ?? ?? 5? 5? FF B? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_8 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 2B ?? 3B ?? 73 }
- $block_9 = { 8D ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 95 ?? 80 B? ?? ?? ?? ?? ?? 75 }
- $block_10 = { 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 6A ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_11 = { C6 ?? ?? ?? 6A ?? 6A ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 4? 81 C? ?? ?? ?? ?? 3B ?? 0F 82 }
- $block_12 = { 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 6A ?? 5? 8D ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 2B ?? 0F 84 }
- $block_13 = { FF B? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_14 = { 0F B7 ?? ?? 68 ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_15 = { 8D ?? ?? ?? ?? ?? 5? FF B? ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_16 = { 6A ?? E8 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_17 = { 5? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 5? 5? 89 ?? ?? FF 1? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_18 = { 8B ?? ?? A5 A5 A5 8D ?? ?? 5? A5 E8 ?? ?? ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 75 }
- $block_19 = { 5? E8 ?? ?? ?? ?? 8B ?? ?? 33 ?? 5? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_20 = { 5? 33 ?? 33 ?? 0F A2 5? 8D ?? ?? 89 ?? 89 ?? ?? 6A ?? 89 ?? ?? 5? 89 ?? ?? 39 ?? ?? 7D }
- $block_21 = { 89 ?? ?? 89 ?? ?? 6A ?? 8D ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_22 = { 8B ?? ?? DD ?? 8B ?? ?? DD ?? DD ?? DD ?? DD ?? 8B ?? ?? 89 ?? 8B ?? ?? 89 ?? ?? C9 C3 }
- $block_23 = { 4C ?? ?? 48 ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? 48 ?? ?? ?? 0F 44 ?? 8B }
- $block_24 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? A1 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_25 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 8B ?? ?? 33 ?? 3B ?? 0F 84 }
- $block_26 = { 8B ?? ?? A5 A5 A5 A5 83 ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? C2 }
- $block_27 = { 6A ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 6A ?? 8B ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_28 = { FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 01 ?? ?? 0F B7 ?? ?? 83 ?? ?? 83 ?? ?? 4? 3B ?? 72 }
- $block_29 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 2B ?? 3B ?? 73 }
- $block_30 = { 8B ?? ?? 8B ?? ?? 6A ?? 6A ?? 8D ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_31 = { 5? E8 ?? ?? ?? ?? 89 ?? ?? 8D ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_32 = { 6A ?? 6A ?? 8D ?? ?? 5? FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? 33 ?? 3B ?? 0F 85 }
- $block_33 = { 8B ?? ?? 8B ?? ?? 5? 6A ?? 8D ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_34 = { 8B ?? ?? 03 ?? ?? 8B ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_35 = { 5? 6A ?? 8D ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_36 = { 5? 5? 8B ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? 8B ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_37 = { 83 ?? ?? ?? 68 ?? ?? ?? ?? 5? 0F 94 ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 }
- $block_38 = { 5? 8B ?? 8B ?? ?? 8B ?? ?? 03 ?? 0F B7 ?? ?? 8D ?? ?? ?? 0F B7 ?? ?? 4? 74 }
- $block_39 = { 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_40 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 2B ?? 39 ?? ?? 73 }
- $block_41 = { 33 ?? 0F A2 8D ?? ?? 89 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 4? }
- $block_42 = { 5? 5? FF 7? ?? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 85 }
- $block_43 = { 8B ?? 2B ?? 99 B9 ?? ?? ?? ?? F7 ?? 33 ?? 4? 89 ?? ?? ?? ?? ?? 3B ?? 7D }
- $block_44 = { 8B ?? ?? 8B ?? ?? 89 ?? F7 ?? 1B ?? 25 ?? ?? ?? ?? 05 ?? ?? ?? ?? C9 C3 }
- $block_45 = { 8D ?? ?? ?? 0F B7 ?? ?? 8B ?? 25 ?? ?? ?? ?? 03 ?? C1 ?? ?? 83 ?? ?? 74 }
- $block_46 = { 5? 6A ?? 8D ?? ?? 5? FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 85 }
- $block_47 = { 0F B7 ?? ?? ?? ?? ?? ?? 48 ?? ?? 66 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? E9 }
- $block_48 = { 0F B7 ?? ?? ?? ?? ?? ?? 48 ?? ?? 66 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? EB }
- $block_49 = { 8B ?? ?? 03 ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_50 = { 5? 8B ?? 8B ?? ?? 8B ?? 5? 8B ?? ?? 2B ?? 5? 99 2B ?? 8B ?? D1 ?? 79 }
- $block_51 = { 8B ?? ?? 8B ?? A5 A5 A5 A5 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_52 = { 6A ?? 6A ?? 8D ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 33 ?? 3B ?? 0F 85 }
- $block_53 = { FF 8? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 3B ?? ?? ?? ?? ?? 0F 8C }
- $block_54 = { 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? EB }
- $block_55 = { 0F B7 ?? ?? 33 ?? 8D ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? 73 }
- $block_56 = { 2B ?? 8B ?? ?? ?? 33 ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_57 = { 5? 8B ?? 5? 5? 8B ?? ?? 5? 33 ?? 89 ?? 8B ?? ?? 5? 5? 3B ?? 0F 84 }
- $block_58 = { 68 ?? ?? ?? ?? FF B? ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 }
- $block_59 = { 5? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? A5 A5 A5 A5 EB }
- $block_60 = { 6A ?? 5? 03 ?? 0F B6 ?? 0F B6 ?? ?? C1 ?? ?? 8D ?? ?? ?? 3B ?? 7F }
- $block_61 = { E8 ?? ?? ?? ?? 33 ?? 89 ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 8E }
- $block_62 = { 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? 8B ?? C1 ?? ?? 03 ?? 3B ?? 0F 9F }
- $block_63 = { 8D ?? ?? ?? ?? ?? ?? 9? 8B ?? ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_64 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 95 ?? 88 ?? ?? EB }
- $block_65 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_66 = { 5? 6A ?? 8D ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_67 = { 5? 5? 8B ?? ?? 8B ?? 33 ?? C7 ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_68 = { C6 ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 39 ?? ?? 0F 8F }
- $block_69 = { 6A ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 80 7? ?? ?? 0F 85 }
- $block_70 = { 8B ?? ?? 8B ?? ?? 2B ?? 2B ?? ?? 0F AF ?? 8B ?? ?? 3B ?? 7E }
- $block_71 = { BF ?? ?? ?? ?? 89 ?? ?? 45 ?? ?? 41 ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_72 = { 0F BE ?? E8 ?? ?? ?? ?? 41 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 75 }
- $block_73 = { 8B ?? ?? ?? ?? ?? 0F B7 ?? 8B ?? 39 ?? ?? ?? ?? ?? 0F 85 }
- $block_74 = { 8D ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_75 = { 0F B7 ?? ?? 03 ?? 8B ?? ?? 4? 83 ?? ?? 89 ?? ?? 3B ?? 72 }
- $block_76 = { 8D ?? ?? 5? 03 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_77 = { 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 80 B? ?? ?? ?? ?? ?? 0F 84 }
- $block_78 = { 83 ?? ?? D1 ?? 0F B7 ?? 33 ?? 89 ?? ?? 89 ?? ?? 85 ?? 74 }
- $block_79 = { 38 ?? ?? ?? ?? ?? 0F 94 ?? 89 ?? ?? 5? 3A ?? 8B ?? 0F 84 }
- $block_80 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_81 = { 5? 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 8C }
- $block_82 = { C6 ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 0F 8E }
- $block_83 = { FF 7? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 5? 3B ?? 0F 84 }
- $block_84 = { 83 ?? ?? 6A ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 8E }
- $block_85 = { 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 38 ?? ?? ?? ?? ?? 0F 84 }
- $block_86 = { 8B ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_87 = { 0F BE ?? E8 ?? ?? ?? ?? 88 ?? ?? 48 ?? ?? 48 ?? ?? 75 }
- $block_88 = { 2B ?? ?? 0F B7 ?? 89 ?? ?? 0F B7 ?? 3B ?? ?? 0F 87 }
- $block_89 = { E8 ?? ?? ?? ?? 33 ?? 8B ?? 39 ?? ?? ?? ?? ?? 0F 8E }
- $block_90 = { 8B ?? ?? 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 }
- $block_91 = { 2B ?? ?? 0F B7 ?? 89 ?? ?? 0F B7 ?? 3B ?? ?? 0F 83 }
- $block_92 = { 0F B7 ?? ?? ?? ?? ?? ?? 8B ?? 48 ?? ?? 49 ?? ?? 72 }
- $block_93 = { 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 83 ?? ?? 0F 84 }
- $block_94 = { 83 ?? ?? D1 ?? 0F B7 ?? 33 ?? 89 ?? ?? 85 ?? 74 }
- $block_95 = { 5? C6 ?? ?? ?? ?? ?? ?? FF D? 85 ?? 0F 94 ?? 88 }
- $block_96 = { 03 ?? 6A ?? 99 5? F7 ?? 39 ?? ?? ?? ?? ?? 0F 9F }
- $block_97 = { 66 ?? ?? 0F 95 ?? ?? 33 ?? 66 ?? ?? 66 ?? ?? 74 }
- $block_98 = { 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_99 = { 0F B7 ?? 48 ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? 75 }
-
- condition:
- hash.sha256(0, filesize) == "b52285393bd75897662c662bcfef0d3e3a0b185fd297c325ffe283abafa93f65" or
- hash.sha256(0, filesize) == "1950d2e706fbc6263d376c0c4f16bd5acfd543248ee072657ba3dd62da8427eb" or
- hash.sha256(0, filesize) == "eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158" or
- hash.sha256(0, filesize) == "ff22dbefce16adfc684fb79f4b8cd441a7f08fa34ba1d9b28724e7b32dbd62b4" or
- hash.sha256(0, filesize) == "3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3" or
- hash.sha256(0, filesize) == "10bca4fbbd39a86211d8b18622de1760992e81d4a45c1b45c8062faf30bbb7f8" or
- hash.sha256(0, filesize) == "69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290" or
- hash.sha256(0, filesize) == "6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27" or
- hash.sha256(0, filesize) == "80cf8753ef6e1efd55f5f7afb20571472030e589ceb9423f91384dae51dfca36" or
- 12 of them
-}
-
-rule CarbonDropper_v3_77_ {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_1 = { 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_2 = { 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_3 = { 0F B7 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? 75 }
- $block_4 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? 75 }
- $block_5 = { 48 ?? ?? ?? ?? ?? ?? 49 ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_6 = { 0F B7 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? 75 }
- $block_7 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_8 = { 0F B7 ?? ?? 48 ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? 75 }
- $block_9 = { 48 ?? ?? ?? 33 ?? 48 ?? ?? 66 ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_10 = { 0F B7 ?? ?? 48 ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? 75 }
- $block_11 = { 0F B7 ?? 48 ?? ?? ?? 66 ?? ?? ?? ?? ?? 66 ?? ?? 75 }
- $block_12 = { 0F B7 ?? 48 ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? 75 }
-
- condition:
- hash.sha256(0, filesize) == "aaa2afe68852cb76bccf7dbb0b541a5d62b7f0b15e47f0a24e63f68f50af167c" or
- 12 of them
-}
-
-rule GazerCommunicationModule_x64_ {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? 48 ?? ?? ?? 41 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 44 ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 4C ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? 45 ?? ?? ?? 41 ?? ?? 49 ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_1 = { 8B ?? 48 ?? ?? ?? 41 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? 43 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? C1 ?? ?? 33 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 43 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? 41 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? 43 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? C1 ?? ?? 33 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 43 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? 48 ?? ?? 0F 85 }
- $block_2 = { 8B ?? 48 ?? ?? ?? 41 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 8B ?? ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 42 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? C1 ?? ?? 33 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 8B ?? ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 33 ?? ?? ?? ?? ?? ?? 8B ?? ?? 42 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? 41 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 8B ?? ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 42 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? C1 ?? ?? 33 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 8B ?? ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 33 ?? ?? ?? ?? ?? ?? 42 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? 48 ?? ?? 0F 85 }
- $block_3 = { 8B ?? 48 ?? ?? ?? 41 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 8B ?? ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 42 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? C1 ?? ?? 33 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 8B ?? ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 33 ?? ?? ?? ?? ?? ?? 8B ?? ?? 42 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? 41 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 8B ?? ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 42 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? C1 ?? ?? 33 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 8B ?? ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 33 ?? ?? ?? ?? ?? ?? 42 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? 49 ?? ?? 0F 85 }
- $block_4 = { 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 41 ?? 41 ?? 44 ?? ?? ?? 0F B6 ?? ?? 49 ?? ?? 44 ?? ?? ?? ?? 41 ?? ?? ?? 48 ?? ?? ?? 44 ?? ?? 0F B6 ?? ?? 41 ?? ?? ?? 41 ?? ?? ?? BD ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 44 ?? ?? 0F B6 ?? ?? 41 ?? ?? ?? 44 ?? ?? 0F B6 ?? ?? 44 ?? ?? 0F B6 ?? ?? 41 ?? ?? ?? 44 ?? ?? 0F B6 ?? ?? 41 ?? ?? ?? 44 ?? ?? 41 ?? ?? C1 ?? ?? 41 ?? ?? 23 ?? 44 ?? ?? C1 ?? ?? 44 ?? ?? 41 ?? ?? C1 ?? ?? 41 ?? ?? 0F B7 ?? 44 ?? ?? C1 ?? ?? 44 ?? ?? 41 ?? ?? C1 ?? ?? 41 ?? ?? 41 ?? ?? 4C ?? ?? ?? ?? ?? ?? 44 ?? ?? C1 ?? ?? 44 ?? ?? 45 ?? ?? 41 ?? ?? ?? 45 ?? ?? 41 ?? ?? ?? ?? ?? ?? 45 ?? ?? 41 ?? ?? ?? 45 ?? ?? 41 ?? ?? 45 ?? ?? 45 ?? ?? 41 ?? ?? ?? ?? ?? ?? 45 ?? ?? 45 ?? ?? 41 ?? ?? ?? ?? ?? 45 ?? ?? ?? 41 ?? ?? 41 }
- $block_5 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 5? 41 ?? 41 ?? 48 ?? ?? ?? ?? ?? ?? 4D ?? ?? 8B ?? 4C ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? 44 ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 49 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? B9 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? 89 ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 49 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 74 }
- $block_6 = { 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? 45 ?? ?? 4C ?? ?? B1 ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 88 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? B1 ?? 4C ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 88 ?? ?? FF 1? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 8A ?? 48 ?? ?? ?? ?? 4C ?? ?? 80 E? ?? 41 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 88 ?? ?? FF 1? ?? ?? ?? ?? C0 ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 8A ?? 4C ?? ?? E8 ?? ?? ?? ?? 4D ?? ?? C6 ?? ?? ?? 88 ?? ?? B8 ?? ?? ?? ?? 45 ?? ?? ?? 45 ?? ?? F7 ?? 8B ?? C1 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 6B ?? ?? 2B ?? 89 ?? ?? ?? 48 ?? ?? ?? 8B ?? ?? ?? 48 ?? ?? ?? ?? 99 2B ?? D1 ?? 8D ?? ?? 89 }
- $block_7 = { 41 ?? ?? 44 ?? ?? C1 ?? ?? 41 ?? ?? ?? 44 ?? ?? 43 ?? ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 44 ?? ?? C1 ?? ?? 33 ?? 48 ?? ?? ?? 33 ?? 41 ?? ?? 47 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 44 ?? ?? 4C ?? ?? ?? 48 ?? ?? ?? 41 ?? ?? 41 ?? ?? ?? 41 ?? ?? C1 ?? ?? 41 ?? ?? ?? 41 ?? ?? 41 ?? ?? 4C ?? ?? ?? 33 ?? 89 ?? 43 ?? ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? C1 ?? ?? 33 ?? 49 ?? ?? 48 ?? ?? ?? 33 ?? 43 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 4D ?? ?? 49 ?? ?? 49 ?? ?? ?? 48 ?? ?? ?? 4C ?? ?? ?? 45 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? ?? 45 ?? ?? 41 ?? ?? ?? ?? ?? 41 ?? ?? C1 ?? ?? 83 ?? ?? 89 ?? ?? 45 ?? ?? 0F 84 }
- $block_8 = { 41 ?? ?? 44 ?? ?? C1 ?? ?? 41 ?? ?? ?? 44 ?? ?? 43 ?? ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 44 ?? ?? C1 ?? ?? 33 ?? 48 ?? ?? ?? 33 ?? 41 ?? ?? 47 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 45 ?? ?? 4C ?? ?? ?? 48 ?? ?? ?? 41 ?? ?? 41 ?? ?? ?? 41 ?? ?? ?? ?? ?? C1 ?? ?? 41 ?? ?? 41 ?? ?? 33 ?? 41 ?? ?? 43 ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? 8B ?? C1 ?? ?? 4D ?? ?? C1 ?? ?? 49 ?? ?? ?? 33 ?? 48 ?? ?? ?? 33 ?? 43 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? 4D ?? ?? 49 ?? ?? 4D ?? ?? 48 ?? ?? ?? 4C ?? ?? ?? 45 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? 8B ?? ?? F7 ?? 41 ?? ?? ?? ?? ?? ?? 83 ?? ?? 44 ?? ?? 41 ?? ?? C1 ?? ?? 83 ?? ?? 89 ?? ?? 45 ?? ?? 0F 84 }
- $block_9 = { 4C ?? ?? 33 ?? 49 ?? ?? FF 1? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 45 ?? ?? 41 ?? ?? ?? ?? ?? 8B ?? 41 ?? ?? 44 ?? ?? ?? C1 ?? ?? 41 ?? ?? 41 ?? ?? C1 ?? ?? 41 ?? ?? 8B ?? 0F B6 ?? 41 ?? ?? C1 ?? ?? C1 ?? ?? 41 ?? ?? C1 ?? ?? 0F B6 ?? 03 ?? 48 ?? ?? ?? ?? ?? ?? 03 ?? 41 ?? ?? ?? 41 ?? ?? ?? 03 ?? B8 ?? ?? ?? ?? 03 ?? 41 ?? ?? F7 ?? 41 ?? ?? 41 ?? ?? ?? C1 ?? ?? 41 ?? ?? 03 ?? 41 ?? ?? 41 ?? ?? 6B ?? ?? 2B ?? F7 ?? 41 ?? ?? C1 ?? ?? 69 ?? ?? ?? ?? ?? 2B ?? F7 ?? C1 ?? ?? 69 ?? ?? ?? ?? ?? 2B ?? FF 1? ?? ?? ?? ?? 49 ?? ?? ?? BA ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 44 ?? ?? 48 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? B3 }
-
- condition:
- hash.sha256(0, filesize) == "93e36c336b5b20b3c33b7d0f8844572ddcc10046d1fe91b7b106d78c7fea932c" or
- 10 of them
-}
-
-rule Nautilus {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 48 ?? ?? ?? ?? 44 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 0F 8A }
- $block_1 = { 44 ?? ?? ?? 4C ?? ?? ?? 48 ?? ?? ?? 8D ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_2 = { 49 ?? ?? 48 ?? ?? 48 ?? ?? A8 ?? 0F 95 ?? 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 44 ?? ?? 85 ?? 75 }
- $block_3 = { 48 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 48 ?? ?? 44 ?? ?? E8 ?? ?? ?? ?? 8B ?? 48 ?? ?? E8 }
- $block_4 = { 8B ?? 8B ?? C1 ?? ?? 83 ?? ?? 0F B6 ?? 4C ?? ?? 4D ?? ?? 4D ?? ?? 4B ?? ?? ?? 83 ?? ?? 0F 8F }
- $block_5 = { 48 ?? ?? ?? ?? ?? 49 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_6 = { 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_7 = { 44 ?? ?? ?? 48 ?? ?? 41 ?? ?? F6 ?? 41 ?? ?? F6 ?? 0F B6 ?? 48 ?? ?? ?? 4C ?? ?? 49 ?? ?? 72 }
- $block_8 = { 41 ?? ?? ?? 4D ?? ?? 33 ?? 8B ?? 89 ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_9 = { 4C ?? ?? ?? ?? 4D ?? ?? 48 ?? ?? 48 ?? ?? 4C ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_10 = { 8B ?? 41 ?? ?? 4D ?? ?? ?? 24 ?? F6 ?? 8D ?? ?? 1B ?? 83 ?? ?? 33 ?? 0F B6 ?? 4C ?? ?? 75 }
- $block_11 = { 48 ?? ?? ?? 0F B6 ?? ?? C7 ?? ?? ?? ?? ?? ?? FF C? 83 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? EB }
- $block_12 = { FF 0? ?? ?? ?? ?? 45 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_13 = { B8 ?? ?? ?? ?? 41 ?? ?? 44 ?? ?? 41 ?? ?? ?? 44 ?? ?? 45 ?? ?? 41 ?? ?? ?? ?? ?? ?? 0F 8F }
- $block_14 = { 0F B6 ?? 44 ?? ?? 44 ?? ?? 44 ?? ?? ?? ?? 45 ?? ?? 4C ?? ?? 89 ?? ?? ?? 48 ?? ?? ?? ?? 48 }
- $block_15 = { 44 ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_16 = { 44 ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? 48 ?? ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_17 = { A8 ?? 8B ?? 48 ?? ?? 0F 95 ?? 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 44 ?? ?? 85 ?? 0F 85 }
- $block_18 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 8B ?? ?? FF C? 81 F? ?? ?? ?? ?? 89 ?? ?? 0F 44 ?? 89 }
- $block_19 = { 48 ?? ?? ?? 41 ?? ?? F6 ?? 41 ?? ?? C0 ?? ?? E8 ?? ?? ?? ?? 33 ?? 44 ?? ?? 85 ?? 0F 85 }
- $block_20 = { FF 0? ?? ?? ?? ?? 4C ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_21 = { FF 0? ?? ?? ?? ?? 4D ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_22 = { E8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 0F 84 }
- $block_23 = { 8B ?? ?? 69 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? 40 ?? ?? ?? 0F 84 }
- $block_24 = { 4C ?? ?? ?? ?? 8B ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 85 }
- $block_25 = { 48 ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_26 = { FF 0? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 4D ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_27 = { FF 0? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_28 = { 0F 10 ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? F3 ?? ?? ?? 48 ?? ?? ?? 5? C3 }
- $block_29 = { 41 ?? ?? ?? 45 ?? ?? ?? 4D ?? ?? C1 ?? ?? 44 ?? ?? ?? ?? 49 ?? ?? 49 ?? ?? ?? 0F 8C }
- $block_30 = { 0F B6 ?? ?? E8 ?? ?? ?? ?? 88 ?? 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? 72 }
- $block_31 = { 4C ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_32 = { 48 ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? 8B ?? 83 ?? ?? 83 ?? ?? 83 ?? ?? 0F 87 }
- $block_33 = { 44 ?? ?? ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_34 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_35 = { 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_36 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? FE ?? 0F B6 ?? FF 1? ?? ?? ?? ?? 8B ?? 89 }
- $block_37 = { BA ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_38 = { 4D ?? ?? ?? 48 ?? ?? ?? 4D ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_39 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? BB ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_40 = { 44 ?? ?? ?? ?? 41 ?? ?? 41 ?? ?? 41 ?? ?? 41 ?? ?? 3B ?? 0F 4C ?? 85 ?? 7E }
- $block_41 = { BA ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_42 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? 85 ?? 0F 85 }
- $block_43 = { 41 ?? ?? ?? ?? ?? ?? 48 ?? ?? 8D ?? ?? 41 ?? ?? 48 ?? ?? ?? 3B ?? 0F 8C }
- $block_44 = { 48 ?? ?? ?? ?? 44 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 80 7? ?? ?? ?? 0F 85 }
- $block_45 = { 8A ?? ?? B9 ?? ?? ?? ?? 40 ?? ?? C0 ?? ?? 41 ?? ?? D2 ?? 84 ?? 0F 85 }
- $block_46 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 89 }
- $block_47 = { 4C ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_48 = { 44 ?? ?? 48 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 3B ?? 0F 8C }
- $block_49 = { 4C ?? ?? ?? 4D ?? ?? 49 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_50 = { 4C ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_51 = { 48 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 8D ?? ?? ?? ?? ?? ?? 4C ?? ?? 72 }
- $block_52 = { 4B ?? ?? ?? 03 ?? 48 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 41 ?? ?? 0F 8F }
- $block_53 = { 4C ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_54 = { 0F 28 ?? ?? BE ?? ?? ?? ?? 48 ?? ?? ?? ?? 44 ?? ?? ?? 0F 11 }
- $block_55 = { 0F B6 ?? 3B ?? 0F 4F ?? 3B ?? 0F 4C ?? 48 ?? ?? 48 ?? ?? 75 }
- $block_56 = { 48 ?? ?? ?? BB ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 85 ?? 0F 88 }
- $block_57 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_58 = { 48 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_59 = { 0F 28 ?? ?? 41 ?? ?? ?? 45 ?? ?? ?? 48 ?? ?? ?? ?? 0F 11 }
- $block_60 = { 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? 0F 84 }
- $block_61 = { 48 ?? ?? ?? ?? 4C ?? ?? ?? ?? 4D ?? ?? ?? 4C ?? ?? 0F 82 }
- $block_62 = { 4C ?? ?? ?? 48 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_63 = { 49 ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? 0F 84 }
- $block_64 = { 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_65 = { 48 ?? ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_66 = { 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_67 = { 45 ?? ?? ?? 4D ?? ?? 66 ?? ?? ?? ?? 41 ?? ?? ?? 0F 8C }
- $block_68 = { 49 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_69 = { 49 ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_70 = { 41 ?? ?? 41 ?? ?? 44 ?? ?? 45 ?? ?? 45 ?? ?? 0F 8F }
- $block_71 = { 49 ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 49 ?? ?? ?? 0F 86 }
- $block_72 = { 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_73 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F 10 ?? F3 }
- $block_74 = { 49 ?? ?? ?? 8B ?? 8B ?? C1 ?? ?? 0F B6 ?? 85 ?? 7E }
- $block_75 = { 4C ?? ?? ?? 44 ?? ?? ?? 44 ?? ?? ?? 44 ?? ?? 0F 84 }
- $block_76 = { 48 ?? ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_77 = { 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_78 = { 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 87 }
- $block_79 = { 48 ?? ?? ?? 48 ?? ?? B8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_80 = { 83 ?? ?? ?? 8B ?? ?? 4C ?? ?? ?? 49 ?? ?? 0F 85 }
- $block_81 = { 41 ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? 44 ?? ?? 0F 8C }
- $block_82 = { 49 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "cefc5cf4d46abb86fb0f7c81549777cf1a2a5bfbe1ce9e7d08128ab8bfc978f8" or
- 24 of them
-}
-
-rule CarbonOrchestrator_v3_81_ {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 8B ?? 48 ?? ?? ?? ?? 8B ?? ?? 2B ?? 8B ?? 89 ?? ?? ?? EB }
- $block_1 = { 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 }
- $block_2 = { C7 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B6 ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 3D ?? ?? ?? ?? 0F 85 }
- $block_3 = { 4C ?? ?? ?? ?? 88 ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 85 ?? 74 }
- $block_4 = { 5? 68 ?? ?? ?? ?? 6A ?? 5? 5? 68 ?? ?? ?? ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_5 = { 5? 68 ?? ?? ?? ?? 6A ?? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? 0F 84 }
- $block_6 = { 66 ?? ?? ?? 6A ?? 8D ?? ?? 5? 5? 5? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 85 }
- $block_7 = { 89 ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 85 }
- $block_8 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 }
- $block_9 = { 0F B7 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 48 ?? ?? ?? ?? 66 ?? ?? ?? EB }
- $block_10 = { 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_11 = { FF 7? ?? ?? 8B ?? ?? ?? FF 7? ?? ?? E8 ?? ?? ?? ?? 33 ?? 5? 5? 89 ?? ?? ?? 39 ?? ?? ?? 0F 85 }
- $block_12 = { 5? FF 1? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 5? 89 ?? ?? ?? FF D? 5? 5? 89 ?? ?? ?? 3B ?? 0F 84 }
- $block_13 = { FF 7? ?? FF 1? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 }
- $block_14 = { 0F BE ?? ?? ?? BA ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 83 ?? ?? 7C }
- $block_15 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
- $block_16 = { 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 3D ?? ?? ?? ?? 75 }
- $block_17 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 84 }
- $block_18 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 33 ?? B9 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? EB }
- $block_19 = { 4C ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_20 = { FF 1? ?? ?? ?? ?? FF 7? ?? 8B ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 84 }
- $block_21 = { 8B ?? ?? 89 ?? ?? 8D ?? ?? 5? FF 7? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 85 ?? 0F 85 }
- $block_22 = { 8B ?? 99 F7 ?? 83 ?? ?? ?? 8A ?? 83 ?? ?? ?? 33 ?? 4? 89 ?? ?? 88 ?? ?? 89 ?? ?? 85 ?? 7E }
- $block_23 = { 8B ?? ?? 6A ?? 8D ?? ?? ?? 5? 5? 5? FF 7? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 85 }
- $block_24 = { 8B ?? ?? ?? 44 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_25 = { 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 85 ?? 74 }
- $block_26 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 88 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 75 }
- $block_27 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B6 ?? ?? 88 ?? ?? ?? 8B ?? ?? ?? FF C? 89 ?? ?? ?? C7 }
- $block_28 = { 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 }
- $block_29 = { 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
- $block_30 = { 0F B6 ?? 23 ?? ?? 8B ?? ?? D3 ?? 8B ?? ?? D2 ?? 0A ?? FF 4? ?? 83 ?? ?? ?? 8B ?? ?? 7C }
- $block_31 = { 6A ?? 8D ?? ?? ?? 5? 5? FF 7? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_32 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 33 ?? B9 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? 73 }
- $block_33 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F BE ?? ?? ?? 83 ?? ?? 74 }
- $block_34 = { 48 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 }
- $block_35 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? 0F 85 }
- $block_36 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_37 = { 0F BF ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? ?? E9 }
- $block_38 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 }
- $block_39 = { 0F BF ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? ?? EB }
- $block_40 = { 8B ?? ?? ?? 8B ?? ?? ?? 03 ?? 8B ?? 89 ?? ?? ?? 8B ?? ?? ?? 39 ?? ?? ?? 0F 82 }
- $block_41 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 }
- $block_42 = { FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 81 B? ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_43 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_44 = { 33 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 }
- $block_45 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 85 }
- $block_46 = { 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 83 ?? ?? 75 }
- $block_47 = { 0F BE ?? ?? ?? 8B ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 74 }
- $block_48 = { B2 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_49 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 39 ?? ?? 0F 85 }
- $block_50 = { 48 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B7 ?? ?? 85 ?? 74 }
- $block_51 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 66 ?? ?? ?? ?? EB }
- $block_52 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_53 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 2B ?? 3B ?? ?? ?? 0F 87 }
- $block_54 = { 0F B6 ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? 8B ?? 0F B6 ?? ?? ?? 03 ?? 8B ?? 88 }
- $block_55 = { 8B ?? ?? ?? ?? ?? ?? FF C? 48 ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 75 }
- $block_56 = { 0F BE ?? ?? ?? 8B ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 74 }
- $block_57 = { 48 ?? ?? ?? ?? 8B ?? ?? 99 83 ?? ?? 03 ?? C1 ?? ?? 39 ?? ?? ?? 7E }
- $block_58 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 8B ?? ?? ?? 39 ?? ?? ?? 77 }
- $block_59 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_60 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 2B ?? 8B ?? 3D ?? ?? ?? ?? 0F 8C }
- $block_61 = { B2 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
- $block_62 = { 0F B6 ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 85 ?? 0F 84 }
- $block_63 = { 48 ?? ?? ?? ?? 0F B6 ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 83 ?? ?? 75 }
- $block_64 = { 8B ?? ?? ?? FF C? 89 ?? ?? ?? 0F B7 ?? ?? ?? 39 ?? ?? ?? 0F 83 }
- $block_65 = { 48 ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 83 }
- $block_66 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_67 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F 84 }
- $block_68 = { 8B ?? ?? ?? FF C? 48 ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 75 }
- $block_69 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? 75 }
- $block_70 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 7D }
- $block_71 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 75 }
- $block_72 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 7F }
- $block_73 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 2B ?? 8B ?? 85 ?? 0F 85 }
- $block_74 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 48 ?? ?? 0F 85 }
- $block_75 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 2B ?? 8B ?? 85 ?? 0F 8E }
- $block_76 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_77 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? ?? 39 ?? ?? 0F 83 }
- $block_78 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 3D ?? ?? ?? ?? 75 }
- $block_79 = { B2 ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
- $block_80 = { 8B ?? ?? ?? 8B ?? ?? ?? FF C? 89 ?? ?? ?? 85 ?? 0F 84 }
- $block_81 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 85 }
- $block_82 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 3D ?? ?? ?? ?? 74 }
- $block_83 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 86 }
- $block_84 = { 33 ?? 8B ?? ?? ?? F7 ?? ?? ?? FF C? 0F AF ?? ?? ?? 89 }
- $block_85 = { 8B ?? ?? ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 0F 85 }
- $block_86 = { 48 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_87 = { 0F B7 ?? ?? ?? ?? ?? ?? 25 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_88 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? ?? 0F B7 ?? ?? 3B ?? 7D }
- $block_89 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 39 ?? ?? ?? 0F 85 }
- $block_90 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_91 = { 48 ?? ?? ?? ?? 48 ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_92 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 83 ?? ?? 75 }
- $block_93 = { 8B ?? ?? ?? ?? ?? ?? 0F BE ?? ?? ?? 83 ?? ?? 74 }
- $block_94 = { 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 83 }
- $block_95 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 }
- $block_96 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 0F 85 }
- $block_97 = { B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 }
- $block_98 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 }
- $block_99 = { 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 8D }
-
- condition:
- hash.sha256(0, filesize) == "d1ad698567b04ea5ce8197c0316444ad8ee0350b46e0414f53f54c278b393a19" or
- hash.sha256(0, filesize) == "e82d4b6d037568a4602e70f099005572b587c220793afd8f90c13cb7bbde61ed" or
- hash.sha256(0, filesize) == "7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452" or
- 24 of them
-}
-
-rule CarbonCommunicationLibrary_v4_00_ {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 68 ?? ?? ?? ?? 6A ?? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? 0F 84 }
- $block_1 = { 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 84 ?? 0F 84 }
- $block_2 = { 89 ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 85 }
- $block_3 = { 6A ?? 8D ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F B7 ?? 5? 6A ?? 89 ?? ?? FF D? 5? 5? 85 ?? 74 }
- $block_4 = { 66 ?? ?? ?? 6A ?? 8D ?? ?? 5? 5? 5? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 85 }
- $block_5 = { 8B ?? ?? 4F ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_6 = { FF 7? ?? FF 1? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 }
- $block_7 = { 48 ?? ?? ?? ?? 5? 5? 5? 41 ?? 41 ?? 41 ?? 41 ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? 83 ?? ?? 0F 8E }
- $block_8 = { 8B ?? 99 F7 ?? 83 ?? ?? ?? 8A ?? 83 ?? ?? ?? 33 ?? 4? 89 ?? ?? 88 ?? ?? 89 ?? ?? 85 ?? 7E }
- $block_9 = { 8B ?? ?? 89 ?? ?? 8D ?? ?? 5? FF 7? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 85 ?? 0F 85 }
- $block_10 = { 8B ?? ?? 6A ?? 8D ?? ?? ?? 5? 5? 5? FF 7? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 85 }
- $block_11 = { 8B ?? ?? 48 ?? ?? ?? 4C ?? ?? ?? 48 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_12 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_13 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 85 }
- $block_14 = { 0F B6 ?? 23 ?? ?? 8B ?? ?? D3 ?? 8B ?? ?? D2 ?? 0A ?? FF 4? ?? 83 ?? ?? ?? 8B ?? ?? 7C }
- $block_15 = { 6A ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 85 }
- $block_16 = { FF 7? ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 0F 85 }
- $block_17 = { FF 3? ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 8E }
- $block_18 = { 6A ?? 8D ?? ?? 5? 6A ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 85 }
- $block_19 = { 5? FF 7? ?? E8 ?? ?? ?? ?? 01 ?? ?? 0F B7 ?? ?? 83 ?? ?? 83 ?? ?? FF 4? ?? 39 ?? ?? 72 }
- $block_20 = { 6A ?? 8D ?? ?? ?? 5? 5? FF 7? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_21 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 8E }
- $block_22 = { 48 ?? ?? ?? ?? ?? ?? 45 ?? ?? BA ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_23 = { 44 ?? ?? 4C ?? ?? 33 ?? 48 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_24 = { 41 ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 41 ?? ?? 49 ?? ?? ?? 44 ?? ?? 0F B7 ?? ?? 44 ?? ?? 72 }
- $block_25 = { 5? FF 7? ?? FF 1? ?? ?? ?? ?? 4? 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 85 }
- $block_26 = { 8B ?? ?? 03 ?? ?? 03 ?? ?? 5? 5? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_27 = { 89 ?? ?? FF 7? ?? 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 3B ?? 0F 85 }
- $block_28 = { FF 7? ?? 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 8B ?? ?? 85 ?? 0F 85 }
- $block_29 = { 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? 45 ?? ?? 44 ?? ?? ?? 45 ?? ?? 89 ?? ?? 85 ?? 0F 8E }
- $block_30 = { 48 ?? ?? ?? ?? 44 ?? ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_31 = { 89 ?? FF 7? ?? 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 3B ?? 0F 85 }
- $block_32 = { 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? FF D? 5? 5? 85 ?? 0F 84 }
- $block_33 = { 83 ?? ?? ?? ?? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 8B ?? ?? ?? ?? ?? 5? FF D? }
- $block_34 = { 6A ?? 8D ?? ?? 5? 6A ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 }
- $block_35 = { 41 ?? ?? 48 ?? ?? 41 ?? ?? 3B ?? 0F 4C ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 74 }
- $block_36 = { 48 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_37 = { 38 ?? ?? 0F 94 ?? ?? 8D ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 0F 85 }
- $block_38 = { 8A ?? ?? 8B ?? ?? 21 ?? ?? 88 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_39 = { 38 ?? ?? 0F 94 ?? ?? 8D ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 3B ?? 0F 85 }
- $block_40 = { FF 7? ?? 5? 5? FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 }
- $block_41 = { 6A ?? 8D ?? ?? 5? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_42 = { FF 7? ?? 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 85 ?? 0F 85 }
- $block_43 = { 48 ?? ?? ?? 48 ?? ?? ?? FF 1? ?? ?? ?? ?? BF ?? ?? ?? ?? 85 ?? 0F 44 ?? 8B }
- $block_44 = { 48 ?? ?? ?? 48 ?? ?? ?? FF 1? ?? ?? ?? ?? BB ?? ?? ?? ?? 85 ?? 0F 44 ?? 8B }
- $block_45 = { FF 7? ?? 6A ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_46 = { FF 7? ?? 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 8B ?? 3B ?? 0F 85 }
- $block_47 = { 38 ?? ?? 0F 94 ?? FF 7? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 8B ?? 85 ?? 0F 85 }
- $block_48 = { 8B ?? ?? ?? 8B ?? ?? ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 84 ?? 0F 84 }
- $block_49 = { 8D ?? ?? 5? 8B ?? ?? 4? 5? FF 1? ?? ?? ?? ?? 5? 5? 89 ?? ?? 85 ?? 0F 85 }
- $block_50 = { 8B ?? ?? 83 ?? ?? 5? 8B ?? ?? 03 ?? 8B ?? E8 ?? ?? ?? ?? 5? 85 ?? 0F 84 }
- $block_51 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 45 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_52 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_53 = { 48 ?? ?? ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_54 = { 44 ?? ?? 48 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_55 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? 25 ?? ?? ?? ?? 03 ?? C1 ?? ?? 83 ?? ?? 74 }
- $block_56 = { FF 7? ?? FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_57 = { 6A ?? 8D ?? ?? 5? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 86 }
- $block_58 = { 4C ?? ?? ?? BA ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_59 = { FF 7? ?? 8D ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 3B ?? 0F 85 }
- $block_60 = { 83 ?? ?? ?? 83 ?? ?? D1 ?? 0F B7 ?? 8D ?? ?? ?? 89 ?? ?? 85 ?? 74 }
- $block_61 = { 5? 8B ?? 83 ?? ?? 5? 33 ?? 5? 8B ?? ?? 89 ?? 89 ?? ?? 39 ?? 0F 84 }
- $block_62 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 33 ?? 5? 89 ?? 89 ?? ?? 39 ?? 0F 84 }
- $block_63 = { 8B ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 89 ?? ?? 89 ?? ?? 83 ?? ?? 0F 8C }
- $block_64 = { 8B ?? 99 F7 ?? ?? 33 ?? 33 ?? 89 ?? ?? 89 ?? ?? 32 ?? 39 ?? ?? 7E }
- $block_65 = { 8B ?? ?? 03 ?? ?? 5? 99 2B ?? 5? 8B ?? ?? 8B ?? D1 ?? 5? 3B ?? 7D }
- $block_66 = { FF 7? ?? 6A ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 85 ?? 0F 85 }
- $block_67 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 5? FF 1? ?? ?? ?? ?? EB }
- $block_68 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 5? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_69 = { 8B ?? ?? 8B ?? ?? 03 ?? 0F B7 ?? ?? BE ?? ?? ?? ?? 66 ?? ?? 75 }
- $block_70 = { 5? 8B ?? A1 ?? ?? ?? ?? 83 ?? ?? 5? 5? 33 ?? 33 ?? 3B ?? 0F 84 }
- $block_71 = { 8B ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 0F 85 }
- $block_72 = { 2B ?? ?? ?? 0F B7 ?? 89 ?? ?? ?? 0F B7 ?? 3B ?? ?? ?? 0F 87 }
- $block_73 = { 8B ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 3B ?? 0F 85 }
- $block_74 = { FF 7? ?? 6A ?? FF 3? ?? ?? ?? ?? FF D? 89 ?? ?? 3B ?? 0F 84 }
- $block_75 = { 8B ?? ?? ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 84 ?? 0F 85 }
- $block_76 = { 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 }
- $block_77 = { FF 7? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 0F 85 }
- $block_78 = { 68 ?? ?? ?? ?? 6A ?? 5? FF D? A3 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_79 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 8B ?? ?? 2B ?? 2B }
- $block_80 = { 2B ?? ?? ?? C6 ?? ?? ?? ?? 69 ?? ?? ?? ?? ?? 3B ?? 0F 87 }
- $block_81 = { FF 3? FF 7? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? B0 ?? C9 C3 }
- $block_82 = { 5? 6A ?? 8D ?? ?? 5? 5? 5? FF 1? ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_83 = { FF 7? ?? A1 ?? ?? ?? ?? FF 5? ?? 8B ?? ?? 3B ?? ?? 0F 82 }
- $block_84 = { 68 ?? ?? ?? ?? 5? FF D? 5? 5? 89 ?? ?? ?? 3B ?? 0F 84 }
- $block_85 = { FF 3? FF 1? ?? ?? ?? ?? 8B ?? 5? 89 ?? ?? 85 ?? 0F 84 }
- $block_86 = { FF 7? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 8B ?? 3B ?? 0F 85 }
- $block_87 = { FF 7? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 0F 85 }
- $block_88 = { FF 3? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 85 ?? 0F 84 }
- $block_89 = { 68 ?? ?? ?? ?? 5? FF D? 5? 5? 89 ?? ?? 3B ?? 0F 84 }
- $block_90 = { 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 5? 5? 84 ?? 0F 85 }
- $block_91 = { FF 3? ?? ?? ?? ?? FF B? ?? ?? ?? ?? 39 ?? ?? 0F 85 }
- $block_92 = { FF 0? 03 ?? 89 ?? 89 ?? ?? 89 ?? ?? 3B ?? ?? 0F 8C }
- $block_93 = { 8B ?? ?? 2B ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? 0F 85 }
- $block_94 = { 8D ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 5? 85 ?? 0F 85 }
- $block_95 = { FF 7? ?? 5? 5? FF D? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 }
- $block_96 = { 5? 8D ?? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 0F 85 }
- $block_97 = { FF 3? ?? ?? ?? ?? FF 7? ?? FF D? 5? 5? 85 ?? 0F 85 }
- $block_98 = { 2B ?? ?? ?? 69 ?? ?? ?? ?? ?? 3B ?? ?? ?? 0F 82 }
- $block_99 = { C6 ?? ?? ?? ?? 0F B7 ?? ?? 89 ?? ?? ?? 39 ?? 75 }
-
- condition:
- hash.sha256(0, filesize) == "2dc0f9e08bde378e8fe4e408b1b5f4bbbeacb251901009f25189a5a41a53ab47" or
- hash.sha256(0, filesize) == "e959e1fa1993f906cd1d8f014c82025b2eb77a67a3e0dc0f44be685700cdb76b" or
- hash.sha256(0, filesize) == "d581b95b43c16407305f5d52631f044936b354ed921cb2efe8dfc9257960d2db" or
- hash.sha256(0, filesize) == "995d2b3924d5f517a795c0acc392e3d47f07787f58c77bb42ac2248393533f16" or
- hash.sha256(0, filesize) == "c3b85bc12c84b8d050e2b9f682df06d93ceaeb4a18480227358baa99f4989e47" or
- 12 of them
-}
-
-rule CarbonLoader_v3_81_ {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8B ?? 83 ?? ?? 81 E? ?? ?? ?? ?? 5? 5? 33 ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 88 ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 33 ?? 83 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 39 ?? ?? 0F 84 }
- $block_1 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 5? 33 ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? 5? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_2 = { 0F B7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? 68 ?? ?? ?? ?? 5? FF D? 83 ?? ?? 6A ?? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_3 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? 8B ?? FF D? 83 ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_4 = { 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? A3 ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_5 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_6 = { 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? 66 ?? ?? 75 }
-
- condition:
- hash.sha256(0, filesize) == "0b90db3a69aa8cfab36a66cd5390f46c32e3d88d8fcaefce8cd9e00700e10b65" or
- 7 of them
-}
-
-rule ComRAT {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? 8B ?? ?? 5? 68 ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_1 = { 83 ?? ?? 5? 5? 5? 5? 8B ?? 68 ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_2 = { 66 ?? ?? ?? D1 ?? 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? 66 ?? ?? 83 ?? ?? 25 ?? ?? ?? ?? 0F B7 ?? 79 }
- $block_3 = { 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_4 = { 33 ?? 44 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 3D ?? ?? ?? ?? 0F 8D }
- $block_5 = { 5? 68 ?? ?? ?? ?? 6A ?? 5? 6A ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F 84 }
- $block_6 = { 0F B7 ?? 89 ?? ?? 33 ?? 66 ?? ?? 5? 0F 95 ?? 5? 5? 5? 4? 83 ?? ?? 83 ?? ?? 0F B7 ?? 83 ?? ?? C3 }
- $block_7 = { 3B ?? 89 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? 0F 84 }
- $block_8 = { 8B ?? ?? ?? 8B ?? 0F B7 ?? 5? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 83 }
- $block_9 = { E8 ?? ?? ?? ?? 33 ?? F7 ?? 8B ?? 03 ?? 9B 8B ?? ?? 64 ?? ?? ?? ?? ?? ?? 5? 5? 5? 8B ?? 5? C2 }
- $block_10 = { 6A ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 81 F? ?? ?? ?? ?? 0F 8D }
- $block_11 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 80 C? ?? 88 ?? ?? ?? ?? ?? ?? 4? 81 F? ?? ?? ?? ?? 72 }
- $block_12 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 8B ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF D? 3B ?? 0F 84 }
- $block_13 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? 0F BE ?? ?? ?? ?? ?? ?? 85 ?? 75 }
- $block_14 = { 8B ?? ?? ?? 33 ?? B9 ?? ?? ?? ?? 48 ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? 0F 86 }
- $block_15 = { 6A ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 89 ?? ?? ?? 3B ?? 89 ?? ?? ?? 0F 84 }
- $block_16 = { 0F B7 ?? 8B ?? 66 ?? ?? 66 ?? ?? 83 ?? ?? 66 ?? ?? C1 ?? ?? 83 ?? ?? 83 ?? ?? 0F B7 ?? 75 }
- $block_17 = { 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? 66 ?? ?? 83 ?? ?? 25 ?? ?? ?? ?? 0F B7 ?? 79 }
- $block_18 = { 6A ?? 5? 5? E8 ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3D ?? ?? ?? ?? 0F 8D }
- $block_19 = { 8D ?? ?? 6A ?? 5? C7 ?? ?? ?? ?? ?? ?? FF D? 5? 8B ?? FF 1? ?? ?? ?? ?? 33 ?? 3B ?? 0F 84 }
- $block_20 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 8B ?? 8B ?? ?? 5? 5? FF 5? ?? 85 ?? 0F 85 }
- $block_21 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_22 = { 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_23 = { 8D ?? ?? ?? ?? ?? 5? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? FF D? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 }
- $block_24 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 5? 8D ?? ?? ?? 5? 5? FF D? 83 ?? ?? 0F 84 }
- $block_25 = { 8D ?? ?? 8B ?? ?? 8D ?? ?? 8D ?? ?? 8D ?? ?? 8B ?? ?? ?? C1 ?? ?? 03 ?? 3B ?? 0F 8C }
- $block_26 = { 8D ?? ?? 6A ?? 5? C7 ?? ?? ?? ?? ?? ?? FF D? 5? 8B ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_27 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? 0F B7 ?? 33 ?? 5? C1 ?? ?? 5? 0B ?? 5? 5? C3 }
- $block_28 = { 8B ?? ?? ?? 33 ?? 66 ?? ?? ?? 5? 0F 95 ?? 5? 5? 5? 4? 83 ?? ?? 83 ?? ?? 83 ?? ?? C3 }
- $block_29 = { 8B ?? ?? 0F B7 ?? 33 ?? 89 ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? 74 }
- $block_30 = { 0F B6 ?? ?? 0F B6 ?? ?? 83 ?? ?? 03 ?? 03 ?? C1 ?? ?? 0B ?? 0F BE ?? ?? ?? ?? ?? EB }
- $block_31 = { 8D ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_32 = { 33 ?? 0F B7 ?? 8B ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? BF ?? ?? ?? ?? F3 ?? 33 ?? EB }
- $block_33 = { 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? 66 ?? ?? 0F B7 ?? 0F B7 ?? C1 ?? ?? 0B ?? 5? C3 }
- $block_34 = { 40 ?? 5? 41 ?? 48 ?? ?? ?? 49 ?? ?? 4C ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_35 = { 68 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? 0F 84 }
- $block_36 = { 0F B7 ?? 8B ?? 5? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 83 }
- $block_37 = { 0F BE ?? ?? 5? 8D ?? ?? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 8D }
- $block_38 = { 88 ?? 83 ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_39 = { E8 ?? ?? ?? ?? 8B ?? 8B ?? 0F AF ?? 4? 99 F7 ?? 4? 03 ?? 81 F? ?? ?? ?? ?? 7C }
- $block_40 = { C6 ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? C1 ?? ?? 8D ?? ?? 83 ?? ?? 0F 82 }
- $block_41 = { 8D ?? ?? 5? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? FF D? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 }
- $block_42 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 8D ?? ?? 5? 5? FF D? 85 ?? 0F 85 }
- $block_43 = { 8D ?? ?? ?? 5? 5? 89 ?? ?? ?? FF D? 5? 8B ?? FF 1? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_44 = { E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 8D }
- $block_45 = { 85 ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? 0F 84 }
- $block_46 = { 0F B7 ?? ?? ?? ?? ?? ?? 66 ?? ?? 8D ?? ?? 81 E? ?? ?? ?? ?? 0F B7 ?? 79 }
- $block_47 = { 5? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? 33 ?? 8D ?? ?? ?? 0F AF ?? 85 ?? 76 }
- $block_48 = { 8D ?? ?? 5? 5? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 8B ?? 85 ?? 0F 84 }
- $block_49 = { 81 E? ?? ?? ?? ?? 5? 5? 33 ?? 5? 68 ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 85 }
- $block_50 = { 68 ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_51 = { 66 ?? ?? 66 ?? ?? 0F B7 ?? 0F B7 ?? 0F B7 ?? C1 ?? ?? 0B ?? 5? 5? C3 }
- $block_52 = { 5? 8B ?? C1 ?? ?? 89 ?? ?? 0F B6 ?? ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 79 }
- $block_53 = { DF ?? ?? ?? DF ?? ?? ?? D8 ?? DC ?? ?? ?? ?? ?? DF ?? F6 ?? ?? 0F 85 }
- $block_54 = { 8D ?? ?? 5? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? FF D? 83 ?? ?? 85 ?? 0F 85 }
- $block_55 = { 8B ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_56 = { 48 ?? ?? 0F BE ?? ?? ?? 83 ?? ?? 88 ?? ?? ?? FF C? 89 ?? ?? ?? EB }
- $block_57 = { BA ?? ?? ?? ?? D3 ?? 8B ?? ?? C1 ?? ?? 0F B7 ?? ?? 23 ?? 3B ?? 75 }
- $block_58 = { 8A ?? ?? 0F BE ?? 34 ?? 03 ?? 88 ?? ?? 0F BE ?? 03 ?? 4? 3B ?? 72 }
- $block_59 = { 5? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 8B ?? 3B ?? 0F 84 }
- $block_60 = { 8D ?? ?? 5? 8B ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_61 = { 8B ?? ?? ?? 83 ?? ?? C1 ?? ?? 8D ?? ?? 89 ?? ?? ?? 3B ?? 0F 86 }
- $block_62 = { 68 ?? ?? ?? ?? FF 3? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 3B ?? 0F 84 }
- $block_63 = { 83 ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_64 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 5? 6A ?? 5? FF D? 83 ?? ?? 0F 85 }
- $block_65 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 8E }
- $block_66 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_67 = { 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_68 = { 8B ?? ?? ?? 8D ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_69 = { 8B ?? ?? ?? 5? 5? 5? 8D ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_70 = { C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 88 ?? ?? ?? 3B ?? 0F 85 }
- $block_71 = { 8D ?? ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_72 = { 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 84 }
- $block_73 = { 8B ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_74 = { A1 ?? ?? ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 8E }
- $block_75 = { 8D ?? ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_76 = { C1 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 85 ?? 0F 86 }
- $block_77 = { 5? A1 ?? ?? ?? ?? 8B ?? ?? FF D? 39 ?? ?? ?? ?? ?? 0F 85 }
- $block_78 = { 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 5? 5? 5? 85 ?? 0F 84 }
- $block_79 = { 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_80 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_81 = { 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C9 C3 }
- $block_82 = { 4? C1 ?? ?? 8D ?? ?? ?? 0F B7 ?? 33 ?? 66 ?? ?? 0F 83 }
- $block_83 = { 8B ?? ?? 64 ?? ?? ?? ?? ?? ?? 5? 5? 5? 83 ?? ?? C9 C3 }
- $block_84 = { 2B ?? D1 ?? 8D ?? ?? 89 ?? ?? 0F B7 ?? ?? 89 ?? ?? E9 }
- $block_85 = { 5? 6A ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_86 = { 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? 3D ?? ?? ?? ?? 0F 86 }
- $block_87 = { 8B ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 39 ?? ?? ?? 0F 85 }
- $block_88 = { 8B ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 3B ?? ?? ?? 0F 82 }
- $block_89 = { 0F B7 ?? 66 ?? ?? ?? 66 ?? ?? 0F B7 ?? 66 ?? ?? 73 }
- $block_90 = { 0F B6 ?? 83 ?? ?? C1 ?? ?? 4? 0F AF ?? 4? 85 ?? 75 }
- $block_91 = { 83 ?? ?? 5? 8B ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_92 = { 8D ?? ?? ?? ?? ?? ?? 6A ?? 5? FF D? 85 ?? 0F 84 }
- $block_93 = { 6A ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_94 = { 8D ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_95 = { 4? 99 2B ?? D1 ?? 8D ?? ?? 81 E? ?? ?? ?? ?? 79 }
- $block_96 = { 4? 0F B7 ?? 0F B7 ?? C1 ?? ?? 33 ?? 85 ?? 0F 8E }
- $block_97 = { 8B ?? ?? ?? ?? ?? ?? 0F BF ?? 66 ?? ?? ?? ?? 77 }
- $block_98 = { 8B ?? 8B ?? 8B ?? ?? 0F B7 ?? ?? 66 ?? ?? ?? 74 }
- $block_99 = { 8B ?? ?? ?? D1 ?? 8D ?? ?? ?? 8B ?? 3B ?? 0F 83 }
-
- condition:
- hash.sha256(0, filesize) == "be44044d4bfeb43a6ba5608fe911be7d83bee4faf2b13a16d9690c8ac5f62aa3" or
- hash.sha256(0, filesize) == "bd865c5d092832d6b55484ec430440540d1bbb77c533fad21f10330b526aaca9" or
- hash.sha256(0, filesize) == "5e0165b3af7f5d4ef0c6fcb62e53e4e408ffb290967a65f042442c7d638ceef7" or
- hash.sha256(0, filesize) == "cfebcc3aa8217abaedcc856d7ec32d1d66398807819afd9902420f24959e27c6" or
- hash.sha256(0, filesize) == "a1b2016cb9f9d9a57e1ce3465bdfa5b4e01674c85499a10c1545ab9e90fd32d4" or
- hash.sha256(0, filesize) == "de8954dc69d3f3b5d1423479ef5f1054a9b0df9085b1926ca939a4d3d11c49ee" or
- hash.sha256(0, filesize) == "e42b9c5df92299e17581c52972516b24d2ccc872d780f6d9ecc3af2b0683631d" or
- hash.sha256(0, filesize) == "1fad246cb0a0a0cda8d77e8dd417a380d133229ffba6d38ed32edcc3718a39da" or
- hash.sha256(0, filesize) == "02e218f14ca02878ed75183e42d79948a6d8c99495a09d9b1897f6bb70b84087" or
- hash.sha256(0, filesize) == "37e8ae6d5fb27b003441d73a2dc995b5672d47a82ddb3d8751a31697f3d3fc9b" or
- hash.sha256(0, filesize) == "80013a27dc3a51dffe6427745a09403d9680561bfc28548401fefb35e99c211d" or
- hash.sha256(0, filesize) == "172072b2f5b2888fd3c9d3f28b1acb5f5bd57dc24ad8d2d1b62321b156b4cfdb" or
- hash.sha256(0, filesize) == "0e0045d2c4bfff4345d460957a543e2e7f1638de745644f6bf58555c1d287286" or
- hash.sha256(0, filesize) == "32395c102c5dbc7b881869c8d6c2bf949c02774acb4a785d41cb46ff878572e4" or
- hash.sha256(0, filesize) == "d585936aac6120718be1582a393c35157422a2e83ba9f60d6ac1e68a39fb2dc9" or
- hash.sha256(0, filesize) == "dd140d9bac962cdb91b00cb123f69e6b1fb55b94fb93591802fd45222357de86" or
- hash.sha256(0, filesize) == "208f0339fb6cd0c2a10bda7e42deb9938ab279f56db28a017d27269dfc0802a8" or
- hash.sha256(0, filesize) == "5a7f334d6580e95a692943a5c9d73e8ae2342927604ddc5839849c4f77804e39" or
- hash.sha256(0, filesize) == "06b0bfbd69a2e2ee50d7066fe0a5261c85c32494557b6df1383038583902a1db" or
- hash.sha256(0, filesize) == "a36a04fa6a23a6d6cc1be52e5f05c7f5802c5007bc9900e5c17f6d2c3e03afb8" or
- hash.sha256(0, filesize) == "fa249ee039e0b2d41d27b8f3590a87c1abc65487fe55dea791f804ae5636d884" or
- hash.sha256(0, filesize) == "a89f27758bb6e207477f92527b2174090012e2ac23dfc44cdf6effd539c15ada" or
- hash.sha256(0, filesize) == "43871bb12c446a589eedcd8faae94d60734f595f04e52fc754b89d407249af21" or
- hash.sha256(0, filesize) == "5ec8a86a0ab982d016153bd318602cfa2ee39c1f0a962c86168a5284afce169d" or
- hash.sha256(0, filesize) == "08d69145a78f99ab04154aa5e80e9bd28835dade0b95017d5033a0fa6391b1e1" or
- hash.sha256(0, filesize) == "dc68688aa61102f18b958346bcab167b22e307ecdf2bb05e05d5f19e8fc41f5b" or
- hash.sha256(0, filesize) == "0977898deb6e5ebd16b1db80ff904a4818fe7ba8039b7f23f0fe329ade03d65b" or
- hash.sha256(0, filesize) == "7759a16584847737c650b7051514c1aa58c957cbfaaa4bc609b288a87d55f2ce" or
- hash.sha256(0, filesize) == "7923ead3971a6e8dd4df5c87f22fd3edcb78c48714fa19d01e900eeb10ae13fd" or
- hash.sha256(0, filesize) == "a777049f779a7c42842568a681030305209b57cc93dc9604a48682df5e9429b6" or
- hash.sha256(0, filesize) == "2a625986f5761b59ee4967ea5255e895a6cdd64763696bc7d378c609228d70b6" or
- hash.sha256(0, filesize) == "bc90772a93b7a54645b3e3df205f59a98166df5245cbf86c4e3d417b15aa6bd3" or
- hash.sha256(0, filesize) == "39a8cf3f2916daea03f8b8600e202725101b338a67fc4a7d1b9c48ff5239293f" or
- hash.sha256(0, filesize) == "9c163c3f2bd5c5181147c6f4cf2571160197de98f496d16b38c7dc46b5dc1426" or
- hash.sha256(0, filesize) == "9751b5c3645f33677e31aafd4ff04a8e61d529a30d2f324a4ea73a519599f5e2" or
- hash.sha256(0, filesize) == "a7f9e42680cf6f46af48987384ea13aff9dd5df5835a9c214ee9697a63c3d8c9" or
- hash.sha256(0, filesize) == "d932551bb748cafb13a5825233e24c2b1ba0b17098dddfe569943e431c45efe4" or
- hash.sha256(0, filesize) == "60fd95d9b415ecd8d3e799f22b54e5fbd0117d22cf3fce172a65d05167715df8" or
- hash.sha256(0, filesize) == "90876ed03885118da45bad0c5acccc8c5ce6940d6e239fe0ad254a996e9b1e97" or
- hash.sha256(0, filesize) == "514b4db0717fb282f8071d55a75b387c053b6d183e2180f5f4e47c34b16d545d" or
- hash.sha256(0, filesize) == "e5c187392b8376352880470a5068eeeb1a00926a9f06a5100a5d8426509291c6" or
- hash.sha256(0, filesize) == "bb4ea71368dd7fed4f19cb64a51c9a21cf2e7e19111a2fccf161837a7ec97751" or
- hash.sha256(0, filesize) == "d002e2eaee5a47af4f779e5210fd35cc1cb339efd6e9cebb57b233a7e9e62005" or
- hash.sha256(0, filesize) == "300cb016ef9666bcc3672c2ee14a8516566a8c4982bdcac78501a9ad79e4e094" or
- hash.sha256(0, filesize) == "0cf936dd2adcd6bf575b85e51961d72bbbf8b3d3f2db9e8e378ded5ec60c2f55" or
- hash.sha256(0, filesize) == "87d4edd9d833a41b776bbbbb2ecde0513ae0aa3d228caf3c85d2298c9977e89f" or
- hash.sha256(0, filesize) == "9d3c846d37eff281e30954ed0b7b52030574367b793330ff7e2eeced52ea68b4" or
- hash.sha256(0, filesize) == "14f04ff36d4c571d2cc7e2fc0b31f9666d687c61d05d8646cf5e56b4240f5592" or
- hash.sha256(0, filesize) == "bca6e6aa3bc8092e4b85f22a223fd67e80c1bd80afc9aa3fd9192338c8d9b982" or
- hash.sha256(0, filesize) == "3a4a0c6585d160e42d40f3ba343af5d45469597d452ea311465029e115e470ae" or
- hash.sha256(0, filesize) == "22350671a2b605351839a3e22437de71d58efbfce24a1b562bedc7e6f3c0154c" or
- hash.sha256(0, filesize) == "b51aa5c5e8e783ef7a55f29205a989223f0ef8bfee47ab9274acf37e39f2834f" or
- hash.sha256(0, filesize) == "5d2a8d367ea383a8cc3d4389a1858bb645cef2a2217c65f7fcf9d3eecb0e8255" or
- hash.sha256(0, filesize) == "035e51a1575ecb21353166287530840b3c2c54c237acda4223f1c45e6b47d3b2" or
- hash.sha256(0, filesize) == "4bc2a21aba604dc22af1322a661d8929587f558ab3ffe3d6cb946cadfe7f6570" or
- hash.sha256(0, filesize) == "22b9f9bbddec318700f46ba778bb61f2bb07bd3560af98501b030ff7160db062" or
- hash.sha256(0, filesize) == "a1d26fc17409a30ca48337306317863e8c4064e36c060158885322bb71dc9069" or
- hash.sha256(0, filesize) == "e092a2ec64a264779ca8211483693789f4a1f14e42c2f65df15833583f964b81" or
- hash.sha256(0, filesize) == "9c9d5540cd2902e941f34887ea546d214120d92ab0bbc1e38bbcc8805a5589d8" or
- hash.sha256(0, filesize) == "193844bd22c37e2725927fa0bcddc199932f1dc3536b97da250b77ef68c66d63" or
- hash.sha256(0, filesize) == "50067ebcc2d2069b3613a20b81f9d61f2cd5be9c85533c4ea34edbefaeb8a15f" or
- hash.sha256(0, filesize) == "67a283a8ddd2ca7976e46010505a1c3ca699405bb9a77f7129c1ac8219995e5f" or
- 12 of them
-}
-
-rule KSL0TKeylogger {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 03 ?? 5? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 03 ?? 5? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8D ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 8B ?? 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 3B ?? 75 }
- $block_1 = { 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8D ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 8B ?? ?? ?? 30 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 8B ?? ?? ?? 30 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 2B ?? 8A ?? ?? ?? ?? ?? 8B ?? ?? ?? 30 ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? 0F 85 }
- $block_2 = { 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 03 ?? 5? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 03 ?? 5? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? E9 }
- $block_3 = { 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8D ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 8B ?? ?? ?? 30 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 2B ?? 8A ?? ?? ?? ?? ?? 8B ?? ?? ?? 30 ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? 0F 85 }
- $block_4 = { 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8D ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 2B ?? 8A ?? ?? ?? ?? ?? 8B ?? ?? ?? 30 ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? 0F 85 }
- $block_5 = { 0F B6 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? ?? ?? ?? 30 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? ?? ?? ?? 30 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? BF ?? ?? ?? ?? BB ?? ?? ?? ?? BD ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B ?? 2B ?? 83 ?? ?? 2B ?? 89 ?? ?? ?? C7 }
- $block_6 = { 5? FF 1? ?? ?? ?? ?? 5? 5? 6A ?? 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 5? 5? 8B ?? ?? 8B ?? 5? FF 1? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 5? 6A ?? 8B ?? 5? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 0F B7 ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? }
- $block_7 = { B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? 8D ?? ?? 03 ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? B8 ?? ?? ?? ?? 2B ?? 0F B6 ?? ?? 30 ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? 75 }
- $block_8 = { B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? 8D ?? ?? 03 ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? 75 }
- $block_9 = { 5? 8B ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? 5? 83 ?? ?? 5? 5? 5? A1 ?? ?? ?? ?? 31 ?? ?? 33 ?? 5? 8D ?? ?? 64 ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? 0F 85 }
-
- condition:
- hash.sha256(0, filesize) == "4f724e8ecf781fe1c160581d7b35d1eb951f7abf079e7ec8aa79783ec44e9d1a" or
- hash.sha256(0, filesize) == "13dcbab502b7a291c4e56396ea369729c57268c099c59fc76a1eb6eb9ed3f0b4" or
- hash.sha256(0, filesize) == "3b7060063814ff7dbdda98b30d35282a5686e0b965e79ee89b1d9d279b5c125a" or
- hash.sha256(0, filesize) == "740b27fc5552e5ac3c3655e9c598ed5711cfce442cc64e39af7dca8c468aad09" or
- hash.sha256(0, filesize) == "800fa6a256a1c026a905ccd650d818929e749bbae1129d309f40c7227449450c" or
- 10 of them
-}
-
-rule MosquitoInstaller {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 33 ?? ?? 89 ?? ?? 8B ?? ?? 0B ?? ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_1 = { 8B ?? ?? 0B ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 0F AF ?? ?? 3D ?? ?? ?? ?? 0F 84 }
- $block_2 = { 8B ?? ?? 0B ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 81 F? ?? ?? ?? ?? 0F 85 }
- $block_3 = { E8 ?? ?? ?? ?? 10 ?? 00 ?? ?? 6C 65 ?? 06 8B ?? 01 ?? 8B ?? 8B ?? ?? 3D ?? ?? ?? ?? 84 ?? ?? 75 }
- $block_4 = { 08 ?? ?? ?? ?? ?? F7 ?? 4? 4? FF C? FF 7? ?? 3A ?? 80 7? ?? ?? CC CC CC CC CC CC CC CC CC CC CC }
- $block_5 = { 8B ?? ?? 0B ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 0B ?? ?? 81 F? ?? ?? ?? ?? 0F 85 }
- $block_6 = { 5? 68 ?? ?? ?? ?? 10 ?? ?? 68 ?? ?? ?? ?? 4? 61 68 ?? ?? ?? ?? 8B ?? 5? 85 ?? 8C ?? ?? 00 ?? E9 }
- $block_7 = { 8B ?? ?? 03 ?? ?? BA ?? ?? ?? ?? 6B ?? ?? 0F B7 ?? ?? 8B ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 75 }
- $block_8 = { 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 23 ?? ?? 81 F? ?? ?? ?? ?? 0F 86 }
- $block_9 = { F1 C4 ?? ?? 85 ?? ?? ?? 00 ?? ?? 00 ?? ?? ?? ?? ?? 20 ?? FF 0? 4? 00 ?? ?? FF B? ?? ?? ?? ?? 72 }
- $block_10 = { 8B ?? ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 81 F? ?? ?? ?? ?? 0F 83 }
- $block_11 = { EC 07 80 8? ?? ?? ?? ?? ?? 5? 5? 5? 8B ?? ?? ?? ?? ?? CC FF 1? ?? ?? ?? ?? 24 ?? 8B ?? 5? 5? 79 }
- $block_12 = { EC 83 ?? ?? 83 ?? ?? 83 ?? ?? ?? 33 ?? 8B ?? ?? 5? 5? 8D ?? ?? ?? AB AB AB 8B ?? ?? 3B ?? ?? 72 }
- $block_13 = { 8B ?? 5? 8B ?? 83 ?? ?? 5? 5? 5? 33 ?? 89 ?? ?? 8B ?? 89 ?? ?? 8B ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_14 = { F8 10 ?? ?? ?? ?? ?? 63 ?? 00 ?? ?? ?? ?? ?? 8B ?? 4? 08 ?? E8 ?? ?? ?? ?? 10 ?? 5? 5? EC 5? 74 }
- $block_15 = { FF 5? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? FF 4? ?? 08 ?? 8D ?? ?? ?? 02 ?? 9D 4? 16 02 ?? E9 }
- $block_16 = { 69 ?? ?? ?? ?? ?? ?? 0F 74 ?? ?? 00 ?? ?? 4? 08 ?? ?? 89 ?? ?? 88 ?? ?? ?? ?? ?? 00 ?? ?? C9 74 }
- $block_17 = { 00 ?? ?? 5? 4? 24 ?? E8 ?? ?? ?? ?? 00 ?? ?? 0F 20 ?? 8D ?? ?? ?? ?? ?? 00 ?? ?? ?? 85 ?? 0F 85 }
- $block_18 = { 15 ?? ?? ?? ?? 00 ?? ?? 4? 6C 00 ?? E8 ?? ?? ?? ?? 00 ?? ?? 5? CE E8 ?? ?? ?? ?? CC 8B ?? ?? 79 }
- $block_19 = { 4? C0 ?? ?? ?? ?? C9 00 ?? ?? ?? ?? ?? 4? FC 07 8B ?? ?? 10 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 70 }
- $block_20 = { CC B8 ?? ?? ?? ?? FF 7? ?? ?? 9D 4? 5? FF F? 0F 10 ?? ?? ?? ?? ?? 5? FF 8? ?? ?? ?? ?? FF C? 74 }
- $block_21 = { 8B ?? 5? 8B ?? 83 ?? ?? 83 ?? ?? ?? 33 ?? 5? 5? 8D ?? ?? 89 ?? ?? AB AB AB 8B ?? ?? 85 ?? 75 }
- $block_22 = { 8B ?? ?? 23 ?? ?? 89 ?? ?? 8B ?? ?? 0B ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 3D ?? ?? ?? ?? 0F 84 }
- $block_23 = { 8B ?? 04 ?? 00 ?? 6F 62 ?? ?? 68 ?? ?? ?? ?? 3F 4? 29 ?? 68 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 72 }
- $block_24 = { 8B ?? ?? 0B ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 3D ?? ?? ?? ?? 0F 83 }
- $block_25 = { 89 ?? 61 F6 ?? ?? 6A ?? 00 ?? ?? FF 8? ?? ?? ?? ?? 3C ?? 00 ?? 8D ?? ?? ?? ?? ?? 00 ?? ?? 74 }
- $block_26 = { 63 ?? ?? 89 ?? ?? ?? ?? ?? FF 8? ?? ?? ?? ?? 8B ?? 0E 00 ?? ?? ?? ?? ?? 15 ?? ?? ?? ?? 0F 85 }
- $block_27 = { EC 83 ?? ?? ?? 15 ?? ?? ?? ?? 8B ?? 24 ?? 00 ?? ?? ?? FF 5? ?? 14 ?? C9 FF C? FF 5? ?? 4? EF }
- $block_28 = { 8D ?? ?? ?? ?? ?? 8B ?? ?? 5? FF 0? 65 ?? ?? 6A ?? 83 ?? ?? ?? 33 ?? 16 02 ?? ?? ?? ?? ?? 14 }
- $block_29 = { 00 ?? ?? B8 ?? ?? ?? ?? 5? FF 0? 00 ?? ?? ?? ?? ?? FC C0 ?? ?? ?? 00 ?? 00 ?? ?? 00 ?? 5? 72 }
- $block_30 = { FF 9? ?? ?? ?? ?? FF 0? 8D ?? ?? A1 ?? ?? ?? ?? 5? 8B ?? CC CC 13 ?? ?? 8B ?? ?? 00 ?? ?? 75 }
- $block_31 = { 3C ?? 65 ?? ?? ?? ?? ?? ?? 5? 8B ?? ?? 85 ?? 0F 33 F6 ?? ?? EC 83 ?? ?? 8B ?? ?? 8B ?? ?? 72 }
- $block_32 = { 8B ?? 8B ?? 8B ?? 5? E8 ?? ?? ?? ?? 01 ?? 8D ?? ?? 08 ?? ?? FC 8B ?? ?? 89 ?? ?? ?? ?? ?? 89 }
- $block_33 = { 4? FC 85 ?? C7 ?? ?? ?? ?? ?? ?? 0F 67 ?? 6C 00 ?? 6B ?? ?? ?? 24 ?? 0C ?? 02 ?? ?? 5? FF 5? }
- $block_34 = { 64 ?? ?? 8B ?? ?? ?? ?? ?? 5? 00 ?? ?? E8 ?? ?? ?? ?? 5? FF 0? 00 ?? ?? 4? F8 83 ?? ?? FF 2? }
- $block_35 = { 00 ?? 68 ?? ?? ?? ?? 30 ?? 63 ?? 69 ?? ?? ?? ?? ?? ?? 6E 8B ?? 69 ?? ?? ?? ?? ?? 00 ?? 74 }
- $block_36 = { 61 9? 10 ?? 00 ?? 29 ?? ?? 4? 6F EC 8B ?? ?? EC 8B ?? 9? 00 ?? ?? 24 ?? E8 ?? ?? ?? ?? 70 }
- $block_37 = { E8 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 00 ?? ?? FC 33 ?? 33 ?? 3F 4? 10 ?? ?? 5? F3 ?? ?? 5? 73 }
- $block_38 = { 68 ?? ?? ?? ?? 24 ?? 4? FC F4 05 ?? ?? ?? ?? 29 ?? 61 63 ?? 04 ?? 69 ?? ?? ?? ?? ?? ?? 5? }
- $block_39 = { 0E 00 ?? ?? 01 ?? 89 ?? ?? 8D ?? ?? 89 ?? ?? ?? ?? ?? 00 ?? ?? F8 63 ?? 5? 5? 00 ?? ?? 74 }
- $block_40 = { CC CC CC CC CC CC CC CC CC CC CC CC 8B ?? 5? 8B ?? 5? 5? 8B ?? 33 ?? 5? 8B ?? 85 ?? 0F 84 }
- $block_41 = { 30 ?? 8D ?? ?? 00 ?? 5? 5? 8D ?? ?? ?? ?? ?? CC B8 ?? ?? ?? ?? FF 0? 00 ?? ?? ?? ?? ?? 75 }
- $block_42 = { 5? 5? F6 ?? ?? 00 ?? D6 8B ?? 85 ?? 4? 24 ?? 65 ?? ?? ?? ?? 02 ?? 8B ?? ?? 85 ?? 8B ?? 75 }
- $block_43 = { F6 ?? ?? 4? FF 0? 61 FF 1? ?? ?? ?? ?? 07 8B ?? ?? ?? ?? ?? 5? 0E 00 ?? 83 ?? ?? 14 ?? 79 }
- $block_44 = { FF C? F4 05 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 5? 5? 4? 4? 69 ?? ?? ?? ?? ?? ?? CC 63 ?? 74 }
- $block_45 = { 03 ?? ?? ?? ?? ?? E4 ?? 4? FC E8 ?? ?? ?? ?? 8B ?? 5? 89 ?? ?? C6 ?? ?? ?? 85 ?? 74 }
- $block_46 = { EC 00 ?? 8D ?? ?? 24 ?? 00 ?? ?? 6E 61 2E ?? BC ?? ?? ?? ?? 04 ?? 24 ?? 2F 13 ?? 74 }
- $block_47 = { 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 01 ?? 13 ?? ?? 3D ?? ?? ?? ?? 24 ?? 8B ?? 61 74 }
- $block_48 = { 6C 65 ?? 8B ?? FF 5? ?? 00 ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? F4 24 ?? FF 0? 20 ?? ?? 74 }
- $block_49 = { 0C ?? 0E F0 ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 8B ?? ?? 6A ?? 83 ?? ?? 5? 3B ?? 76 }
- $block_50 = { 00 ?? ?? 1C ?? 8B ?? ?? 00 ?? ?? B8 ?? ?? ?? ?? FF 5? ?? 8B ?? ?? EC 8B ?? ?? 70 }
- $block_51 = { 01 ?? ?? ?? 6F 02 ?? FB FF 7? ?? 00 ?? 8B ?? 00 ?? ?? 00 ?? ?? ?? 5? 00 ?? ?? 72 }
- $block_52 = { FB FF 5? ?? C6 ?? ?? ?? FF 7? ?? 00 ?? ?? 00 ?? ?? 6F 61 69 ?? ?? ?? ?? ?? ?? 70 }
- $block_53 = { 8B ?? ?? 8D ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? A5 C7 ?? ?? ?? ?? ?? ?? A5 A5 A5 }
- $block_54 = { FB FF 6? ?? ?? 24 ?? 68 ?? ?? ?? ?? 64 ?? ?? 6E 8D ?? ?? ?? ?? ?? 13 ?? ?? 74 }
- $block_55 = { 6E 64 ?? ?? ?? E8 ?? ?? ?? ?? 13 ?? ?? 10 ?? ?? ?? 6D 6D 00 ?? ?? ?? ?? ?? 74 }
- $block_56 = { 8B ?? 6F 6E 5? FF 5? ?? 05 ?? ?? ?? ?? 20 ?? E8 ?? ?? ?? ?? FF 6? ?? 8B ?? 10 }
- $block_57 = { F6 ?? 6A ?? 24 ?? 8B ?? ?? 85 ?? A5 A5 9? 10 ?? 3A ?? ?? 33 ?? 00 ?? 5? 5? 6D }
- $block_58 = { 00 ?? 4? 4? 61 08 ?? 00 ?? F6 ?? ?? ?? 08 ?? 9? 10 ?? 00 ?? ?? ?? ?? ?? E9 }
- $block_59 = { 00 ?? 00 ?? ?? 00 ?? ?? 02 ?? C8 ?? ?? ?? BC ?? ?? ?? ?? 04 ?? 6C 63 ?? 74 }
- $block_60 = { 29 ?? 00 ?? 00 ?? ?? ?? ?? ?? 84 ?? ?? 6C 8B ?? 04 ?? 00 ?? ?? 85 ?? FF 6? }
- $block_61 = { 4? 4? 10 ?? ?? 1C ?? 05 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? FB 2E ?? 61 74 }
- $block_62 = { 8D ?? ?? ?? ?? ?? ?? FC 13 ?? ?? 5? F4 05 ?? ?? ?? ?? C0 ?? ?? ?? ?? 75 }
- $block_63 = { 5? 3A ?? 5? 8B ?? EC 8B ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 65 ?? ?? ?? 00 }
- $block_64 = { 00 ?? 00 ?? 65 ?? ?? 00 ?? ?? 00 ?? FF 6? ?? 63 ?? 6A ?? 3A ?? CC 6F 70 }
- $block_65 = { 8B ?? 0C ?? 6F 6D 00 ?? ?? 8B ?? 01 ?? 01 ?? 4? 4? 00 ?? ?? ?? ?? ?? 70 }
- $block_66 = { 2F 4? 65 ?? ?? ?? ?? ?? ?? 5? 3A ?? ?? 64 ?? 5? 5? BC ?? ?? ?? ?? 6F 63 }
- $block_67 = { 8B ?? ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 81 F? ?? ?? ?? ?? 0F 86 }
- $block_68 = { 8B ?? ?? 6A ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_69 = { 04 ?? 4? 04 ?? 4? 04 ?? 5? 04 ?? 05 ?? ?? ?? ?? 0E 8B ?? ?? 3B ?? 75 }
- $block_70 = { 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 81 F? ?? ?? ?? ?? 0F 83 }
- $block_71 = { 6D 6D 00 ?? ?? 00 ?? ?? ?? ?? ?? 00 ?? ?? ?? 20 ?? 20 ?? ?? 0C ?? 74 }
- $block_72 = { 02 ?? 2F 62 ?? ?? 10 ?? 8B ?? 20 ?? 2E ?? ?? 85 ?? 6F 6E 0C ?? 6D }
- $block_73 = { 4? 61 10 ?? 08 ?? 4? 61 00 ?? ?? ?? 5? 24 ?? 5? 00 ?? 00 ?? ?? 20 }
- $block_74 = { 8B ?? ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 0B ?? ?? 3D ?? ?? ?? ?? 0F 84 }
- $block_75 = { CC 00 ?? ?? ?? ?? ?? 10 ?? ?? ?? ?? ?? 06 8B ?? ?? ?? ?? ?? 61 74 }
- $block_76 = { FD FF 0? C6 ?? ?? 3F 4? 00 ?? ?? 15 ?? ?? ?? ?? 5? 61 63 ?? ?? 70 }
- $block_77 = { 8B ?? ?? 33 ?? 6B ?? ?? 03 ?? 8B ?? AB AB AB AB AB 5? 85 ?? 74 }
- $block_78 = { 8B ?? ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_79 = { A5 6C 65 ?? ?? 00 ?? ?? 4? 69 ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? 84 }
- $block_80 = { 24 ?? 69 ?? ?? ?? ?? ?? 8B ?? ?? 00 ?? ?? 00 ?? ?? A5 A5 61 72 }
- $block_81 = { 6A ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_82 = { 5? 8B ?? ?? ?? FF 5? ?? 61 69 ?? ?? ?? ?? ?? ?? ?? ?? ?? 2F }
- $block_83 = { F7 ?? ?? ?? ?? ?? 6A ?? 4? 06 8B ?? ?? ?? ?? ?? 01 ?? ?? C2 }
- $block_84 = { 24 ?? 08 ?? ?? ?? ?? ?? 01 ?? 2F 00 ?? 6A ?? 6C CC 8B ?? 8D }
- $block_85 = { 10 ?? ?? 00 ?? 4? 00 ?? 8D ?? 2F 5? 61 63 ?? 08 ?? ?? FF 6? }
- $block_86 = { 8B ?? ?? 8D ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? A5 A5 A5 A5 33 }
- $block_87 = { FC E8 ?? ?? ?? ?? 8B ?? 5? 89 ?? ?? C6 ?? ?? ?? 85 ?? 74 }
- $block_88 = { FF C? 3D ?? ?? ?? ?? 6D 08 ?? ?? ?? ?? ?? 29 ?? 33 ?? 70 }
- $block_89 = { 8B ?? 5? 8B ?? 5? 5? 8B ?? 33 ?? 5? 8B ?? 85 ?? 0F 84 }
- $block_90 = { 69 ?? ?? ?? ?? ?? ?? 5? 0C ?? 65 ?? ?? 2E ?? ?? 6F 72 }
- $block_91 = { 8B ?? ?? 0F AF ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? EB }
- $block_92 = { 00 ?? 3D ?? ?? ?? ?? 4? 1C ?? 00 ?? 4? 08 ?? ?? 06 70 }
- $block_93 = { FF 8? ?? ?? ?? ?? 00 ?? ?? 08 ?? ?? 5? 5? F7 ?? 6F 72 }
- $block_94 = { 00 ?? ?? ?? ?? ?? 00 ?? ?? 61 10 ?? 5? 4? 3A ?? 06 8B }
- $block_95 = { 8B ?? ?? 5? 5? 5? 8B ?? FF 5? ?? 8B ?? 85 ?? 0F 88 }
- $block_96 = { 0F B7 ?? ?? 0F B7 ?? ?? 66 ?? ?? 0F 92 ?? 84 ?? 75 }
- $block_97 = { CC CC CC 8B ?? 5? 8B ?? 83 ?? ?? 8B ?? ?? 5? 5? 75 }
- $block_98 = { 6D 62 ?? ?? 5? 24 ?? 6C 00 ?? 61 6E 8B ?? ?? 72 }
- $block_99 = { 69 ?? ?? ?? ?? ?? F7 ?? FF 1? ?? 08 ?? ?? CC 72 }
-
- condition:
- hash.sha256(0, filesize) == "b362b235539b762734a1833c7e6c366c1b46474f05dc17b3a631b3bff95a5eec" or
- hash.sha256(0, filesize) == "2e6dba522e5ca03c5ca5bc60ecec212177482898c7ec81a0871b19a67cf124e8" or
- hash.sha256(0, filesize) == "f667680df596631fba58754c16c3041fae12ed6bf25d6068e6981ee68a6c9d0a" or
- hash.sha256(0, filesize) == "fc9961e78890f044c5fc769f74d8440fcecf71e0f72b4d33ce470e920a4a24c3" or
- hash.sha256(0, filesize) == "2a61b4d0a7c5d7dc13f4f1dd5e0e3117036a86638dbafaec6ae96da507fb7624" or
- hash.sha256(0, filesize) == "ecfa113838c5542f6db62dbe8b27d4ff099afe711048ccf76924799044dd4ab6" or
- hash.sha256(0, filesize) == "5e0dd729c21cd507bdb2a40954917685628f83171280bd34120cfe20c51ce4bf" or
- hash.sha256(0, filesize) == "b295032919143f5b6b3c87ad22bcf8b55ecc9244aa9f6f88fc28f36f5aa2925e" or
- 12 of them
-}
-
-rule CarbonOrchestrator_v3_77_ {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 }
- $block_1 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 8B ?? 48 ?? ?? ?? ?? 8B ?? ?? 2B ?? 8B ?? 89 ?? ?? ?? EB }
- $block_2 = { 4C ?? ?? ?? ?? 88 ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 85 ?? 74 }
- $block_3 = { C7 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B6 ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 3D ?? ?? ?? ?? 0F 85 }
- $block_4 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 }
- $block_5 = { 0F B7 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 48 ?? ?? ?? ?? 66 ?? ?? ?? EB }
- $block_6 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 33 ?? B9 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? EB }
- $block_7 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
- $block_8 = { 4C ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_9 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 84 }
- $block_10 = { 0F BE ?? ?? ?? BA ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 83 ?? ?? 7C }
- $block_11 = { 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 3D ?? ?? ?? ?? 75 }
- $block_12 = { 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
- $block_13 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 88 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 75 }
- $block_14 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B6 ?? ?? 88 ?? ?? ?? 8B ?? ?? ?? FF C? 89 ?? ?? ?? C7 }
- $block_15 = { 8B ?? ?? ?? 44 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_16 = { 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 }
- $block_17 = { 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 85 ?? 74 }
- $block_18 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F BE ?? ?? ?? 83 ?? ?? 74 }
- $block_19 = { 48 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 }
- $block_20 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 33 ?? B9 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? 73 }
- $block_21 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_22 = { 0F BF ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? ?? EB }
- $block_23 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 }
- $block_24 = { 0F BF ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? ?? E9 }
- $block_25 = { 33 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 }
- $block_26 = { FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 81 B? ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_27 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_28 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 85 }
- $block_29 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 }
- $block_30 = { 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 83 ?? ?? 75 }
- $block_31 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? 0F 85 }
- $block_32 = { B2 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_33 = { 0F BE ?? ?? ?? 8B ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 74 }
- $block_34 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 39 ?? ?? 0F 85 }
- $block_35 = { 48 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B7 ?? ?? 85 ?? 74 }
- $block_36 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_37 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 66 ?? ?? ?? ?? EB }
- $block_38 = { 0F B6 ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? 8B ?? 0F B6 ?? ?? ?? 03 ?? 8B ?? 88 }
- $block_39 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 2B ?? 3B ?? ?? ?? 0F 87 }
- $block_40 = { 8B ?? ?? ?? ?? ?? ?? FF C? 48 ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 75 }
- $block_41 = { 48 ?? ?? ?? ?? 8B ?? ?? 99 83 ?? ?? 03 ?? C1 ?? ?? 39 ?? ?? ?? 7E }
- $block_42 = { 0F BE ?? ?? ?? 8B ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 74 }
- $block_43 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 2B ?? 8B ?? 3D ?? ?? ?? ?? 0F 8C }
- $block_44 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 8B ?? ?? ?? 39 ?? ?? ?? 77 }
- $block_45 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_46 = { 8B ?? ?? ?? FF C? 89 ?? ?? ?? 0F B7 ?? ?? ?? 39 ?? ?? ?? 0F 83 }
- $block_47 = { B2 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
- $block_48 = { 48 ?? ?? ?? ?? 0F B6 ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 83 ?? ?? 75 }
- $block_49 = { 0F B6 ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 85 ?? 0F 84 }
- $block_50 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_51 = { 48 ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 83 }
- $block_52 = { 8B ?? ?? ?? FF C? 48 ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 75 }
- $block_53 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F 84 }
- $block_54 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? 75 }
- $block_55 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 2B ?? 8B ?? 85 ?? 0F 85 }
- $block_56 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 75 }
- $block_57 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 7F }
- $block_58 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 48 ?? ?? 0F 85 }
- $block_59 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 7D }
- $block_60 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 2B ?? 8B ?? 85 ?? 0F 8E }
- $block_61 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 85 }
- $block_62 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 86 }
- $block_63 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 3D ?? ?? ?? ?? 74 }
- $block_64 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_65 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? ?? 39 ?? ?? 0F 83 }
- $block_66 = { B2 ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
- $block_67 = { 8B ?? ?? ?? 8B ?? ?? ?? FF C? 89 ?? ?? ?? 85 ?? 0F 84 }
- $block_68 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 3D ?? ?? ?? ?? 75 }
- $block_69 = { 33 ?? 8B ?? ?? ?? F7 ?? ?? ?? FF C? 0F AF ?? ?? ?? 89 }
- $block_70 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? ?? 0F B7 ?? ?? 3B ?? 7D }
- $block_71 = { 8B ?? ?? ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 0F 85 }
- $block_72 = { 48 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_73 = { 48 ?? ?? ?? ?? 48 ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_74 = { 0F B7 ?? ?? ?? ?? ?? ?? 25 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_75 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 39 ?? ?? ?? 0F 85 }
- $block_76 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_77 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 }
- $block_78 = { 8B ?? ?? ?? ?? ?? ?? 0F BE ?? ?? ?? 83 ?? ?? 74 }
- $block_79 = { 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 83 }
- $block_80 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 83 ?? ?? 75 }
- $block_81 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 }
- $block_82 = { 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 8D }
- $block_83 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 0F 85 }
- $block_84 = { B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 }
-
- condition:
- hash.sha256(0, filesize) == "af0e455f640b621c50d5c11efc3c8649691a9a661fa1bcf658aae48c007ff3c4" or
- 24 of them
-}
-
-rule MosquitoBackdoor {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? 0B ?? ?? 89 ?? ?? 8B ?? ?? 23 ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_1 = { 5? FF F? 02 ?? 89 ?? ?? ?? ?? ?? 04 ?? 6E 00 ?? ?? 10 ?? ?? ?? ?? ?? 05 ?? ?? ?? ?? 02 ?? CC 8B }
- $block_2 = { 8B ?? ?? 33 ?? 6A ?? 4? 5? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? ?? 8B ?? 5? 72 }
- $block_3 = { F4 64 ?? 00 ?? ?? 00 ?? ?? 8B ?? ?? EC 83 ?? ?? 08 ?? ?? ?? 5? 68 ?? ?? ?? ?? 6E 83 ?? ?? 72 }
- $block_4 = { 08 ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 5? 0C ?? CC 8B ?? 68 ?? ?? ?? ?? 8B ?? 10 ?? 00 ?? ?? 73 }
- $block_5 = { 5? 05 ?? ?? ?? ?? 00 ?? 6D CC 8B ?? ?? ?? ?? ?? 8B ?? 8D ?? ?? ?? ?? ?? FF 1? 83 ?? ?? 4? 73 }
- $block_6 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? CC 5? 8B ?? 5? 5? 5? 8B ?? ?? 5? 8B ?? 5? 8B ?? ?? 3B ?? 0F 82 }
- $block_7 = { E8 ?? ?? ?? ?? 5? FF 7? ?? 8B ?? 8B ?? 68 ?? ?? ?? ?? FF 5? ?? 8B ?? ?? 2B ?? 83 ?? ?? 0F 82 }
- $block_8 = { FF 7? ?? ?? 39 ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 5? 0F 43 ?? ?? ?? 6A ?? 5? 5? FF 7? ?? ?? FF 1? }
- $block_9 = { 89 ?? FF 7? ?? ?? 68 ?? ?? ?? ?? 4? FC 30 ?? FF 8? ?? ?? ?? ?? 5? 5? 15 ?? ?? ?? ?? 5? 74 }
- $block_10 = { 00 ?? CC 00 ?? ?? EC 8B ?? ?? 5? 00 ?? 8B ?? 85 ?? 00 ?? 63 ?? 5? A1 ?? ?? ?? ?? 01 ?? 70 }
- $block_11 = { EC 8B ?? ?? A3 ?? ?? ?? ?? 5? 8B ?? ?? 00 ?? ?? 00 ?? ?? ?? 31 ?? 68 ?? ?? ?? ?? 04 ?? 75 }
- $block_12 = { C6 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? 8D ?? ?? ?? 0F 43 ?? ?? ?? 5? 5? E9 }
- $block_13 = { 6A ?? 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF 7? ?? ?? FF D? 85 ?? 0F 85 }
- $block_14 = { 83 ?? ?? ?? ?? 5? 0F 43 ?? ?? ?? 5? 6A ?? 6A ?? 5? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 74 }
- $block_15 = { 00 ?? ?? 0F C1 ?? 00 ?? 32 ?? ?? 4? 04 ?? FC 00 ?? ?? 10 ?? ?? 00 ?? ?? ?? 89 ?? ?? 9? }
- $block_16 = { 8B ?? 5? FF 7? ?? 8B ?? FF 5? ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 3B ?? ?? 0F 85 }
- $block_17 = { 5? 89 ?? ?? ?? ?? ?? 05 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? FF 6? ?? EC 6E 00 ?? ?? 74 }
- $block_18 = { 83 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_19 = { 8D ?? ?? ?? ?? ?? 5? 5? 8B ?? ?? ?? ?? ?? 6A ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_20 = { EC 83 ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 80 7? ?? ?? 5? B1 ?? 5? 8B ?? 88 ?? ?? 75 }
- $block_21 = { 8B ?? ?? ?? ?? ?? 8B ?? 83 ?? ?? ?? ?? ?? ?? 0F 43 ?? ?? ?? ?? ?? 8B ?? 5? FF 5? }
- $block_22 = { CC 8B ?? ?? ?? 00 ?? ?? 85 ?? 4? 4? 8B ?? 8D ?? ?? 15 ?? ?? ?? ?? 8B ?? ?? 74 }
- $block_23 = { 6A ?? 5? 6A ?? 5? 8D ?? ?? 5? FF B? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_24 = { 2B ?? 33 ?? D1 ?? 8D ?? ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 5? 89 }
- $block_25 = { 6A ?? E8 ?? ?? ?? ?? 8B ?? 5? 89 ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_26 = { 8B ?? ?? 0F AF ?? ?? 89 ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 8B ?? ?? 89 }
- $block_27 = { 8B ?? 2B ?? 5? 8B ?? ?? 3B ?? 0F 42 ?? 83 ?? ?? 2B ?? ?? 2B ?? 3B ?? 0F 86 }
- $block_28 = { 4? 04 ?? 9? 00 ?? 3F 24 ?? 00 ?? 61 64 ?? ?? 01 ?? ?? 00 ?? ?? ?? 4? 73 }
- $block_29 = { 6A ?? 5? 8D ?? ?? ?? 5? 8D ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 }
- $block_30 = { E8 ?? ?? ?? ?? CC 5? 8B ?? 5? 8B ?? 5? 5? 8B ?? ?? 3D ?? ?? ?? ?? 0F 83 }
- $block_31 = { 4? 68 ?? ?? ?? ?? 89 ?? ?? F4 64 ?? ?? ?? 00 ?? 20 ?? CC 85 ?? FF 1? }
- $block_32 = { 8B ?? CC 5? 5? A3 ?? ?? ?? ?? 89 ?? 00 ?? ?? ?? ?? ?? 4? 3F 24 ?? 75 }
- $block_33 = { 84 ?? ?? 00 ?? 10 ?? 00 ?? 01 ?? 33 ?? 06 03 ?? ?? ?? ?? ?? 4? 6F }
- $block_34 = { 8B ?? 64 ?? ?? ?? ?? ?? 00 ?? ?? ?? 00 ?? CC 8B ?? 8B ?? 8B ?? 75 }
- $block_35 = { E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? 8D ?? ?? ?? 0F 43 ?? ?? ?? 5? FF 7? }
- $block_36 = { 83 ?? ?? ?? ?? 0F 43 ?? ?? ?? 5? FF 7? ?? ?? FF 1? ?? ?? ?? ?? EB }
- $block_37 = { 8B ?? ?? 23 ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_38 = { 4? C4 ?? ?? C0 ?? ?? ?? ?? ?? ?? 31 ?? 0C ?? 4? CC CC CC CC CC }
- $block_39 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? FF 4? ?? 0F 85 }
- $block_40 = { EC 5? 8D ?? ?? 89 ?? ?? ?? ?? ?? F4 64 ?? 00 ?? C1 ?? ?? 75 }
- $block_41 = { 63 ?? 00 ?? 4? FC 8B ?? 08 ?? ?? ?? ?? ?? 6A ?? 00 ?? 5? }
- $block_42 = { 8B ?? ?? ?? 89 ?? ?? D2 ?? ?? ?? ?? ?? 00 ?? 6C 0F 84 }
- $block_43 = { 8D ?? ?? 16 00 ?? ?? F4 89 ?? ?? 4? 8B ?? ?? 00 ?? 72 }
- $block_44 = { EC 1D ?? ?? ?? ?? 00 ?? 8B ?? ?? ?? ?? ?? D0 ?? ?? 8B }
- $block_45 = { 5? 8B ?? 5? 8B ?? 5? 5? 8B ?? ?? 3D ?? ?? ?? ?? 0F 83 }
- $block_46 = { 00 ?? ?? 83 ?? ?? 89 ?? CC CE FF 6? ?? 00 ?? ?? 5? }
- $block_47 = { 8B ?? ?? CE C5 ?? ?? 4? 10 ?? ?? ?? 00 ?? ?? 5? 6E }
- $block_48 = { 4? 61 00 ?? ?? C7 ?? ?? ?? ?? ?? ?? C9 02 ?? 4? }
- $block_49 = { 89 ?? ?? 64 ?? 0C ?? CE 64 ?? ?? 0F 40 ?? ?? CF }
- $block_50 = { 8B ?? ?? 10 ?? C1 ?? ?? 4? 30 ?? 00 ?? 4? FC 74 }
- $block_51 = { FF B? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_52 = { 8B ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "b79cdf929d4a340bdd5f29b3aeccd3c65e39540d4529b64e50ebeacd9cdee5e9" or
- hash.sha256(0, filesize) == "e7fd14ca45818044690ca67f201cc8cfb916ccc941a105927fc4c932c72b425d" or
- 12 of them
-}
-
-rule Uroburos {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { FF 7? ?? 8B ?? 69 ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? 03 ?? 8D ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 85 ?? 75 }
- $block_1 = { 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 0F B6 ?? ?? 2B ?? 8B ?? ?? 88 ?? ?? 8B ?? ?? C6 ?? ?? ?? 33 ?? 75 }
- $block_2 = { 8B ?? ?? ?? ?? ?? ?? 33 ?? 39 ?? ?? ?? ?? ?? 5? 5? 0F 94 ?? 5? 33 ?? E8 ?? ?? ?? ?? 8B ?? 5? C3 }
- $block_3 = { 8B ?? ?? 33 ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? 0F 85 }
- $block_4 = { 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? ?? ?? ?? ?? 5? 8B ?? 85 ?? 89 ?? ?? ?? 0F 84 }
- $block_5 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? FF 1? ?? ?? ?? ?? 0F BE ?? 83 ?? ?? 75 }
- $block_6 = { 0F B6 ?? ?? C1 ?? ?? 05 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? EB }
- $block_7 = { 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? C1 ?? ?? 81 C? ?? ?? ?? ?? 8B ?? ?? 89 }
- $block_8 = { 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 0F 85 }
- $block_9 = { 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? F7 ?? 1B ?? 83 ?? ?? 83 ?? ?? 8B ?? ?? 88 ?? ?? ?? ?? ?? E9 }
- $block_10 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? 83 ?? ?? 75 }
- $block_11 = { 8D ?? ?? 5? 68 ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_12 = { D9 ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? DB ?? ?? ?? D9 ?? D8 ?? D8 ?? DF ?? F6 ?? ?? 0F 8B }
- $block_13 = { 8B ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF D? 85 ?? 0F 84 }
- $block_14 = { 8B ?? ?? 6B ?? ?? 8B ?? ?? 8B ?? ?? ?? 8B ?? ?? 8D ?? ?? 89 ?? ?? 0F B6 ?? ?? 85 ?? 0F 84 }
- $block_15 = { 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 0F B6 ?? ?? 85 ?? 75 }
- $block_16 = { 8B ?? ?? 0F B7 ?? 5? 8B ?? ?? 5? 8B ?? ?? 81 C? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 }
- $block_17 = { 0F B6 ?? ?? F7 ?? 1B ?? 83 ?? ?? 88 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 0F 84 }
- $block_18 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? 83 ?? ?? 75 }
- $block_19 = { 8B ?? ?? ?? ?? ?? 69 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 85 ?? 75 }
- $block_20 = { 8D ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 88 ?? ?? 0F B6 ?? ?? 83 ?? ?? 0F 85 }
- $block_21 = { 0F B7 ?? ?? 83 ?? ?? 66 ?? ?? ?? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 75 }
- $block_22 = { 8B ?? 8B ?? 8B ?? 8B ?? ?? ?? 89 ?? ?? ?? 8B ?? 8B ?? 8B ?? 33 ?? 85 ?? 0F 94 ?? 89 }
- $block_23 = { 8B ?? ?? ?? C1 ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 39 ?? ?? ?? 89 ?? ?? ?? 0F 8E }
- $block_24 = { 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 83 ?? ?? 75 }
- $block_25 = { 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 8D ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 7C }
- $block_26 = { 8A ?? ?? 5? 8B ?? ?? 0F B6 ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? EB }
- $block_27 = { 0F B6 ?? ?? F7 ?? 1B ?? 83 ?? ?? 88 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 74 }
- $block_28 = { 8B ?? ?? 0F AF ?? ?? 8B ?? ?? 8D ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? EB }
- $block_29 = { 6A ?? 6A ?? 6A ?? 6A ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 85 }
- $block_30 = { 5? 8B ?? 83 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 87 }
- $block_31 = { 8B ?? ?? ?? 5? 5? 8B ?? ?? ?? 5? 8B ?? ?? ?? 8B ?? 5? C1 ?? ?? 0F B7 ?? 2B ?? C7 }
- $block_32 = { 8B ?? ?? 69 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 3B ?? ?? ?? ?? ?? ?? 0F 83 }
- $block_33 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_34 = { 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 85 }
- $block_35 = { 8B ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? 0F B7 ?? ?? 81 F? ?? ?? ?? ?? 75 }
- $block_36 = { 8B ?? ?? ?? 8B ?? 0B ?? 89 ?? ?? ?? 5? 23 ?? 5? 33 ?? 85 ?? 5? 0F 95 ?? 5? C3 }
- $block_37 = { 83 ?? ?? 5? 8B ?? ?? ?? 5? 8B ?? 83 ?? ?? 5? 8D ?? ?? ?? 5? 89 ?? ?? ?? 0F 8D }
- $block_38 = { 83 ?? ?? ?? 83 ?? ?? D1 ?? 0F B7 ?? 0F B7 ?? 85 ?? 8D ?? ?? ?? 89 ?? ?? 76 }
- $block_39 = { 2B ?? ?? 8B ?? ?? 89 ?? ?? 33 ?? 85 ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? 0F 86 }
- $block_40 = { 0F B7 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 2B ?? 39 ?? ?? 73 }
- $block_41 = { 6A ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? 5? FF 1? ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 74 }
- $block_42 = { 8B ?? ?? 0F B6 ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? 7C }
- $block_43 = { 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? 33 ?? 83 ?? ?? 0F 95 ?? 83 ?? ?? 8B ?? EB }
- $block_44 = { 8B ?? ?? 0F B6 ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 77 }
- $block_45 = { 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 1B ?? 83 ?? ?? 83 ?? ?? EB }
- $block_46 = { 8B ?? ?? C7 ?? ?? ?? ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_47 = { 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? F7 ?? 1B ?? 83 ?? ?? 83 ?? ?? 8B ?? ?? 88 }
- $block_48 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 }
- $block_49 = { 8B ?? ?? 8B ?? ?? 2B ?? ?? 66 ?? ?? ?? 0F B7 ?? ?? 8B ?? ?? 3B ?? ?? 76 }
- $block_50 = { 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_51 = { D9 ?? B9 ?? ?? ?? ?? 2B ?? ?? ?? D8 ?? 89 ?? ?? ?? DF ?? F6 ?? ?? 0F 84 }
- $block_52 = { 8B ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 8B ?? 81 F? ?? ?? ?? ?? 0F 84 }
- $block_53 = { 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_54 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? 25 ?? ?? ?? ?? 03 ?? C1 ?? ?? 83 ?? ?? 74 }
- $block_55 = { 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 83 ?? ?? 0F 85 }
- $block_56 = { 8B ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_57 = { 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_58 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? C1 ?? ?? 0B ?? FF 4? ?? 4? 89 ?? ?? 75 }
- $block_59 = { 68 ?? ?? ?? ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? 0F 84 }
- $block_60 = { 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? 0F BE ?? 83 ?? ?? 74 }
- $block_61 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 0F B6 ?? C1 ?? ?? 83 ?? ?? 83 ?? ?? 75 }
- $block_62 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 0F B6 ?? C1 ?? ?? 83 ?? ?? 83 ?? ?? 74 }
- $block_63 = { 0F B7 ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 3B ?? 72 }
- $block_64 = { 88 ?? 83 ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_65 = { 0F B6 ?? ?? 83 ?? ?? 8B ?? ?? 89 ?? ?? 0F B6 ?? ?? 83 ?? ?? 75 }
- $block_66 = { 8B ?? ?? 8D ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 84 }
- $block_67 = { 5? 8B ?? 5? 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 0F B6 ?? ?? 3B ?? 74 }
- $block_68 = { 8D ?? ?? 99 83 ?? ?? 03 ?? 8B ?? C1 ?? ?? 03 ?? 03 ?? 85 ?? 7E }
- $block_69 = { 8B ?? ?? ?? B8 ?? ?? ?? ?? 2B ?? 99 F7 ?? 89 ?? ?? ?? 3B ?? 7D }
- $block_70 = { 8B ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F 89 }
- $block_71 = { 8D ?? ?? 99 83 ?? ?? 03 ?? 8B ?? C1 ?? ?? 3B ?? ?? ?? ?? ?? 7E }
- $block_72 = { 8B ?? ?? ?? B8 ?? ?? ?? ?? 2B ?? 99 F7 ?? 89 ?? ?? ?? 3B ?? 7C }
- $block_73 = { 5? 6A ?? 8D ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_74 = { 8B ?? ?? ?? 83 ?? ?? 83 ?? ?? 3B ?? ?? ?? 89 ?? ?? ?? 0F 8C }
- $block_75 = { 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_76 = { 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? A3 ?? ?? ?? ?? 0F 85 }
- $block_77 = { 6A ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_78 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_79 = { 33 ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? 8D ?? ?? 83 ?? ?? 0F 82 }
- $block_80 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 8B ?? ?? 2B ?? 2B }
- $block_81 = { 8B ?? ?? 2B ?? ?? 66 ?? ?? ?? 0F B7 ?? ?? 3B ?? ?? 76 }
- $block_82 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 0F B6 ?? 3D ?? ?? ?? ?? 7F }
- $block_83 = { 5? 8B ?? 83 ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 }
- $block_84 = { 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C9 C3 }
- $block_85 = { 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_86 = { 83 ?? ?? 83 ?? ?? ?? ?? 5? 5? 5? 5? 8B ?? 8B ?? 0F 8E }
- $block_87 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_88 = { 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_89 = { 8B ?? ?? C7 ?? ?? ?? ?? ?? 0F B6 ?? ?? 83 ?? ?? 75 }
- $block_90 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 81 3? ?? ?? ?? ?? 0F 85 }
- $block_91 = { 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 75 }
- $block_92 = { 0F B6 ?? ?? C1 ?? ?? 81 C? ?? ?? ?? ?? 8B ?? ?? 89 }
- $block_93 = { 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? 83 ?? ?? C1 ?? ?? 74 }
- $block_94 = { E8 ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_95 = { 8B ?? ?? ?? ?? ?? 83 ?? ?? 39 ?? ?? ?? ?? ?? 0F 84 }
- $block_96 = { 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_97 = { 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? 3D ?? ?? ?? ?? 75 }
- $block_98 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 3B ?? 0F 83 }
- $block_99 = { 5? 8B ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
-
- condition:
- hash.sha256(0, filesize) == "0d1fe4ab3b074b5ef47aca88c5d1b8262a1293d51111d59c4e563980a873c5a6" or
- hash.sha256(0, filesize) == "bb975dc17d871535ddeadfb6ec34089ba02eef3f2432e7a4f37065b53d67c00a" or
- hash.sha256(0, filesize) == "9897d726cfccefd8f444c167cfaa34949449104a1a343a047dda2c257c4c9a31" or
- hash.sha256(0, filesize) == "615b0bdff7cfa88cd55f5629505ed6212e7e8c022e00b33fc12e5f33356d5872" or
- hash.sha256(0, filesize) == "b34cf1c74d4c4ce873543d41fc03be06a403b4872bcd1adbe16cfaa4201df115" or
- hash.sha256(0, filesize) == "4c8b2e001dbf9e8b285c79514319e0a14dbb839998dd4d643d51fb11767d0cf9" or
- hash.sha256(0, filesize) == "3b903a93f1fd2bd81b7b73daefd2d298a2fbb0137b786449e07176abd5cdde74" or
- hash.sha256(0, filesize) == "7e2ae0a57bc676aab0926babe934cc2c89ef194a1660ee175182237f837c45eb" or
- hash.sha256(0, filesize) == "43b8ce99af9c59376d3b077a87ce7afe720022987f3cf62f51504d22330a516b" or
- hash.sha256(0, filesize) == "93742b415f28f57c61e7ce7d55208f71d5c4880dc66616da52f3c274b20b43b0" or
- hash.sha256(0, filesize) == "30fc7f6e8623ee65e56fd4514169a2b01d1e35af06dda347ff4efe94c3d2329f" or
- hash.sha256(0, filesize) == "e8044c11f46b204a7dec5600cf3a0a5252951b9a026a9a41abcce96e0f1adf90" or
- hash.sha256(0, filesize) == "2fc6bc0683f9e9f20aae1fb257a1a05be63ddbbc600876bff6cd622879518d6e" or
- hash.sha256(0, filesize) == "50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed" or
- hash.sha256(0, filesize) == "09bc2a5f3de9dbcf54eb94e0f3a67c846403b34ad11dff23c9c8627bb9a16529" or
- hash.sha256(0, filesize) == "c55fa19ac18710c56045e39724f3b6a83a916508ae23a14bb2a108e71eac64a0" or
- hash.sha256(0, filesize) == "2956ef7470a504a8ea7aab211442febee740b3a0d39bb4fae1a2e578689167d6" or
- hash.sha256(0, filesize) == "152c867667517a0ec0b3231beece8ff46ff954bfc2493ca3bdfdfc6ea6b1bde9" or
- hash.sha256(0, filesize) == "85e6ab75e96dc7df18dd97d7c0eaeb0ed8d4fa33a4ecc09c196b9cf4795ca368" or
- hash.sha256(0, filesize) == "92c2023095420de3ca7d53a55ed689e7c0086195dc06a4369e0ee58a803c17bb" or
- hash.sha256(0, filesize) == "3de0ba77fa2d8b26e4226fd28edc3ab8448434d851f6b2b268ec072c5da92ade" or
- hash.sha256(0, filesize) == "6e9bf792c8247e612d3a8dfc5ea139c624e1d6c8bf116ff5ce280e7dc07ec4d4" or
- hash.sha256(0, filesize) == "655f1fdcd8b60425426dd4c22e50e79374b9790d44415cb9c0e51f64e73d4de4" or
- hash.sha256(0, filesize) == "f4554db7998e0a3467fa35d6a4fee1e34ae9db6381751e45f889fcaacd95c985" or
- hash.sha256(0, filesize) == "67bc775cc1a58930201ef247ace86cc5c8569057d4911a8e910ac2263c8eb880" or
- hash.sha256(0, filesize) == "846bdce641d7acbfaf28891d0351620fec954e02b2145cb7cd13aa6bdc8fe647" or
- hash.sha256(0, filesize) == "8c0e21756d659b383e206d603dfd3be41f0ea2d8277dae7bc1b6a2e1dc64e5c6" or
- hash.sha256(0, filesize) == "7fabb245a35ad61406627bac9a2c232e5990da5ec5f144d43af59167200f971a" or
- hash.sha256(0, filesize) == "e4ff7d8c1cdf48039640454025ff17cbe0f7e79bd561bd5ad8ff1e7aa5073754" or
- hash.sha256(0, filesize) == "c6b9ade2f5885ccebff30c4e7b279e17d981ff153936735d75874f52735ad556" or
- hash.sha256(0, filesize) == "cf1b968a37fb4ac317e4ec89c57974ae4ce88c6f9119bd9343bbb4834ea8d2f3" or
- hash.sha256(0, filesize) == "bf1cfc65b78f5222d35dc3bd2f0a87c9798bce5a48348649dd271ce395656341" or
- hash.sha256(0, filesize) == "e2e5cc06f3814c48a14af0a587c947eb098f3803383fe8ac3162ab1027f991f9" or
- hash.sha256(0, filesize) == "5e72cdb489133c984ae3b807bffbc788d14ceefb2385b5f2dff3618d85ffffd8" or
- hash.sha256(0, filesize) == "a5d557e91716997925119dfb7dd007732e37a21d9abba2282565ce583b5d6eca" or
- hash.sha256(0, filesize) == "61bd32dbe2d08c31a23094dee2a2920c1fc3e9b4fbfbe2d3341b8dfed62cfab4" or
- hash.sha256(0, filesize) == "f3e4e1dece0a14bedbd02b123996316d90a99b8ba581dd1c45b52f33ee56f2e5" or
- hash.sha256(0, filesize) == "8931663da74657c87ce2bf76ba501a3dd9cb7a952063d6122996d1dbc6227093" or
- hash.sha256(0, filesize) == "a10a0c729e5100c979d446b5f87251b0743fd108a305d9f9ea85832729ced6a8" or
- hash.sha256(0, filesize) == "b262292e049ee75d235164df98fa8ed09a9e2a30c5432623856bafd4bd44d801" or
- hash.sha256(0, filesize) == "5d21324eddb511fd4630a46d78673d73777383d62fc3ac2c966fd922f7f21256" or
- hash.sha256(0, filesize) == "831ea1e478093409733708256086529f8971e7ed8849d4d146d8fe28602f1d2a" or
- hash.sha256(0, filesize) == "b7aeb8b1bbcf9db4c6a37ceecb0a29f0a5efe8dda72b4563f547e0b18afb0a50" or
- hash.sha256(0, filesize) == "e943923f6b2d5c915cc34d1ca81498a64329d7151fd7c42ca92a315f97e8ce82" or
- hash.sha256(0, filesize) == "ba15a26408613936c6bc192f1b143e15914cd578074e91ba4fcff6a042c4f9e7" or
- hash.sha256(0, filesize) == "d5757c6f93b94fb3819363b4c2b3046a2e714968652a5992a6756f180d30cd25" or
- hash.sha256(0, filesize) == "20f7a38a5e3c4fec43978be3a4c4ea91ecbb94ccc0151dd770cda3100dc79d99" or
- hash.sha256(0, filesize) == "fea3d7271bf2ad43e2534e8be050b6f8830991375e301403817d4d57e87ed624" or
- hash.sha256(0, filesize) == "2b30fc3afac6220d1e4b0f87ec23681ef27b617d5724421803a3e8d4e7135f60" or
- hash.sha256(0, filesize) == "e2bbb2b9bb5cd97371150d8ae64efeca90a6e7162cd0080613854d1b189fd5a6" or
- hash.sha256(0, filesize) == "1d93015012993265d64c9f5494ca40ff75a8c850ea57357f0a8668d56bf6b160" or
- hash.sha256(0, filesize) == "fc68026b83392aa227e9adf9c71289cb51ba03427f6de67a73ae872e19ef6ff9" or
- hash.sha256(0, filesize) == "89ead864cb4117eb5ec548ead783a292db5aec8c2ddbb7873e81de7ce73f570a" or
- hash.sha256(0, filesize) == "b8c477c2f8c38b7d726b18e925f5b15a7fa2dd8ec19a73eb688844f40f50b914" or
- hash.sha256(0, filesize) == "0ac463de10eaf57cfcf2d41bdfbc827844dd7b8d908905fca9bc105c200c9362" or
- hash.sha256(0, filesize) == "b9620603662fe681ce714f78905d806c946b599b44505e0a6e4a14e97e2c973a" or
- hash.sha256(0, filesize) == "c8bee88458f89f6aee9bb213c397ef1b9ff4588169b1bba5bec7b840879170fc" or
- hash.sha256(0, filesize) == "dc06a54b55edf5ae48d3721c038a3e57d92e321505bed80a0e22defdf1312f76" or
- hash.sha256(0, filesize) == "71b3b876702f2405832444b761c6b3bdb854a77aea0bf650d1fee346479fa6ff" or
- hash.sha256(0, filesize) == "93c8db29ec3707f13bf5a96d5b8a3dc33c2f5b870acd3df07292c724ce10a13f" or
- hash.sha256(0, filesize) == "bb2b25b2a161914a23d1f3d68e852b5305a27e827431b538703735e6199d518d" or
- hash.sha256(0, filesize) == "168f8c29c14880a5f1b13b24c11f4707c40bbd24593b90908b44192f73b6c2d6" or
- hash.sha256(0, filesize) == "0e3842bd092db5c0c70c62e8351649d6e3f75e97d39bbfd0c0975b8c462a65ca" or
- hash.sha256(0, filesize) == "3a6ade7e2278d39ea74ef86144b256780d76e4db29431873e9271b20e4614696" or
- hash.sha256(0, filesize) == "100bd3acec48872863523ecc25731d647f9c1baeb9c320aa89cc1f9dfb57b3db" or
- hash.sha256(0, filesize) == "4f18b90cd644ea28bcb964622855145afca6a34e2381a10d731ec0f1bb46dd3b" or
- hash.sha256(0, filesize) == "f28f406c2fcd5139d8838b52da703fc6ffb8e5c00261d86aec90c28a20cfaa5b" or
- hash.sha256(0, filesize) == "a7701723cddf597309f9c5813cb962e74751c80203db31d14e2e05971ac6378c" or
- hash.sha256(0, filesize) == "9fd6dadb312d9d9d2dd3c151c7c58103e0e0062162428f578de95c2f192aa8b0" or
- hash.sha256(0, filesize) == "8fb20f80f0ee6ba3bb60e05079aceb05cbad17d73659665db21ce78b6898ce88" or
- hash.sha256(0, filesize) == "6b9419b2e6ea7dbe2054b4b2568bd5c61c08706f33788c55649fd4991a28c476" or
- hash.sha256(0, filesize) == "1321c78aa2abefd7f59994376b02159e5c2c81665f01b6a18707bd4fc3861116" or
- hash.sha256(0, filesize) == "d9498b9a806a8c7e706020dab600b1842eaa4bf3909e69144a8410db1f5e6e83" or
- hash.sha256(0, filesize) == "f85f66e45cc232223e8db39ac0b1cec1332b6267e0d2505926fe4c07427ff0d6" or
- hash.sha256(0, filesize) == "369b23b794f487653ab5d410c35c26a72c9affe0a4e49062f034b4d08e254d77" or
- hash.sha256(0, filesize) == "a15c351b940046bc80c8d0a69b8d5f6c4198cb20f68ad830dc3b1036ba8d34e4" or
- hash.sha256(0, filesize) == "0f5ec3b9535d4f956330351c5310626ffaa17f146ff51a8b3b10ea0a7039eadc" or
- hash.sha256(0, filesize) == "d2bef8242f3295c1815fb7ee32228a221b0e59f0be43259e4f41bd18c7e7dcf1" or
- hash.sha256(0, filesize) == "7032c7bb7ebd3f8b886aa175d2c52138ef00fc3313b61dae87cfc80d1c8a7ec3" or
- hash.sha256(0, filesize) == "2f5aa8a71df89858b6681cddbe72d30dded5c808e6018ff723c4660ab53b1a93" or
- hash.sha256(0, filesize) == "253c92fee41941aaef4dfe269240ff7025cf902cae3d8b3318eeb6c7f31742aa" or
- hash.sha256(0, filesize) == "f56b1248cdecffd25dbf8a2895105fec38f0a4ce03241571c8eb8daafc9a168f" or
- hash.sha256(0, filesize) == "39050386f17b2d34bdbd118eec62ed6b2f386e21500a740362454ed73ea362e8" or
- hash.sha256(0, filesize) == "571633025b6ff979a946186b892d9217be26c4078e7911b2ebccaa4dcda6aeab" or
- hash.sha256(0, filesize) == "ca69e85a5752d4a5ffe88c3d45d0d14f329e518aab56e8fc948138db23810233" or
- hash.sha256(0, filesize) == "99ac651da4a17a667a0b05009bafde945cbcd93ada8f241d9c3ad8654095fcc4" or
- hash.sha256(0, filesize) == "47247719f62f8409aae68867d9750e8c2a792b241efea1c1eac58baca3f146ee" or
- hash.sha256(0, filesize) == "09bd85c522a23396e1ab57680eb515ff29f4dd72baa5ba49637020ae2336b6b1" or
- hash.sha256(0, filesize) == "746a3aa794e77a83806747649de68109baca26fe7bdd985af1b73a2285a7df10" or
- hash.sha256(0, filesize) == "43e71b993d6e7c977caaf2ed7610a71758734d87ec2ceb20a84e573ea05a01b3" or
- hash.sha256(0, filesize) == "11016f63ca3c35ae4bcba8705854a787420af27d3d6953b1c563cf694f1811c5" or
- hash.sha256(0, filesize) == "79cdaebb65c04758a5fce3bbd19973af21de4cc0c4cf659ece8cc153f441fc19" or
- hash.sha256(0, filesize) == "b3746bf1c21b70a367c1b9de9f5d8c7f1a4803a014e0e6300ddd4adeb45feeff" or
- hash.sha256(0, filesize) == "ea4b2d5e2c47ba8ce92a90b6e2fe6a48d22dbafd6ec4dab7465c8cef28e19515" or
- hash.sha256(0, filesize) == "35ed1d87b31d238b3bdcffb13b5902cceba3c25aebfd9f54789d79d33bc6ce7a" or
- hash.sha256(0, filesize) == "9611d0b1837e933b9d938e19791b757aa56669ec75b8fd671bdd1371eede03bb" or
- hash.sha256(0, filesize) == "57b8c2f5cfeaca97da58cfcdaf10c88dbc2c987c436ddc1ad7b7ed31879cb665" or
- hash.sha256(0, filesize) == "e534a8c4c126dfa35dd5c0a34582f244a51c08e446e9ffd5ccde9f5a37564c03" or
- hash.sha256(0, filesize) == "caa22575a53cbd65b5b6b22132279f1817f26a832612e854cb08dd50f93790c2" or
- hash.sha256(0, filesize) == "cced33b6fe42e56355118a7dbae8bc2fded8d218615616f2edbbf0f6795a1473" or
- hash.sha256(0, filesize) == "5bda2aefda5802d716c8a849c409af40f78f7208222f3e08c9323c5eea76e5a9" or
- hash.sha256(0, filesize) == "36494d7f0aeaf36bd6fa49e08636ffe6f20fdd60c13a0dc1bfc97e4d9d4e54ba" or
- hash.sha256(0, filesize) == "129380c4955be84330ead54c8939dfb55c91d9f08a9964a73434692fb6bf9d74" or
- hash.sha256(0, filesize) == "c14c04f8c41407e1ddb100f1b6c5f2af5d1815edd9f024e9b76686ddf8b368bc" or
- hash.sha256(0, filesize) == "36e44ea38c8d48a34df0dc88cf1e1203f8f97bd52f035eccd338112e57f6f9f3" or
- hash.sha256(0, filesize) == "12be398511efb74fb99b496229fce2648a71c5bccd85b45adfd14f5af5b7dbda" or
- hash.sha256(0, filesize) == "4c49c9d601ebf16534d24d2dd1cab53fde6e03902758ef6cff86be740b720038" or
- hash.sha256(0, filesize) == "a6bf9cc1f64ac190e42cfce47564ef71492a788543d438408b522e40a716610c" or
- hash.sha256(0, filesize) == "77e68d7aa595231067597d9a1c176fe2f3c4f53ae3f6509f11e2c314d286f4e6" or
- hash.sha256(0, filesize) == "ff2a292ef76b5040fda8635ca95a652ff81ff57bb602a229ff7c74da31fe4d8b" or
- hash.sha256(0, filesize) == "94f05acb7e004e66875c02f7f903f1874f7085a772742e351ea9c0237a1079e2" or
- hash.sha256(0, filesize) == "55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452" or
- hash.sha256(0, filesize) == "5a64928debca2d9f1ffa4194f541c9188b32430cad4bdabac8f5bbdc514a0685" or
- hash.sha256(0, filesize) == "527b6a2bf5a250c06378b8f0f2b0ba4a1a121bf460ac70ecb3bf8b41ac1b06b4" or
- hash.sha256(0, filesize) == "8c12da9df42c74afbefebfa5f601cd8e18cb4ef8eced56b319cb1011324ff198" or
- hash.sha256(0, filesize) == "07e29254c525f67a7c3c815440bb8ba4454faf1e7f502a3a5f27f813b97e6b11" or
- hash.sha256(0, filesize) == "dfb513ae1ae4d661194781c52e8135ea15a252e4df7130ed564e286d83a4ad11" or
- hash.sha256(0, filesize) == "33460a8f849550267910b7893f0867afe55a5a24452d538f796d9674e629acc4" or
- hash.sha256(0, filesize) == "54107d0498f12b53ae49e9311f3a599dbbc3c555358a26a33f9b797c0c5f377c" or
- hash.sha256(0, filesize) == "564ee49a4703de53bfa1bdc6a5b71f111ea23e38a6ff441e0bf2ff7c28d95525" or
- hash.sha256(0, filesize) == "f697aa0bb10ae7141fb1ee62e854616e1d650397121041fc7d502c091c4234eb" or
- hash.sha256(0, filesize) == "54d5a7313ec9522b76fea9759fce7193335b924d073c0513bc528bf6d86194aa" or
- hash.sha256(0, filesize) == "eb8d87c6684dcbbcbb49bf60724c1ab15942b9ba52bf7f866d33e07b4b82c905" or
- hash.sha256(0, filesize) == "bd48c953163785c5f682b742ea5b25a611b2bf551a1dd36fb8abb2c07d9189de" or
- hash.sha256(0, filesize) == "afb0ae6e0f130b9200949c191561b013c2762f392717b36c87964b0a34a0f632" or
- hash.sha256(0, filesize) == "ef444eaef804955cb7a5902e30b43201c3d45c0f35aaa0b0ea73f3af916688ae" or
- hash.sha256(0, filesize) == "583132e0aab63507f6bd15a5d37aa883279ded69fa18e04fd299b0c2df845d54" or
- hash.sha256(0, filesize) == "65fdaf08e562611ce58f1d427f198f8743d88a68e1c4d92afe6dc6251e8a3112" or
- hash.sha256(0, filesize) == "4a9e6fdafba6bddc8600f51aae4eb6119c0abe1f6ebdfc025a76627372e223a4" or
- hash.sha256(0, filesize) == "448df2684c495bb54ee87214bba4b3b6b4b8d0989bf698ced04962cbcc0865a8" or
- hash.sha256(0, filesize) == "d597e4a61d94180044dfb616701e5e539f27eeecfae827fb024c114e30c54914" or
- hash.sha256(0, filesize) == "9bcde3bb10a88644393bb598e3b2498b3522b68299bea6e4f24cc4eeb5cfe231" or
- hash.sha256(0, filesize) == "099ad10b55e74e1b99424d8e739107534004ba5b1e6c051cf8b942ed32dabca6" or
- hash.sha256(0, filesize) == "198388dc0f81a5915def5414b62f485f6f2a8e12c28592a810518059a2eb5a36" or
- hash.sha256(0, filesize) == "beac78638a18b7de1861845797ff3adfae22607dceee42b99e17d191045244ed" or
- 12 of them
-}
-
-rule CarbonOrchestrator_v3_79_ {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { C7 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B6 ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 3D ?? ?? ?? ?? 0F 85 }
- $block_1 = { 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 }
- $block_2 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 8B ?? 48 ?? ?? ?? ?? 8B ?? ?? 2B ?? 8B ?? 89 ?? ?? ?? EB }
- $block_3 = { 4C ?? ?? ?? ?? 88 ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 85 ?? 74 }
- $block_4 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 }
- $block_5 = { 0F B7 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 48 ?? ?? ?? ?? 66 ?? ?? ?? EB }
- $block_6 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 84 }
- $block_7 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
- $block_8 = { 4C ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_9 = { 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 3D ?? ?? ?? ?? 75 }
- $block_10 = { 0F BE ?? ?? ?? BA ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 83 ?? ?? 7C }
- $block_11 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 33 ?? B9 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? EB }
- $block_12 = { 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 85 ?? 74 }
- $block_13 = { 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
- $block_14 = { 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 }
- $block_15 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 88 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 75 }
- $block_16 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B6 ?? ?? 88 ?? ?? ?? 8B ?? ?? ?? FF C? 89 ?? ?? ?? C7 }
- $block_17 = { 8B ?? ?? ?? 44 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_18 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 33 ?? B9 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? 73 }
- $block_19 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F BE ?? ?? ?? 83 ?? ?? 74 }
- $block_20 = { 48 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 }
- $block_21 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_22 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? 0F 85 }
- $block_23 = { 0F BF ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? ?? E9 }
- $block_24 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 }
- $block_25 = { 0F BF ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? ?? EB }
- $block_26 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 }
- $block_27 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_28 = { FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 81 B? ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_29 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 85 }
- $block_30 = { 33 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 }
- $block_31 = { 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 83 ?? ?? 75 }
- $block_32 = { B2 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_33 = { 0F BE ?? ?? ?? 8B ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 74 }
- $block_34 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 39 ?? ?? 0F 85 }
- $block_35 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 66 ?? ?? ?? ?? EB }
- $block_36 = { 48 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B7 ?? ?? 85 ?? 74 }
- $block_37 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_38 = { 0F B6 ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? 8B ?? 0F B6 ?? ?? ?? 03 ?? 8B ?? 88 }
- $block_39 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 2B ?? 3B ?? ?? ?? 0F 87 }
- $block_40 = { 8B ?? ?? ?? ?? ?? ?? FF C? 48 ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 75 }
- $block_41 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 8B ?? ?? ?? 39 ?? ?? ?? 77 }
- $block_42 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 2B ?? 8B ?? 3D ?? ?? ?? ?? 0F 8C }
- $block_43 = { 48 ?? ?? ?? ?? 8B ?? ?? 99 83 ?? ?? 03 ?? C1 ?? ?? 39 ?? ?? ?? 7E }
- $block_44 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_45 = { 0F BE ?? ?? ?? 8B ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 74 }
- $block_46 = { 48 ?? ?? ?? ?? 0F B6 ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 83 ?? ?? 75 }
- $block_47 = { B2 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
- $block_48 = { 0F B6 ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 85 ?? 0F 84 }
- $block_49 = { 8B ?? ?? ?? FF C? 89 ?? ?? ?? 0F B7 ?? ?? ?? 39 ?? ?? ?? 0F 83 }
- $block_50 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_51 = { 8B ?? ?? ?? FF C? 48 ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 75 }
- $block_52 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F 84 }
- $block_53 = { 48 ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 83 }
- $block_54 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? 75 }
- $block_55 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 75 }
- $block_56 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 7F }
- $block_57 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 2B ?? 8B ?? 85 ?? 0F 85 }
- $block_58 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 2B ?? 8B ?? 85 ?? 0F 8E }
- $block_59 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 48 ?? ?? 0F 85 }
- $block_60 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 7D }
- $block_61 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 3D ?? ?? ?? ?? 74 }
- $block_62 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 85 }
- $block_63 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 86 }
- $block_64 = { 33 ?? 8B ?? ?? ?? F7 ?? ?? ?? FF C? 0F AF ?? ?? ?? 89 }
- $block_65 = { B2 ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 }
- $block_66 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? ?? 39 ?? ?? 0F 83 }
- $block_67 = { 8B ?? ?? ?? 8B ?? ?? ?? FF C? 89 ?? ?? ?? 85 ?? 0F 84 }
- $block_68 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_69 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 3D ?? ?? ?? ?? 75 }
- $block_70 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_71 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? ?? 0F B7 ?? ?? 3B ?? 7D }
- $block_72 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 39 ?? ?? ?? 0F 85 }
- $block_73 = { 8B ?? ?? ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 0F 85 }
- $block_74 = { 0F B7 ?? ?? ?? ?? ?? ?? 25 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_75 = { 48 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_76 = { 48 ?? ?? ?? ?? 48 ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_77 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 }
- $block_78 = { 8B ?? ?? ?? ?? ?? ?? 0F BE ?? ?? ?? 83 ?? ?? 74 }
- $block_79 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 83 ?? ?? 75 }
- $block_80 = { 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 83 }
- $block_81 = { 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 8D }
- $block_82 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 0F 85 }
- $block_83 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 }
- $block_84 = { B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 }
-
- condition:
- hash.sha256(0, filesize) == "9184be433426f5c9fe8ce27e8df89d7849c6af61779a3835c89ad46815abe839" or
- 24 of them
-}
-
-rule UroburosCVE20083431 {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 6A ?? 68 ?? ?? ?? ?? 5? 5? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_1 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 8B ?? 0F 85 }
- $block_2 = { 0F B6 ?? ?? 0F B6 ?? C1 ?? ?? C1 ?? ?? 03 ?? 2B ?? 83 ?? ?? 3B ?? 0F 84 }
- $block_3 = { 8B ?? 99 F7 ?? ?? ?? ?? ?? 4? 8A ?? ?? 30 ?? ?? ?? 3B ?? ?? ?? ?? ?? 72 }
- $block_4 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? ?? B8 ?? ?? ?? ?? 33 ?? 66 ?? ?? 0F 85 }
- $block_5 = { 8A ?? 88 ?? 8A ?? ?? 88 ?? ?? 8A ?? ?? 88 ?? ?? 8B ?? ?? 5? 5? C9 C3 }
- $block_6 = { 5? 8B ?? 8B ?? ?? BA ?? ?? ?? ?? 83 ?? ?? 33 ?? 66 ?? ?? 0F 85 }
- $block_7 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 8B ?? 0F 85 }
- $block_8 = { 8A ?? 88 ?? 8A ?? ?? 88 ?? ?? 8B ?? ?? 5? 5? C9 C3 }
- $block_9 = { 0F B7 ?? 48 ?? ?? ?? 66 ?? ?? 66 ?? ?? ?? ?? 75 }
- $block_10 = { 8B ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 4C ?? ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "8afa5f4d3cf330b44266b49c480ad4136c367fdb3c5bbca9db577a6ea6321aba" or
- hash.sha256(0, filesize) == "2233dd70fe18f92d398e0f9265714255af1f3431ed512fd5ea174c7630df1fe4" or
- hash.sha256(0, filesize) == "38b10be0618576f4a2285362b7576975f997980f1120e9d6470654f48503c179" or
- hash.sha256(0, filesize) == "8f4f4c3469235da8c371cdbf3de0d81e31f71d5648da1fdfc76ad2290178836a" or
- 11 of them
-}
-
-rule GazerOrchestrator_x32_ {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? 8B ?? 05 ?? ?? ?? ?? 5? FF 3? 8B ?? ?? 6A ?? FF 3? FF 1? ?? ?? ?? ?? 89 ?? 85 ?? 0F 84 }
- $block_1 = { 8B ?? ?? 4? 89 ?? ?? 8D ?? ?? 5? 5? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_2 = { FF 3? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8A ?? ?? 83 ?? ?? 5? 5? C9 C3 }
- $block_3 = { 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 5? C9 C3 }
- $block_4 = { 8B ?? ?? 83 ?? ?? ?? ?? 83 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_5 = { 5? FF 7? ?? 6A ?? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? 0F 84 }
- $block_6 = { 2B ?? 33 ?? 8B ?? F7 ?? 8B ?? 0F AF ?? 2B ?? 0F B7 ?? ?? C1 ?? ?? 0B ?? 0F B7 ?? 8B ?? 0F AF }
- $block_7 = { 5? FF 1? ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 7? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? 3B ?? 0F 84 }
- $block_8 = { 8D ?? ?? 5? FF 7? ?? 8B ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? 33 ?? 4? 83 ?? ?? 3B ?? 0F 86 }
- $block_9 = { 8B ?? ?? ?? ?? ?? 03 ?? 5? FF D? FF 1? ?? ?? ?? ?? 0F AF ?? 5? FF D? 5? 5? 5? B0 ?? 5? C9 C2 }
- $block_10 = { 0F B6 ?? 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? 5? 8A ?? 5? C9 C2 }
- $block_11 = { 8B ?? 8B ?? ?? 83 ?? ?? 5? FF 3? 8B ?? ?? 6A ?? FF 3? FF 1? ?? ?? ?? ?? 89 ?? 85 ?? 0F 84 }
- $block_12 = { FF 7? ?? FF D? 5? 8D ?? ?? ?? 5? 6A ?? FF 7? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? 3B ?? 0F 84 }
- $block_13 = { FF 7? ?? 89 ?? ?? FF 1? ?? ?? ?? ?? 6A ?? 6A ?? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_14 = { 68 ?? ?? ?? ?? 6A ?? FF 7? ?? C7 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 }
- $block_15 = { 8B ?? ?? ?? ?? ?? 83 ?? ?? ?? BB ?? ?? ?? ?? 5? 6A ?? FF 7? ?? FF D? 89 ?? ?? 85 ?? 0F 84 }
- $block_16 = { 5? 8B ?? 5? 5? 5? 5? 8B ?? 8D ?? ?? 5? FF 7? ?? 33 ?? 89 ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_17 = { 8B ?? ?? ?? 8B ?? ?? 8B ?? 89 ?? ?? ?? 8B ?? ?? ?? 03 ?? 8B ?? 89 ?? ?? ?? 3B ?? 0F 87 }
- $block_18 = { 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 5? C9 C2 }
- $block_19 = { 8B ?? ?? 83 ?? ?? 5? 6A ?? FF 3? 89 ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_20 = { 5? 5? 8B ?? ?? ?? ?? ?? BD ?? ?? ?? ?? 5? 6A ?? FF 7? ?? FF D? 89 ?? ?? ?? 85 ?? 0F 84 }
- $block_21 = { 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF 1? 8B ?? 8B ?? ?? ?? 8B ?? 5? FF 5? ?? 3B ?? 0F 8C }
- $block_22 = { 8B ?? 83 ?? ?? 8B ?? 8D ?? ?? ?? A5 A5 A5 8B ?? A3 ?? ?? ?? ?? A5 FF 5? ?? 84 ?? 0F 84 }
- $block_23 = { 8B ?? ?? ?? 8B ?? 6A ?? 5? 5? FF 5? ?? 8B ?? 8B ?? ?? ?? 8B ?? 5? FF 5? ?? 3B ?? 0F 9D }
- $block_24 = { 8B ?? ?? FF 0? 8B ?? ?? 6A ?? 6A ?? FF 3? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_25 = { 8D ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_26 = { 5? 5? 6A ?? 5? 6A ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_27 = { 8B ?? ?? ?? ?? ?? 8B ?? 83 ?? ?? 8B ?? 8D ?? ?? ?? A5 A5 A5 A5 FF 5? ?? 84 ?? 0F 84 }
- $block_28 = { 8B ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? A5 A5 A5 A5 89 ?? ?? 3B ?? 0F 85 }
- $block_29 = { 5? 5? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 5? 6A ?? FF 7? ?? FF D? 89 ?? ?? 85 ?? 0F 84 }
- $block_30 = { 8B ?? ?? 8B ?? 8B ?? ?? FF 0? 6A ?? 6A ?? FF 3? FF D? 8B ?? 89 ?? ?? ?? 85 ?? 0F 84 }
- $block_31 = { 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? 89 ?? ?? ?? 89 ?? ?? ?? 3B ?? 0F 83 }
- $block_32 = { FF 7? ?? ?? 8B ?? FF 3? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? FF 5? ?? 84 ?? 0F 85 }
- $block_33 = { 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? 5? 8B ?? 5? C9 C2 }
- $block_34 = { 0F B6 ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? C9 C2 }
- $block_35 = { 8B ?? ?? ?? ?? ?? 8B ?? 83 ?? ?? 8B ?? 8D ?? ?? ?? A5 A5 A5 A5 FF 5? ?? 84 ?? 74 }
- $block_36 = { 83 ?? ?? ?? 83 ?? ?? ?? 5? FF 7? ?? 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_37 = { 8B ?? ?? 83 ?? ?? 5? 6A ?? FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 89 ?? 85 ?? 0F 84 }
- $block_38 = { FF 7? ?? 8B ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? FF 4? ?? 8B ?? ?? 3B ?? ?? 0F 82 }
- $block_39 = { 8B ?? ?? ?? 8D ?? ?? ?? 8B ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 3B ?? ?? ?? 0F 86 }
- $block_40 = { 8D ?? ?? 5? 5? 33 ?? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_41 = { 8B ?? ?? 8B ?? ?? C1 ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 0F 85 }
- $block_42 = { 8B ?? 6B ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 0F 85 }
- $block_43 = { 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 5? 5? C9 C2 }
- $block_44 = { 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_45 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 5? 8B ?? ?? 6A ?? FF 7? ?? FF D? 8B ?? 85 ?? 0F 84 }
- $block_46 = { 6A ?? 6A ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? 85 ?? 0F 84 }
- $block_47 = { 8B ?? ?? 03 ?? ?? 6A ?? 68 ?? ?? ?? ?? FF 7? ?? 5? FF D? 89 ?? ?? 85 ?? 0F 84 }
- $block_48 = { 8B ?? 6A ?? 8B ?? FF 1? 6A ?? 8D ?? ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_49 = { 8B ?? ?? 03 ?? 5? 6A ?? FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_50 = { 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 7? ?? FF D? 8B ?? 33 ?? 3B ?? 0F 84 }
- $block_51 = { 8D ?? ?? ?? 5? FF 7? ?? ?? 5? 6A ?? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_52 = { FF 4? ?? 81 6? ?? ?? ?? ?? ?? FF 4? ?? 29 ?? ?? 4? 83 ?? ?? ?? 89 ?? ?? 0F 8F }
- $block_53 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? 5? 6A ?? FF 7? ?? FF D? 89 ?? ?? 3B ?? 0F 84 }
- $block_54 = { 5? 8B ?? 83 ?? ?? 83 ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? 89 ?? ?? 89 ?? ?? 0F 84 }
- $block_55 = { 8B ?? ?? 6A ?? 6A ?? FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_56 = { 8D ?? ?? ?? 5? 6A ?? 6A ?? 6A ?? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_57 = { FF 7? ?? 8B ?? ?? FF 7? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 85 }
- $block_58 = { 8B ?? ?? ?? FF 4? ?? FF 4? ?? ?? 8B ?? ?? ?? 8B ?? 8B ?? ?? ?? 3B ?? 0F 82 }
- $block_59 = { 8D ?? ?? 5? 6A ?? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_60 = { 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 }
- $block_61 = { 8D ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_62 = { 6A ?? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_63 = { FF 3? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_64 = { FF 7? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? 0F AF ?? FF 4? ?? 39 ?? ?? 7C }
- $block_65 = { 5? 8B ?? 83 ?? ?? 33 ?? 83 ?? ?? 5? 5? 89 ?? ?? 89 ?? ?? 89 ?? ?? 0F 84 }
- $block_66 = { 8B ?? ?? ?? ?? ?? FF 3? ?? ?? ?? ?? 8B ?? FF 9? ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_67 = { 5? 5? 8B ?? ?? 5? 8D ?? ?? A5 33 ?? 66 ?? 66 ?? ?? ?? 4? 66 ?? ?? ?? 75 }
- $block_68 = { FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_69 = { 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 85 }
- $block_70 = { 5? 6A ?? FF 7? ?? FF D? 8B ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? 3B ?? ?? 0F 85 }
- $block_71 = { 83 ?? ?? 8B ?? 8D ?? ?? ?? A5 A5 A5 89 ?? ?? 8B ?? A5 FF 5? ?? 84 ?? 75 }
- $block_72 = { 8D ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_73 = { 8B ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? A5 A5 A5 8B ?? ?? ?? 33 ?? 2B ?? 0F 84 }
- $block_74 = { 8B ?? ?? 33 ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 3B ?? 0F 8E }
- $block_75 = { FF 4? ?? FF 7? ?? FF 1? ?? ?? ?? ?? FF 4? ?? 8B ?? ?? 3B ?? ?? 0F 82 }
- $block_76 = { 89 ?? ?? 8B ?? 89 ?? ?? 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 8F }
- $block_77 = { 8B ?? ?? ?? 8B ?? 6A ?? 5? 5? FF 5? ?? 85 ?? 8B ?? ?? ?? 8B ?? 0F 88 }
- $block_78 = { 5? 5? 5? 5? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 33 ?? 3B ?? 0F 84 }
- $block_79 = { 8B ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? A5 A5 A5 8B ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_80 = { 5? FF D? 5? 8D ?? ?? ?? 5? 6A ?? FF 7? ?? FF D? 89 ?? ?? 85 ?? 0F 84 }
- $block_81 = { FF 1? ?? ?? ?? ?? 8D ?? ?? 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_82 = { 8D ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? A5 A5 A5 A5 8B ?? ?? ?? 33 ?? 4? }
- $block_83 = { 8B ?? ?? 6A ?? 6A ?? FF 3? FF 1? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_84 = { 8B ?? ?? 8B ?? 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF 1? 85 ?? 0F 88 }
- $block_85 = { 8B ?? 89 ?? ?? 8B ?? ?? 8B ?? 83 ?? ?? ?? 83 ?? ?? 8D ?? ?? 0F 86 }
- $block_86 = { FF D? 8B ?? FF D? 0F AF ?? 83 ?? ?? ?? 89 ?? ?? 8B ?? ?? 85 ?? 7E }
- $block_87 = { 8D ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? 0F AF ?? 89 }
- $block_88 = { 5? 8B ?? 83 ?? ?? 8B ?? ?? 83 ?? ?? ?? 5? 5? 5? C6 ?? ?? ?? 0F 84 }
- $block_89 = { 8D ?? ?? 5? 8D ?? ?? 5? FF 7? ?? 8B ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_90 = { 8D ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 81 7? ?? ?? ?? ?? ?? 0F 85 }
- $block_91 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_92 = { 5? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_93 = { FF 7? ?? FF 3? E8 ?? ?? ?? ?? 33 ?? 5? 5? 89 ?? ?? 3B ?? 0F 84 }
- $block_94 = { 8B ?? ?? ?? ?? ?? 6A ?? 6A ?? 8D ?? ?? 5? FF D? 83 ?? ?? 0F 84 }
- $block_95 = { 8B ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 3B ?? 0F 86 }
- $block_96 = { 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 85 }
- $block_97 = { 2B ?? 5? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 0F 85 }
- $block_98 = { 68 ?? ?? ?? ?? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 }
- $block_99 = { 8B ?? ?? FF 4? ?? FF 4? ?? 8B ?? ?? 8B ?? 8B ?? ?? 3B ?? 0F 82 }
-
- condition:
- hash.sha256(0, filesize) == "09da9e80e4554be5c2734ced0e70a6a08eb9ddacb8c1d9155c44ad8f0cbad8d2" or
- 12 of them
-}
-
-rule CarbonOrchestrator_v3_71_ {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { E8 ?? ?? ?? ?? 45 ?? ?? 48 ?? ?? ?? ?? ?? ?? 45 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? 0F 85 }
- $block_1 = { BF ?? ?? ?? ?? 44 ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_2 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 8B ?? 0F 85 }
- $block_3 = { 44 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 41 ?? ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_4 = { 4C ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 40 ?? ?? 0F 84 }
- $block_5 = { 45 ?? ?? 45 ?? ?? 48 ?? ?? 41 ?? ?? ?? 4C ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 84 }
- $block_6 = { 48 ?? ?? ?? ?? 49 ?? ?? ?? 41 ?? ?? ?? ?? ?? 4D ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_7 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? ?? 0F 8C }
- $block_8 = { 41 ?? ?? 41 ?? ?? 41 ?? ?? 41 ?? ?? 3B ?? 0F 4C ?? 41 ?? ?? 2B ?? 83 ?? ?? 85 ?? 48 ?? ?? 7E }
- $block_9 = { 89 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 99 83 ?? ?? 03 ?? 83 ?? ?? 2B ?? 49 ?? ?? 8D ?? ?? ?? 75 }
- $block_10 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 33 ?? 8B ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 84 }
- $block_11 = { 44 ?? ?? ?? 8B ?? ?? ?? 49 ?? ?? 4C ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_12 = { 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_13 = { 41 ?? ?? 44 ?? ?? 41 ?? ?? 45 ?? ?? 41 ?? ?? 41 ?? ?? 0F 4C ?? 8B ?? 2B ?? 85 ?? 48 ?? ?? 7E }
- $block_14 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 45 ?? ?? 41 ?? ?? 0F 85 }
- $block_15 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 40 ?? ?? 0F 84 }
- $block_16 = { 48 ?? ?? ?? ?? ?? ?? 4D ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? 0F 84 }
- $block_17 = { 48 ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 40 ?? ?? ?? 85 ?? 0F 44 ?? 40 ?? ?? 75 }
- $block_18 = { 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_19 = { 8B ?? ?? 8B ?? E8 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 0F BA ?? ?? 8B ?? 73 }
- $block_20 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_21 = { 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? 0F 84 }
- $block_22 = { 8B ?? 45 ?? ?? 45 ?? ?? 99 4C ?? ?? F7 ?? 41 ?? ?? ?? 44 ?? ?? 85 ?? 4C ?? ?? 4C ?? ?? 7E }
- $block_23 = { 8B ?? 33 ?? 45 ?? ?? 21 ?? ?? ?? 99 45 ?? ?? 45 ?? ?? 4D ?? ?? 41 ?? ?? 85 ?? 4C ?? ?? 7E }
- $block_24 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 45 ?? ?? 29 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F 85 }
- $block_25 = { 8D ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_26 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_27 = { 41 ?? ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? ?? 2B ?? 99 83 ?? ?? F7 ?? 8D ?? ?? 48 ?? ?? ?? ?? EB }
- $block_28 = { FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 45 ?? ?? 8B ?? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_29 = { 33 ?? 48 ?? ?? 49 ?? ?? 66 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 66 }
- $block_30 = { 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 33 ?? 85 ?? 0F 95 ?? 89 }
- $block_31 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 44 ?? ?? ?? 4C ?? ?? ?? ?? 4C ?? ?? ?? 0F 85 }
- $block_32 = { 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? BA ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_33 = { 48 ?? ?? B8 ?? ?? ?? ?? 83 ?? ?? ?? 0F 45 ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 83 }
- $block_34 = { 48 ?? ?? ?? ?? ?? ?? 45 ?? ?? BA ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_35 = { E8 ?? ?? ?? ?? 48 ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? ?? ?? ?? F2 ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_36 = { 8B ?? ?? ?? ?? ?? 48 ?? ?? ?? 8D ?? ?? 41 ?? ?? ?? 3B ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 8C }
- $block_37 = { 44 ?? ?? 4C ?? ?? 33 ?? 48 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_38 = { 48 ?? ?? ?? ?? 45 ?? ?? 48 ?? ?? ?? ?? ?? ?? 45 ?? ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? 0F 85 }
- $block_39 = { 48 ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? 33 ?? 48 ?? ?? 49 ?? ?? F2 ?? 48 ?? ?? 49 ?? ?? 0F 84 }
- $block_40 = { 45 ?? ?? 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_41 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 84 }
- $block_42 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 84 }
- $block_43 = { 44 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? 0F B6 ?? ?? 2B ?? ?? ?? ?? ?? ?? 75 }
- $block_44 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 33 ?? 44 ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 84 }
- $block_45 = { 49 ?? ?? ?? 33 ?? 48 ?? ?? 49 ?? ?? 66 ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F 82 }
- $block_46 = { 48 ?? ?? ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 84 }
- $block_47 = { E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? F2 ?? 48 ?? ?? 49 ?? ?? 0F 84 }
- $block_48 = { 48 ?? ?? ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 0F B6 ?? 85 ?? 0F 44 ?? 40 ?? ?? 0F 85 }
- $block_49 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_50 = { E8 ?? ?? ?? ?? 8B ?? 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_51 = { 48 ?? ?? ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_52 = { 49 ?? ?? 8B ?? 48 ?? ?? ?? 83 ?? ?? 0F A3 ?? ?? 41 ?? ?? 44 ?? ?? ?? 41 ?? ?? 79 }
- $block_53 = { 33 ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 45 ?? ?? 45 ?? ?? 41 ?? ?? 8B ?? 48 ?? ?? 0F 86 }
- $block_54 = { 45 ?? ?? 49 ?? ?? 45 ?? ?? 49 ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? 0F 8E }
- $block_55 = { 48 ?? ?? ?? 45 ?? ?? 41 ?? ?? ?? ?? ?? 49 ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_56 = { 48 ?? ?? ?? ?? ?? ?? 44 ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_57 = { 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 3C ?? 0F 85 }
- $block_58 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 84 }
- $block_59 = { 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_60 = { 48 ?? ?? ?? ?? ?? ?? 4D ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_61 = { 48 ?? ?? ?? ?? ?? ?? 4D ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 4C ?? ?? 0F 84 }
- $block_62 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 45 ?? ?? FF 1? ?? ?? ?? ?? 41 ?? ?? 0F 85 }
- $block_63 = { 4D ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? 8B ?? E8 ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_64 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_65 = { 41 ?? ?? B9 ?? ?? ?? ?? 2B ?? 3B ?? 0F 4C ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 74 }
- $block_66 = { 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 0F 84 }
- $block_67 = { 48 ?? ?? ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 33 ?? 48 ?? ?? 0F 85 }
- $block_68 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_69 = { 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 49 ?? ?? 45 ?? ?? 41 ?? ?? 48 ?? ?? 0F 84 }
- $block_70 = { 48 ?? ?? ?? ?? ?? ?? 33 ?? 4C ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_71 = { 33 ?? 49 ?? ?? 48 ?? ?? F2 ?? 48 ?? ?? 49 ?? ?? 49 ?? ?? 49 ?? ?? 0F 85 }
- $block_72 = { 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 41 ?? ?? 0F 85 }
- $block_73 = { 33 ?? 49 ?? ?? 48 ?? ?? F2 ?? 48 ?? ?? 49 ?? ?? 49 ?? ?? 48 ?? ?? 0F 85 }
- $block_74 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 39 ?? ?? 0F 8F }
- $block_75 = { 49 ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? 49 ?? ?? F2 ?? 48 ?? ?? 49 ?? ?? 0F 84 }
- $block_76 = { 8B ?? 89 ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 99 33 ?? 2B ?? 3D ?? ?? ?? ?? 7F }
- $block_77 = { 48 ?? ?? ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 84 }
- $block_78 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 84 }
- $block_79 = { 48 ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? 8B ?? 0F 85 }
- $block_80 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 85 ?? 8B ?? 0F 85 }
- $block_81 = { C6 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 66 ?? ?? ?? ?? 48 ?? ?? ?? ?? 75 }
- $block_82 = { 48 ?? ?? ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_83 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 85 }
- $block_84 = { 48 ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_85 = { BA ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 }
- $block_86 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 41 ?? ?? 0F 85 }
- $block_87 = { 41 ?? ?? 44 ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? 0F 84 }
- $block_88 = { 8B ?? ?? ?? 41 ?? ?? ?? ?? 0F BA ?? ?? 83 ?? ?? 41 ?? ?? 0F 8E }
- $block_89 = { 48 ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 45 ?? ?? 41 ?? ?? 0F 84 }
- $block_90 = { 48 ?? ?? 33 ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 84 }
- $block_91 = { 4C ?? ?? ?? ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 8A ?? 3C ?? 0F 85 }
- $block_92 = { 48 ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 0F 8F }
- $block_93 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 85 }
- $block_94 = { 8B ?? 85 ?? 0F 44 ?? C1 ?? ?? 89 ?? ?? 48 ?? ?? ?? 48 ?? ?? 75 }
- $block_95 = { 48 ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? F2 ?? 48 ?? ?? 48 ?? ?? 0F 82 }
- $block_96 = { 33 ?? 48 ?? ?? ?? ?? 49 ?? ?? F2 ?? 48 ?? ?? 49 ?? ?? 0F 84 }
- $block_97 = { 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F 85 }
- $block_98 = { 48 ?? ?? ?? ?? 48 ?? ?? 8B ?? E8 ?? ?? ?? ?? 41 ?? ?? 0F 84 }
- $block_99 = { 4C ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "ffb0e35cfab750c8532f7d49deb8a71284fa420660710b8be632dacdd0a5cf45" or
- hash.sha256(0, filesize) == "1311759943aabfe55ef2d42677432f14ed8fb549619473e5fb56f8a92d2daf72" or
- 24 of them
-}
-
-rule BadRabbitInstaller {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 8B ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 33 ?? 5? 5? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_1 = { 5? 8B ?? 83 ?? ?? 5? 5? 33 ?? 5? 5? 6A ?? 5? 6A ?? 68 ?? ?? ?? ?? 5? 89 ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 }
- $block_2 = { 5? 8B ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? FF D? 8B ?? 85 ?? 0F 84 }
- $block_3 = { 8D ?? ?? ?? ?? ?? 5? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? FF D? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_4 = { 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_5 = { 5? 2B ?? 8B ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_6 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 0F B7 ?? ?? ?? 03 ?? 8D ?? ?? ?? 0F B7 ?? ?? 85 ?? 7E }
-
- condition:
- hash.sha256(0, filesize) == "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da" or
- 7 of them
-}
-
-rule BadRabbitWiper {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 0F B7 ?? ?? 0F A4 ?? ?? C1 ?? ?? 89 ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 89 }
- $block_1 = { 5? 5? 5? 6A ?? 5? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 }
- $block_2 = { 5? 8B ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 5? 33 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 39 ?? ?? 0F 84 }
- $block_3 = { 69 ?? ?? ?? ?? ?? 5? 5? 8D ?? ?? 5? 33 ?? 39 ?? ?? 0F 95 ?? 4? 5? FF 1? ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_4 = { 5? 8B ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? ?? 03 ?? 5? 8B ?? ?? ?? ?? ?? 03 ?? 0F 84 }
- $block_5 = { 8D ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_6 = { 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 88 }
- $block_7 = { 8B ?? ?? 8D ?? ?? 5? FF 7? ?? 0F B7 ?? 5? FF 7? ?? FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 84 ?? 74 }
- $block_8 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 6A ?? 6A ?? FF D? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_9 = { 2B ?? D1 ?? 0F B7 ?? 68 ?? ?? ?? ?? 6A ?? 89 ?? ?? FF D? 5? FF D? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_10 = { 0F B7 ?? ?? 89 ?? ?? 0F B7 ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 0F B7 ?? 83 ?? ?? 3B ?? 0F 87 }
- $block_11 = { 8B ?? ?? ?? ?? ?? 83 ?? ?? 5? 6A ?? 89 ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_12 = { 8D ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? 83 ?? ?? 0F 84 }
- $block_13 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 6A ?? 6A ?? FF D? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_14 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 0F B7 ?? ?? 6A ?? 03 ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_15 = { 21 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? 5? FF 7? ?? FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_16 = { 8B ?? ?? 8B ?? ?? 8B ?? A5 A5 A5 A5 8B ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 33 ?? 66 ?? ?? ?? 75 }
- $block_17 = { 5? 8B ?? 83 ?? ?? 5? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 33 ?? A3 ?? ?? ?? ?? 3B ?? 0F 84 }
- $block_18 = { 8B ?? ?? 8D ?? ?? 5? 6A ?? 6A ?? 5? C7 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_19 = { 68 ?? ?? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_20 = { A1 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_21 = { 5? 8B ?? 5? 6A ?? 6A ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_22 = { 0F B6 ?? ?? 33 ?? BB ?? ?? ?? ?? F7 ?? 4? 8A ?? ?? ?? ?? ?? 88 ?? ?? ?? 83 ?? ?? 72 }
- $block_23 = { 5? 5? 6A ?? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? 0F 84 }
- $block_24 = { 8B ?? ?? 0F B7 ?? ?? FF 7? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? 74 }
- $block_25 = { 5? 5? 8D ?? ?? 5? FF 7? ?? 5? FF 7? ?? FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_26 = { 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_27 = { 8B ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 0F B7 ?? ?? 83 ?? ?? ?? 0F B7 ?? 89 ?? ?? 8B ?? 8D }
- $block_28 = { 68 ?? ?? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_29 = { 6A ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8D ?? ?? BF ?? ?? ?? ?? 3B ?? 0F 83 }
- $block_30 = { 5? 8B ?? 83 ?? ?? 5? 68 ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_31 = { 8D ?? ?? ?? 0F B6 ?? 33 ?? 6A ?? 5? F7 ?? 4? 8A ?? ?? ?? ?? ?? 88 ?? 83 ?? ?? 72 }
- $block_32 = { 5? 68 ?? ?? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_33 = { 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_34 = { 66 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? 33 ?? 0F B7 ?? 4? 66 ?? ?? 8B ?? 8D ?? ?? 75 }
- $block_35 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? FF 7? ?? 6A ?? FF 7? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_36 = { 8D ?? ?? ?? ?? ?? ?? 8B ?? 2B ?? 0F B7 ?? 66 ?? ?? ?? 83 ?? ?? 66 ?? ?? 75 }
- $block_37 = { 0F B7 ?? ?? 5? 89 ?? ?? 83 ?? ?? 5? 6A ?? FF D? 5? FF D? 8B ?? 85 ?? 0F 84 }
- $block_38 = { 0F B7 ?? ?? 5? 83 ?? ?? 5? 6A ?? 89 ?? ?? FF D? 5? FF D? 8B ?? 85 ?? 0F 84 }
- $block_39 = { 6A ?? 6A ?? C6 ?? ?? C7 ?? ?? ?? ?? ?? ?? FF D? 5? FF D? 8B ?? 85 ?? 0F 84 }
- $block_40 = { 8D ?? ?? 5? 5? 5? 89 ?? ?? 8B ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_41 = { 8D ?? ?? 5? 8B ?? ?? 6A ?? FF 7? ?? 03 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_42 = { 0F B6 ?? 33 ?? 81 E? ?? ?? ?? ?? C1 ?? ?? 33 ?? ?? ?? ?? ?? ?? 4? 4? 75 }
- $block_43 = { 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_44 = { 6A ?? 6A ?? C6 ?? ?? FF D? 5? FF 1? ?? ?? ?? ?? 8B ?? 33 ?? 3B ?? 0F 84 }
- $block_45 = { 6A ?? BF ?? ?? ?? ?? 5? FF 7? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 8E }
- $block_46 = { 8B ?? ?? 8B ?? 0F B6 ?? ?? 6A ?? 5? 2B ?? 89 ?? ?? 33 ?? 4? 66 ?? ?? 75 }
- $block_47 = { 8D ?? ?? ?? 5? 5? C7 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_48 = { 83 ?? ?? ?? 8D ?? ?? 5? FF 7? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_49 = { 8B ?? ?? 6A ?? 68 ?? ?? ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 8E }
- $block_50 = { 8D ?? ?? 5? 8B ?? ?? 8B ?? ?? FF 3? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_51 = { 0F B7 ?? ?? 83 ?? ?? ?? 5? 5? 0F B7 ?? ?? 8D ?? ?? ?? 89 ?? ?? 85 ?? 7E }
- $block_52 = { 8D ?? ?? ?? ?? ?? ?? 9? 8B ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_53 = { 5? 5? FF 1? ?? ?? ?? ?? 5? FF 7? ?? 33 ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_54 = { 6A ?? 68 ?? ?? ?? ?? FF 7? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 8E }
- $block_55 = { 8D ?? ?? 5? 0F B7 ?? 5? 8D ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 84 ?? 74 }
- $block_56 = { 5? 68 ?? ?? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_57 = { 2B ?? 5? 83 ?? ?? 5? 6A ?? 89 ?? ?? FF D? 5? FF D? 8B ?? 85 ?? 0F 84 }
- $block_58 = { 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? 66 ?? ?? 75 }
- $block_59 = { 0F 31 89 ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 33 ?? EB }
- $block_60 = { 8B ?? ?? 8B ?? ?? 6A ?? 6A ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_61 = { 6A ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 88 }
- $block_62 = { 6A ?? 6A ?? C7 ?? ?? ?? ?? ?? ?? FF D? 5? FF D? 8B ?? 85 ?? 0F 84 }
- $block_63 = { FF 7? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? 3B ?? 0F 84 }
- $block_64 = { 8B ?? ?? 6A ?? 6A ?? 89 ?? ?? FF D? 5? FF D? 89 ?? ?? 85 ?? 0F 84 }
- $block_65 = { FF 7? ?? 8B ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_66 = { 5? 8B ?? 83 ?? ?? 83 ?? ?? ?? 5? 8B ?? ?? 5? 5? 8B ?? ?? 0F 8C }
- $block_67 = { 8B ?? ?? 5? 6A ?? 89 ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_68 = { 0F B7 ?? ?? 5? FF 1? ?? ?? ?? ?? B9 ?? ?? ?? ?? 66 ?? ?? 0F 87 }
- $block_69 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 5? 33 ?? F6 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_70 = { 5? 8B ?? 5? 5? 66 ?? ?? ?? ?? 5? 5? 5? 8B ?? C6 ?? ?? ?? 0F 82 }
- $block_71 = { 0F B7 ?? ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? 33 ?? 66 ?? ?? ?? 75 }
- $block_72 = { 8B ?? ?? 6A ?? 6A ?? 89 ?? FF D? 5? FF D? 89 ?? ?? 85 ?? 0F 84 }
- $block_73 = { 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? 83 ?? ?? 66 ?? ?? 75 }
- $block_74 = { 0F B7 ?? ?? 33 ?? 83 ?? ?? 33 ?? 33 ?? 89 ?? ?? 3B ?? 0F 8C }
- $block_75 = { 8D ?? ?? 5? FF 7? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_76 = { FF 7? ?? 6A ?? FF D? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_77 = { 0F B6 ?? 8A ?? ?? ?? ?? ?? FE ?? F6 ?? 88 ?? ?? 80 F? ?? 72 }
- $block_78 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 5? 33 ?? 89 ?? ?? 39 ?? ?? 0F 84 }
- $block_79 = { 5? 5? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_80 = { 0F B7 ?? ?? 03 ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? 0F 85 }
- $block_81 = { 5? 68 ?? ?? ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 8E }
- $block_82 = { 6A ?? 6A ?? 5? 5? 8D ?? ?? ?? ?? ?? 5? FF D? 85 ?? 0F 84 }
- $block_83 = { 5? 6A ?? 6A ?? FF D? 5? FF D? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_84 = { 5? 68 ?? ?? ?? ?? 6A ?? FF D? 5? FF D? 8B ?? 85 ?? 0F 84 }
- $block_85 = { 8B ?? ?? 83 ?? ?? 33 ?? 8B ?? F3 ?? 8B ?? ?? 0F 94 ?? 89 }
- $block_86 = { 0F B7 ?? ?? 83 ?? ?? ?? 2B ?? 4? 89 ?? ?? 8B ?? 32 ?? 8D }
- $block_87 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_88 = { 6A ?? 8D ?? ?? 5? 6A ?? 5? 5? FF 7? ?? FF D? 85 ?? 0F 85 }
- $block_89 = { 8B ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_90 = { 8B ?? ?? 33 ?? 85 ?? 0F 94 ?? 8B ?? 89 ?? 85 ?? 0F 84 }
- $block_91 = { 68 ?? ?? ?? ?? 6A ?? FF D? 5? FF D? 8B ?? 85 ?? 0F 84 }
- $block_92 = { 8D ?? ?? 5? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_93 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 5? 8B ?? 5? 5? C9 C2 }
- $block_94 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 33 ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_95 = { 33 ?? 83 ?? ?? 0F 95 ?? 89 ?? ?? 4? 89 ?? 33 ?? EB }
- $block_96 = { 0F B7 ?? ?? 2B ?? 4? 83 ?? ?? ?? 89 ?? ?? 8B ?? 8D }
- $block_97 = { 5? 5? 6A ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_98 = { 0F B7 ?? 66 ?? ?? 83 ?? ?? 83 ?? ?? 66 ?? ?? 75 }
- $block_99 = { 5? 6A ?? 6A ?? FF D? 5? FF D? 8B ?? 85 ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648" or
- hash.sha256(0, filesize) == "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93" or
- 12 of them
-}
diff --git a/yara-mikesxrs/Checkpoint/TeamViwer_backdoor.yar b/yara-mikesxrs/Checkpoint/TeamViwer_backdoor.yar
deleted file mode 100644
index 8a49fb3..0000000
--- a/yara-mikesxrs/Checkpoint/TeamViwer_backdoor.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule TeamViwer_backdoor
-{
-
-meta:
-date = "2019-04-14"
-description = "Detects malicious TeamViewer DLLs"
-reference = "https://research.checkpoint.com/2019/finteam-trojanized-teamviewer-against-government-targets/"
-
-strings:
-
-// PostMessageW hook function
-$x1 = {55 8b ec 8b 45 0c 3d 12 01 00 00 75 05 83 c8 ff eb 12 8b 55 14 52 8b 55 10 52 50 8b 45 08 50 e8}
-
-condition:
-uint16(0) == 0x5a4d and $x1
-}
diff --git a/yara-mikesxrs/Checkpoint/ZZ_breakwin_config.yar b/yara-mikesxrs/Checkpoint/ZZ_breakwin_config.yar
deleted file mode 100644
index fcab6f7..0000000
--- a/yara-mikesxrs/Checkpoint/ZZ_breakwin_config.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-rule ZZ_breakwin_config {
- meta:
- description = "Detects the header of the encrypted config files, assuming known encryption key."
- reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
- author = "Check Point Research"
- date = "22-07-2021"
- hash = "948febaab71727217303e0aabb9126f242aa51f89caa7f070a3da76c4f5699ed"
- hash = "2d35bb7c02062ff2fba4424a267c5c83351405281a1870f52d02f3712a547a22"
- hash = "68e95a3ccde3ea22b8eb8adcf0ad53c7993b2ea5316948e31d9eadd11b5151d7"
- strings:
- $conf_header = {1A 69 45 47 5E 46 4A 06 03 E4 34 0B 06 1D ED 2F 02 15 02 E5 57 4D 59 59 D1 40 20 22}
- condition:
- $conf_header at 0
-}
diff --git a/yara-mikesxrs/Checkpoint/ZZ_breakwin_meteor_batch_files.yar b/yara-mikesxrs/Checkpoint/ZZ_breakwin_meteor_batch_files.yar
deleted file mode 100644
index 1bb9026..0000000
--- a/yara-mikesxrs/Checkpoint/ZZ_breakwin_meteor_batch_files.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule ZZ_breakwin_meteor_batch_files {
- meta:
- description = "Detect the batch files used in the attacks"
- reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
- author = "Check Point Research"
- date = "22-07-2021"
- strings:
- $filename_0 = "mscap.bmp"
- $filename_1 = "mscap.jpg"
- $filename_2 = "msconf.conf"
- $filename_3 = "msmachine.reg"
- $filename_4 = "mssetup.exe"
- $filename_5 = "msuser.reg"
- $filename_6 = "msapp.exe"
- $filename_7 = "bcd.rar"
- $filename_8 = "bcd.bat"
- $filename_9 = "msrun.bat"
- $command_line_0 = "powershell -Command \"%exclude_command% '%defender_exclusion_folder%"
- $command_line_1 = "start /b \"\" update.bat hackemall"
- condition:
- 4 of ($filename_*) or
- any of ($command_line_*)
-}
diff --git a/yara-mikesxrs/Checkpoint/ZZ_breakwin_stardust_vbs.yar b/yara-mikesxrs/Checkpoint/ZZ_breakwin_stardust_vbs.yar
deleted file mode 100644
index cc93fa1..0000000
--- a/yara-mikesxrs/Checkpoint/ZZ_breakwin_stardust_vbs.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule ZZ_breakwin_stardust_vbs {
- meta:
- description = "Detect the VBS files that where found in the attacks on targets in Syria"
- reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
- author = "Check Point Research"
- date = "22-07-2021"
- hash = "38a419cd9456e40961c781e16ceee99d970be4e9235ccce0b316efe68aba3933"
- hash = "62a984981d14b562939294df9e479ac0d65dfc412d0449114ccb2a0bc93769b0"
- hash = "4d994b864d785abccef829d84f91d949562d0af934114b65056315bf59c1ef58"
- hash = "eb5237d56c0467b5def9a92e445e34eeed9af2fee28f3a2d2600363724d6f8b0"
- hash = "5553ba3dc141cd63878a7f9f0a0e67fb7e887010c0614efd97bbc6c0be9ec2ad"
- strings:
- $url_template = "progress.php?hn=\" & CN & \"&dt=\" & DT & \"&st="
- $compression_password_1 = "YWhZMFU1VlZGdGNFNWlhMVlVMnhTMWtOVlJVWWNGTk9iVTQxVW10V0ZFeFJUMD0r"
- $compression_password_2 = "YWlvcyBqQCNAciNxIGpmc2FkKnIoOUZURjlVSjBSRjJRSlJGODlKSDIzRmloIG8"
- $uninstall_kaspersky = "Shell.Run \"msiexec.exe /x \" & productcode & \" KLLOGIN="
- $is_avp_running = "isProcessRunning(\".\", \"avp.exe\") Then"
- condition:
- any of them
-}
diff --git a/yara-mikesxrs/Checkpoint/ZZ_breakwin_wiper.yar b/yara-mikesxrs/Checkpoint/ZZ_breakwin_wiper.yar
deleted file mode 100644
index cbd5058..0000000
--- a/yara-mikesxrs/Checkpoint/ZZ_breakwin_wiper.yar
+++ /dev/null
@@ -1,120 +0,0 @@
-rule ZZ_breakwin_wiper {
- meta:
- description = "Detects the BreakWin wiper that was used in attacks in Syria"
- reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
- author = "Check Point Research"
- date = "22-07-2021"
- hash = "2aa6e42cb33ec3c132ffce425a92dfdb5e29d8ac112631aec068c8a78314d49b"
- hash = "6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4"
- hash = "d71cc6337efb5cbbb400d57c8fdeb48d7af12a292fa87a55e8705d18b09f516e"
- strings:
- $debug_str_meteor_1 = "the program received an invalid number of arguments" wide
- $debug_str_meteor_2 = "End interval logger. Resuming writing every log" wide
- $debug_str_meteor_0 = "failed to initialize configuration from file" wide
- $debug_str_meteor_3 = "Meteor is still alive." wide
- $debug_str_meteor_4 = "Exiting main function because of some error" wide
- $debug_str_meteor_5 = "Meteor has finished. This shouldn't be possible because of the is-alive loop." wide
- $debug_str_meteor_6 = "Meteor has started." wide
- $debug_str_meteor_7 = "Could not hide current console." wide
- $debug_str_meteor_8 = "Could not get the window handle used by the console." wide
- $debug_str_meteor_9 = "Failed to find base-64 data size" wide
- $debug_str_meteor_10 = "Running locker thread" wide
- $debug_str_meteor_11 = "Failed to encode wide-character string as Base64" wide
- $debug_str_meteor_12 = "Wiper operation failed." wide
- $debug_str_meteor_13 = "Screen saver disable failed." wide
- $debug_str_meteor_14 = "Failed to generate password of length %s. Generating a default one." wide
- $debug_str_meteor_15 = "Failed to delete boot configuration" wide
- $debug_str_meteor_16 = "Could not delete all BCD entries." wide
- $debug_str_meteor_17 = "Finished deleting BCD entries." wide
- $debug_str_meteor_18 = "Failed to change lock screen" wide
- $debug_str_meteor_19 = "Boot configuration deleted successfully" wide
- $debug_str_meteor_20 = "Failed to kill all winlogon processes" wide
- $debug_str_meteor_21 = "Changing passwords of all users to" wide
- $debug_str_meteor_22 = "Failed to change the passwords of all users" wide
- $debug_str_meteor_23 = "Failed to run the locker thread" wide
- $debug_str_meteor_24 = "Screen saver disabled successfully." wide
- $debug_str_meteor_25 = "Generating random password failed" wide
- $debug_str_meteor_26 = "Locker installation failed" wide
- $debug_str_meteor_27 = "Failed to set auto logon." wide
- $debug_str_meteor_28 = "Failed to initialize interval logger. Using a dummy logger instead." wide
- $debug_str_meteor_29 = "Succeeded setting auto logon for" wide
- $debug_str_meteor_30 = "Failed disabling the first logon privacy settings user approval." wide
- $debug_str_meteor_31 = "Failed disabling the first logon animation." wide
- $debug_str_meteor_32 = "Waiting for new winlogon process" wide
- $debug_str_meteor_33 = "Failed to isolate from domain" wide
- $debug_str_meteor_34 = "Failed creating scheduled task for system with name %s." wide
- $debug_str_meteor_35 = "Failed to get the new token of winlogon." wide
- $debug_str_meteor_36 = "Failed adding new admin user." wide
- $debug_str_meteor_37 = "Failed changing settings for the created new user." wide
- $debug_str_meteor_38 = "Failed disabling recovery mode." wide
- $debug_str_meteor_39 = "Logging off users on Windows version 8 or above" wide
- $debug_str_meteor_40 = "Succeeded setting boot policy to ignore all errors." wide
- $debug_str_meteor_41 = "Succeeded creating scheduled task for system with name" wide
- $debug_str_meteor_42 = "Succeeded disabling recovery mode" wide
- $debug_str_meteor_43 = "Failed to log off all sessions" wide
- $debug_str_meteor_44 = "Failed to delete shadowcopies." wide
- $debug_str_meteor_45 = "Failed logging off session: " wide
- $debug_str_meteor_46 = "Failed setting boot policy to ignore all errors." wide
- $debug_str_meteor_47 = "Successfully logged off all local sessions, except winlogon." wide
- $debug_str_meteor_48 = "Succeeded creating scheduled task with name %s for user %s." wide
- $debug_str_meteor_49 = "Killing all winlogon processes" wide
- $debug_str_meteor_50 = "Logging off users in Windows 7" wide
- $debug_str_meteor_51 = "Failed logging off all local sessions, except winlogon." wide
- $debug_str_meteor_52 = "Failed creating scheduled task with name %s for user %s." wide
- $debug_str_meteor_53 = "Succeeded deleting shadowcopies." wide
- $debug_str_meteor_54 = "Logging off users in Windows XP" wide
- $debug_str_meteor_55 = "Failed changing settings for the created new user." wide
- $debug_str_meteor_56 = "Could not open file %s. error message: %s" wide
- $debug_str_meteor_57 = "Could not write to file %s. error message: %s" wide
- $debug_str_meteor_58 = "tCould not tell file pointer location on file %s." wide
- $debug_str_meteor_59 = "Could not set file pointer location on file %s to offset %s." wide
- $debug_str_meteor_60 = "Could not read from file %s. error message: %s" wide
- $debug_str_meteor_61 = "Failed to wipe file %s" wide
- $debug_str_meteor_62 = "attempted to access encrypted file in offset %s, but it only supports offset 0" wide
- $debug_str_meteor_63 = "Failed to create thread. Error message: %s" wide
- $debug_str_meteor_64 = "Failed to wipe file %s" wide
- $debug_str_meteor_65 = "failed to get configuration value with key %s" wide
- $debug_str_meteor_66 = "failed to parse the configuration from file %s" wide
- $debug_str_meteor_67 = "Failed posting to server, received unknown exception" wide
- $debug_str_meteor_68 = "Failed posting to server, received std::exception" wide
- $debug_str_meteor_69 = "Skipping %s logs. Writing log number %s:" wide
- $debug_str_meteor_70 = "Start interval logger. Writing logs with an interval of %s logs." wide
- $debug_str_meteor_71 = "failed to write message to log file %s" wide
- $debug_str_meteor_72 = "The log message is too big: %s/%s characters." wide
- $debug_str_stardust_0 = "Stardust has started." wide
- $debug_str_stardust_1 = "0Vy0qMGO" ascii wide
- $debug_str_comet_0 = "Comet has started." wide
- $debug_str_comet_1 = "Comet has finished." wide
- $str_lock_my_pc = "Lock My PC 4" ascii wide
- $config_entry_0 = "state_path" ascii
- $config_entry_1 = "state_encryption_key" ascii
- $config_entry_2 = "log_server_port" ascii
- $config_entry_3 = "log_file_path" ascii
- $config_entry_4 = "log_encryption_key" ascii
- $config_entry_5 = "log_server_ip" ascii
- $config_entry_6 = "processes_to_kill" ascii
- $config_entry_7 = "process_termination_timeout" ascii
- $config_entry_8 = "paths_to_wipe" ascii
- $config_entry_9 = "wiping_stage_logger_interval" ascii
- $config_entry_10 = "locker_exe_path" ascii
- $config_entry_11 = "locker_background_image_jpg_path" ascii
- $config_entry_12 = "auto_logon_path" ascii
- $config_entry_13 = "locker_installer_path" ascii
- $config_entry_14 = "locker_password_hash" ascii
- $config_entry_15 = "users_password" ascii
- $config_entry_16 = "locker_background_image_bmp_path" ascii
- $config_entry_17 = "locker_registry_settings_files" ascii
- $config_entry_18 = "cleanup_script_path" ascii
- $config_entry_19 = "is_alive_loop_interval" ascii
- $config_entry_20 = "cleanup_scheduled_task_name" ascii
- $config_entry_21 = "self_scheduled_task_name" ascii
- $encryption_asm = {33 D2 8B C3 F7 75 E8 8B 41 04 8B 4E 04 8A 04 02 02 C3 32 04 1F 88 45 F3 39 4E 08}
- $random_string_generation = {33 D2 59 F7 F1 83 ?? ?? 08 66 0F BE 82 ?? ?? ?? 00 0F B7 C8 8B C7}
- condition:
- uint16(0) == 0x5A4D and
- (
- 6 of them or
- $encryption_asm or
- $random_string_generation
- )
-}
diff --git a/yara-mikesxrs/Checkpoint/apt3_bemstour_implant_byte_patch.yar b/yara-mikesxrs/Checkpoint/apt3_bemstour_implant_byte_patch.yar
deleted file mode 100644
index b5d06ac..0000000
--- a/yara-mikesxrs/Checkpoint/apt3_bemstour_implant_byte_patch.yar
+++ /dev/null
@@ -1,39 +0,0 @@
-rule apt3_bemstour_implant_byte_patch
-{
-meta:
-
-description = "Detects an implant used by Bemstour exploitation tool (APT3)"
-reference = "https://research.checkpoint.com/2019/upsynergy/"
-author = "Mark Lechtik"
-company = "Check Point Software Technologies LTD."
-date = "2019-06-25"
-sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"
-
-/*
-
-0x41b7e1L C745B8558BEC83 mov dword ptr [ebp - 0x48], 0x83ec8b55
-0x41b7e8L C745BCEC745356 mov dword ptr [ebp - 0x44], 0x565374ec
-0x41b7efL C745C08B750833 mov dword ptr [ebp - 0x40], 0x3308758b
-0x41b7f6L C745C4C957C745 mov dword ptr [ebp - 0x3c], 0x45c757c9
-0x41b7fdL C745C88C4C6F61 mov dword ptr [ebp - 0x38], 0x616f4c8c
-
-*/
-
-strings:
-
-$chunk_1 = {
-
-C7 45 ?? 55 8B EC 83
-C7 45 ?? EC 74 53 56
-C7 45 ?? 8B 75 08 33
-C7 45 ?? C9 57 C7 45
-C7 45 ?? 8C 4C 6F 61
-
-}
-
-condition:
- any of them
-}
-
-
-
diff --git a/yara-mikesxrs/Checkpoint/apt3_bemstour_implant_command_stack_variable.yar b/yara-mikesxrs/Checkpoint/apt3_bemstour_implant_command_stack_variable.yar
deleted file mode 100644
index b0d0721..0000000
--- a/yara-mikesxrs/Checkpoint/apt3_bemstour_implant_command_stack_variable.yar
+++ /dev/null
@@ -1,169 +0,0 @@
-rule apt3_bemstour_implant_command_stack_variable
-{
-meta:
-
-description = "Detecs an implant used by Bemstour exploitation tool (APT3)"
-reference = "https://research.checkpoint.com/2019/upsynergy/"
-author = "Mark Lechtik"
-company = "Check Point Software Technologies LTD."
-date = "2019-06-25"
-sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"
-
-
-strings:
-
-
-/*
-
-0x41ba18L C78534FFFFFF636D642E mov dword ptr [ebp - 0xcc], 0x2e646d63
-0x41ba22L C78538FFFFFF65786520 mov dword ptr [ebp - 0xc8], 0x20657865
-0x41ba2cL C7853CFFFFFF2F632063 mov dword ptr [ebp - 0xc4], 0x6320632f
-0x41ba36L C78540FFFFFF6F707920 mov dword ptr [ebp - 0xc0], 0x2079706f
-0x41ba40L C78544FFFFFF2577696E mov dword ptr [ebp - 0xbc], 0x6e697725
-0x41ba4aL C78548FFFFFF64697225 mov dword ptr [ebp - 0xb8], 0x25726964
-0x41ba54L C7854CFFFFFF5C737973 mov dword ptr [ebp - 0xb4], 0x7379735c
-0x41ba5eL C78550FFFFFF74656D33 mov dword ptr [ebp - 0xb0], 0x336d6574
-0x41ba68L C78554FFFFFF325C636D mov dword ptr [ebp - 0xac], 0x6d635c32
-0x41ba72L C78558FFFFFF642E6578 mov dword ptr [ebp - 0xa8], 0x78652e64
-0x41ba7cL C7855CFFFFFF65202577 mov dword ptr [ebp - 0xa4], 0x77252065
-0x41ba86L C78560FFFFFF696E6469 mov dword ptr [ebp - 0xa0], 0x69646e69
-0x41ba90L C78564FFFFFF72255C73 mov dword ptr [ebp - 0x9c], 0x735c2572
-0x41ba9aL C78568FFFFFF79737465 mov dword ptr [ebp - 0x98], 0x65747379
-0x41baa4L C7856CFFFFFF6D33325C mov dword ptr [ebp - 0x94], 0x5c32336d
-0x41baaeL C78570FFFFFF73657468 mov dword ptr [ebp - 0x90], 0x68746573
-0x41bab8L C78574FFFFFF632E6578 mov dword ptr [ebp - 0x8c], 0x78652e63
-0x41bac2L C78578FFFFFF65202F79 mov dword ptr [ebp - 0x88], 0x792f2065
-0x41baccL 83A57CFFFFFF00 and dword ptr [ebp - 0x84], 0
-
-*/
-
-$chunk_1 = {
-
-C7 85 ?? ?? ?? ?? 63 6D 64 2E
-C7 85 ?? ?? ?? ?? 65 78 65 20
-C7 85 ?? ?? ?? ?? 2F 63 20 63
-C7 85 ?? ?? ?? ?? 6F 70 79 20
-C7 85 ?? ?? ?? ?? 25 77 69 6E
-C7 85 ?? ?? ?? ?? 64 69 72 25
-C7 85 ?? ?? ?? ?? 5C 73 79 73
-C7 85 ?? ?? ?? ?? 74 65 6D 33
-C7 85 ?? ?? ?? ?? 32 5C 63 6D
-C7 85 ?? ?? ?? ?? 64 2E 65 78
-C7 85 ?? ?? ?? ?? 65 20 25 77
-C7 85 ?? ?? ?? ?? 69 6E 64 69
-C7 85 ?? ?? ?? ?? 72 25 5C 73
-C7 85 ?? ?? ?? ?? 79 73 74 65
-C7 85 ?? ?? ?? ?? 6D 33 32 5C
-C7 85 ?? ?? ?? ?? 73 65 74 68
-C7 85 ?? ?? ?? ?? 63 2E 65 78
-C7 85 ?? ?? ?? ?? 65 20 2F 79
-83 A5 ?? ?? ?? ?? 00
-}
-
-
-
-
-/*
-
-0x41baeeL C785D8FEFFFF636D6420 mov dword ptr [ebp - 0x128], 0x20646d63
-0x41baf8L C785DCFEFFFF2F632022 mov dword ptr [ebp - 0x124], 0x2220632f
-0x41bb02L C785E0FEFFFF6E657420 mov dword ptr [ebp - 0x120], 0x2074656e
-0x41bb0cL C785E4FEFFFF75736572 mov dword ptr [ebp - 0x11c], 0x72657375
-0x41bb16L C785E8FEFFFF20636573 mov dword ptr [ebp - 0x118], 0x73656320
-0x41bb20L C785ECFEFFFF73757070 mov dword ptr [ebp - 0x114], 0x70707573
-0x41bb2aL C785F0FEFFFF6F727420 mov dword ptr [ebp - 0x110], 0x2074726f
-0x41bb34L C785F4FEFFFF3171617A mov dword ptr [ebp - 0x10c], 0x7a617131
-0x41bb3eL C785F8FEFFFF23454443 mov dword ptr [ebp - 0x108], 0x43444523
-0x41bb48L C785FCFEFFFF202F6164 mov dword ptr [ebp - 0x104], 0x64612f20
-0x41bb52L C78500FFFFFF64202626 mov dword ptr [ebp - 0x100], 0x26262064
-0x41bb5cL C78504FFFFFF206E6574 mov dword ptr [ebp - 0xfc], 0x74656e20
-0x41bb66L C78508FFFFFF206C6F63 mov dword ptr [ebp - 0xf8], 0x636f6c20
-0x41bb70L C7850CFFFFFF616C6772 mov dword ptr [ebp - 0xf4], 0x72676c61
-0x41bb7aL C78510FFFFFF6F757020 mov dword ptr [ebp - 0xf0], 0x2070756f
-0x41bb84L C78514FFFFFF61646D69 mov dword ptr [ebp - 0xec], 0x696d6461
-0x41bb8eL C78518FFFFFF6E697374 mov dword ptr [ebp - 0xe8], 0x7473696e
-0x41bb98L C7851CFFFFFF7261746F mov dword ptr [ebp - 0xe4], 0x6f746172
-0x41bba2L C78520FFFFFF72732063 mov dword ptr [ebp - 0xe0], 0x63207372
-0x41bbacL C78524FFFFFF65737375 mov dword ptr [ebp - 0xdc], 0x75737365
-0x41bbb6L C78528FFFFFF70706F72 mov dword ptr [ebp - 0xd8], 0x726f7070
-0x41bbc0L C7852CFFFFFF74202F61 mov dword ptr [ebp - 0xd4], 0x612f2074
-0x41bbcaL C78530FFFFFF64642200 mov dword ptr [ebp - 0xd0], 0x226464
-0x41bbd4L 6A5C push 0x5c
-
-*/
-
-$chunk_2 = {
-
-C7 85 ?? ?? ?? ?? 63 6D 64 20
-C7 85 ?? ?? ?? ?? 2F 63 20 22
-C7 85 ?? ?? ?? ?? 6E 65 74 20
-C7 85 ?? ?? ?? ?? 75 73 65 72
-C7 85 ?? ?? ?? ?? 20 63 65 73
-C7 85 ?? ?? ?? ?? 73 75 70 70
-C7 85 ?? ?? ?? ?? 6F 72 74 20
-C7 85 ?? ?? ?? ?? 31 71 61 7A
-C7 85 ?? ?? ?? ?? 23 45 44 43
-C7 85 ?? ?? ?? ?? 20 2F 61 64
-C7 85 ?? ?? ?? ?? 64 20 26 26
-C7 85 ?? ?? ?? ?? 20 6E 65 74
-C7 85 ?? ?? ?? ?? 20 6C 6F 63
-C7 85 ?? ?? ?? ?? 61 6C 67 72
-C7 85 ?? ?? ?? ?? 6F 75 70 20
-C7 85 ?? ?? ?? ?? 61 64 6D 69
-C7 85 ?? ?? ?? ?? 6E 69 73 74
-C7 85 ?? ?? ?? ?? 72 61 74 6F
-C7 85 ?? ?? ?? ?? 72 73 20 63
-C7 85 ?? ?? ?? ?? 65 73 73 75
-C7 85 ?? ?? ?? ?? 70 70 6F 72
-C7 85 ?? ?? ?? ?? 74 20 2F 61
-C7 85 ?? ?? ?? ?? 64 64 22 00
-6A 5C
-
-}
-
-/*
-
-0x41be22L C745D057696E45 mov dword ptr [ebp - 0x30], 0x456e6957
-0x41be29L C745D478656300 mov dword ptr [ebp - 0x2c], 0x636578
-0x41be30L C7459C47657450 mov dword ptr [ebp - 0x64], 0x50746547
-0x41be37L C745A0726F6341 mov dword ptr [ebp - 0x60], 0x41636f72
-0x41be3eL C745A464647265 mov dword ptr [ebp - 0x5c], 0x65726464
-0x41be45L C745A873730000 mov dword ptr [ebp - 0x58], 0x7373
-0x41be4cL C745C443726561 mov dword ptr [ebp - 0x3c], 0x61657243
-0x41be53L C745C874654669 mov dword ptr [ebp - 0x38], 0x69466574
-0x41be5aL C745CC6C654100 mov dword ptr [ebp - 0x34], 0x41656c
-0x41be61L C745B857726974 mov dword ptr [ebp - 0x48], 0x74697257
-0x41be68L C745BC6546696C mov dword ptr [ebp - 0x44], 0x6c694665
-0x41be6fL C745C065000000 mov dword ptr [ebp - 0x40], 0x65
-0x41be76L C745AC436C6F73 mov dword ptr [ebp - 0x54], 0x736f6c43
-0x41be7dL C745B06548616E mov dword ptr [ebp - 0x50], 0x6e614865
-0x41be84L C745B4646C6500 mov dword ptr [ebp - 0x4c], 0x656c64
-0x41be8bL 894DE8 mov dword ptr [ebp - 0x18], ecx
-
-*/
-
-$chunk_3 = {
-
-C7 45 ?? 57 69 6E 45
-C7 45 ?? 78 65 63 00
-C7 45 ?? 47 65 74 50
-C7 45 ?? 72 6F 63 41
-C7 45 ?? 64 64 72 65
-C7 45 ?? 73 73 00 00
-C7 45 ?? 43 72 65 61
-C7 45 ?? 74 65 46 69
-C7 45 ?? 6C 65 41 00
-C7 45 ?? 57 72 69 74
-C7 45 ?? 65 46 69 6C
-C7 45 ?? 65 00 00 00
-C7 45 ?? 43 6C 6F 73
-C7 45 ?? 65 48 61 6E
-C7 45 ?? 64 6C 65 00
-89 4D ??
-
-}
-
-
-condition:
- any of them
-}
diff --git a/yara-mikesxrs/Checkpoint/apt3_bemstour_strings.yar b/yara-mikesxrs/Checkpoint/apt3_bemstour_strings.yar
deleted file mode 100644
index d8bdb58..0000000
--- a/yara-mikesxrs/Checkpoint/apt3_bemstour_strings.yar
+++ /dev/null
@@ -1,68 +0,0 @@
-rule apt3_bemstour_strings
-{
-meta:
-
-description = "Detects strings used by the Bemstour exploitation tool"
-reference = "https://research.checkpoint.com/2019/upsynergy/"
-author = "Mark Lechtik"
-company = "Check Point Software Technologies LTD."
-date = "2019-06-25"
-sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"
-strings:
-
-$dbg_print_1 = "leaked address is 0x%llx" ascii wide
-$dbg_print_2 = "========== %s ==========" ascii wide
-$dbg_print_3 = "detailVersion:%d" ascii wide
-$dbg_print_4 = "create pipe twice failed" ascii wide
-$dbg_print_5 = "WSAStartup function failed with error: %d" ascii wide
-$dbg_print_6 = "can't open input file." ascii wide
-$dbg_print_7 = "Allocate Buffer Failed." ascii wide
-$dbg_print_8 = "Connect to target failed." ascii wide
-$dbg_print_9 = "connect successful." ascii wide
-$dbg_print_10 = "not supported Platform" ascii wide
-$dbg_print_11 = "Wait several seconds." ascii wide
-$dbg_print_12 = "not set where to write ListEntry ." ascii wide
-$dbg_print_13 = "backdoor not installed." ascii wide
-$dbg_print_14 = "REConnect to target failed." ascii wide
-$dbg_print_15 = "Construct TreeConnectAndX Request Failed." ascii wide
-$dbg_print_16 = "Construct NTCreateAndXRequest Failed." ascii wide
-$dbg_print_17 = "Construct Trans2 Failed." ascii wide
-$dbg_print_18 = "Construct ConsWXR Failed." ascii wide
-$dbg_print_19 = "Construct ConsTransSecondary Failed." ascii wide
-$dbg_print_20 = "if you don't want to input password , use server2003 version.." ascii wide
-
-$cmdline_1 = "Command format %s TargetIp domainname username password 2" ascii wide
-$cmdline_2 = "Command format %s TargetIp domainname username password 1" ascii wide
-$cmdline_3 = "cmd.exe /c net user test test /add && cmd.exe /c net localgroup administrators test /add" ascii wide
-$cmdline_4 = "hello.exe \"C:\\WINDOWS\\DEBUG\\test.exe\"" ascii wide
-$cmdline_5 = "parameter not right" ascii wide
-
-$smb_param_1 = "browser" ascii wide
-$smb_param_2 = "spoolss" ascii wide
-$smb_param_3 = "srvsvc" ascii wide
-$smb_param_4 = "\\PIPE\\LANMAN" ascii wide
-$smb_param_5 = "Werttys for Workgroups 3.1a" ascii wide
-$smb_param_6 = "PC NETWORK PROGRAM 1.0" ascii wide
-$smb_param_7 = "LANMAN1.0" ascii wide
-$smb_param_8 = "LM1.2X002" ascii wide
-$smb_param_9 = "LANMAN2.1" ascii wide
-$smb_param_10 = "NT LM 0.12" ascii wide
-$smb_param_12 = "WORKGROUP" ascii wide
-$smb_param_13 = "Windows Server 2003 3790 Service Pack 2" ascii wide
-$smb_param_14 = "Windows Server 2003 5.2" ascii wide
-$smb_param_15 = "Windows 2002 Service Pack 2 2600" ascii wide
-$smb_param_16 = "Windows 2002 5.1" ascii wide
-$smb_param_17 = "PC NETWORK PROGRAM 1.0" ascii wide
-$smb_param_18 = "Windows 2002 5.1" ascii wide
-$smb_param_19 = "Windows for Workgroups 3.1a" ascii wide
-
-$unique_str_1 = "WIN-NGJ7GKNROVS"
-$unique_str_2 = "XD-A31C2E0087B2"
-
-condition:
- uint16(0) == 0x5a4d and (5 of ($dbg_print*) or 2 of ($cmdline*) or 1 of ($unique_str*)) and 3 of ($smb_param*)
-}
-
-
-
-
diff --git a/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_64bit_Loader.yar b/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_64bit_Loader.yar
deleted file mode 100644
index 5413ce0..0000000
--- a/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_64bit_Loader.yar
+++ /dev/null
@@ -1,34 +0,0 @@
-rule apt_CN_TwistedPanda_64bit_Loader {
- meta:
- author = "Check Point Research"
- description = "Detect the 64bit Loader DLL used by TwistedPanda"
- reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
- date = "2022-04-14"
- hash = "e0d4ef7190ff50e6ad2a2403c87cc37254498e8cc5a3b2b8798983b1b3cdc94f"
-
- strings:
- // 48 8D ?? ?? ?? ?? ?? ?? ?? lea rdx, ds:2[rdx*2]
- // 48 8B C1 mov rax, rcx
- // 48 81 ?? ?? ?? ?? ?? cmp rdx, 1000h
- // 72 ?? jb short loc_7FFDF0BA1B48
- $path_check = { 48 8D [6] 48 8B ?? 48 81 [5] 72 }
- // 48 8B D0 mov rdx, rax ; lpBuffer
- // 41 B8 F0 16 00 00 mov r8d, 16F0h ; nNumberOfBytesToRead
- // 48 8B CF mov rcx, rdi ; hFile
- // 48 8B D8 mov rbx, rax
- // FF ?? ?? ?? ?? call cs:ReadFile
- $shellcode_read = { 48 8B D0 41 B8 F0 16 00 00 48 8B CF 48 8B D8 FF}
- // BA F0 16 00 00 mov edx, 16F0h ; dwSize
- // 44 8D 4E 40 lea r9d, [rsi+40h] ; flProtect
- // 33 C9 xor ecx, ecx ; lpAddress
- // 41 B8 00 30 00 00 mov r8d, 3000h ; flAllocationType
- // FF ?? ?? ?? ?? ?? call cs:VirtualAlloc
- $shellcode_allocate = { BA F0 16 00 00 44 8D 4E 40 33 C9 41 B8 00 30 00 00 FF }
- condition:
- // MZ signature at offset 0 and ...
- uint16(0) == 0x5A4D and
-
- // ... PE signature at offset stored in MZ header at 0x3C
- uint32(uint32(0x3C)) == 0x00004550 and
- filesize < 3000KB and $path_check and $shellcode_allocate and $shellcode_read
-}
diff --git a/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_SPINNER_1.yar b/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_SPINNER_1.yar
deleted file mode 100644
index dfd48c3..0000000
--- a/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_SPINNER_1.yar
+++ /dev/null
@@ -1,33 +0,0 @@
-rule apt_CN_TwistedPanda_SPINNER_1 {
- meta:
- author = "Check Point Research"
- description = "Detect the obfuscated variant of SPINNER payload used by TwistedPanda"
- reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
- date = "2022-04-14"
- hash = "a9fb7bb40de8508606a318866e0e5ff79b98f314e782f26c7044622939dfde81"
-
- strings:
- // C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
- // C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
- // C6 mov byte ptr [eax], 0
- $config_init = { C7 ?? ?? ?? 00 00 00 C7 ?? ?? ?? 00 00 00 C6 }
- $c2_cmd_1 = { 01 00 03 10}
- $c2_cmd_2 = { 02 00 01 10}
- $c2_cmd_3 = { 01 00 01 10}
- // 8D 83 ?? ?? ?? ?? lea eax, xor_key[ebx]
- // 80 B3 ?? ?? ?? ?? ?? xor xor_key[ebx], 50h
- // 89 F1 mov ecx, esi ; this
- // 6A 01 push 1 ; Size
- // 50 push eax ; Src
- // E8 ?? ?? ?? ?? call str_append
- // 80 B3 ?? ?? ?? ?? ?? xor xor_key[ebx], 50h
- $decryption = { 8D 83 [4] 80 B3 [5] 89 F1 6A 01 50 E8 [4] 80 B3 }
-
- condition:
- // MZ signature at offset 0 and ...
- uint16(0) == 0x5A4D and
-
- // ... PE signature at offset stored in MZ header at 0x3C
- uint32(uint32(0x3C)) == 0x00004550 and
- filesize < 3000KB and #config_init > 10 and 2 of ($c2_cmd_*) and $decryption
-}
diff --git a/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_SPINNER_2.yar b/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_SPINNER_2.yar
deleted file mode 100644
index ee2792d..0000000
--- a/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_SPINNER_2.yar
+++ /dev/null
@@ -1,35 +0,0 @@
-rule apt_CN_TwistedPanda_SPINNER_2 {
- meta:
- author = "Check Point Research"
- description = "Detect an older variant of SPINNER payload used by TwistedPanda"
- reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
- date = "2022-04-14"
- hash = "28ecd1127bac08759d018787484b1bd16213809a2cc414514dc1ea87eb4c5ab8"
-
- strings:
- // C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
- // C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
- // C6 mov byte ptr [eax], 0
- $config_init = { C7 [3] 00 00 00 C7 [3] 00 00 00 C6 }
- $c2_cmd_1 = { 01 00 03 10 }
- $c2_cmd_2 = { 02 00 01 10 }
- $c2_cmd_3 = { 01 00 01 10 }
- $c2_cmd_4 = { 01 00 00 10 }
- $c2_cmd_5 = { 02 00 00 10 }
- // 80 B3 ?? ?? ?? ?? ?? xor ds:dd_encrypted_url[ebx], 50h
- // 8D BB ?? ?? ?? ?? lea edi, dd_encrypted_url[ebx]
- // 8B 56 14 mov edx, [esi+14h]
- // 8B C2 mov eax, edx
- // 8B 4E 10 mov ecx, [esi+10h]
- // 2B C1 sub eax, ecx
- // 83 F8 01 cmp eax, 1
- $decryption = { 80 B3 [5] 8D BB [4] 8B 56 14 8B C2 8B 4E 10 2B C1 83 F8 01 }
-
- condition:
- // MZ signature at offset 0 and ...
- uint16(0) == 0x5A4D and
-
- // ... PE signature at offset stored in MZ header at 0x3C
- uint32(uint32(0x3C)) == 0x00004550 and
- filesize < 3000KB and #config_init > 10 and 2 of ($c2_cmd_*) and $decryption
-}
diff --git a/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_droppers.yar b/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_droppers.yar
deleted file mode 100644
index 8262709..0000000
--- a/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_droppers.yar
+++ /dev/null
@@ -1,36 +0,0 @@
-rule apt_CN_TwistedPanda_droppers {
- meta:
- author = "Check Point Research"
- description = "Detect droppers used by TwistedPanda"
- reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
- date = "2022-04-14"
- hash = "59dea38da6e515af45d6df68f8959601e2bbf0302e35b7989e741e9aba2f0291"
- hash = "8b04479fdf22892cdfebd6e6fbed180701e036806ed0ddbe79f0b29f73449248"
- hash = "f29a0cda6e56fc0e26efa3b6628c6bcaa0819a3275a10e9da2a8517778152d66"
-
- strings:
- // 81 FA ?? ?? ?? ?? cmp edx, 4BED1896h
- // 75 ?? jnz short loc_140001829
- // E8 ?? ?? ?? ?? call sub_1400019D0
- // 48 89 05 ?? ?? ?? ?? mov cs:qword_14001ED38, rax
- // E? ?? ?? ?? ?? jmp loc_1400018DD
- $switch_control = { 81 FA [4] 75 ?? E8 [4] 48 89 05 [4] E? }
- // 41 0F ?? ?? movsx edx, byte ptr [r9]
- // 44 ?? ?? or r8d, edx
- // 41 ?? ?? 03 rol r8d, 3
- // 41 81 ?? ?? ?? ?? ?? xor r8d, 0EF112233h
- // 41 ?? ?? mov eax, r10d
- $byte_manipulation = { 41 0F [2] 44 [2] 41 [2] 03 41 81 [5] 41 }
- // %public%
- $stack_strings_1 = { 25 00 70 00 }
- $stack_strings_2 = { 75 00 62 00 }
- $stack_strings_3 = { 6C 00 69 00 }
- $stack_strings_4 = { 63 00 25 00 }
- condition:
- // MZ signature at offset 0 and ...
- uint16(0) == 0x5A4D and
-
- // ... PE signature at offset stored in MZ header at 0x3C
- uint32(uint32(0x3C)) == 0x00004550 and
- filesize < 3000KB and #switch_control > 8 and all of ($stack_strings_*) and $byte_manipulation
-}
diff --git a/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_loader.yar b/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_loader.yar
deleted file mode 100644
index 903b24b..0000000
--- a/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_loader.yar
+++ /dev/null
@@ -1,42 +0,0 @@
-rule apt_CN_TwistedPanda_loader {
- meta:
- author = "Check Point Research"
- reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
- description = "Detect loader used by TwistedPanda"
- date = "2022-04-14"
- hash = "5b558c5fcbed8544cb100bd3db3c04a70dca02eec6fedffd5e3dcecb0b04fba0"
- hash = "efa754450f199caae204ca387976e197d95cdc7e83641444c1a5a91b58ba6198"
-
- strings:
-
- // 6A 40 push 40h ; '@'
- // 68 00 30 00 00 push 3000h
- $seq1 = { 6A 40 68 00 30 00 00 }
-
- // 6A 00 push 0 ; lpOverlapped
- // 50 push eax ; lpNumberOfBytesRead
- // 6A 14 push 14h ; nNumberOfBytesToRead
- // 8D ?? ?? ?? ?? ?? lea eax, [ebp+Buffer]
- // 50 push eax ; lpBuffer
- // 53 push ebx ; hFile
- // FF 15 04 D0 4C 70 call ds:ReadFile
- $seq2 = { 6A 00 50 6A 14 8D ?? ?? ?? ?? ?? 50 53 FF }
- // 6A 00 push 0
- // 6A 00 push 0
- // 6A 03 push 3
- // 6A 00 push 0
- // 6A 03 push 3
- // 68 00 00 00 80 push 80000000h
- $seq3 = { 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 80 }
-
- // Decryption sequence
- $decryption = { 8B C? [2-3] F6 D? 1A C? [2-3] [2-3] 30 0? ?? 4? }
-
- condition:
- // MZ signature at offset 0 and ...
- uint16(0) == 0x5A4D and
-
- // ... PE signature at offset stored in MZ header at 0x3C
- uint32(uint32(0x3C)) == 0x00004550 and
- filesize < 3000KB and all of ($seq*) and $decryption
-}
diff --git a/yara-mikesxrs/Checkpoint/apt_WebAssistant_TcahfUpdate.yar b/yara-mikesxrs/Checkpoint/apt_WebAssistant_TcahfUpdate.yar
deleted file mode 100644
index bef2cc8..0000000
--- a/yara-mikesxrs/Checkpoint/apt_WebAssistant_TcahfUpdate.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule apt_WebAssistant_TcahfUpdate {
-meta:
- description = "Rule for detecting the fake WebAssistant and TcahfUpdate applications used to target the Uyghur minority"
- reference = "https://research.checkpoint.com/2021/uyghurs-a-turkic-ethnic-minority-in-china-targeted-via-fake-foundations/"
- version = "1.0"
- last_modified = "2021-05-06"
- hash = "2f7492423586a3061e5641b5b271ca54"
- hash = "1b5dbd351bb7159eb08868c46a3fe3a6"
- hash = "90fcbd5c904326466c3b6af1ca34aae1"
-strings:
- $url = {2f 00 63 00 67 00 69 00 2d 00 62 00 69 00 6e 00 2f [0-50] 2e 00 70 00 79 00 3f 00}
- $lib = "Newtonsoft.Json"
- $mac = "MACAddress Is Not NULL" wide
-condition:
- uint16(0)==0x5A4D and $url and $lib and $mac
- and filesize < 1MB
-}
diff --git a/yara-mikesxrs/Checkpoint/apt_nazar_component_guids.yar b/yara-mikesxrs/Checkpoint/apt_nazar_component_guids.yar
deleted file mode 100644
index 2097782..0000000
--- a/yara-mikesxrs/Checkpoint/apt_nazar_component_guids.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-rule apt_nazar_component_guids
-{
- meta:
- description = "Detect Nazar Components by COM Objects' GUID"
- author = "Itay Cohen"
- date = "2020-04-27"
- reference = ""
- reference2 = "https://research.checkpoint.com/2020/nazar-spirits-of-the-past/"
- hash = "1110c3e34b6bbaadc5082fabbdd69f492f3b1480724b879a3df0035ff487fd6f"
- hash = "1afe00b54856628d760b711534779da16c69f542ddc1bb835816aa92ed556390"
- hash = "2caedd0b2ea45761332a530327f74ca5b1a71301270d1e2e670b7fa34b6f338e"
- hash = "2fe9b76496a9480273357b6d35c012809bfa3ae8976813a7f5f4959402e3fbb6"
- hash = "460eba344823766fe7c8f13b647b4d5d979ce4041dd5cb4a6d538783d96b2ef8"
- hash = "4d0ab3951df93589a874192569cac88f7107f595600e274f52e2b75f68593bca"
- hash = "75e4d73252c753cd8e177820eb261cd72fecd7360cc8ec3feeab7bd129c01ff6"
- hash = "8fb9a22b20a338d90c7ceb9424d079a61ca7ccb7f78ffb7d74d2f403ae9fbeec"
- hash = "967ac245e8429e3b725463a5c4c42fbdf98385ee6f25254e48b9492df21f2d0b"
- hash = "be624acab7dfe6282bbb32b41b10a98b6189ab3a8d9520e7447214a7e5c27728"
- hash = "d34a996826ea5a028f5b4713c797247913f036ca0063cc4c18d8b04736fa0b65"
- hash = "d9801b4da1dbc5264e83029abb93e800d3c9971c650ecc2df5f85bcc10c7bd61"
- hash = "eb705459c2b37fba5747c73ce4870497aa1d4de22c97aaea4af38cdc899b51d3"
- strings:
- $guid1_godown = { 98 B3 E5 F6 DF E3 6B 49 A2 AD C2 0F EA 30 DB FE } // Godown.dll IID
- $guid2_godown = { 31 4B CB DB B8 21 0F 4A BC 69 0C 3C E3 B6 6D 00 } // Godown.dll CLSID
- $guid3_godown = { AF 94 4E B6 6B D5 B4 48 B1 78 AF 07 23 E7 2A B5 } // probably Godown
- $guid4_filesystem = { 79 27 AB 37 34 F2 9D 4D B3 FB 59 A3 FA CB 8D 60 } // Filesystem.dll CLSID
- $guid6_filesystem = { 2D A1 2B 77 62 8A D3 4D B3 E8 92 DA 70 2E 6F 3D } // Filesystem.dll TypeLib IID
- $guid5_filesystem = { AB D3 13 CF 1C 6A E8 4A A3 74 DE D5 15 5D 6A 88 } // Filesystem.dll
-
- condition:
- any of them
-}
diff --git a/yara-mikesxrs/Checkpoint/apt_nazar_svchost_commands.yar b/yara-mikesxrs/Checkpoint/apt_nazar_svchost_commands.yar
deleted file mode 100644
index e4ef01e..0000000
--- a/yara-mikesxrs/Checkpoint/apt_nazar_svchost_commands.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule apt_nazar_svchost_commands
-{
- meta:
- description = "Detect Nazar's svchost based on supported commands"
- author = "Itay Cohen"
- date = "2020-04-26"
- reference = ""
- reference2 = "https://research.checkpoint.com/2020/nazar-spirits-of-the-past/"
- hash = "2fe9b76496a9480273357b6d35c012809bfa3ae8976813a7f5f4959402e3fbb6"
- hash = "be624acab7dfe6282bbb32b41b10a98b6189ab3a8d9520e7447214a7e5c27728"
- strings:
- $str1 = { 33 31 34 00 36 36 36 00 33 31 33 00 }
- $str2 = { 33 31 32 00 33 31 35 00 35 35 35 00 }
- $str3 = { 39 39 39 00 35 39 39 00 34 39 39 00 }
- $str4 = { 32 30 39 00 32 30 31 00 32 30 30 00 }
- $str5 = { 31 39 39 00 31 31 39 00 31 38 39 00 31 33 39 00 33 31 31 00 }
- condition:
- 4 of them
-}
diff --git a/yara-mikesxrs/Checkpoint/checkpoint_index.yara b/yara-mikesxrs/Checkpoint/checkpoint_index.yara
deleted file mode 100644
index 175adf5..0000000
--- a/yara-mikesxrs/Checkpoint/checkpoint_index.yara
+++ /dev/null
@@ -1,206 +0,0 @@
-rule explosive_exe
-{
- meta:
- author = "Check Point Software Technologies Inc."
- info = "Explosive EXE"
- strings:
- $MZ = "MZ"
- $DLD_S = "DLD-S:"
- $DLD_E = "DLD-E:"
- condition:
- $MZ at 0 and all of them
-}
-
-import "pe"
-rule explosive_dll
-
-{
- meta:
- author = "Check Point Software Technologies Inc."
- info = "Explosive DLL"
- reference = "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf"
-
-
- condition:
- pe.DLL
- and ( pe.exports("PathProcess") or pe.exports("_PathProcess@4") ) and
-pe.exports("CON")
-}
-
-rule ZZ_breakwin_config {
- meta:
- description = "Detects the header of the encrypted config files, assuming known encryption key."
- reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
- author = "Check Point Research"
- date = "22-07-2021"
- hash = "948febaab71727217303e0aabb9126f242aa51f89caa7f070a3da76c4f5699ed"
- hash = "2d35bb7c02062ff2fba4424a267c5c83351405281a1870f52d02f3712a547a22"
- hash = "68e95a3ccde3ea22b8eb8adcf0ad53c7993b2ea5316948e31d9eadd11b5151d7"
- strings:
- $conf_header = {1A 69 45 47 5E 46 4A 06 03 E4 34 0B 06 1D ED 2F 02 15 02 E5 57 4D 59 59 D1 40 20 22}
- condition:
- $conf_header at 0
-}
-rule ZZ_breakwin_wiper {
- meta:
- description = "Detects the BreakWin wiper that was used in attacks in Syria"
- reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
- author = "Check Point Research"
- date = "22-07-2021"
- hash = "2aa6e42cb33ec3c132ffce425a92dfdb5e29d8ac112631aec068c8a78314d49b"
- hash = "6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4"
- hash = "d71cc6337efb5cbbb400d57c8fdeb48d7af12a292fa87a55e8705d18b09f516e"
- strings:
- $debug_str_meteor_1 = "the program received an invalid number of arguments" wide
- $debug_str_meteor_2 = "End interval logger. Resuming writing every log" wide
- $debug_str_meteor_0 = "failed to initialize configuration from file" wide
- $debug_str_meteor_3 = "Meteor is still alive." wide
- $debug_str_meteor_4 = "Exiting main function because of some error" wide
- $debug_str_meteor_5 = "Meteor has finished. This shouldn't be possible because of the is-alive loop." wide
- $debug_str_meteor_6 = "Meteor has started." wide
- $debug_str_meteor_7 = "Could not hide current console." wide
- $debug_str_meteor_8 = "Could not get the window handle used by the console." wide
- $debug_str_meteor_9 = "Failed to find base-64 data size" wide
- $debug_str_meteor_10 = "Running locker thread" wide
- $debug_str_meteor_11 = "Failed to encode wide-character string as Base64" wide
- $debug_str_meteor_12 = "Wiper operation failed." wide
- $debug_str_meteor_13 = "Screen saver disable failed." wide
- $debug_str_meteor_14 = "Failed to generate password of length %s. Generating a default one." wide
- $debug_str_meteor_15 = "Failed to delete boot configuration" wide
- $debug_str_meteor_16 = "Could not delete all BCD entries." wide
- $debug_str_meteor_17 = "Finished deleting BCD entries." wide
- $debug_str_meteor_18 = "Failed to change lock screen" wide
- $debug_str_meteor_19 = "Boot configuration deleted successfully" wide
- $debug_str_meteor_20 = "Failed to kill all winlogon processes" wide
- $debug_str_meteor_21 = "Changing passwords of all users to" wide
- $debug_str_meteor_22 = "Failed to change the passwords of all users" wide
- $debug_str_meteor_23 = "Failed to run the locker thread" wide
- $debug_str_meteor_24 = "Screen saver disabled successfully." wide
- $debug_str_meteor_25 = "Generating random password failed" wide
- $debug_str_meteor_26 = "Locker installation failed" wide
- $debug_str_meteor_27 = "Failed to set auto logon." wide
- $debug_str_meteor_28 = "Failed to initialize interval logger. Using a dummy logger instead." wide
- $debug_str_meteor_29 = "Succeeded setting auto logon for" wide
- $debug_str_meteor_30 = "Failed disabling the first logon privacy settings user approval." wide
- $debug_str_meteor_31 = "Failed disabling the first logon animation." wide
- $debug_str_meteor_32 = "Waiting for new winlogon process" wide
- $debug_str_meteor_33 = "Failed to isolate from domain" wide
- $debug_str_meteor_34 = "Failed creating scheduled task for system with name %s." wide
- $debug_str_meteor_35 = "Failed to get the new token of winlogon." wide
- $debug_str_meteor_36 = "Failed adding new admin user." wide
- $debug_str_meteor_37 = "Failed changing settings for the created new user." wide
- $debug_str_meteor_38 = "Failed disabling recovery mode." wide
- $debug_str_meteor_39 = "Logging off users on Windows version 8 or above" wide
- $debug_str_meteor_40 = "Succeeded setting boot policy to ignore all errors." wide
- $debug_str_meteor_41 = "Succeeded creating scheduled task for system with name" wide
- $debug_str_meteor_42 = "Succeeded disabling recovery mode" wide
- $debug_str_meteor_43 = "Failed to log off all sessions" wide
- $debug_str_meteor_44 = "Failed to delete shadowcopies." wide
- $debug_str_meteor_45 = "Failed logging off session: " wide
- $debug_str_meteor_46 = "Failed setting boot policy to ignore all errors." wide
- $debug_str_meteor_47 = "Successfully logged off all local sessions, except winlogon." wide
- $debug_str_meteor_48 = "Succeeded creating scheduled task with name %s for user %s." wide
- $debug_str_meteor_49 = "Killing all winlogon processes" wide
- $debug_str_meteor_50 = "Logging off users in Windows 7" wide
- $debug_str_meteor_51 = "Failed logging off all local sessions, except winlogon." wide
- $debug_str_meteor_52 = "Failed creating scheduled task with name %s for user %s." wide
- $debug_str_meteor_53 = "Succeeded deleting shadowcopies." wide
- $debug_str_meteor_54 = "Logging off users in Windows XP" wide
- $debug_str_meteor_55 = "Failed changing settings for the created new user." wide
- $debug_str_meteor_56 = "Could not open file %s. error message: %s" wide
- $debug_str_meteor_57 = "Could not write to file %s. error message: %s" wide
- $debug_str_meteor_58 = "tCould not tell file pointer location on file %s." wide
- $debug_str_meteor_59 = "Could not set file pointer location on file %s to offset %s." wide
- $debug_str_meteor_60 = "Could not read from file %s. error message: %s" wide
- $debug_str_meteor_61 = "Failed to wipe file %s" wide
- $debug_str_meteor_62 = "attempted to access encrypted file in offset %s, but it only supports offset 0" wide
- $debug_str_meteor_63 = "Failed to create thread. Error message: %s" wide
- $debug_str_meteor_64 = "Failed to wipe file %s" wide
- $debug_str_meteor_65 = "failed to get configuration value with key %s" wide
- $debug_str_meteor_66 = "failed to parse the configuration from file %s" wide
- $debug_str_meteor_67 = "Failed posting to server, received unknown exception" wide
- $debug_str_meteor_68 = "Failed posting to server, received std::exception" wide
- $debug_str_meteor_69 = "Skipping %s logs. Writing log number %s:" wide
- $debug_str_meteor_70 = "Start interval logger. Writing logs with an interval of %s logs." wide
- $debug_str_meteor_71 = "failed to write message to log file %s" wide
- $debug_str_meteor_72 = "The log message is too big: %s/%s characters." wide
- $debug_str_stardust_0 = "Stardust has started." wide
- $debug_str_stardust_1 = "0Vy0qMGO" ascii wide
- $debug_str_comet_0 = "Comet has started." wide
- $debug_str_comet_1 = "Comet has finished." wide
- $str_lock_my_pc = "Lock My PC 4" ascii wide
- $config_entry_0 = "state_path" ascii
- $config_entry_1 = "state_encryption_key" ascii
- $config_entry_2 = "log_server_port" ascii
- $config_entry_3 = "log_file_path" ascii
- $config_entry_4 = "log_encryption_key" ascii
- $config_entry_5 = "log_server_ip" ascii
- $config_entry_6 = "processes_to_kill" ascii
- $config_entry_7 = "process_termination_timeout" ascii
- $config_entry_8 = "paths_to_wipe" ascii
- $config_entry_9 = "wiping_stage_logger_interval" ascii
- $config_entry_10 = "locker_exe_path" ascii
- $config_entry_11 = "locker_background_image_jpg_path" ascii
- $config_entry_12 = "auto_logon_path" ascii
- $config_entry_13 = "locker_installer_path" ascii
- $config_entry_14 = "locker_password_hash" ascii
- $config_entry_15 = "users_password" ascii
- $config_entry_16 = "locker_background_image_bmp_path" ascii
- $config_entry_17 = "locker_registry_settings_files" ascii
- $config_entry_18 = "cleanup_script_path" ascii
- $config_entry_19 = "is_alive_loop_interval" ascii
- $config_entry_20 = "cleanup_scheduled_task_name" ascii
- $config_entry_21 = "self_scheduled_task_name" ascii
- $encryption_asm = {33 D2 8B C3 F7 75 E8 8B 41 04 8B 4E 04 8A 04 02 02 C3 32 04 1F 88 45 F3 39 4E 08}
- $random_string_generation = {33 D2 59 F7 F1 83 ?? ?? 08 66 0F BE 82 ?? ?? ?? 00 0F B7 C8 8B C7}
- condition:
- uint16(0) == 0x5A4D and
- (
- 6 of them or
- $encryption_asm or
- $random_string_generation
- )
-}
-rule ZZ_breakwin_stardust_vbs {
- meta:
- description = "Detect the VBS files that where found in the attacks on targets in Syria"
- reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
- author = "Check Point Research"
- date = "22-07-2021"
- hash = "38a419cd9456e40961c781e16ceee99d970be4e9235ccce0b316efe68aba3933"
- hash = "62a984981d14b562939294df9e479ac0d65dfc412d0449114ccb2a0bc93769b0"
- hash = "4d994b864d785abccef829d84f91d949562d0af934114b65056315bf59c1ef58"
- hash = "eb5237d56c0467b5def9a92e445e34eeed9af2fee28f3a2d2600363724d6f8b0"
- hash = "5553ba3dc141cd63878a7f9f0a0e67fb7e887010c0614efd97bbc6c0be9ec2ad"
- strings:
- $url_template = "progress.php?hn=\" & CN & \"&dt=\" & DT & \"&st="
- $compression_password_1 = "YWhZMFU1VlZGdGNFNWlhMVlVMnhTMWtOVlJVWWNGTk9iVTQxVW10V0ZFeFJUMD0r"
- $compression_password_2 = "YWlvcyBqQCNAciNxIGpmc2FkKnIoOUZURjlVSjBSRjJRSlJGODlKSDIzRmloIG8"
- $uninstall_kaspersky = "Shell.Run \"msiexec.exe /x \" & productcode & \" KLLOGIN="
- $is_avp_running = "isProcessRunning(\".\", \"avp.exe\") Then"
- condition:
- any of them
-}
-rule ZZ_breakwin_meteor_batch_files {
- meta:
- description = "Detect the batch files used in the attacks"
- reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
- author = "Check Point Research"
- date = "22-07-2021"
- strings:
- $filename_0 = "mscap.bmp"
- $filename_1 = "mscap.jpg"
- $filename_2 = "msconf.conf"
- $filename_3 = "msmachine.reg"
- $filename_4 = "mssetup.exe"
- $filename_5 = "msuser.reg"
- $filename_6 = "msapp.exe"
- $filename_7 = "bcd.rar"
- $filename_8 = "bcd.bat"
- $filename_9 = "msrun.bat"
- $command_line_0 = "powershell -Command \"%exclude_command% '%defender_exclusion_folder%"
- $command_line_1 = "start /b \"\" update.bat hackemall"
- condition:
- 4 of ($filename_*) or
- any of ($command_line_*)
-}
diff --git a/yara-mikesxrs/Checkpoint/explosive_dll.yar b/yara-mikesxrs/Checkpoint/explosive_dll.yar
deleted file mode 100644
index 0c6c0be..0000000
--- a/yara-mikesxrs/Checkpoint/explosive_dll.yar
+++ /dev/null
@@ -1,15 +0,0 @@
-import "pe"
-rule explosive_dll
-
-{
- meta:
- author = "Check Point Software Technologies Inc."
- info = "Explosive DLL"
- reference = "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf"
-
-
- condition:
- pe.DLL
- and ( pe.exports("PathProcess") or pe.exports("_PathProcess@4") ) and
-pe.exports("CON")
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Checkpoint/explosive_exe.yar b/yara-mikesxrs/Checkpoint/explosive_exe.yar
deleted file mode 100644
index 37b8d07..0000000
--- a/yara-mikesxrs/Checkpoint/explosive_exe.yar
+++ /dev/null
@@ -1,15 +0,0 @@
-rule explosive_exe
-{
- meta:
- author = "Check Point Software Technologies Inc."
- info = "Explosive EXE"
- reference = "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf"
-
- strings:
- $MZ = "MZ"
- $DLD_S = "DLD-S:"
- $DLD_E = "DLD-E:"
-
- condition:
- $MZ at 0 and all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Checkpoint/goziv3_trojan.yar b/yara-mikesxrs/Checkpoint/goziv3_trojan.yar
deleted file mode 100644
index 28da682..0000000
--- a/yara-mikesxrs/Checkpoint/goziv3_trojan.yar
+++ /dev/null
@@ -1,11 +0,0 @@
-rule goziv3: trojan {
- meta:
- module = "goziv3"
- reference = "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/"
- strings:
- $dec_bss = {D3 C0 83 F3 01 89 02 83 C2 04 FF 4C 24 0C}
- $gen_serpent = {33 44 24 04 33 44 24 08 C2 08 00}
- condition:
- ($dec_bss and $gen_serpent) and (uint16(0) == 0x5A4D or uint16(0) == 0x5850 )
-}
-
diff --git a/yara-mikesxrs/Checkpoint/injector_ZZ_dotRunpeX.yar b/yara-mikesxrs/Checkpoint/injector_ZZ_dotRunpeX.yar
deleted file mode 100644
index d95abc6..0000000
--- a/yara-mikesxrs/Checkpoint/injector_ZZ_dotRunpeX.yar
+++ /dev/null
@@ -1,58 +0,0 @@
-rule injector_ZZ_dotRunpeX {
- meta:
- description = "Detects new version of dotRunpeX - configurable .NET injector"
- author = "Jiri Vinopal (jiriv)"
- date = "2022-10-30"
- hash1 = "373a86e36f7e808a1db263b4b49d2428df4a13686da7d77edba7a6dd63790232" // injects Formbook
- hash2 = "41ea8f9a9f2a7aeb086dedf8e5855b0409f31e7793cbba615ca0498e47a72636" // injects Formbook
- hash3 = "5e3588e8ddebd61c2bd6dab4b87f601bd6a4857b33eb281cb5059c29cfe62b80" // injects AsyncRat
- hash4 = "8c451b84d9579b625a7821ad7ddcb87bdd665a9e6619eaecf6ab93cd190cf504" // injects Remcos
- hash5 = "8fa81f6341b342afa40b7dc76dd6e0a1874583d12ea04acf839251cb5ca61591" // injects Formbook
- hash6 = "cd4c821e329ec1f7bfe7ecd39a6020867348b722e8c84a05c7eb32f8d5a2f4db" // injects AgentTesla
- hash7 = "fa8a67642514b69731c2ce6d9e980e2a9c9e409b3947f2c9909d81f6eac81452" // injects AsyncRat
- hash8 = "eb2e2ac0f5f51d90fe90b63c3c385af155b2fee30bc3dc6309776b90c21320f5" // injects SnakeKeylogger
- report = "https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/"
- strings:
- // Used ImplMap imports (PInvoke)
- $implmap1 = "VirtualAllocEx"
- $implmap2 = "CreateProcess"
- $implmap3 = "CreateRemoteThread"
- $implmap4 = "Wow64SetThreadContext"
- $implmap5 = "Wow64GetThreadContext"
- $implmap6 = "NtResumeThread"
- $implmap7 = "ZwUnmapViewOfSection"
- $implmap8 = "NtWriteVirtualMemory"
- $implmap9 = "MessageBox" // ImplMap not presented in all samples - maybe different versions?
- $implmap10 = "Wow64DisableWow64FsRedirection"
- $implmap11 = "Wow64RevertWow64FsRedirection"
- $implmap12 = "CreateFile"
- $implmap13 = "RtlInitUnicodeString"
- $implmap14 = "NtLoadDriver"
- $implmap15 = "NtUnloadDriver"
- $implmap16 = "OpenProcessToken"
- $implmap17 = "LookupPrivilegeValue"
- $implmap18 = "AdjustTokenPrivileges"
- $implmap19 = "CloseHandle"
- $implmap20 = "NtQuerySystemInformation"
- $implmap21 = "DeviceIoControl"
- $implmap22 = "GetProcessHeap"
- $implmap23 = "HeapFree"
- $implmap24 = "HeapAlloc"
- $implmap25 = "GetProcAddress"
- $implmap26 = "CopyMemory" // ImplMap added by KoiVM Protector used by this injector
- $modulerefKernel1 = "Kernel32"
- $modulerefKernel2 = "kernel32"
- $modulerefNtdll1 = "Ntdll"
- $modulerefNtdll2 = "ntdll"
- $modulerefAdvapi1 = "Advapi32"
- $modulerefAdvapi2 = "advapi32"
-
- $regPath = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\TaskKill" wide // Registry path for installing Sysinternals Procexp driver
- $rsrcName = "BIDEN_HARRIS_PERFECT_ASSHOLE" wide
- $koiVM1 = "KoiVM"
- $koiVM2 = "#Koi"
- condition:
- uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and ($regPath or $rsrcName or 1 of ($koiVM*)) and
- 24 of ($implmap*) and 1 of ($modulerefKernel*) and 1 of ($modulerefNtdll*) and 1 of ($modulerefAdvapi*)
-
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Checkpoint/injector_ZZ_dotRunpeX_oldnew.yar b/yara-mikesxrs/Checkpoint/injector_ZZ_dotRunpeX_oldnew.yar
deleted file mode 100644
index 638e559..0000000
--- a/yara-mikesxrs/Checkpoint/injector_ZZ_dotRunpeX_oldnew.yar
+++ /dev/null
@@ -1,45 +0,0 @@
-rule injector_ZZ_dotRunpeX_oldnew {
- meta:
- description = "Detects new and old version of dotRunpeX - configurable .NET injector"
- author = "Jiri Vinopal (jiriv)"
- date = "2022-10-30"
- hash1_New = "373a86e36f7e808a1db263b4b49d2428df4a13686da7d77edba7a6dd63790232" // injects Formbook
- hash2_New = "41ea8f9a9f2a7aeb086dedf8e5855b0409f31e7793cbba615ca0498e47a72636" // injects Formbook
- hash3_New = "5e3588e8ddebd61c2bd6dab4b87f601bd6a4857b33eb281cb5059c29cfe62b80" // injects AsyncRat
- hash4_New = "8c451b84d9579b625a7821ad7ddcb87bdd665a9e6619eaecf6ab93cd190cf504" // injects Remcos
- hash5_New = "8fa81f6341b342afa40b7dc76dd6e0a1874583d12ea04acf839251cb5ca61591" // injects Formbook
- hash6_New = "cd4c821e329ec1f7bfe7ecd39a6020867348b722e8c84a05c7eb32f8d5a2f4db" // injects AgentTesla
- hash7_New = "fa8a67642514b69731c2ce6d9e980e2a9c9e409b3947f2c9909d81f6eac81452" // injects AsyncRat
- hash8_New = "eb2e2ac0f5f51d90fe90b63c3c385af155b2fee30bc3dc6309776b90c21320f5" // injects SnakeKeylogger
- hash1_Old = "1e7614f757d40a2f5e2f4bd5597d04878768a9c01aa5f9f23d6c87660f7f0fbc" // injects Lokibot
- hash2_Old = "317e6817bba0f54e1547dd9acf24ee17a4cda1b97328cc69dc1ec16e11c258fc" // injects Redline
- hash3_Old = "65cac67ed2a084beff373d6aba6f914b8cba0caceda254a857def1df12f5154b" // injects SnakeKeylogger
- hash4_Old = "68ae2ee5ed7e793c1a49cbf1b0dd7f5a3de9cb783b51b0953880994a79037326" // injects Lokibot
- hash5_Old = "81763d8e3b42d07d76b0a74eda4e759981971635d62072c8da91251fc849b91e" // injects SnakeKeylogger
- report = "https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/"
- strings:
- // Used ImplMap imports (PInvoke)
- $implmap1 = "VirtualAllocEx"
- $implmap2 = "CreateProcess"
- $implmap3 = "CreateRemoteThread"
- $implmap4 = "Wow64SetThreadContext"
- $implmap5 = "Wow64GetThreadContext"
- $implmap6 = "RtlInitUnicodeString"
- $implmap7 = "NtLoadDriver"
- $implmap8 = "LoadLibrary"
- $implmap9 = "VirtualProtect"
- $implmap10 = "AdjustTokenPrivileges"
- $implmap11 = "GetProcAddress"
- $modulerefKernel1 = "Kernel32"
- $modulerefKernel2 = "kernel32"
- $modulerefNtdll1 = "Ntdll"
- $modulerefNtdll2 = "ntdll"
-
- $regPath = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\TaskKill" wide // Registry path for installing Sysinternals Procexp driver
- $rsrcName = "BIDEN_HARRIS_PERFECT_ASSHOLE" wide
- $koiVM1 = "KoiVM"
- $koiVM2 = "#Koi"
- condition:
- uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and ($regPath or $rsrcName or 1 of ($koiVM*)) and
- 9 of ($implmap*) and 1 of ($modulerefKernel*) and 1 of ($modulerefNtdll*)
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Checkpoint/lyceum_dotnet_dns_backdoor.yar b/yara-mikesxrs/Checkpoint/lyceum_dotnet_dns_backdoor.yar
deleted file mode 100644
index 8910ca1..0000000
--- a/yara-mikesxrs/Checkpoint/lyceum_dotnet_dns_backdoor.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule lyceum_dotnet_dns_backdoor
-{
- meta:
- author = "CPR"
- reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
- hash1 = "8199f14502e80581000bd5b3bda250ee"
- hash2 = "d79687676d2d152aec4143c852bdbc4a"
- hash3 = "bcb465cc2257e5777bab431690ca5039"
- hash4 = "2bc2abefc1a721908bc805894b62227d"
- hash5 = "37a1514a7a5f9b2c6786096129a30721"
- strings:
- $log1 = "MSG SIZE rcvd" wide
- $log2 = "Empty output" wide
- $log3 = "Big Output. lines: " wide
- $com1 = "Enddd" wide
- $com2 = "uploaddd" wide
- $com3 = "downloaddd" wide
- $dga = "trailers.apple.com" wide
- $replace1 = "BackSlashh" wide
- $replace2 = "QuotationMarkk" wide
- $re_pattern = "60\\s+IN\\s+TXT" wide
- $func1 = "comRun"
- $func2 = "PlaceDot"
- $func3 = "sendAns"
- $heijden1 = "Heijden.DNS"
- $heijden2 = "DnsHeijden"
- condition:
- uint16(0)==0x5a4d and (all of ($log*) or all of ($com*) or all of ($replace*) or all of ($func*) or (any of ($heijden*) and $re_pattern and $dga))
-}
diff --git a/yara-mikesxrs/Checkpoint/lyceum_dotnet_http_backdoor.yar b/yara-mikesxrs/Checkpoint/lyceum_dotnet_http_backdoor.yar
deleted file mode 100644
index 055025d..0000000
--- a/yara-mikesxrs/Checkpoint/lyceum_dotnet_http_backdoor.yar
+++ /dev/null
@@ -1,52 +0,0 @@
-rule lyceum_dotnet_http_backdoor
-{
- meta:
- author = "CPR"
- reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
- hash1 = "1c444ebeba24dcba8628b7dfe5fec7c6"
- hash2 = "85ca334f87667bd7fa0c47ae6149353e"
- hash3 = "73bddd5f1a0847ae5f5d55e7d9c177f6"
- hash4 = "9fb86915db1b7c00f1a4587de4e052de"
- hash5 = "37fe608983d4b06a5549247f0e16bc11"
- hash6 = "5916e5189ef0050dfcc3cc19382d08d5"
- strings:
- $class1 = "Funcss"
- $class2 = "Constantss"
- $class3 = "Reqss"
- $class4 = "Screenss"
- $class5 = "Shll"
- $class6 = "test_A1"
- $class7 = "Uploadss"
- $class8 = "WebDL"
- $cnc_uri1 = "/upload" wide
- $cnc_uri2 = "/screenshot" wide
- $cnc_pattern_hex1 = {43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 7b 30 7d 22 0d 0a 0d 0a}
- $cnc_pattern_hex2 = {6d 75 6c 74 69 70 61 72 74 2f 66 6f 72 6d 2d 64 61 74 61 3b 20 62 6f 75 6e 64 61 72 79 3d 7b 30 7d}
- $cnc_pattern_hex3 = {43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 7b 30 7d 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 7b 31 7d 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 7b 32 7d 0d 0a 0d 0a}
- $constant1 = "FILE_DIR_SEPARATOR"
- $constant2 = "APPS_PARAMS_SEPARATOR"
- $constant3 = "TYPE_SENDTOKEN"
- $constant4 = "TYPE_DATA1"
- $constant5 = "TYPE_SEND_RESPONSE_IN_SOCKET"
- $constant6 = "TYPE_FILES_LIST"
- $constant7 = "TYPE_FILES_DELETE"
- $constant8 = "TYPE_FILES_RUN"
- $constant9 = "TYPE_FILES_UPLOAD_TO_SERVER"
- $constant10 = "TYPE_FILES_DELETE_FOLDER"
- $constant11 = "TYPE_FILES_CREATE_FOLDER"
- $constant12 = "TYPE_FILES_DOWNLOAD_URL"
- $constant13 = "TYPE_OPEN_CMD"
- $constant14 = "TYPE_CMD_RES"
- $constant15 = "TYPE_CLOSE_CMD"
- $constant16 = "TYPE_CMD_REQ"
- $constant17 = "TYPE_INSTALLED_APPS"
- $constant18 = "TYPE_SCREENSHOT"
- $constant19 = "_RG_APP_NAME_"
- $constant20 = "_RG_APP_VERSION_"
- $constant21 = "_RG_APP_DATE_"
- $constant22 = "_RG_APP_PUB_"
- $constant23 = "_RG_APP_SEP_"
- $constant24 = "_SC_EXT_"
- condition:
- uint16(0)==0x5a4d and (4 of ($class*) or 4 of ($cnc_*) or 4 of ($constant*))
-}
diff --git a/yara-mikesxrs/Checkpoint/lyceum_golang_backdoor.yar b/yara-mikesxrs/Checkpoint/lyceum_golang_backdoor.yar
deleted file mode 100644
index 9791576..0000000
--- a/yara-mikesxrs/Checkpoint/lyceum_golang_backdoor.yar
+++ /dev/null
@@ -1,37 +0,0 @@
-rule lyceum_golang_backdoor
-{
- meta:
- author = "CPR"
- reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
- hash1 = "a437f997d45bc14e76d0f2482f572a34"
- hash2 = "23d174e6a0905fd59b2613d5ac106261"
- hash3 = "bcb465cc2257e5777bab431690ca5039"
- strings:
- $func1 = "main.Ase256"
- $func2 = "main.DecryptAse256"
- $func3 = "main.IsServerUp"
- $func4 = "main.register"
- $func5 = "main.commandforrun"
- $func6 = "main.UPLOAD"
- $func7 = "main.commandforanswer"
- $func8 = "main.GetMD5Hash"
- $func9 = "main.get_uid"
- $func10 = "main.commandrun"
- $func11 = "main.download"
- $func12 = "main.postFile"
- $func13 = "main.sendAns"
- $func14 = "main.comRun"
- $cnc_uri1 = "/GO/1.php"
- $cnc_uri2 = "/GO/2.php"
- $cnc_uri3 = "/GO/3.php"
- $auth_token = "auth_token=\"XXXXXXX\""
- $log1 = "client registred"
- $log2 = "no command"
- $log3 = "can not create file"
- $log4 = "errorGettingUserName"
- $log5 = "New record created successfully"
- $log6 = "SERVER_IS_DOWN"
- $dga = "trailers.apple.com."
- condition:
- uint16(0)==0x5a4d and ((10 of ($func*) or any of ($cnc_uri*) or $auth_token or 3 of ($log*)) or ($dga and 4 of them))
-}
diff --git a/yara-mikesxrs/Checkpoint/malware_bumblebee_packed.yar b/yara-mikesxrs/Checkpoint/malware_bumblebee_packed.yar
deleted file mode 100644
index 480b8e4..0000000
--- a/yara-mikesxrs/Checkpoint/malware_bumblebee_packed.yar
+++ /dev/null
@@ -1,31 +0,0 @@
-rule malware_bumblebee_packed {
- meta:
- author = "Marc Salinas @ CheckPoint Research"
- malware_family = "BumbleBee"
- date = "13/07/2022"
- description = "Detects the packer used by bumblebee, the rule is based on the code responsible for allocating memory for a critical structure in its logic."
- dll_jul = "6bc2ab410376c1587717b2293f2f3ce47cb341f4c527a729da28ce00adaaa8db"
- dll_jun = "82aab01a3776e83695437f63dacda88a7e382af65af4af1306b5dbddbf34f9eb"
- dll_may = "a5bcb48c0d29fbe956236107b074e66ffc61900bc5abfb127087bb1f4928615c"
- iso_jul = "ca9da17b4b24bb5b24cc4274cc7040525092dffdaa5922f4a381e5e21ebf33aa"
- iso_jun = "13c573cad2740d61e676440657b09033a5bec1e96aa1f404eed62ba819858d78"
- iso_may = "b2c28cdc4468f65e6fe2f5ef3691fa682057ed51c4347ad6b9672a9e19b5565e"
- zip_jun = "7024ec02c9670d02462764dcf99b9a66b29907eae5462edb7ae974fe2efeebad"
- zip_may = "68ac44d1a9d77c25a97d2c443435459d757136f0d447bfe79027f7ef23a89fce"
- report = "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/"
- strings:
- $heapalloc = {
- 48 8? EC [1-6] // sub rsp, 80h
- FF 15 ?? ?? 0? 00 [0-5] // call cs:GetProcessHeap
- 33 D2 // xor edx, edx ; dwFlags
- 4? [2-5] // mov rcx, rax ; hHeap
- 4? ?? ?? // mov r8d, ebx ; dwBytes
- FF 15 ?? ?? 0? 00 // call cs:HeapAlloc
- [8 - 11] // (load params)
- 48 89 05 ?? ?? ?? 00 // mov cs:HeapBufferPtr, rax
- E8 ?? ?? ?? ?? // call memset
- 4? 8B ?? ?? ?? ?? 00 // mov r14, cs:HeapBufferPtr
- }
- condition:
- $heapalloc
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Checkpoint/nazar_component_guids.yar b/yara-mikesxrs/Checkpoint/nazar_component_guids.yar
deleted file mode 100644
index 2097782..0000000
--- a/yara-mikesxrs/Checkpoint/nazar_component_guids.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-rule apt_nazar_component_guids
-{
- meta:
- description = "Detect Nazar Components by COM Objects' GUID"
- author = "Itay Cohen"
- date = "2020-04-27"
- reference = ""
- reference2 = "https://research.checkpoint.com/2020/nazar-spirits-of-the-past/"
- hash = "1110c3e34b6bbaadc5082fabbdd69f492f3b1480724b879a3df0035ff487fd6f"
- hash = "1afe00b54856628d760b711534779da16c69f542ddc1bb835816aa92ed556390"
- hash = "2caedd0b2ea45761332a530327f74ca5b1a71301270d1e2e670b7fa34b6f338e"
- hash = "2fe9b76496a9480273357b6d35c012809bfa3ae8976813a7f5f4959402e3fbb6"
- hash = "460eba344823766fe7c8f13b647b4d5d979ce4041dd5cb4a6d538783d96b2ef8"
- hash = "4d0ab3951df93589a874192569cac88f7107f595600e274f52e2b75f68593bca"
- hash = "75e4d73252c753cd8e177820eb261cd72fecd7360cc8ec3feeab7bd129c01ff6"
- hash = "8fb9a22b20a338d90c7ceb9424d079a61ca7ccb7f78ffb7d74d2f403ae9fbeec"
- hash = "967ac245e8429e3b725463a5c4c42fbdf98385ee6f25254e48b9492df21f2d0b"
- hash = "be624acab7dfe6282bbb32b41b10a98b6189ab3a8d9520e7447214a7e5c27728"
- hash = "d34a996826ea5a028f5b4713c797247913f036ca0063cc4c18d8b04736fa0b65"
- hash = "d9801b4da1dbc5264e83029abb93e800d3c9971c650ecc2df5f85bcc10c7bd61"
- hash = "eb705459c2b37fba5747c73ce4870497aa1d4de22c97aaea4af38cdc899b51d3"
- strings:
- $guid1_godown = { 98 B3 E5 F6 DF E3 6B 49 A2 AD C2 0F EA 30 DB FE } // Godown.dll IID
- $guid2_godown = { 31 4B CB DB B8 21 0F 4A BC 69 0C 3C E3 B6 6D 00 } // Godown.dll CLSID
- $guid3_godown = { AF 94 4E B6 6B D5 B4 48 B1 78 AF 07 23 E7 2A B5 } // probably Godown
- $guid4_filesystem = { 79 27 AB 37 34 F2 9D 4D B3 FB 59 A3 FA CB 8D 60 } // Filesystem.dll CLSID
- $guid6_filesystem = { 2D A1 2B 77 62 8A D3 4D B3 E8 92 DA 70 2E 6F 3D } // Filesystem.dll TypeLib IID
- $guid5_filesystem = { AB D3 13 CF 1C 6A E8 4A A3 74 DE D5 15 5D 6A 88 } // Filesystem.dll
-
- condition:
- any of them
-}
diff --git a/yara-mikesxrs/Checkpoint/qbot_vbs.yar b/yara-mikesxrs/Checkpoint/qbot_vbs.yar
deleted file mode 100644
index 68b74b9..0000000
--- a/yara-mikesxrs/Checkpoint/qbot_vbs.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule qbot_vbs
-{
- meta:
- description = "Catches QBot VBS files"
- reference = "https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/"
- author = "Alex Ilgayev"
- date = "2020-06-07"
- strings:
- $s3 = "ms.Send"
- $s4 = "for i=1 to 6"
- $s5 = "if ms.readyState = 4 Then"
- $s6 = "if len(ms.responseBody) <> 0 then"
- $s7 = /if left\(ms.responseText, \w*?\) = \"MZ\" then/
- condition:
- filesize > 20MB and $s3 and $s4 and $s5 and $s6 and $s7
-}
diff --git a/yara-mikesxrs/Checkpoint/ransomware_ZZ_azov_wiper.yar b/yara-mikesxrs/Checkpoint/ransomware_ZZ_azov_wiper.yar
deleted file mode 100644
index 8f68ee4..0000000
--- a/yara-mikesxrs/Checkpoint/ransomware_ZZ_azov_wiper.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-import "pe"
-
-rule ransomware_ZZ_azov_wiper {
- meta:
- description = "Detects original and backdoored files with new and old versions of azov ransomware - polymorphic wiper"
- author = "Jiri Vinopal (jiriv)"
- date = "2022-11-14"
- hash_azov_new = "650f0d694c0928d88aeeed649cf629fc8a7bec604563bca716b1688227e0cc7e"
- hash_azov_old = "b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801"
- report = "https://research.checkpoint.com/2022/pulling-the-curtains-on-azov-ransomware-not-a-skidsware-but-polymorphic-wiper/"
- strings:
- // Opcodes of allocating and decrypting shellcode routine
- $unpacking_azov_new = { 48 83 ec ?? 58 48 01 c8 48 81 ec ?? ?? ?? ?? 48 83 ec ?? 40 80 e4 ?? c6 45 ?? 56 c6 45 ?? 69 c6 45 ?? 72 c6 45 ?? 74 c6 45 ?? 75 c6 45 ?? 61 c6 45 ?? 6c c6 45 ?? 41 c6 45 ?? 6c c6 45 ?? 6c c6 45 ?? 6f c6 45 ?? 63 c6 45 ?? 00 48 89 74 24 ?? 48 83 ec ?? 48 83 c4 ?? 48 8b 4c 24 ?? 48 8d 55 ?? ff d0 48 83 ec ?? 48 c7 04 24 ?? ?? ?? ?? 48 83 c4 ?? 48 8b 4c 24 ?? 48 c7 c2 ?? ?? ?? ?? 49 c7 c0 ?? ?? ?? ?? 49 c7 c1 ?? ?? ?? ?? ff d0 48 c7 c1 ?? ?? ?? ?? 4c 8d 0d ?? ?? ?? ?? 48 ff c9 41 8a 14 09 88 14 08 48 85 c9 75 ?? 48 c7 c1 ?? ?? ?? ?? 41 b9 ?? ?? ?? ?? 41 ba ?? ?? ?? ?? 48 ff c9 8a 14 08 44 30 ca 88 14 08 41 81 ea ?? ?? ?? ?? 45 01 d1 41 81 c1 ?? ?? ?? ?? 41 81 c2 ?? ?? ?? ?? 41 d1 c1 48 85 c9 }
- $unpacking_azov_old = { 48 01 c8 48 05 ?? ?? ?? ?? 48 81 c1 ?? ?? ?? ?? 48 81 ec ?? ?? ?? ?? 48 83 ec ?? 40 80 e4 ?? c6 45 ?? 56 c6 45 ?? 69 c6 45 ?? 72 c6 45 ?? 74 c6 45 ?? 75 c6 45 ?? 61 c6 45 ?? 6c c6 45 ?? 41 c6 45 ?? 6c c6 45 ?? 6c c6 45 ?? 6f c6 45 ?? 63 c6 45 ?? 00 48 83 e1 ?? 48 01 f1 48 8d 55 ?? ff d0 48 83 ec ?? 48 c7 04 24 ?? ?? ?? ?? 48 83 c4 ?? 48 8b 4c 24 ?? 48 c7 c2 ?? ?? ?? ?? 49 c7 c0 ?? ?? ?? ?? 49 c7 c1 ?? ?? ?? ?? ff d0 48 c7 c1 ?? ?? ?? ?? 4c 8d 0d ?? ?? ?? ?? 48 ff c9 41 8a 14 09 88 14 08 48 85 c9 }
- condition:
- uint16(0) == 0x5a4d and pe.is_64bit() and
- any of ($unpacking_azov_*)
-}
diff --git a/yara-mikesxrs/CyberDefenses/installmonstr.yar b/yara-mikesxrs/CyberDefenses/installmonstr.yar
deleted file mode 100644
index a1ea795..0000000
--- a/yara-mikesxrs/CyberDefenses/installmonstr.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule installmonstr {
-meta:
- description = "adware, trojan, riskware"
- author = "Monty St John"
- company = "Cyberdefenses, inc."
- date = "2017/01/25"
- hash1 = "000be3b9991eaf28b3794d96ce08e883"
- hash2 = "1c21a4b1151921398b2c2fe9ea9892f8"
- hash3 = "be6eb42ea9e789d2a4425f61155f4664"
- hash4 = "001dd4fdd6973f4e6cb9d11bd9ba7eb3"
-
-strings:
- $a = " "
- $b = "%s %s"
- $c = "GoIdHTTPWork"
- $d = "sslvSSLv2sslvSSLv23sslvSSLv3sslvTLSv1"
- $e = "sslvSSLv23 sslvSSLv3 sslvTLSv1"
- $f = "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH"
-
-condition:
- 5 of them
-}
diff --git a/yara-mikesxrs/CyberDefenses/u34.yar b/yara-mikesxrs/CyberDefenses/u34.yar
deleted file mode 100644
index a61c94d..0000000
--- a/yara-mikesxrs/CyberDefenses/u34.yar
+++ /dev/null
@@ -1,15 +0,0 @@
-rule php_shell_U34 {
-meta:
- description = "Web Shell - file ans.php"
- author = "Monty St John"
- company = "Cyberdefenses, inc."
- date = "2017/01/25"
- hash = "5be3b1bc76677a70553a66575f289a0a"
-strings:
-$a = "'\".((strpos(@$_POST['"
-$b = "'],\"\\n\")!==false)?'':htmlspecialchars(@$_POST['"
-$c = "'],ENT_QUOTES)).\"';"
-$d = "posix_getpwuid"
-condition:
- all of them
-}
diff --git a/yara-mikesxrs/CyberDefenses/wirenet_dropper.yar b/yara-mikesxrs/CyberDefenses/wirenet_dropper.yar
deleted file mode 100644
index 8a5b609..0000000
--- a/yara-mikesxrs/CyberDefenses/wirenet_dropper.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule wirenet_dropper
- {
-meta:
- description = "Wirenet backdoor dropper Invoice_SKMBT_20170601.doc"
- author = "Chris Rogers"
- company = "Cyberdefenses, inc."
- date = "2017/07/11"
- hash = "954d7c15577f118171cc8adcc9f9ac94"
-strings:
-$a = "C:\Users\user\Desktop\JAVA\docinvoice.exe"
-$b = "C:\Users\user\AppData\Local\Temp\docinvoice.exe"
-$c = "ZTUWVSPRTj"
-$d = "IE(AL("%s",4),"AL(\"%0:s\",3)""
-condition:
- all of them
-}
diff --git a/yara-mikesxrs/Fidelis/AlienSpy.yar b/yara-mikesxrs/Fidelis/AlienSpy.yar
deleted file mode 100644
index bb6859e..0000000
--- a/yara-mikesxrs/Fidelis/AlienSpy.yar
+++ /dev/null
@@ -1,34 +0,0 @@
-rule AlienSpy {
-meta:
- description = "AlienSpy"
- author = "Fidelis Cybersecurity"
- reference = "Fidelis Threat Advisory #1015 - Ratting on AlienSpy - Apr 08, 2015"
-
-strings:
- $sa_1 = "META-INF/MANIFEST.MF"
- $sa_2 = "Main.classPK"
- $sa_3 = "plugins/Server.classPK"
- $sa_4 = "IDPK"
-
- $sb_1 = "config.iniPK"
- $sb_2 = "password.iniPK"
- $sb_3 = "plugins/Server.classPK"
- $sb_4 = "LoadStub.classPK"
- $sb_5 = "LoadStubDecrypted.classPK"
- $sb_7 = "LoadPassword.classPK"
- $sb_8 = "DecryptStub.classPK"
- $sb_9 = "ClassLoaders.classPK"
-
- $sc_1 = "config.xml"
- $sc_2 = "options"
- $sc_3 = "plugins"
- $sc_4 = "util"
- $sc_5 = "util/OSHelper"
- $sc_6 = "Start.class"
- $sc_7 = "AlienSpy"
- $sc_8 = "PK"
-
-condition:
- (all of ($sa_*)) or (all of ($sb_*)) or (all of ($sc_*))
-
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fidelis/DarkComet.yar b/yara-mikesxrs/Fidelis/DarkComet.yar
deleted file mode 100644
index 5bfeacb..0000000
--- a/yara-mikesxrs/Fidelis/DarkComet.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule DarkComet
-{
-meta:
- description = "DarkComet RAT"
- author = "Fidelis Cybersecurity"
- reference = "Fidelis Threat Advisory #1018 - Looking at the Sky for a DarkComet - August 4, 2015"
- date = "2015-07-22"
-
-strings:
- $s1 = "#KCMDDC"
- $s2 = "DCDATA"
- $s3 = "#BOT#CloseServer"
- $s4 = "#BOT#SvrUninstall"
- $s5 = "#BOT#URLDownload"
-condition:
- uint16(0) == 0x5a4d and filesize < 50MB and all of ($s*)
-}
-
diff --git a/yara-mikesxrs/Fidelis/DarkCometDownloader.yar b/yara-mikesxrs/Fidelis/DarkCometDownloader.yar
deleted file mode 100644
index f8d4cc2..0000000
--- a/yara-mikesxrs/Fidelis/DarkCometDownloader.yar
+++ /dev/null
@@ -1,12 +0,0 @@
-rule DarkCometDownloader {
-meta:
- description = "DarkComet RAT Downloader"
- author = "Fidelis Cybersecurity"
- reference = "Fidelis Threat Advisory #1018 - Looking at the Sky for a DarkComet - August 4, 2015"
- date = "2015-07-22"
-
-strings:
- $s1 = {6A00FF15F0304000A30D1040006A0A68261040006A00FF15F4304000A311104000FF 35111040006A00FF15F8304000A315104000FF35111040006A00FF15FC304000A3191 04000FF3515104000FF1500314000A31D104000FF3519104000FF351D104000682C11 4000FF1508314000FF3515104000FF150C31400031C0682C104000682C104000FF151 43140006805104000682C104000FF1510314000682C104000FF15183140006A006A00 682C104000682C1140006A00FF15803040006A056A006A00682C10400068001040006 A00FF15A83040006A00FF1504314000}
-condition:
- uint16(0) == 0x5a4d and filesize < 10KB and all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fidelis/Scanbox.yar b/yara-mikesxrs/Fidelis/Scanbox.yar
deleted file mode 100644
index 9c1491b..0000000
--- a/yara-mikesxrs/Fidelis/Scanbox.yar
+++ /dev/null
@@ -1,44 +0,0 @@
- rule apt_all_JavaScript_ScanboxFramework_obfuscated
-
-{
- meta:
- author = "Fidelis Security"
- reference = "https://www.fidelissecurity.com/TradeSecret"
-
- strings:
-
- $sa1 = /(var|new|return)\s[_\$]+\s?/
-
- $sa2 = "function"
-
- $sa3 = "toString"
-
- $sa4 = "toUpperCase"
-
- $sa5 = "arguments.length"
-
- $sa6 = "return"
-
- $sa7 = "while"
-
- $sa8 = "unescape("
-
- $sa9 = "365*10*24*60*60*1000"
-
- $sa10 = ">> 2"
-
- $sa11 = "& 3) << 4"
-
- $sa12 = "& 15) << 2"
-
- $sa13 = ">> 6) | 192"
-
- $sa14 = "& 63) | 128"
-
- $sa15 = ">> 12) | 224"
-
- condition:
-
- all of them
-
-}
diff --git a/yara-mikesxrs/Fidelis/Ursnif_report_variant_memory.yar b/yara-mikesxrs/Fidelis/Ursnif_report_variant_memory.yar
deleted file mode 100644
index c9cec98..0000000
--- a/yara-mikesxrs/Fidelis/Ursnif_report_variant_memory.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule Ursnif_report_variant_memory
-{
-meta:
- description = "Ursnif"
- author = "Fidelis Cybersecurity"
- reference = "New Ursnif Variant Targeting Italy and U.S - June 7, 2016"
-
-strings:
- $isfb1 = "/data.php?version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s"
- $isfb2 = "client.dll"
- $ursnif1 = "soft=1&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x"
- $a1 = "grabs="
- $a2 = "HIDDEN"
- $ursnif2 = "/images/"
- $randvar = "%s=%s&"
- $specialchar = "%c%02X" nocase
- $serpent_setkey = {8b 70 ec 33 70 f8 33 70 08 33 30 33 f1 81 f6 b9 79 37 9e c1 c6 0b 89 70 08 41 81 f9 84 [0-3] 72 db}
-condition:
- 7 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fidelis/XenonCrypter.yar b/yara-mikesxrs/Fidelis/XenonCrypter.yar
deleted file mode 100644
index 1c06e57..0000000
--- a/yara-mikesxrs/Fidelis/XenonCrypter.yar
+++ /dev/null
@@ -1,12 +0,0 @@
-rule XenonCrypter
-{
-meta:
- author = "jason reaves"
- author2 = "Fidelis Cybersecurity"
- description = "Xenon Crypter"
-strings:
- $b1 = "Xenon2FF\\Bin\\StubNew.pdb” nocase
- $b2 = “XenonNew\\Bin\\StubNew.pdb” nocase
-condition:
- any of ($b*)
-}
diff --git a/yara-mikesxrs/Fidelis/apt_nix_elf_Derusbi_Linux_SharedMemCreation.yar b/yara-mikesxrs/Fidelis/apt_nix_elf_Derusbi_Linux_SharedMemCreation.yar
deleted file mode 100644
index ee4fb06..0000000
--- a/yara-mikesxrs/Fidelis/apt_nix_elf_Derusbi_Linux_SharedMemCreation.yar
+++ /dev/null
@@ -1,13 +0,0 @@
-rule apt_nix_elf_Derusbi_Linux_SharedMemCreation
-{
- meta:
- author = "Fidelis Cybersecurity"
- reference = "https://www.fidelissecurity.com/resources/turbo-campaign-featuring-derusbi-64-bit-linux"
- strings:
- $byte1 = { B6 03 00 00 ?? 40 00 00 00 ?? 0D 5F 01 82 }
- condition:
- (uint32(0) == 0x464C457F) and (any of them)
-}
-
-
-
diff --git a/yara-mikesxrs/Fidelis/apt_nix_elf_Derusbi_Linux_Strings.yar b/yara-mikesxrs/Fidelis/apt_nix_elf_Derusbi_Linux_Strings.yar
deleted file mode 100644
index 4f08ba4..0000000
--- a/yara-mikesxrs/Fidelis/apt_nix_elf_Derusbi_Linux_Strings.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule apt_nix_elf_Derusbi_Linux_Strings
-{
- meta:
- author = "Fidelis Cybersecurity"
- reference = "https://www.fidelissecurity.com/resources/turbo-campaign-featuring-derusbi-64-bit-linux"
- strings:
- $a1 = "loadso" wide ascii fullword
- $a2 = "\nuname -a\n\n" wide ascii
- $a3 = "/dev/shm/.x11.id" wide ascii
- $a4 = "LxMain64" wide ascii nocase
- $a5 = "# \\u@\\h:\\w \\$ " wide ascii
- $b1 = "0123456789abcdefghijklmnopqrstuvwxyz" wide
- $b2 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" wide
- $b3 = "ret %d" wide fullword
- $b4 = "uname -a\n\n" wide ascii
- $b5 = "/proc/%u/cmdline" wide ascii
- $b6 = "/proc/self/exe" wide ascii
- $b7 = "cp -a %s %s" wide ascii
- $c1 = "/dev/pts/4" wide ascii fullword
- $c2 = "/tmp/1408.log" wide ascii fullword
- condition:
- uint32(0) == 0x464C457F and
- ((1 of ($a*) and 4 of ($b*)) or
- (1 of ($a*) and 1 of ($c*)) or
- 2 of ($a*) or
- all of ($b*))
-}
-
diff --git a/yara-mikesxrs/Fidelis/apt_nix_elf_derusbi.yar b/yara-mikesxrs/Fidelis/apt_nix_elf_derusbi.yar
deleted file mode 100644
index 3b78cdb..0000000
--- a/yara-mikesxrs/Fidelis/apt_nix_elf_derusbi.yar
+++ /dev/null
@@ -1,48 +0,0 @@
-rule apt_nix_elf_derusbi
-{
- meta:
- author = "Fidelis Cybersecurity"
- reference = "https://www.fidelissecurity.com/resources/turbo-campaign-featuring-derusbi-64-bit-linux"
- strings:
- $ = "LxMain"
- $ = "execve"
- $ = "kill"
- $ = "cp -a %s %s"
- $ = "%s &"
- $ = "dbus-daemon"
- $ = "--noprofile"
- $ = "--norc"
- $ = "TERM=vt100"
- $ = "/proc/%u/cmdline"
- $ = "loadso"
- $ = "/proc/self/exe"
- $ = "Proxy-Connection: Keep-Alive"
- $ = "Connection: Keep-Alive"
- $ = "CONNECT %s"
- $ = "HOST: %s:%d"
- $ = "User-Agent: Mozilla/4.0"
- $ = "Proxy-Authorization: Basic %s"
- $ = "Server: Apache"
- $ = "Proxy-Authenticate"
- $ = "gettimeofday"
- $ = "pthread_create"
- $ = "pthread_join"
- $ = "pthread_mutex_init"
- $ = "pthread_mutex_destroy"
- $ = "pthread_mutex_lock"
- $ = "getsockopt"
- $ = "socket"
- $ = "setsockopt"
- $ = "select"
- $ = "bind"
- $ = "shutdown"
- $ = "listen"
- $ = "opendir"
- $ = "readdir"
- $ = "closedir"
- $ = "rename"
-
- condition:
- (uint32(0) == 0x4464c457f) and (all of them)
-}
-
diff --git a/yara-mikesxrs/Fidelis/apt_nix_elf_derusbi_kernelModule.yar b/yara-mikesxrs/Fidelis/apt_nix_elf_derusbi_kernelModule.yar
deleted file mode 100644
index f52e4ed..0000000
--- a/yara-mikesxrs/Fidelis/apt_nix_elf_derusbi_kernelModule.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-rule apt_nix_elf_derusbi_kernelModule
-{
- meta:
- author = "Fidelis Cybersecurity"
- reference = "https://www.fidelissecurity.com/resources/turbo-campaign-featuring-derusbi-64-bit-linux"
- strings:
- $ = "__this_module"
- $ = "init_module"
- $ = "unhide_pid"
- $ = "is_hidden_pid"
- $ = "clear_hidden_pid"
- $ = "hide_pid"
- $ = "license"
- $ = "description"
- $ = "srcversion="
- $ = "depends="
- $ = "vermagic="
- $ = "current_task"
- $ = "sock_release"
- $ = "module_layout"
- $ = "init_uts_ns"
- $ = "init_net"
- $ = "init_task"
- $ = "filp_open"
- $ = "__netlink_kernel_create"
- $ = "kfree_skb"
-
- condition:
- (uint32(0) == 0x4464c457f) and (all of them)
-}
diff --git a/yara-mikesxrs/Fidelis/apt_win32_dll_bergard_pgv_pvid_variant.yar b/yara-mikesxrs/Fidelis/apt_win32_dll_bergard_pgv_pvid_variant.yar
deleted file mode 100644
index 6532e98..0000000
--- a/yara-mikesxrs/Fidelis/apt_win32_dll_bergard_pgv_pvid_variant.yar
+++ /dev/null
@@ -1,40 +0,0 @@
-rule apt_win32_dll_bergard_pgv_pvid_variant
-
-{
-
- meta:
-
- copyright = “Fidelis Cybersecurity”
- reference = "http://www.threatgeek.com/2016/05/"
-
- strings:
-
- $ = "Accept:"
-
- $ = "User-Agent: %s"
-
- $ = "Host: %s:%d"
-
- $ = "Cache-Control: no-cache"
-
- $ = "Connection: Keep-Alive"
-
- $ = "Cookie: pgv_pvid="
-
- $ = "Content-Type: application/x-octet-stream"
-
- $ = "User-Agent: %s"
-
- $ = "Host: %s:%d"
-
- $ = "Pragma: no-cache"
-
- $ = "Connection: Keep-Alive"
-
- $ = "HTTP/1.0"
-
- condition:
-
- (uint16(0) == 0x5A4D) and (all of them)
-
- }
\ No newline at end of file
diff --git a/yara-mikesxrs/Fidelis/apt_win32_dll_rat_hiZorRAT.yar b/yara-mikesxrs/Fidelis/apt_win32_dll_rat_hiZorRAT.yar
deleted file mode 100644
index 08cf597..0000000
--- a/yara-mikesxrs/Fidelis/apt_win32_dll_rat_hiZorRAT.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-rule apt_win32_dll_rat_hiZorRAT
-{
- meta:
- hash1 = "75d3d1f23628122a64a2f1b7ef33f5cf"
- hash2 = "d9821468315ccd3b9ea03161566ef18e"
- hash3 = "b9af5f5fd434a65d7aa1b55f5441c90a"
- ref1 = "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
- ref2 = "https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf"
-
- strings:
-
- // Part of the encoded User-Agent = Mozilla
- $ = { c7 [5] 40 00 62 00 c7 [5] 77 00 64 00 c7 [5] 61 00 61 00 c7 [5] 6c 00 }
-
- // XOR to decode User-Agent after string stacking 0x10001630
- $ = { 66 [7] 0d 40 83 ?? ?? 7c ?? }
-
- // XOR with 0x2E - 0x10002EF6
-
- $ = { 80 [2] 2e 40 3b ?? 72 ?? }
-
- $ = "CmdProcessExited" wide ascii
- $ = "rootDir" wide ascii
- $ = "DllRegisterServer" wide ascii
- $ = "GetNativeSystemInfo" wide ascii
- $ = "%08x%08x%08x%08x" wide ascii
-
- condition:
- (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f) and (all of them)
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fidelis/apt_win_exe_trojan_derusbi.yar b/yara-mikesxrs/Fidelis/apt_win_exe_trojan_derusbi.yar
deleted file mode 100644
index 2176cd6..0000000
--- a/yara-mikesxrs/Fidelis/apt_win_exe_trojan_derusbi.yar
+++ /dev/null
@@ -1,61 +0,0 @@
-rule apt_win_exe_trojan_derusbi
-{
- meta:
- author = "Fidelis Cybersecurity"
- reference = "https://www.fidelissecurity.com/resources/turbo-campaign-featuring-derusbi-64-bit-linux"
- strings:
- $sa_1 = "USB" wide ascii
- $sa_2 = "RAM" wide ascii
- $sa_3 = "SHARE" wide ascii
- $sa_4 = "HOST: %s:%d"
- $sa_5 = "POST"
- $sa_6 = "User-Agent: Mozilla"
- $sa_7 = "Proxy-Connection: Keep-Alive"
- $sa_8 = "Connection: Keep-Alive"
- $sa_9 = "Server: Apache"
- $sa_10 = "HTTP/1.1"
- $sa_11 = "ImagePath"
- $sa_12 = "ZwUnloadDriver"
- $sa_13 = "ZwLoadDriver"
- $sa_14 = "ServiceMain"
- $sa_15 = "regsvr32.exe"
- $sa_16 = "/s /u" wide ascii
- $sa_17 = "rand"
- $sa_18 = "_time64"
- $sa_19 = "DllRegisterServer"
- $sa_20 = "DllUnregisterServer"
- $sa_21 = { 8b [5] 8b ?? d3 ?? 83 ?? 08 30 [5] 40 3b [5] 72 } // Decode Driver
-
- $sb_1 = "PCC_CMD_PACKET"
- $sb_2 = "PCC_CMD"
- $sb_3 = "PCC_BASEMOD"
- $sb_4 = "PCC_PROXY"
- $sb_5 = "PCC_SYS"
- $sb_6 = "PCC_PROCESS"
- $sb_7 = "PCC_FILE"
- $sb_8 = "PCC_SOCK"
-
- $sc_1 = "bcdedit -set testsigning" wide ascii
- $sc_2 = "update.microsoft.com" wide ascii
- $sc_3 = "_crt_debugger_hook" wide ascii
- $sc_4 = "ue8G5" wide ascii
-
- $sd_1 = "NET" wide ascii
- $sd_2 = "\\\\.\\pipe\\%s" wide ascii
- $sd_3 = ".dat" wide ascii
- $sd_4 = "CONNECT %s:%d" wide ascii
- $sd_5 = "\\Device\\" wide ascii
-
- $se_1 = "-%s-%04d" wide ascii
- $se_2 = "-%04d" wide ascii
- $se_3 = "FAL" wide ascii
- $se_4 = "OK" wide ascii
- $se_5 = "2.03" wide ascii
- $se_6 = "XXXXXXXXXXXXXXX" wide ascii
-
- condition:
- (uint16(0) == 0x5A4D) and ( (all of ($sa_*)) or (
- (13 of ($sa_*)) and
- ( (5 of ($sb_*)) or (3 of ($sc_*)) or (all of ($sd_*)) or
- ( (1 of ($sc_*)) and (all of ($se_*)) ) ) ) )
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fidelis/crime_win32_exe_rat_netwire.yar b/yara-mikesxrs/Fidelis/crime_win32_exe_rat_netwire.yar
deleted file mode 100644
index 0d4ee30..0000000
--- a/yara-mikesxrs/Fidelis/crime_win32_exe_rat_netwire.yar
+++ /dev/null
@@ -1,51 +0,0 @@
-rule crime_win32_exe_rat_netwire{
-meta:
- description = "AlienSpy"
- author = "Fidelis Cybersecurity"
- reference = "Fidelis Threat Advisory #1017 - Phishing in Plain Sight - June 9, 2015"
- hash = "fd5a753347416484ab01712786c407c4"
-
-strings:
- $sa = "StubPath"
- $sa = "CONNECT"
- $sa = "200 OK"
- $sa = "GET"
- $sa = "Host"
- $sa = "Connection"
- $sa = "Firefox"
- $sa = "Chrome"
- $sa = "Opera"
- $sa = "Outlook"
- $sa = "NSS_Shutdown"
- $sa = "NSSBase64_DecodeBuffer"
- $sa = "NSS_Init"
- $sa = "NSS_Shutdown"
- $sa = "name" nocase
- $sa = "password"
- $sa = "Server"
- $sa = "LANMANNT"
- $sa = "SERVERNT"
- $sa = "[Backspace]"
- $sa = "[Enter]"
- $sa = "[Tab]"
- $sa = "[Print Screen]"
- $sa = "mozsqlite"
- $sa = "nssutil"
- $sa = "sqlite"
- $sa = "Email"
- $sa = "POP3 User"
- $sa = "POP3 Server"
- $sa = "POP3 Password"
- $sa = "IMAP User"
- $sa = "IMAP Server"
- $sa = "IMAP Password"
- $sa = "HTTP User"
- $sa = "HTTP Server"
- $sa = "HTTP Password"
- $sa = "SMTP User"
- $sa = "SMTP Server"
- $sa = "SMTP Password"
-
-condition:
- (uint16(0) == 0x5A4D) and (all of them)
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fidelis/crime_win_PWS_Fareit.yar b/yara-mikesxrs/Fidelis/crime_win_PWS_Fareit.yar
deleted file mode 100644
index dedcbf6..0000000
--- a/yara-mikesxrs/Fidelis/crime_win_PWS_Fareit.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule crime_win_PWS_Fareit
-{
-meta:
- description = "Fareit password stealer"
- author = "General Dynamics Fidelis Cybersecurity Solutions - Threat Research Team"
- reference = "https://www.fidelissecurity.com/sites/default/files/FTA_1016_Pushdo.pdf"
- date = "20150414"
- filetype = "exe"
- hash_1 = "e93799591429756b7a5ad6e44197c020"
- hash_2 = "891823de9b05e17def459e04fb574f94"
- hash_3 = "6e54267c787fc017a2b2cc5dc5273a0a"
- hash_4 = "40165ee6b1d69c58d3c0d2f4701230fa"
- hash_5 = "de3b206a8066db48e9d7b0a42d50c5cd"
- hash_6 = "b988944f831c478f5a6d71f9e06fbc22"
- hash_7 = "7b7584d86efa2df42fe504213a3d1d2c"
- hash_8 = "f088b291af1a3710f99c33fa37f68602"
-strings:
- $mz = {4d5a}
- $s1 = "SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins"
- $s2 = "gate.php"
- $s3 = "STATUS-IMPORT-OK"
- $s4 = "Client Hash"
- $s5 = "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0"
- $c1 = "wiseftpsrvs.bin"
- $c2 = "out.bin"
-condition:
- $mz at 0 and filesize < 105KB and all of ($s*) and ($c1 or $c2)
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fidelis/network_traffic_njRAT.yar b/yara-mikesxrs/Fidelis/network_traffic_njRAT.yar
deleted file mode 100644
index e6fec5e..0000000
--- a/yara-mikesxrs/Fidelis/network_traffic_njRAT.yar
+++ /dev/null
@@ -1,47 +0,0 @@
-rule network_traffic_njRAT
-{
-meta:
-author = "info@fidelissecurity.com"
-descripion = "njRAT - Remote Access Trojan"
-comment = "Rule to alert on network traffic indicators"
-filetype = "PCAP - Network Traffic"
-date = "2013-07-15"
-version = "1.0"
-hash1 = "92ee1fb5df21d8cfafa2b02b6a25bd3b"
-hash2 ="3576d40ce18bb0349f9dfa42b8911c3a"
-hash3 ="24cc5b811a7f9591e7f2cb9a818be104"
-hash4 = "3ad5fded9d7fdf1c2f6102f4874b2d52"
-hash5 = "a98b4c99f64315aac9dd992593830f35"
-hash6 = "5fcb5282da1a2a0f053051c8da1686ef"
-hash7 = "a669c0da6309a930af16381b18ba2f9d"
-hash8 = "79dce17498e1997264346b162b09bde8"
-hash9 = "fc96a7e27b1d3dab715b2732d5c86f80"
-ref1 = "http://bit.ly/19tlf4s"
-ref2 = "http://www.fidelissecurity.com/threatadvisory"
-ref3 = "http://www.threatgeek.com/2013/06/fidelis-threat-advisory-1009-njrat-uncovered.html"
-ref4 = "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered.pdf"
-
-strings:
-$string1 = "FM|'|'|" // File Manager
-$string2 = "nd|'|'|" // File Manager
-$string3 = "rn|'|'|" // Run File
-$string4 = "sc~|'|'|" // Remote Desktop
-$string5 = "scPK|'|'|" // Remote Desktop
-$string6 = "CAM|'|'|" // Remote Cam
-$string7 = "USB Video Device[endof]" // Remote Cam
-$string8 = "rs|'|'|" // Reverse Shell
-$string9 = "proc|'|'|" // Process Manager
-$string10 = "k|'|'|" // Process Manager
-$string11 = "RG|'|'|~|'|'|" // Registry Manipulation
-$string12 = "kl|'|'|" // Keylogger file
-$string13 = "ret|'|'|" // Get Browser Passwords
-$string14 = "pl|'|'|" // Get Browser Passwords
-$string15 = "lv|'|'|" // General
-$string16 = "prof|'|'|~|'|'|" // Server rename
-$string17 = "un|'|'|~[endof]" // Uninstall
-$idle_string = "P[endof]" // Idle Connection
-
-condition:
-any of ($string*) or #idle_string > 4
-
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fidelis/win_exe_njRAT.yar b/yara-mikesxrs/Fidelis/win_exe_njRAT.yar
deleted file mode 100644
index fce09d9..0000000
--- a/yara-mikesxrs/Fidelis/win_exe_njRAT.yar
+++ /dev/null
@@ -1,45 +0,0 @@
-rule win_exe_njRAT
-{
-meta:
-author = "info@fidelissecurity.com"
-descripion = "njRAT - Remote Access Trojan"
-comment = "Variants have also been observed obfuscated with .NET Reactor"
-filetype = "pe"
-date = "2013-07-15"
-version = "1.0"
-hash1 = "92ee1fb5df21d8cfafa2b02b6a25bd3b"
-hash2 = "3576d40ce18bb0349f9dfa42b8911c3a"
-hash3 = "24cc5b811a7f9591e7f2cb9a818be104"
-hash4 = "3ad5fded9d7fdf1c2f6102f4874b2d52"
-hash5 = "a98b4c99f64315aac9dd992593830f35"
-hash6 ="5fcb5282da1a2a0f053051c8da1686ef"
-hash7 = "a669c0da6309a930af16381b18ba2f9d"
-hash8 = "79dce17498e1997264346b162b09bde8"
-hash9 = "fc96a7e27b1d3dab715b2732d5c86f80"
-ref1 = "http://bit.ly/19tlf4s"
-ref2 = "http://www.fidelissecurity.com/threatadvisory"
-ref3 = "http://www.threatgeek.com/2013/06/fidelis-threat-advisory-1009-njratuncovered.html"
-ref4 = "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered.pdf"
-
-strings:
-$magic = "MZ"
-$string_setA_1 = "FromBase64String"
-$string_setA_2 = "Base64String"
-$string_setA_3 = "Connected" wide ascii
-$string_setA_4 = "Receive"
-$string_setA_5 = "DeleteSubKey" wide ascii
-$string_setA_6 = "get_MachineName"
-$string_setA_7 = "get_UserName"
-$string_setA_8 = "get_LastWriteTime"
-$string_setA_9 = "GetVolumeInformation"
-
-$string_setB_1 = "OSFullName" wide ascii
-$string_setB_2 = "Send" wide ascii
-$string_setB_3 = "Connected" wide ascii
-$string_setB_4 = "DownloadData" wide ascii
-$string_setB_5 = "netsh firewall" wide
-$string_setB_6 = "cmd.exe /k ping 0 & del" wide
-
-condition:
-($magic at 0) and ( all of ($string_setA*) or all of ($string_setB*) )
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fidelis/win_vbs_rat_hworm.yara b/yara-mikesxrs/Fidelis/win_vbs_rat_hworm.yara
deleted file mode 100644
index e63f4c3..0000000
--- a/yara-mikesxrs/Fidelis/win_vbs_rat_hworm.yara
+++ /dev/null
@@ -1,128 +0,0 @@
-rule win_vbs_rat_hworm
-
-{
- meta:
- author = "Fidelis Cybersecurity"
- reference = "http://www.threatgeek.com/2016/11/down-the-h-w0rm-hole-with-houdinis-rat.html"
- strings:
-
- $sa1 = "CONFIG"
-
- $sa2 = "MYCODE"
-
- $sa3 = "SHELLOBJ.EXPANDENVIRONMENTSTRINGS"
-
- $sa4 = "BASE64TOHEX"
-
- $sa5 = "DCOM.VIRTUALALLOC"
-
- $sa6 = "LOADER_"
-
- $sa7 = "PE_PTR"
-
- $sa8 = "OBJWMISERVICE.EXECQUERY"
-
- $sa9 = "WSCRIPT.EXE" nocase
-
- $sa10 = "FUNCTION"
-
- $sa11 = "DIM"
-
- $sa12 = "END SUB"
-
- $sb1 = "HOST_FILE"
-
- $sb2 = "FILE_NAME"
-
- $sb3 = "INSTALL_DIR"
-
- $sb4 = "START_UP_REG"
-
- $sb5 = "START_UP_TASK"
-
- $sb6 = "START_UP_FOLDER"
-
- $sc1 = "DCOM_DATA"
-
- $sc2 = "LOADER_DATA"
-
- $sc3 = "FILE_DATA"
-
- $sc4 = "(1)"
-
- $sc5 = "(2)"
-
- $sc6 = "(3)"
-
- $sc7 = "FILE_SIZE"
-
- condition:
-
- (all of ($sa*)) and ( (all of ($sb*)) or (all of ($sc*)) )
-
-}
-
-rule win_exe_rat_hworm
-
-{
- meta:
- author = "Fidelis Cybersecurity"
- reference = "http://www.threatgeek.com/2016/11/down-the-h-w0rm-hole-with-houdinis-rat.html"
- strings:
-
- $sa1 = "connection_host" wide ascii
-
- $sa2 = "connection_port" wide ascii
-
- $sa3 = "install_folder" wide ascii
-
- $sa4 = "install_name" wide ascii
-
- $sa5 = "nickname_id" wide ascii
-
- $sa6 = "password" wide ascii
-
- $sa7 = "injection" wide ascii
-
- $sa8 = "startup_registry" wide ascii
-
- $sa9 = "startup_folder" wide ascii
-
- $sa10 = "startup_task" wide ascii
-
- $sa11 = "process_name" wide ascii
-
- $sa12 = "fkeylogger_host" wide ascii
-
- $sa13 = "fkeylogger_port" wide ascii
-
- $sa14 = "keylogger_init" wide ascii
-
- $sa15 = "keylogger_offline" wide ascii
-
- $sa16 = "file_manager" wide ascii
-
- $sa17 = "usb" wide ascii
-
- $sa18 = "password" wide ascii
-
- $sa19 = "filemanager" wide ascii
-
- $sa20 = "keylogger" wide ascii
-
- $sa21 = "screenshot" wide ascii
-
- $sa22 = "show" nocase wide ascii
-
- $sa23 = "open" wide ascii
-
- $sa25 = "create" wide ascii
-
- $sa26 = "Self" wide ascii
-
- $sa27 = "createsuspended" wide ascii
-
- condition:
-
- (uint16(0) == 0x5A4D) and (all of them)
-
diff --git a/yara-mikesxrs/Fireeye/APT19_LEGALSTRIKE_DOCUMENT.yara b/yara-mikesxrs/Fireeye/APT19_LEGALSTRIKE_DOCUMENT.yara
deleted file mode 100644
index e73e61a..0000000
--- a/yara-mikesxrs/Fireeye/APT19_LEGALSTRIKE_DOCUMENT.yara
+++ /dev/null
@@ -1,113 +0,0 @@
-rule FE_LEGALSTRIKE_MACRO {
- meta:version=".1"
- filetype="MACRO"
- author="Ian.Ahl@fireeye.com @TekDefense"
- date="2017-06-02"
- description="This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7."
- reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
-strings:
- // OBSFUCATION
- $ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
- $ob2 = "ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(115) & ChrW(32) & ChrW(47) & ChrW(110) & ChrW(32) & ChrW(47)" ascii wide
- $ob3 = "ChrW(117) & ChrW(32) & ChrW(47) & ChrW(105) & ChrW(58) & ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(115)" ascii wide
- $ob4 = "ChrW(58) & ChrW(47) & ChrW(47) & ChrW(108) & ChrW(121) & ChrW(110) & ChrW(99) & ChrW(100) & ChrW(105) & ChrW(115)" ascii wide
- $ob5 = "ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(46) & ChrW(50) & ChrW(98) & ChrW(117) & ChrW(110)" ascii wide
- $ob6 = "ChrW(110) & ChrW(121) & ChrW(46) & ChrW(99) & ChrW(111) & ChrW(109) & ChrW(47) & ChrW(65) & ChrW(117) & ChrW(116)" ascii wide
- $ob7 = "ChrW(111) & ChrW(100) & ChrW(105) & ChrW(115) & ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(32)" ascii wide
- $ob8 = "ChrW(115) & ChrW(99) & ChrW(114) & ChrW(111) & ChrW(98) & ChrW(106) & ChrW(46) & ChrW(100) & ChrW(108) & ChrW(108)" ascii wide
- $obreg1 = /(\w{5}\s&\s){7}\w{5}/
- $obreg2 = /(Chrw\(\d{1,3}\)\s&\s){7}/
- // wscript
- $wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
- $wsobj2 = "Obj.Run " ascii wide
-
-condition:
- (
- (
- (uint16(0) != 0x5A4D)
- )
- and
- (
- all of ($wsobj*) and 3 of ($ob*)
- or
- all of ($wsobj*) and all of ($obreg*)
- )
- )
-}
-
-rule FE_LEGALSTRIKE_MACRO_2 {
- meta:version=".1"
- filetype="MACRO"
- author="Ian.Ahl@fireeye.com @TekDefense"
- date="2017-06-02"
- description="This rule was written to hit on specific variables and powershell command fragments as seen in the macro found in the XLSX file3a1dca21bfe72368f2dd46eb4d9b48c4."
- reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
-strings:
- // Setting the environment
- $env1 = "Arch = Environ(\"PROCESSOR_ARCHITECTURE\")" ascii wide
- $env2 = "windir = Environ(\"windir\")" ascii wide
- $env3 = "windir + \"\\syswow64\\windowspowershell\\v1.0\\powershell.exe\"" ascii wide
- // powershell command fragments
- $ps1 = "-NoP" ascii wide
- $ps2 = "-NonI" ascii wide
- $ps3 = "-W Hidden" ascii wide
- $ps4 = "-Command" ascii wide
- $ps5 = "New-Object IO.StreamReader" ascii wide
- $ps6 = "IO.Compression.DeflateStream" ascii wide
- $ps7 = "IO.MemoryStream" ascii wide
- $ps8 = ",$([Convert]::FromBase64String" ascii wide
- $ps9 = "ReadToEnd();" ascii wide
- $psregex1 = /\W\w+\s+\s\".+\"/
-condition:
- (
- (
- (uint16(0) != 0x5A4D)
- )
- and
- (
- all of ($env*) and 6 of ($ps*)
- or
- all of ($env*) and 4 of ($ps*) and all of ($psregex*)
- )
- )
-}
-
-rule FE_LEGALSTRIKE_RTF {
- meta:
- version=".1"
- filetype="MACRO"
- author="joshua.kim@FireEye.com"
- date="2017-06-02"
- description="Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"
- reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
-
- strings:
- $header = "{\\rt"
-
- $lnkinfo = "4c0069006e006b0049006e0066006f"
-
- $encoded1 = "4f4c45324c696e6b"
- $encoded2 = "52006f006f007400200045006e007400720079"
- $encoded3 = "4f0062006a0049006e0066006f"
- $encoded4 = "4f006c0065"
-
- $http1 = "68{"
- $http2 = "74{"
- $http3 = "07{"
-
- // 2bunny.com
- $domain1 = "32{\\"
- $domain2 = "62{\\"
- $domain3 = "75{\\"
- $domain4 = "6e{\\"
- $domain5 = "79{\\"
- $domain6 = "2e{\\"
- $domain7 = "63{\\"
- $domain8 = "6f{\\"
- $domain9 = "6d{\\"
-
- $datastore = "\\*\\datastore"
-
- condition:
- $header at 0 and all of them
-}
diff --git a/yara-mikesxrs/Fireeye/APT32_ActiveMime_Lure.yar b/yara-mikesxrs/Fireeye/APT32_ActiveMime_Lure.yar
deleted file mode 100644
index 5e6d569..0000000
--- a/yara-mikesxrs/Fireeye/APT32_ActiveMime_Lure.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule APT32_ActiveMime_Lure{
- meta:
- filetype = "MIME entity"
- author = "Ian Ahl (@TekDefense) and Nick Carr (@ItsReallyNick)"
- date = "2017-03-02"
- description = "Developed to detect APT32 (OceanLotus Group phishing lures used to target Fireeye Customers in 2016 and 2017"
- reference = "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
- strings:
- $a1 = "office_text" wide ascii
- $a2 = "schtasks /create /tn" wide ascii
- $a3 = "scrobj.dll" wide ascii
- $a4 = "new-object net.webclient" wide ascii
- $a5 = "GetUserName" wide ascii
- $a6 = "WSHnet.UserDomain" wide ascii
- $a7 = "WSHnet.UserName" wide ascii
- condition:
- 4 of them
-}
diff --git a/yara-mikesxrs/Fireeye/APT_DeputyDog_Strings.yar b/yara-mikesxrs/Fireeye/APT_DeputyDog_Strings.yar
deleted file mode 100644
index 9dc50a2..0000000
--- a/yara-mikesxrs/Fireeye/APT_DeputyDog_Strings.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule APT_DeputyDog_Strings
-{
-
- meta:
-
- author = "FireEye Labs"
- version = "1.0"
- description = "detects string seen in samples used in 2013-3893 0day attacks"
- reference = "8aba4b5184072f2a50cbc5ecfe326701"
-
- strings:
-
- $mz = {4d 5a}
- $a = "DGGYDSYRL"
-
- condition:
-
- ($mz at 0) and $a
-
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fireeye/BadRabbit.yar b/yara-mikesxrs/Fireeye/BadRabbit.yar
deleted file mode 100644
index 6d610f3..0000000
--- a/yara-mikesxrs/Fireeye/BadRabbit.yar
+++ /dev/null
@@ -1,120 +0,0 @@
-rule FE_Hunting_BADRABBIT {
- meta:version=".2"
- filetype="PE"
- author="ian.ahl @TekDefense & nicholas.carr @itsreallynick"
- reference = "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html"
- date="2017-10-24"
- md5 = "b14d8faf7f0cbcfad051cefe5f39645f"
-strings:
- // Messages
- $msg1 = "Incorrect password" nocase ascii wide
- $msg2 = "Oops! Your files have been encrypted." ascii wide
- $msg3 = "If you see this text, your files are no longer accessible." ascii wide
- $msg4 = "You might have been looking for a way to recover your files." ascii wide
- $msg5 = "Don't waste your time. No one will be able to recover them without our" ascii wide
- $msg6 = "Visit our web service at" ascii wide
- $msg7 = "Your personal installation key#1:" ascii wide
- $msg8 = "Run DECRYPT app at your desktop after system boot" ascii wide
- $msg9 = "Password#1" nocase ascii wide
- $msg10 = "caforssztxqzf2nm.onion" nocase ascii wide
- $msg11 = /partition (unbootable|not (found|mounted))/ nocase ascii wide
-
- // File references
- $fref1 = "C:\\Windows\\cscc.dat" nocase ascii wide
- $fref2 = "\\\\.\\dcrypt" nocase ascii wide
- $fref3 = "Readme.txt" ascii wide
- $fref4 = "\\Desktop\\DECRYPT.lnk" nocase ascii wide
- $fref5 = "dispci.exe" nocase ascii wide
- $fref6 = "C:\\Windows\\infpub.dat" nocase ascii wide
- // META
- $meta1 = "http://diskcryptor.net/" nocase ascii wide
- $meta2 = "dispci.exe" nocase ascii wide
- $meta3 = "GrayWorm" ascii wide
- $meta4 = "viserion" nocase ascii wide
- //commands
- $com1 = "ComSpec" ascii wide
- $com2 = "\\cmd.exe" nocase ascii wide
- $com3 = "schtasks /Create" nocase ascii wide
- $com4 = "schtasks /Delete /F /TN %ws" nocase ascii wide
-condition:
- (uint16(0) == 0x5A4D)
- and
- (8 of ($msg*) and 3 of ($fref*) and 2 of ($com*))
- or
- (all of ($meta*) and 8 of ($msg*))
- }
-
-rule FE_Trojan_BADRABBIT_DROPPER
- {
- meta:
- author = "muhammad.umair"
- md5 = "fbbdc39af1139aebba4da004475e8839"
- reference = "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html"
- rev = 1
- strings:
- $api1 = "GetSystemDirectoryW" fullword
- $api2 = "GetModuleFileNameW" fullword
- $dropped_dll = "infpub.dat" ascii fullword wide
- $exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii fullword wide
- $extract_seq = { 68 ?? ?? ?? ?? 8D 95 E4 F9 FF FF 52 FF 15 ?? ?? ?? ?? 85 C0 0F 84 C4 00 00 00 8D 85 A8 ED FF FF 50 8D 8D AC ED FF FF E8 ?? ?? ?? ?? 85 C0 0F 84 AA 00 00 00 }
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
- }
-
-rule FE_Worm_BADRABBIT
- {
- meta:
- author = "muhammad.umair"
- md5 = "1d724f95c61f1055f0d02c2154bbccd3"
- reference = "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html"
- rev = 1
- strings:
- $api1 = "WNetAddConnection2W" fullword
- $api2 = "CredEnumerateW" fullword
- $api3 = "DuplicateTokenEx" fullword
- $api4 = "GetIpNetTable"
- $del_tasks = "schtasks /Delete /F /TN drogon" ascii fullword wide
- $dropped_driver = "cscc.dat" ascii fullword wide
- $exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii fullword wide
- $iter_encrypt = { 8D 44 24 3C 50 FF 15 ?? ?? ?? ?? 8D 4C 24 3C 8D 51 02 66 8B 31 83 C1 02 66 3B F7 75 F5 2B CA D1 F9 8D 4C 4C 3C 3B C1 74 07 E8 ?? ?? ?? ?? }
- $share_fmt_str = "\\\\%ws\\admin$\\%ws" ascii fullword wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
- }
-
-rule FE_Trojan_BADRABBIT_MIMIKATZ
- {
- meta:
- author = "muhammad.umair"
- md5 = "37945c44a897aa42a66adcab68f560e0"
- reference = "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html"
- rev = 1
- strings:
- $api1 = "WriteProcessMemory" fullword
- $api2 = "SetSecurityDescriptorDacl" fullword
- $api_str1 = "BCryptDecrypt" ascii fullword wide
- $mimi_str = "CredentialKeys" ascii fullword wide
- $wait_pipe_seq = { FF 15 ?? ?? ?? ?? 85 C0 74 63 55 BD B8 0B 00 00 57 57 6A 03 8D 44 24 1C 50 57 68 00 00 00 C0 FF 74 24 38 4B FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 75 3B }
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
- }
-
-rule FE_Trojan_BADRABBIT_DISKENCRYPTOR
- {
- meta:
- author = "muhammad.umair"
- md5 = "b14d8faf7f0cbcfad051cefe5f39645f"
- reference = "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html"
- rev = 1
- strings:
- $api1 = "CryptAcquireContextW" fullword
- $api2 = "CryptEncrypt" fullword
- $api3 = "NetWkstaGetInfo" fullword
- $decrypt_seq = { 89 5D EC 78 10 7F 07 3D 00 00 00 01 76 07 B8 00 00 00 01 EB 07 C7 45 EC 01 00 00 00 53 50 53 6A 04 53 8B F8 56 89 45 FC 89 7D E8 FF 15 ?? ?? ?? ?? 8B D8 85 DB 74 5F }
- $msg1 = "Disk decryption progress..." ascii fullword wide
- $task_fmt_str = "schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR \"%ws\" /ST %02d:%02d:00" ascii fullword wide
- $tok1 = "\\\\.\\dcrypt" ascii fullword wide
- $tok2 = "C:\\Windows\\cscc.dat" ascii fullword wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 150KB and all of them
- }
diff --git a/yara-mikesxrs/Fireeye/FE_APT_9002_rat.yar b/yara-mikesxrs/Fireeye/FE_APT_9002_rat.yar
deleted file mode 100644
index 76db8e5..0000000
--- a/yara-mikesxrs/Fireeye/FE_APT_9002_rat.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule FE_APT_9002_rat
-
-{
-
- meta:
- author = "FireEye Labs"
- reference = "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html"
-
- strings:
-
- $mz = {4d 5a}
-
- $a = "rat_UnInstall" wide ascii
-
- condition:
-
- ($mz at 0) and $a
-
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fireeye/FE_petya_ransomware,yar b/yara-mikesxrs/Fireeye/FE_petya_ransomware,yar
deleted file mode 100644
index 6c6c7cc..0000000
--- a/yara-mikesxrs/Fireeye/FE_petya_ransomware,yar
+++ /dev/null
@@ -1,75 +0,0 @@
-rule FE_CPE_MS17_010_RANSOMWARE {
-meta:version="1.1"
- //filetype="PE"
- author="Ian.Ahl@fireeye.com @TekDefense, Nicholas.Carr@mandiant.com @ItsReallyNick"
- date="2017-06-27"
- description="Probable PETYA ransomware using ETERNALBLUE, WMIC, PsExec"
- reference = "https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html"
-strings:
- // DRIVE USAGE
- $dmap01 = "\\\\.\\PhysicalDrive" nocase ascii wide
- $dmap02 = "\\\\.\\PhysicalDrive0" nocase ascii wide
- $dmap03 = "\\\\.\\C:" nocase ascii wide
- $dmap04 = "TERMSRV" nocase ascii wide
- $dmap05 = "\\admin$" nocase ascii wide
- $dmap06 = "GetLogicalDrives" nocase ascii wide
- $dmap07 = "GetDriveTypeW" nocase ascii wide
-
- // RANSOMNOTE
- $msg01 = "WARNING: DO NOT TURN OFF YOUR PC!" nocase ascii wide
- $msg02 = "IF YOU ABORT THIS PROCESS" nocase ascii wide
- $msg03 = "DESTROY ALL OF YOUR DATA!" nocase ascii wide
- $msg04 = "PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED" nocase ascii wide
- $msg05 = "your important files are encrypted" ascii wide
- $msg06 = "Your personal installation key" nocase ascii wide
- $msg07 = "worth of Bitcoin to following address" nocase ascii wide
- $msg08 = "CHKDSK is repairing sector" nocase ascii wide
- $msg09 = "Repairing file system on " nocase ascii wide
- $msg10 = "Bitcoin wallet ID" nocase ascii wide
- $msg11 = "wowsmith123456@posteo.net" nocase ascii wide
- $msg12 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" nocase ascii wide
- $msg_pcre = /(en|de)crypt(ion|ed\.)/
-
- // FUNCTIONALITY, APIS
- $functions01 = "need dictionary" nocase ascii wide
- $functions02 = "comspec" nocase ascii wide
- $functions03 = "OpenProcessToken" nocase ascii wide
- $functions04 = "CloseHandle" nocase ascii wide
- $functions05 = "EnterCriticalSection" nocase ascii wide
- $functions06 = "ExitProcess" nocase ascii wide
- $functions07 = "GetCurrentProcess" nocase ascii wide
- $functions08 = "GetProcAddress" nocase ascii wide
- $functions09 = "LeaveCriticalSection" nocase ascii wide
- $functions10 = "MultiByteToWideChar" nocase ascii wide
- $functions11 = "WideCharToMultiByte" nocase ascii wide
- $functions12 = "WriteFile" nocase ascii wide
- $functions13 = "CoTaskMemFree" nocase ascii wide
- $functions14 = "NamedPipe" nocase ascii wide
- $functions15 = "Sleep" nocase ascii wide // imported, not in strings
-
- // COMMANDS
- // -- Clearing event logs & USNJrnl
- $cmd01 = "wevtutil cl Setup" ascii wide nocase
- $cmd02 = "wevtutil cl System" ascii wide nocase
- $cmd03 = "wevtutil cl Security" ascii wide nocase
- $cmd04 = "wevtutil cl Application" ascii wide nocase
- $cmd05 = "fsutil usn deletejournal" ascii wide nocase
- // -- Scheduled task
- $cmd06 = "schtasks " nocase ascii wide
- $cmd07 = "/Create /SC " nocase ascii wide
- $cmd08 = " /TN " nocase ascii wide
- $cmd09 = "at %02d:%02d %ws" nocase ascii wide
- $cmd10 = "shutdown.exe /r /f" nocase ascii wide
- // -- Sysinternals/PsExec and WMIC
- $cmd11 = "-accepteula -s" nocase ascii wide
- $cmd12 = "wmic"
- $cmd13 = "/node:" nocase ascii wide
- $cmd14 = "process call create" nocase ascii wide
-
-condition:
- // (uint16(0) == 0x5A4D)
- 3 of ($dmap*)
- and 2 of ($msg*)
- and 9 of ($functions*)
- and 7 of ($cmd*)
-}
diff --git a/yara-mikesxrs/Fireeye/Fireeye_red_team_tool_countermeasures.yar b/yara-mikesxrs/Fireeye/Fireeye_red_team_tool_countermeasures.yar
deleted file mode 100644
index cb545f0..0000000
--- a/yara-mikesxrs/Fireeye/Fireeye_red_team_tool_countermeasures.yar
+++ /dev/null
@@ -1,2947 +0,0 @@
-// Copyright 2020 by FireEye, Inc.
-// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
-// https://github.com/fireeye/red_team_tool_countermeasures/blob/master/LICENSE.txt
-import "pe"
-
-rule HackTool_MSIL_Rubeus_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public Rubeus project."
- md5 = "66e0681a500c726ed52e5ea9423d2654"
- rev = 4
- author = "FireEye"
- strings:
- $typelibguid = "658C8B7F-3664-4A95-9572-A3E5871DFC06" ascii nocase wide
- condition:
- uint16(0) == 0x5A4D and $typelibguid
-}
-rule Trojan_Raw_Generic_4
-{
- meta:
- date_created = "2020-12-02"
- date_modified = "2020-12-02"
- md5 = "f41074be5b423afb02a74bc74222e35d"
- rev = 1
- author = "FireEye"
- strings:
- $s0 = { 83 ?? 02 [1-16] 40 [1-16] F3 A4 [1-16] 40 [1-16] E8 [4-32] FF ( D? | 5? | 1? ) }
- $s1 = { 0F B? [1-16] 4D 5A [1-32] 3C [16-64] 50 45 [8-32] C3 }
- condition:
- uint16(0) != 0x5A4D and all of them
-}
-rule HackTool_Win32_AndrewSpecial_1
-{
- meta:
- date_created = "2020-11-25"
- date_modified = "2020-11-25"
- md5 = "e89efa88e3fda86be48c0cc8f2ef7230"
- rev = 4
- author = "FireEye"
- strings:
- $dump = { 6A 00 68 FF FF 1F 00 FF 15 [4] 89 45 ?? 83 [2] 00 [1-50] 6A 00 68 80 00 00 00 6A 02 6A 00 6A 00 68 00 00 00 10 68 [4] FF 15 [4] 89 45 [10-70] 6A 00 6A 00 6A 00 6A 02 8B [2-4] 5? 8B [2-4] 5? 8B [2-4] 5? E8 [4-20] FF 15 }
- $shellcode_x86 = { B8 3C 00 00 00 33 C9 8D 54 24 04 64 FF 15 C0 00 00 00 83 C4 04 C2 14 00 }
- $shellcode_x86_inline = { C6 45 ?? B8 C6 45 ?? 3C C6 45 ?? 00 C6 45 ?? 00 C6 45 ?? 00 C6 45 ?? 33 C6 45 ?? C9 C6 45 ?? 8D C6 45 ?? 54 C6 45 ?? 24 C6 45 ?? 04 C6 45 ?? 64 C6 45 ?? FF C6 45 ?? 15 C6 45 ?? C0 C6 45 ?? 00 C6 45 ?? 00 C6 45 ?? 00 C6 45 ?? 83 C6 45 ?? C4 C6 45 ?? 04 C6 45 ?? C2 C6 45 ?? 14 C6 45 ?? 00 }
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and $dump and any of ($shellcode*)
-}
-rule APT_Backdoor_Win_GORAT_3
-{
- meta:
- description = "This rule uses the same logic as FE_APT_Trojan_Win_GORAT_1_FEBeta with the addition of one check, to look for strings that are known to be in the Gorat implant when a certain cleaning script is not run against it."
- md5 = "995120b35db9d2f36d7d0ae0bfc9c10d"
- rev = 5
- author = "FireEye"
- strings:
- $dirty1 = "fireeye" ascii nocase wide
- $dirty2 = "kulinacs" ascii nocase wide
- $dirty3 = "RedFlare" ascii nocase wide
- $dirty4 = "gorat" ascii nocase wide
- $dirty5 = "flare" ascii nocase wide
- $go1 = "go.buildid" ascii wide
- $go2 = "Go build ID:" ascii wide
- $json1 = "json:\"pid\"" ascii wide
- $json2 = "json:\"key\"" ascii wide
- $json3 = "json:\"agent_time\"" ascii wide
- $json4 = "json:\"rid\"" ascii wide
- $json5 = "json:\"ports\"" ascii wide
- $json6 = "json:\"agent_platform\"" ascii wide
- $rat = "rat" ascii wide
- $str1 = "handleCommand" ascii wide
- $str2 = "sendBeacon" ascii wide
- $str3 = "rat.AgentVersion" ascii wide
- $str4 = "rat.Core" ascii wide
- $str5 = "rat/log" ascii wide
- $str6 = "rat/comms" ascii wide
- $str7 = "rat/modules" ascii wide
- $str8 = "murica" ascii wide
- $str9 = "master secret" ascii wide
- $str10 = "TaskID" ascii wide
- $str11 = "rat.New" ascii wide
- condition:
- uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 10MB and all of ($go*) and all of ($json*) and all of ($str*) and #rat > 1000 and any of ($dirty*)
-}
-rule CredTheft_Win_EXCAVATOR_1
-{
- meta:
- description = "This rule looks for the binary signature of the 'Inject' method found in the main Excavator PE."
- md5 = "f7d9961463b5110a3d70ee2e97842ed3"
- rev = 4
- author = "FireEye"
- strings:
- $bytes1 = { 48 89 74 24 10 48 89 7C 24 18 4C 89 74 24 20 55 48 8D 6C 24 E0 48 81 EC 20 01 00 00 48 8B 05 75 BF 01 00 48 33 C4 48 89 45 10 0F 57 C0 45 33 F6 8B F1 4C 89 74 24 60 48 8D 0D 12 A1 01 00 4C 89 74 24 68 0F 11 45 A0 41 8B FE 4C 89 74 24 70 0F 11 45 B0 0F 11 45 C0 0F 11 45 D0 0F 11 45 E0 0F 11 45 F0 0F 11 45 00 FF 15 CB 1F 01 00 48 85 C0 75 1B FF 15 80 1F 01 00 8B D0 48 8D 0D DF A0 01 00 E8 1A FF FF FF 33 C0 E9 B4 02 00 00 48 8D 15 D4 A0 01 00 48 89 9C 24 30 01 00 00 48 8B C8 FF 15 4B 1F 01 00 48 8B D8 48 85 C0 75 19 FF 15 45 1F 01 00 8B D0 48 8D 0D A4 A0 01 00 E8 DF FE FF FF E9 71 02 00 00 48 8B 4C 24 60 48 8D 44 24 60 45 33 C9 48 89 44 24 20 45 33 C0 BA 00 00 00 02 FF D3 85 C0 75 45 66 66 0F 1F 84 00 00 00 00 00 48 8B 4C 24 60 FF 15 4D 1F 01 00 3B C6 74 22 48 8B 4C 24 60 48 8D 44 24 60 45 33 C9 48 89 44 24 20 45 33 C0 BA 00 00 00 02 FF D3 85 C0 74 D1 EB 0A 48 8B 44 24 60 48 89 44 24 70 66 0F 6F 15 6D A0 01 00 48 8D 05 A6 C8 01 00 B9 C8 05 00 00 90 F3 0F 6F 40 F0 48 8D 40 40 66 0F 6F CA 66 0F EF C8 F3 0F 7F 48 B0 66 0F 6F CA F3 0F 6F 40 C0 66 0F EF C8 F3 0F 7F 48 C0 66 0F 6F CA F3 0F 6F 40 D0 66 0F EF C8 F3 0F 7F 48 D0 F3 0F 6F 40 E0 66 0F EF C2 F3 0F 7F 40 E0 48 83 E9 01 75 B2 FF 15 CC 1E 01 00 4C 8D 44 24 78 BA 0A 00 00 00 48 8B C8 FF 15 01 1E 01 00 85 C0 0F 84 66 01 00 00 48 8B 4C 24 78 48 8D 45 80 41 B9 02 00 00 00 48 89 44 24 28 45 33 C0 C7 44 24 20 02 00 00 00 41 8D 51 09 FF 15 D8 1D 01 00 85 C0 0F 84 35 01 00 00 45 33 C0 4C 8D 4C 24 68 33 C9 41 8D 50 01 FF 15 5C 1E 01 00 FF 15 06 1E 01 00 4C 8B 44 24 68 33 D2 48 8B C8 FF 15 DE 1D 01 00 48 8B F8 48 85 C0 0F 84 FF 00 00 00 45 33 C0 4C 8D 4C 24 68 48 8B C8 41 8D 50 01 FF 15 25 1E 01 00 85 C0 0F 84 E2 00 00 00 4C 89 74 24 30 4C 8D 4C 24 70 4C 89 74 24 28 33 D2 41 B8 00 00 02 00 48 C7 44 24 20 08 00 00 00 48 8B CF FF 15 6C 1D 01 00 85 C0 0F 84 B1 00 00 00 48 8B 4D 80 48 8D 45 88 48 89 44 24 50 4C 8D 05 58 39 03 00 48 8D 45 A0 48 89 7D 08 48 89 44 24 48 45 33 C9 4C 89 74 24 40 33 D2 4C 89 74 24 38 C7 44 
24 30 04 00 08 00 44 89 74 24 28 4C 89 74 24 20 FF 15 0C 1D 01 00 85 C0 74 65 48 8B 4C 24 70 8B 5D 98 FF 15 1A 1D 01 00 48 8B 4D 88 FF 15 10 1D 01 00 48 8B 4D 90 FF 15 06 1D 01 00 44 8B C3 33 D2 B9 3A 04 00 00 FF 15 4E 1D 01 00 48 8B D8 48 85 C0 74 2B 48 8B C8 E8 4E 06 00 00 48 85 C0 74 1E BA FF FF FF FF 48 8B C8 FF 15 3B 1D 01 00 48 8B CB FF 15 CA 1C 01 00 B8 01 00 00 00 EB 24 FF 15 DD 1C 01 00 8B D0 48 8D 0D 58 9E 01 00 E8 77 FC FF FF 48 85 FF 74 09 48 8B CF FF 15 A9 1C 01 00 33 C0 48 8B 9C 24 30 01 00 00 48 8B 4D 10 48 33 CC E8 03 07 00 00 4C 8D 9C 24 20 01 00 00 49 8B 73 18 49 8B 7B 20 4D 8B 73 28 49 8B E3 5D C3 }
- $bytes2 = { 48 89 74 24 10 48 89 7C 24 18 4C 89 74 24 20 55 48 8D 6C 24 E0 48 81 EC 2? ?1 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 33 C4 48 89 45 10 0F 57 C0 45 33 F6 8B F1 4C 89 74 24 60 48 ?? ?? ?? ?? ?? ?? 4C 89 74 24 68 0F 11 45 A0 41 8B FE 4C 89 74 24 70 0F 11 45 B0 0F 11 45 C0 0F 11 45 D0 0F 11 45 E0 0F 11 45 F0 0F 11 45 ?? FF ?? ?? ?? ?? ?? 48 85 C0 75 ?? FF ?? ?? ?? ?? ?? 8B D0 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 E9 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 9C 24 3? ?1 ?? ?? 48 8B C8 FF ?? ?? ?? ?? ?? 48 8B D8 48 85 C0 75 ?? FF ?? ?? ?? ?? ?? 8B D0 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 4C 24 60 48 8D 44 24 60 45 33 C9 48 89 44 24 20 45 33 C0 BA ?? ?? ?? ?? FF D3 85 C0 75 ?? 66 66 0F 1F 84 ?? ?? ?? ?? ?? 48 8B 4C 24 60 FF ?? ?? ?? ?? ?? 3B C6 74 ?? 48 8B 4C 24 60 48 8D 44 24 60 45 33 C9 48 89 44 24 20 45 33 C0 BA ?? ?? ?? ?? FF D3 85 C0 74 ?? EB ?? 48 8B 44 24 60 48 89 44 24 70 66 0F 6F 15 6D A? ?1 ?? 48 ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 90 F3 0F 6F 40 F0 48 8D 40 40 66 0F 6F CA 66 0F EF C8 F3 0F 7F 48 B0 66 0F 6F CA F3 0F 6F 40 C0 66 0F EF C8 F3 0F 7F 48 C0 66 0F 6F CA F3 0F 6F 40 D0 66 0F EF C8 F3 0F 7F 48 D0 F3 0F 6F 40 E0 66 0F EF C2 F3 0F 7F 40 E0 48 83 E9 01 75 ?? FF ?? ?? ?? ?? ?? 4C 8D 44 24 78 BA 0A ?? ?? ?? 48 8B C8 FF ?? ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 48 8B 4C 24 78 48 8D 45 80 41 B9 02 ?? ?? ?? 48 89 44 24 28 45 33 C0 C7 44 24 2? ?2 ?? ?? ?? 41 8D 51 09 FF ?? ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 45 33 C0 4C 8D 4C 24 68 33 C9 41 8D 5? ?1 FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 4C 8B 44 24 68 33 D2 48 8B C8 FF ?? ?? ?? ?? ?? 48 8B F8 48 85 C0 0F 84 ?? ?? ?? ?? 45 33 C0 4C 8D 4C 24 68 48 8B C8 41 8D 5? ?1 FF ?? ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 4C 89 74 24 30 4C 8D 4C 24 70 4C 89 74 24 28 33 D2 41 ?? ?? ?? ?? ?? 48 C7 44 24 2? ?8 ?? ?? ?? 48 8B CF FF ?? ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 48 8B 4D 80 48 8D 45 88 48 89 44 24 50 4C ?? ?? ?? ?? ?? ?? 48 8D 45 A0 48 89 7D 08 48 89 44 24 48 45 33 C9 4C 89 74 24 40 33 D2 4C 89 74 24 38 C7 ?? 
?? ?? ?? ?? ?? ?? 44 89 74 24 28 4C 89 74 24 20 FF ?? ?? ?? ?? ?? 85 C0 74 ?? 48 8B 4C 24 70 8B 5D 98 FF ?? ?? ?? ?? ?? 48 8B 4D 88 FF ?? ?? ?? ?? ?? 48 8B 4D 90 FF ?? ?? ?? ?? ?? 44 8B C3 33 D2 B9 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 48 8B D8 48 85 C0 74 ?? 48 8B C8 E8 ?? ?? ?? ?? 48 85 C0 74 ?? BA ?? ?? ?? ?? 48 8B C8 FF ?? ?? ?? ?? ?? 48 8B CB FF ?? ?? ?? ?? ?? B8 01 ?? ?? ?? EB ?? FF ?? ?? ?? ?? ?? 8B D0 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 85 FF 74 ?? 48 8B CF FF ?? ?? ?? ?? ?? 33 C0 48 8B 9C 24 3? ?1 ?? ?? 48 8B 4D 10 48 33 CC E8 ?? ?? ?? ?? 4C 8D 9C 24 2? ?1 ?? ?? 49 8B 73 18 49 8B 7B 20 4D 8B 73 28 49 8B E3 5D C3 }
- $bytes3 = { 48 89 74 24 10 48 89 7C 24 18 4C 89 74 24 20 55 48 8D 6C 24 E0 48 81 EC 2? ?1 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 33 C4 48 89 45 10 0F 57 C0 45 33 F6 8B F1 4C 89 74 24 60 48 ?? ?? ?? ?? ?? ?? 4C 89 74 24 68 0F 11 45 A0 41 8B FE 4C 89 74 24 70 0F 11 45 B0 0F 11 45 C0 0F 11 45 D0 0F 11 45 E0 0F 11 45 F0 0F 11 45 ?? FF ?? ?? ?? ?? ?? 48 85 C0 75 ?? FF ?? ?? ?? ?? ?? 8B D0 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 E9 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 9C 24 3? ?1 ?? ?? 48 8B C8 FF ?? ?? ?? ?? ?? 48 8B D8 48 85 C0 75 ?? FF ?? ?? ?? ?? ?? 8B D0 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 4C 24 60 48 8D 44 24 60 45 33 C9 48 89 44 24 20 45 33 C0 BA ?? ?? ?? ?? FF D3 85 C0 75 ?? 66 66 0F 1F 84 ?? ?? ?? ?? ?? 48 8B 4C 24 60 FF ?? ?? ?? ?? ?? 3B C6 74 ?? 48 8B 4C 24 60 48 8D 44 24 60 45 33 C9 48 89 44 24 20 45 33 C0 BA ?? ?? ?? ?? FF D3 85 C0 74 ?? EB ?? 48 8B 44 24 60 48 89 44 24 70 66 0F 6F 15 6D A? ?1 ?? 48 ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 90 F3 0F 6F 40 F0 48 8D 40 40 66 0F 6F CA 66 0F EF C8 F3 0F 7F 48 B0 66 0F 6F CA F3 0F 6F 40 C0 66 0F EF C8 F3 0F 7F 48 C0 66 0F 6F CA F3 0F 6F 40 D0 66 0F EF C8 F3 0F 7F 48 D0 F3 0F 6F 40 E0 66 0F EF C2 F3 0F 7F 40 E0 48 83 E9 01 75 ?? FF ?? ?? ?? ?? ?? 4C 8D 44 24 78 BA 0A ?? ?? ?? 48 8B C8 FF ?? ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 48 8B 4C 24 78 48 8D 45 80 41 B9 02 ?? ?? ?? 48 89 44 24 28 45 33 C0 C7 44 24 2? ?2 ?? ?? ?? 41 8D 51 09 FF ?? ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 45 33 C0 4C 8D 4C 24 68 33 C9 41 8D 5? ?1 FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 4C 8B 44 24 68 33 D2 48 8B C8 FF ?? ?? ?? ?? ?? 48 8B F8 48 85 C0 0F 84 ?? ?? ?? ?? 45 33 C0 4C 8D 4C 24 68 48 8B C8 41 8D 5? ?1 FF ?? ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 4C 89 74 24 30 4C 8D 4C 24 70 4C 89 74 24 28 33 D2 41 ?? ?? ?? ?? ?? 48 C7 44 24 2? ?8 ?? ?? ?? 48 8B CF FF ?? ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 48 8B 4D 80 48 8D 45 88 48 89 44 24 50 4C ?? ?? ?? ?? ?? ?? 48 8D 45 A0 48 89 7D 08 48 89 44 24 48 45 33 C9 4C 89 74 24 40 33 D2 4C 89 74 24 38 C7 ?? 
?? ?? ?? ?? ?? ?? 44 89 74 24 28 4C 89 74 24 20 FF ?? ?? ?? ?? ?? 85 C0 74 ?? 48 8B 4C 24 70 8B 5D 98 FF ?? ?? ?? ?? ?? 48 8B 4D 88 FF ?? ?? ?? ?? ?? 48 8B 4D 90 FF ?? ?? ?? ?? ?? 44 8B C3 33 D2 B9 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 48 8B D8 48 85 C0 74 ?? 48 8B C8 E8 ?? ?? ?? ?? 48 85 C0 74 ?? BA ?? ?? ?? ?? 48 8B C8 FF ?? ?? ?? ?? ?? 48 8B CB FF ?? ?? ?? ?? ?? B8 01 ?? ?? ?? EB ?? FF ?? ?? ?? ?? ?? 8B D0 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 85 FF 74 ?? 48 8B CF FF ?? ?? ?? ?? ?? 33 C0 48 8B 9C 24 3? ?1 ?? ?? 48 8B 4D 10 48 33 CC E8 ?? ?? ?? ?? 4C 8D 9C 24 2? ?1 ?? ?? 49 8B 73 18 49 8B 7B 20 4D 8B 73 28 49 8B E3 5D C3 }
- $bytes4 = { 48 89 74 24 ?? 48 89 7C 24 ?? 4C 89 74 24 ?? 55 48 8D 6C 24 ?? 48 81 EC 20 01 00 00 48 8B 05 ?? ?? ?? ?? 48 33 C4 48 89 45 ?? 0F 57 C0 45 33 F6 8B F1 4C 89 74 24 ?? 48 8D 0D ?? ?? ?? ?? 4C 89 74 24 ?? 0F 11 45 ?? 41 8B FE 4C 89 74 24 ?? 0F 11 45 ?? 0F 11 45 ?? 0F 11 45 ?? 0F 11 45 ?? 0F 11 45 ?? 0F 11 45 ?? FF 15 ?? ?? ?? ?? 48 85 C0 75 ?? FF 15 ?? ?? ?? ?? 8B D0 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 E9 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 89 9C 24 ?? ?? ?? ?? 48 8B C8 FF 15 ?? ?? ?? ?? 48 8B D8 48 85 C0 75 ?? FF 15 ?? ?? ?? ?? 8B D0 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 4C 24 ?? 48 8D 44 24 ?? 45 33 C9 48 89 44 24 ?? 45 33 C0 BA 00 00 00 02 FF D3 85 C0 75 ?? 66 66 0F 1F 84 00 ?? ?? 00 00 48 8B 4C 24 ?? FF 15 ?? ?? ?? ?? 3B C6 74 ?? 48 8B 4C 24 ?? 48 8D 44 24 ?? 45 33 C9 48 89 44 24 ?? 45 33 C0 BA 00 00 00 02 FF D3 85 C0 74 ?? EB ?? 48 8B 44 24 ?? 48 89 44 24 ?? 66 0F 6F 15 ?? ?? 01 00 48 8D 05 ?? ?? ?? ?? B9 C8 05 00 00 90 F3 0F 6F 40 ?? 48 8D 40 ?? 66 0F 6F CA 66 0F EF C8 F3 0F 7F 48 ?? 66 0F 6F CA F3 0F 6F 40 ?? 66 0F EF C8 F3 0F 7F 48 ?? 66 0F 6F CA F3 0F 6F 40 ?? 66 0F EF C8 F3 0F 7F 48 ?? F3 0F 6F 40 ?? 66 0F EF C2 F3 0F 7F 40 ?? 48 83 E9 01 75 ?? FF 15 ?? ?? ?? ?? 4C 8D 44 24 ?? BA 0A 00 00 00 48 8B C8 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 48 8B 4C 24 ?? 48 8D 45 ?? 41 B9 02 00 00 00 48 89 44 24 ?? 45 33 C0 C7 44 24 ?? 02 00 00 00 41 8D 51 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 45 33 C0 4C 8D 4C 24 ?? 33 C9 41 8D 50 ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 4C 8B 44 24 ?? 33 D2 48 8B C8 FF 15 ?? ?? ?? ?? 48 8B F8 48 85 C0 0F 84 ?? ?? ?? ?? 45 33 C0 4C 8D 4C 24 ?? 48 8B C8 41 8D 50 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 4C 89 74 24 ?? 4C 8D 4C 24 ?? 4C 89 74 24 ?? 33 D2 41 B8 00 00 02 00 48 C7 44 24 ?? 08 00 00 00 48 8B CF FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 48 8B 4D ?? 48 8D 45 ?? 48 89 44 24 ?? 4C 8D 05 ?? ?? ?? ?? 48 8D 45 ?? 48 89 7D ?? 48 89 44 24 ?? 45 33 C9 4C 89 74 24 ?? 33 D2 4C 89 74 24 ?? 
C7 44 24 ?? 04 00 08 00 44 89 74 24 ?? 4C 89 74 24 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 48 8B 4C 24 ?? 8B 5D ?? FF 15 ?? ?? ?? ?? 48 8B 4D ?? FF 15 ?? ?? ?? ?? 48 8B 4D ?? FF 15 ?? ?? ?? ?? 44 8B C3 33 D2 B9 3A 04 00 00 FF 15 ?? ?? ?? ?? 48 8B D8 48 85 C0 74 ?? 48 8B C8 E8 ?? ?? ?? ?? 48 85 C0 74 ?? BA FF FF FF FF 48 8B C8 FF 15 ?? ?? ?? ?? 48 8B CB FF 15 ?? ?? ?? ?? B8 01 00 00 00 EB ?? FF 15 ?? ?? ?? ?? 8B D0 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 85 FF 74 ?? 48 8B CF FF 15 ?? ?? ?? ?? 33 C0 48 8B 9C 24 ?? ?? ?? ?? 48 8B 4D ?? 48 33 CC E8 ?? ?? ?? ?? 4C 8D 9C 24 ?? ?? ?? ?? 49 8B 73 ?? 49 8B 7B ?? 4D 8B 73 ?? 49 8B E3 5D C3 }
- condition:
- uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and any of ($bytes*)
-}
-rule APT_Loader_Win64_REDFLARE_1
-{
- meta:
- date_created = "2020-11-27"
- date_modified = "2020-11-27"
- md5 = "f20824fa6e5c81e3804419f108445368"
- rev = 1
- author = "FireEye"
- strings:
- $alloc_n_load = { 41 B9 40 00 00 00 41 B8 00 30 00 00 33 C9 [1-10] FF 50 [4-80] F3 A4 [30-120] 48 6B C9 28 [3-20] 48 6B C9 28 }
- $const_values = { 0F B6 ?? 83 C? 20 83 F? 6D [2-20] 83 C? 20 83 F? 7A }
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them
-}
-rule APT_Loader_Raw64_REDFLARE_1
-{
- meta:
- date_created = "2020-11-27"
- date_modified = "2020-11-27"
- md5 = "5e14f77f85fd9a5be46e7f04b8a144f5"
- rev = 1
- author = "FireEye"
- strings:
- $load = { EB ?? 58 48 8B 10 4C 8B 48 ?? 48 8B C8 [1-10] 48 83 C1 ?? 48 03 D1 FF }
- condition:
- (uint16(0) != 0x5A4D) and all of them
-}
-rule HackTool_MSIL_SHARPZEROLOGON_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public 'sharpzerologon' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 3
- author = "FireEye"
- strings:
- $typelibguid0 = "15ce9a3c-4609-4184-87b2-e29fc5e2b770" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule HackTool_MSIL_CoreHound_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'CoreHound' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 1
- author = "FireEye"
- strings:
- $typelibguid0 = "1fff2aee-a540-4613-94ee-4f208b30c599" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule Loader_MSIL_NETAssemblyInject_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'NET-Assembly-Inject' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 2
- author = "FireEye"
- strings:
- $typelibguid0 = "af09c8c3-b271-4c6c-8f48-d5f0e1d1cac6" ascii nocase wide
- $typelibguid1 = "c5e56650-dfb0-4cd9-8d06-51defdad5da1" ascii nocase wide
- $typelibguid2 = "e8fa7329-8074-4675-9588-d73f88a8b5b6" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule Hunting_GadgetToJScript_1
-{
- meta:
- description = "This rule is looking for B64 offsets of LazyNetToJscriptLoader which is a namespace specific to the internal version of the GadgetToJScript tooling."
- md5 = "7af24305a409a2b8f83ece27bb0f7900"
- rev = 4
- author = "FireEye"
- strings:
- $s1 = "GF6eU5ldFRvSnNjcmlwdExvYWRl"
- $s2 = "henlOZXRUb0pzY3JpcHRMb2Fk"
- $s3 = "YXp5TmV0VG9Kc2NyaXB0TG9hZGV"
- condition:
- any of them
-}
-rule Trojan_MSIL_GORAT_Plugin_DOTNET_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'RedFlare - Plugin - .NET' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 1
- author = "FireEye"
- strings:
- $typelibguid0 = "cd9407d0-fc8d-41ed-832d-da94daa3e064" ascii nocase wide
- $typelibguid1 = "fc3daedf-1d01-4490-8032-b978079d8c2d" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule APT_Trojan_Win_REDFLARE_1
-{
- meta:
- date_created = "2020-11-27"
- date_modified = "2020-11-27"
- md5 = "100d73b35f23b2fe84bf7cd37140bf4d,4e7e90c7147ee8aa01275894734f4492"
- rev = 3
- author = "FireEye"
- strings:
- $1 = "initialize" fullword
- $2 = "runCommand" fullword
- $3 = "stop" fullword
- $4 = "fini" fullword
- $5 = "VirtualAllocEx" fullword
- $6 = "WriteProcessMemory" fullword
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule APT_Dropper_Win64_MATRYOSHKA_1
-{
- meta:
- date_created = "2020-12-02"
- date_modified = "2020-12-02"
- description = "matryoshka_dropper.rs"
- md5 = "edcd58ba5b1b87705e95089002312281"
- rev = 1
- author = "FireEye"
- strings:
- $sb1 = { 8D 8D [4] E8 [4] 49 89 D0 C6 [2-6] 01 C6 [2-6] 01 [0-8] C7 44 24 ?? 0E 00 00 00 4C 8D 0D [4] 48 8D 8D [4] 48 89 C2 E8 [4] C6 [2-6] 01 C6 [2-6] 01 48 89 E9 48 8D 95 [4] E8 [4] 83 [2] 01 0F 8? [4] 48 01 F3 48 29 F7 48 [2] 08 48 89 85 [4] C6 [2-6] 01 C6 [2-6] 01 C6 [2-6] 01 48 8D 8D [4] 48 89 DA 49 89 F8 E8 }
- $sb2 = { 0F 29 45 ?? 48 C7 45 ?? 00 00 00 00 0F 29 45 ?? 0F 29 45 ?? 0F 29 45 ?? 0F 29 45 ?? 0F 29 45 ?? 0F 29 45 ?? 48 C7 45 ?? 00 00 00 00 C7 45 ?? 68 00 00 00 48 8B [2] 48 8D [2] 48 89 [3] 48 89 [3] 0F 11 44 24 ?? C7 44 24 ?? 08 00 00 0C C7 44 24 ?? 00 00 00 00 31 ?? 48 89 ?? 31 ?? 45 31 ?? 45 31 ?? E8 [4] 83 F8 01 }
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them
-}
-rule APT_HackTool_MSIL_SHARPGOPHER_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharpgopher' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 2
- author = "FireEye"
- strings:
- $typelibguid0 = "83413a89-7f5f-4c3f-805d-f4692bc60173" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule HackTool_MSIL_KeeFarce_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'KeeFarce' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 3
- author = "FireEye"
- strings:
- $typelibguid0 = "17589ea6-fcc9-44bb-92ad-d5b3eea6af03" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule APT_Backdoor_Win_GORAT_1
-{
- meta:
- description = "This detects if a sample is less than 50KB and has a number of strings found in the Gorat shellcode (stage0 loader). The loader contains an embedded DLL (stage0.dll) that contains a number of unique strings. The 'Cookie' string found in this loader is important as this cookie is needed by the C2 server to download the Gorat implant (stage1 payload)."
- md5 = "66cdaa156e4d372cfa3dea0137850d20"
- rev = 4
- author = "FireEye"
- strings:
- $s1 = "httpComms.dll" ascii wide
- $s2 = "Cookie: SID1=%s" ascii wide
- $s3 = "Global\\" ascii wide
- $s4 = "stage0.dll" ascii wide
- $s5 = "runCommand" ascii wide
- $s6 = "getData" ascii wide
- $s7 = "initialize" ascii wide
- $s8 = "Windows NT %d.%d;" ascii wide
- $s9 = "!This program cannot be run in DOS mode." ascii wide
- condition:
- filesize < 50KB and all of them
-}
-rule APT_Dropper_Win_MATRYOSHKA_1
-{
- meta:
- date_created = "2020-12-02"
- date_modified = "2020-12-02"
- description = "matryoshka_dropper.rs"
- md5 = "edcd58ba5b1b87705e95089002312281"
- rev = 1
- author = "FireEye"
- strings:
- $s1 = "\x00matryoshka.exe\x00"
- $s2 = "\x00Unable to write data\x00"
- $s3 = "\x00Error while spawning process. NTStatus: \x0a\x00"
- $s4 = "\x00.execmdstart/Cfailed to execute process\x00"
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule Loader_Win_Generic_20
-{
- meta:
- date_created = "2020-12-02"
- date_modified = "2020-12-02"
- md5 = "5125979110847d35a338caac6bff2aa8"
- rev = 1
- author = "FireEye"
- strings:
- $s0 = { 8B [1-16] 89 [1-16] E8 [4-32] F3 A4 [0-16] 89 [1-8] E8 }
- $s2 = { 83 EC [4-24] 00 10 00 00 [4-24] C7 44 24 ?? ?? 00 00 00 [0-8] FF 15 [4-24] 89 [1-4] 89 [1-4] 89 [1-8] FF 15 [4-16] 3? ?? 7? [4-24] 20 00 00 00 [4-24] FF 15 [4-32] F3 A5 }
- $si1 = "VirtualProtect" fullword
- $si2 = "malloc" fullword
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule APT_Loader_Win32_PGF_2
-{
- meta:
- date_created = "2020-11-25"
- date_modified = "2020-11-25"
- description = "base dlls: /lib/payload/techniques/dllmain/"
- md5 = "04eb45f8546e052fe348fda2425b058c"
- rev = 1
- author = "FireEye"
- strings:
- $sb1 = { 6A ?? FF 15 [4-16] 8A ?? 04 [0-16] 8B ?? 1C [0-64] 0F 10 ?? 66 0F EF C8 0F 11 [0-32] 30 [2] 8D [2] 4? 83 [2] 7? }
- $sb2 = { 8B ?? 08 [0-16] 6A 40 68 00 30 00 00 5? 6A 00 [0-32] FF 15 [4-32] 5? [0-16] E8 [4-64] C1 ?? 04 [0-32] 8A [2] 3? [2] 4? 3? ?? 24 ?? 7? }
- $sb3 = { 8B ?? 3C [0-16] 03 [1-64] 0F B? ?? 14 [0-32] 83 ?? 18 [0-32] 66 3? ?? 06 [4-32] 68 [4] 5? FF 15 [4-16] 85 C0 [2-32] 83 ?? 28 0F B? ?? 06 }
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them
-}
-rule APT_HackTool_MSIL_REDTEAMMATERIALS_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'red_team_materials' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 3
- author = "FireEye"
- strings:
- $typelibguid0 = "86c95a99-a2d6-4ebe-ad5f-9885b06eab12" ascii nocase wide
- $typelibguid1 = "e06f1411-c7f8-4538-bbb9-46c928732245" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule APT_Trojan_Win_REDFLARE_7
-{
- meta:
- date_created = "2020-12-02"
- date_modified = "2020-12-02"
- md5 = "e7beece34bdf67cbb8297833c5953669, 8025bcbe3cc81fc19021ad0fbc11cf9b"
- rev = 1
- author = "FireEye"
- strings:
- $1 = "initialize" fullword
- $2 = "getData" fullword
- $3 = "putData" fullword
- $4 = "fini" fullword
- $5 = "NamedPipe"
- $named_pipe = { 88 13 00 00 [1-8] E8 03 00 00 [20-60] 00 00 00 00 [1-8] 00 00 00 00 [1-40] ( 6A 00 6A 00 6A 03 6A 00 6A 00 68 | 00 00 00 00 [1-6] 00 00 00 00 [1-6] 03 00 00 00 45 33 C? 45 33 C? BA ) 00 00 00 C0 [2-10] FF 15 [4-30] FF 15 [4-7] E7 00 00 00 [4-40] FF 15 [4] 85 C0 }
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule APT_Trojan_Win_REDFLARE_8
-{
- meta:
- date_created = "2020-12-02"
- date_modified = "2020-12-02"
- md5 = "9c8eb908b8c1cda46e844c24f65d9370, 9e85713d615bda23785faf660c1b872c"
- rev = 1
- author = "FireEye"
- strings:
- $1 = "PSRunner.PSRunner" fullword
- $2 = "CorBindToRuntime" fullword
- $3 = "ReportEventW" fullword
- $4 = "InvokePS" fullword wide
- $5 = "runCommand" fullword
- $6 = "initialize" fullword
- $trap = { 03 40 00 80 E8 [4] CC }
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule APT_Backdoor_Win_GORAT_5
-{
- meta:
- date_created = "2020-12-02"
- date_modified = "2020-12-02"
- md5 = "cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f"
- rev = 1
- author = "FireEye"
- strings:
- $1 = "comms.BeaconData" fullword
- $2 = "comms.CommandResponse" fullword
- $3 = "rat.BaseChannel" fullword
- $4 = "rat.Config" fullword
- $5 = "rat.Core" fullword
- $6 = "platforms.AgentPlatform" fullword
- $7 = "GetHostID" fullword
- $8 = "/rat/cmd/gorat_shared/dllmain.go" fullword
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule APT_HackTool_MSIL_GPOHUNT_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'gpohunt' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 3
- author = "FireEye"
- strings:
- $typelibguid0 = "751a9270-2de0-4c81-9e29-872cd6378303" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule APT_HackTool_MSIL_JUSTASK_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'justask' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 2
- author = "FireEye"
- strings:
- $typelibguid0 = "aa59be52-7845-4fed-9ea5-1ea49085d67a" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule APT_Trojan_Win_REDFLARE_4
-{
- meta:
- date_created = "2020-12-01"
- date_modified = "2020-12-01"
- md5 = "a8b5dcfea5e87bf0e95176daa243943d, 9dcb6424662941d746576e62712220aa"
- rev = 2
- author = "FireEye"
- strings:
- $s1 = "LogonUserW" fullword
- $s2 = "ImpersonateLoggedOnUser" fullword
- $s3 = "runCommand" fullword
- $user_logon = { 22 02 00 00 [1-10] 02 02 00 00 [0-4] E8 [4-40] ( 09 00 00 00 [1-10] 03 00 00 00 | 6A 03 6A 09 ) [4-30] FF 15 [4] 85 C0 7? }
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule APT_HackTool_MSIL_TITOSPECIAL_1
-{
- meta:
- date_created = "2020-11-25"
- date_modified = "2020-11-25"
- md5 = "4bf96a7040a683bd34c618431e571e26"
- rev = 5
- author = "FireEye"
- strings:
- $ind_dump = { 1F 10 16 28 [2] 00 0A 6F [2] 00 0A [50-200] 18 19 18 73 [2] 00 0A 13 [1-4] 06 07 11 ?? 6F [2] 00 0A 18 7E [2] 00 0A 7E [2] 00 0A 7E [2] 00 0A 28 [2] 00 06 }
- $ind_s1 = "NtReadVirtualMemory" fullword wide
- $ind_s2 = "WriteProcessMemory" fullword
- $shellcode_x64 = { 4C 8B D1 B8 3C 00 00 00 0F 05 C3 }
- $shellcode_x86 = { B8 3C 00 00 00 33 C9 8D 54 24 04 64 FF 15 C0 00 00 00 83 C4 04 C2 14 00 }
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of ($ind*) and any of ($shellcode* )
-}
-rule Dropper_LNK_LNKSmasher_1
-{
- meta:
- description = "The LNKSmasher project contains a prebuilt LNK file that has pieces added based on various configuration items. Because of this, several artifacts are present in every single LNK file generated by LNKSmasher, including the Drive Serial #, the File Droid GUID, and the GUID CLSID."
- md5 = "0a86d64c3b25aa45428e94b6e0be3e08"
- rev = 6
- author = "FireEye"
- strings:
- $drive_serial = { 12 F7 26 BE }
- $file_droid_guid = { BC 96 28 4F 0A 46 54 42 81 B8 9F 48 64 D7 E9 A5 }
- $guid_clsid = { E0 4F D0 20 EA 3A 69 10 A2 D8 08 00 2B 30 30 9D }
- $header = { 4C 00 00 00 01 14 02 }
- condition:
- $header at 0 and all of them
-}
-rule HackTool_MSIL_SharpSchtask_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SharpSchtask' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 1
- author = "FireEye"
- strings:
- $typelibguid0 = "0a64a5f4-bdb6-443c-bdc7-f6f0bf5b5d6c" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule APT_Controller_Linux_REDFLARE_1
-{
- meta:
- date_created = "2020-12-02"
- date_modified = "2020-12-02"
- md5 = "79259451ff47b864d71fb3f94b1774f3, 82773afa0860d668d7fe40e3f22b0f3e"
- rev = 1
- author = "FireEye"
- strings:
- $1 = "/RedFlare/gorat_server"
- $2 = "RedFlare/sandals"
- $3 = "goratsvr.CommandResponse" fullword
- $4 = "goratsvr.CommandRequest" fullword
- condition:
- (uint32(0) == 0x464c457f) and all of them
-}
-rule APT_HackTool_MSIL_WMISPY_2
-{
- meta:
- description = "wql searches"
- md5 = "3651f252d53d2f46040652788499d65a"
- rev = 4
- author = "FireEye"
- strings:
- $MSIL = "_CorExeMain"
- $str1 = "root\\cimv2" wide
- $str2 = "root\\standardcimv2" wide
- $str3 = "from MSFT_NetNeighbor" wide
- $str4 = "from Win32_NetworkLoginProfile" wide
- $str5 = "from Win32_IP4RouteTable" wide
- $str6 = "from Win32_DCOMApplication" wide
- $str7 = "from Win32_SystemDriver" wide
- $str8 = "from Win32_Share" wide
- $str9 = "from Win32_Process" wide
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and $MSIL and all of ($str*)
-}
-rule HackTool_MSIL_SharPersist_2
-{
- meta:
- md5 = "98ecf58d48a3eae43899b45cec0fc6b7"
- rev = 1
- author = "FireEye"
- strings:
- $a1 = "SharPersist.lib"
- $a2 = "SharPersist.exe"
- $b1 = "ERROR: Invalid hotkey location option given." ascii wide
- $b2 = "ERROR: Invalid hotkey given." ascii wide
- $b3 = "ERROR: Keepass configuration file not found." ascii wide
- $b4 = "ERROR: Keepass configuration file was not found." ascii wide
- $b5 = "ERROR: That value already exists in:" ascii wide
- $b6 = "ERROR: Failed to delete hidden registry key." ascii wide
- $pdb1 = "\\SharPersist\\"
- $pdb2 = "\\SharPersist.pdb"
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and ((@pdb2[1] < @pdb1[1] + 50) or (1 of ($a*) and 2 of ($b*)))
-}
-rule APT_Loader_Win_MATRYOSHKA_1
-{
- meta:
- date_created = "2020-12-02"
- date_modified = "2020-12-02"
- description = "matryoshka_process_hollow.rs"
- md5 = "44887551a47ae272d7873a354d24042d"
- rev = 1
- author = "FireEye"
- strings:
- $s1 = "ZwQueryInformationProcess" fullword
- $s2 = "WriteProcessMemory" fullword
- $s3 = "CreateProcessW" fullword
- $s4 = "WriteProcessMemory" fullword
- $s5 = "\x00Invalid NT Signature!\x00"
- $s6 = "\x00Error while creating and mapping section. NTStatus: "
- $s7 = "\x00Error no process information - NTSTATUS:"
- $s8 = "\x00Error while erasing pe header. NTStatus: "
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them
-}
-rule Builder_MSIL_SinfulOffice_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SinfulOffice' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 1
- author = "FireEye"
- strings:
- $typelibguid0 = "9940e18f-e3c7-450f-801a-07dd534ccb9a" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule Loader_MSIL_SharPy_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SharPy' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 1
- author = "FireEye"
- strings:
- $typelibguid0 = "f6cf1d3b-3e43-4ecf-bb6d-6731610b4866" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule APT_Loader_MSIL_WILDCHILD_1
-{
- meta:
- date_created = "2020-12-01"
- date_modified = "2020-12-01"
- md5 = "6f04a93753ae3ae043203437832363c4"
- rev = 1
- author = "FireEye"
- strings:
- $s1 = "\x00QueueUserAPC\x00"
- $s2 = "\x00WriteProcessMemory\x00"
- $sb1 = { 6F [2] 00 0A 28 [2] 00 0A 6F [2] 00 0A 13 ?? 28 [2] 00 0A 28 [2] 00 0A 13 ?? 11 ?? 11 ?? 28 [2] 00 0A [0-16] 7B [2] 00 04 1? 20 [4] 28 [2] 00 0A 11 ?? 28 [2] 00 0A 28 [2] 00 0A 7E [2] 00 0A 7E [2] 00 0A 28 [2] 00 06 [0-16] 14 7E [2] 00 0A 7E [2] 00 0A 1? 20 04 00 08 08 7E [2] 00 0A 14 12 ?? 12 ?? 28 [2] 00 06 [0-16] 7B [2] 00 04 7E [2] 00 0A [0-16] 8E ?? 7E [2] 00 04 7E [2] 00 04 28 [2] 00 06 [4-120] 28 [2] 00 06 [0-80] 6F [2] 00 0A 6F [2] 00 0A 28 [2] 00 06 13 ?? 11 ?? 11 ?? 7E [2] 00 0A 28 [2] 00 06 }
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule Loader_Win_Generic_18
-{
- meta:
- date_created = "2020-11-25"
- date_modified = "2020-11-25"
- md5 = "c74ebb6c238bbfaefd5b32d2bf7c7fcc"
- rev = 3
- author = "FireEye"
- strings:
- $s0 = { 89 [1-16] FF 15 [4-16] 89 [1-24] E8 [4-16] 89 C6 [4-24] 8D [1-8] 89 [1-4] 89 [1-4] E8 [4-16] 89 [1-8] E8 [4-24] 01 00 00 00 [1-8] 89 [1-8] E8 [4-64] 8A [1-8] 88 }
- $s2 = { 83 EC [4-24] 00 10 00 00 [4-24] C7 44 24 ?? ?? 00 00 00 [0-8] FF 15 [4-24] 89 [1-4] 89 [1-4] 89 [1-8] FF 15 [4-16] 3? ?? 7? [4-24] 20 00 00 00 [4-24] FF 15 [4-32] F3 A5 }
- $si1 = "fread" fullword
- $si2 = "fwrite" fullword
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule HackTool_MSIL_HOLSTER_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the a customized version of the 'DUEDLLIGENCE' project."
- md5 = "a91bf61cc18705be2288a0f6f125068f"
- rev = 2
- author = "FireEye"
- strings:
- $typelibguid1 = "a8bdbba4-7291-49d1-9a1b-372de45a9d88" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule APT_Loader_MSIL_TRIMBISHOP_1
-{
- meta:
- date_created = "2020-12-03"
- date_modified = "2020-12-03"
- md5 = "e91670423930cbbd3dbf5eac1f1a7cb6"
- rev = 1
- author = "FireEye"
- strings:
- $sb1 = { 28 [2] 00 06 0A 06 7B [2] 00 04 [12-64] 06 7B [2] 00 04 6E 28 [2] 00 06 0B 07 7B [2] 00 04 [12-64] 0? 7B [2] 00 04 0? 7B [2] 00 04 0? 7B [2] 00 04 6E 28 [2] 00 06 0? 0? 7B [2] 00 04 [12-80] 0? 7B [2] 00 04 1? 0? 7B [2] 00 04 }
- $sb2 = { 0F ?? 7C [2] 00 04 28 [2] 00 0A 8C [2] 00 01 [20-80] 28 [2] 00 06 0? 0? 7E [2] 00 0A 28 [2] 00 0A [12-80] 7E [2] 00 0A 13 ?? 0? 7B [2] 00 04 28 [2] 00 0A 0? 28 [2] 00 0A 58 28 [2] 00 0A 13 [1-32] 28 [2] 00 0A [0-32] D0 [2] 00 02 28 [2] 00 0A 28 [2] 00 0A 74 [2] 00 02 }
- $ss1 = "\x00NtMapViewOfSection\x00"
- $ss2 = "\x00NtOpenProcess\x00"
- $ss3 = "\x00NtAlertResumeThread\x00"
- $ss4 = "\x00LdrGetProcedureAddress\x00"
- $tb1 = "\x00DTrim.Execution.DynamicInvoke\x00"
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and (@sb1[1] < @sb2[1]) and (all of ($ss*)) and (all of ($tb*))
-}
-rule APT_Loader_MSIL_TRIMBISHOP_2
-{
- meta:
- date_created = "2020-12-03"
- date_modified = "2020-12-03"
- md5 = "c0598321d4ad4cf1219cc4f84bad4094"
- rev = 1
- author = "FireEye"
- strings:
- $ss1 = "\x00NtMapViewOfSection\x00"
- $ss2 = "\x00NtOpenProcess\x00"
- $ss3 = "\x00NtAlertResumeThread\x00"
- $ss4 = "\x00LdrGetProcedureAddress\x00"
- $ss5 = "\x2f(\x00?\x00i\x00)\x00(\x00-\x00|\x00-\x00-\x00|\x00/\x00)\x00(\x00i\x00|\x00I\x00n\x00j\x00e\x00c\x00t\x00)\x00$\x00"
- $ss6 = "\x2d(\x00?\x00i\x00)\x00(\x00-\x00|\x00-\x00-\x00|\x00/\x00)\x00(\x00c\x00|\x00C\x00l\x00e\x00a\x00n\x00)\x00$\x00"
- $tb1 = "\x00DTrim.Execution.DynamicInvoke\x00"
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule APT_Backdoor_Win_DShell_3
-{
- meta:
- description = "This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell"
- md5 = "cf752e9cd2eccbda5b8e4c29ab5554b6"
- rev = 3
- author = "FireEye"
- strings:
- $dlang1 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\utf.d" ascii wide
- $dlang2 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\file.d" ascii wide
- $dlang3 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\format.d" ascii wide
- $dlang4 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\base64.d" ascii wide
- $dlang5 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\stdio.d" ascii wide
- $dlang6 = "\\..\\..\\src\\phobos\\std\\utf.d" ascii wide
- $dlang7 = "\\..\\..\\src\\phobos\\std\\file.d" ascii wide
- $dlang8 = "\\..\\..\\src\\phobos\\std\\format.d" ascii wide
- $dlang9 = "\\..\\..\\src\\phobos\\std\\base64.d" ascii wide
- $dlang10 = "\\..\\..\\src\\phobos\\std\\stdio.d" ascii wide
- $dlang11 = "Unexpected '\\n' when converting from type const(char)[] to type int" ascii wide
- $e0 = ",0,"
- $e1 = ",1,"
- $e2 = ",2,"
- $e3 = ",3,"
- $e4 = ",4,"
- $e5 = ",5,"
- $e6 = ",6,"
- $e7 = ",7,"
- $e8 = ",8,"
- $e9 = ",9,"
- $e10 = ",10,"
- $e11 = ",11,"
- $e12 = ",12,"
- $e13 = ",13,"
- $e14 = ",14,"
- $e15 = ",15,"
- $e16 = ",16,"
- $e17 = ",17,"
- $e18 = ",18,"
- $e19 = ",19,"
- $e20 = ",20,"
- $e21 = ",21,"
- $e22 = ",22,"
- $e23 = ",23,"
- $e24 = ",24,"
- $e25 = ",25,"
- $e26 = ",26,"
- $e27 = ",27,"
- $e28 = ",28,"
- $e29 = ",29,"
- $e30 = ",30,"
- $e31 = ",31,"
- $e32 = ",32,"
- $e33 = ",33,"
- $e34 = ",34,"
- $e35 = ",35,"
- $e36 = ",36,"
- $e37 = ",37,"
- $e38 = ",38,"
- $e39 = ",39,"
- $e40 = ",40,"
- $e41 = ",41,"
- $e42 = ",42,"
- $e43 = ",43,"
- $e44 = ",44,"
- $e45 = ",45,"
- $e46 = ",46,"
- $e47 = ",47,"
- $e48 = ",48,"
- $e49 = ",49,"
- $e50 = ",50,"
- $e51 = ",51,"
- $e52 = ",52,"
- $e53 = ",53,"
- $e54 = ",54,"
- $e55 = ",55,"
- $e56 = ",56,"
- $e57 = ",57,"
- $e58 = ",58,"
- $e59 = ",59,"
- $e60 = ",60,"
- $e61 = ",61,"
- $e62 = ",62,"
- $e63 = ",63,"
- $e64 = ",64,"
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize > 500KB and filesize < 1500KB and 40 of ($e*) and 1 of ($dlang*)
-}
-rule APT_HackTool_MSIL_SHARPSTOMP_1
-{
- meta:
- date_created = "2020-12-02"
- date_modified = "2020-12-02"
- md5 = "83ed748cd94576700268d35666bf3e01"
- rev = 3
- author = "FireEye"
- strings:
- $s0 = "mscoree.dll" fullword nocase
- $s1 = "timestompfile" fullword nocase
- $s2 = "sharpstomp" fullword nocase
- $s3 = "GetLastWriteTime" fullword
- $s4 = "SetLastWriteTime" fullword
- $s5 = "GetCreationTime" fullword
- $s6 = "SetCreationTime" fullword
- $s7 = "GetLastAccessTime" fullword
- $s8 = "SetLastAccessTime" fullword
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule APT_HackTool_MSIL_SHARPPATCHCHECK_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharppatchcheck' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 2
- author = "FireEye"
- strings:
- $typelibguid0 = "528b8df5-6e5e-4f3b-b617-ac35ed2f8975" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule HackTool_MSIL_SAFETYKATZ_4
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SafetyKatz project."
- md5 = "45736deb14f3a68e88b038183c23e597"
- rev = 3
- author = "FireEye"
- strings:
- $typelibguid1 = "8347E81B-89FC-42A9-B22C-F59A6A572DEC" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $typelibguid1
-}
-rule APT_Backdoor_MacOS_GORAT_1
-{
- meta:
- description = "This rule is looking for specific strings associated with network activity found within the MacOS generated variant of GORAT"
- md5 = "68acf11f5e456744262ff31beae58526"
- rev = 3
- author = "FireEye"
- strings:
- $s1 = "SID1=%s" ascii wide
- $s2 = "http/http.dylib" ascii wide
- $s3 = "Mozilla/" ascii wide
- $s4 = "User-Agent" ascii wide
- $s5 = "Cookie" ascii wide
- condition:
- ((uint32(0) == 0xBEBAFECA) or (uint32(0) == 0xFEEDFACE) or (uint32(0) == 0xFEEDFACF) or (uint32(0) == 0xCEFAEDFE)) and all of them
-}
-rule CredTheft_MSIL_ADPassHunt_2
-{
- meta:
- md5 = "6efb58cf54d1bb45c057efcfbbd68a93"
- rev = 1
- author = "FireEye"
- strings:
- $pdb1 = "\\ADPassHunt\\"
- $pdb2 = "\\ADPassHunt.pdb"
- $s1 = "Usage: .\\ADPassHunt.exe"
- $s2 = "[ADA] Searching for accounts with msSFU30Password attribute"
- $s3 = "[ADA] Searching for accounts with userpassword attribute"
- $s4 = "[GPP] Searching for passwords now"
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and ((@pdb2[1] < @pdb1[1] + 50) or 2 of ($s*))
-}
-rule APT_Loader_Win64_PGF_4
-{
- meta:
- date_created = "2020-11-26"
- date_modified = "2020-11-26"
- md5 = "3bb34ebd93b8ab5799f4843e8cc829fa"
- rev = 1
- author = "FireEye"
- strings:
- $sb1 = { 41 B9 04 00 00 00 41 B8 00 10 00 00 BA [4] B9 00 00 00 00 [0-32] FF [1-24] 7? [1-150] 8B 45 [0-32] 44 0F B? ?? 8B [2-16] B? CD CC CC CC [0-16] C1 ?? 04 [0-16] C1 ?? 02 [0-16] C1 ?? 02 [0-16] 48 8? 05 [4-32] 31 [1-4] 88 }
- $sb2 = { C? 45 ?? 48 [0-32] B8 [0-64] FF [0-32] E0 [0-32] 41 B8 40 00 00 00 BA 0C 00 00 00 48 8B [2] 48 8B [2-32] FF [1-16] 48 89 10 8B 55 ?? 89 ?? 08 48 8B [2] 48 8D ?? 02 48 8B 45 18 48 89 02 }
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them
-}
-rule APT_Loader_Win32_PGF_4
-{
- meta:
- date_created = "2020-11-26"
- date_modified = "2020-11-26"
- md5 = "4414953fa397a41156f6fa4f9462d207"
- rev = 1
- author = "FireEye"
- strings:
- $sb1 = { C7 44 24 0C 04 00 00 00 C7 44 24 08 00 10 00 00 [4-32] C7 04 24 00 00 00 00 [0-32] FF [1-16] 89 45 ?? 83 7D ?? 00 [2-150] 0F B? ?? 8B [2] B? CD CC CC CC 89 ?? F7 ?? C1 ?? 04 89 ?? C1 ?? 02 [0-32] 0F B? [5-32] 3? [1-16] 88 }
- $sb2 = { C? 45 ?? B8 [0-4] C? 45 ?? 00 [0-64] FF [0-32] E0 [0-32] C7 44 24 08 40 00 00 00 [0-32] C7 44 24 04 07 00 00 00 [0-32] FF [1-64] 89 ?? 0F B? [2-3] 89 ?? 04 0F B? [2] 88 ?? 06 8B ?? 08 8D ?? 01 8B 45 0C }
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them
-}
-rule CredTheft_MSIL_ADPassHunt_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public ADPassHunt project."
- md5 = "6efb58cf54d1bb45c057efcfbbd68a93"
- rev = 4
- author = "FireEye"
- strings:
- $typelibguid = "15745B9E-A059-4AF1-A0D8-863E349CD85D" ascii nocase wide
- condition:
- uint16(0) == 0x5A4D and $typelibguid
-}
-rule HackTool_MSIL_GETDOMAINPASSWORDPOLICY_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the recon utility 'getdomainpasswordpolicy' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 4
- author = "FireEye"
- strings:
- $typelibguid0 = "a5da1897-29aa-45f4-a924-561804276f08" ascii nocase wide
- condition:
- filesize < 10MB and (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule HackTool_MSIL_SharPivot_1
-{
- meta:
- date_created = "2020-11-25"
- date_modified = "2020-11-25"
- md5 = "e4efa759d425e2f26fbc29943a30f5bd"
- rev = 3
- author = "FireEye"
- strings:
- $s2 = { 73 ?? 00 00 0A 0A 06 1F ?? 1F ?? 6F ?? 00 00 0A 0B 73 ?? 00 00 0A 0C 16 13 04 2B 5E 23 [8] 06 6F ?? 00 00 0A 5A 23 [8] 58 28 ?? 00 00 0A 28 ?? 00 00 0A 28 ?? 00 00 0A }
- $s3 = "cmd_rpc" wide
- $s4 = "costura"
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule APT_Loader_Win32_PGF_3
-{
- meta:
- description = "PGF payload, generated rule based on symfunc/c02594972dbab6d489b46c5dee059e66. Identifies dllmain_hook x86 payloads."
- md5 = "4414953fa397a41156f6fa4f9462d207"
- rev = 4
- author = "FireEye"
- strings:
- $cond1 = { 55 89 E5 57 56 53 81 EC FC 06 00 00 C7 85 2C F9 FF FF 90 EE 01 6D C7 85 30 F9 FF FF 6C FE 01 6D 8D 85 34 F9 FF FF 89 28 BA CC 19 00 6D 89 50 04 89 60 08 8D 85 14 F9 FF FF 89 04 24 E8 BB A6 00 00 A1 48 A1 05 6D C7 85 18 F9 FF FF FF FF FF FF FF D0 C7 44 24 08 04 01 00 00 8D 95 B6 FD FF FF 89 54 24 04 89 04 24 E8 B8 AE 00 00 83 EC 0C 85 C0 0F 94 C0 84 C0 0F 85 8B 03 00 00 8D 45 BF 89 C1 E8 56 0B 01 00 8D 85 9C FD FF FF 8D 55 BF 89 54 24 04 8D 95 B6 FD FF FF 89 14 24 C7 85 18 F9 FF FF 01 00 00 00 89 C1 E8 DF B5 01 00 83 EC 08 8D 45 BF 89 C1 E8 52 0B 01 00 A1 4C A1 05 6D C7 85 18 F9 FF FF 02 00 00 00 FF D0 89 44 24 04 C7 04 24 08 00 00 00 E8 51 AE 00 00 83 EC 08 89 45 D0 83 7D D0 00 75 0F C7 85 10 F9 FF FF 00 00 00 00 E9 8C 02 00 00 C7 45 E4 00 00 00 00 C7 45 E0 00 00 00 00 C7 85 74 F9 FF FF 28 04 00 00 8D 85 74 F9 FF FF 89 44 24 04 8B 45 D0 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 EF AD 00 00 83 EC 08 89 45 DC 83 7D DC 00 74 67 8D 85 9C FD FF FF C7 44 24 04 00 00 00 00 8D 95 74 F9 FF FF 83 C2 20 89 14 24 89 C1 E8 82 FF 00 00 83 EC 08 83 F8 FF 0F 95 C0 84 C0 74 12 8B 85 88 F9 FF FF 89 45 E4 8B 85 8C F9 FF FF 89 45 E0 8D 85 74 F9 FF FF 89 44 24 04 8B 45 D0 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 84 AD 00 00 83 EC 08 89 45 DC EB 93 8B 45 D0 89 04 24 A1 2C A1 05 6D C7 85 18 F9 FF FF 02 00 00 00 FF D0 83 EC 04 83 7D E4 00 74 06 83 7D E0 00 75 0F C7 85 10 F9 FF FF 00 00 00 00 E9 AD 01 00 00 C7 04 24 0C 40 05 6D A1 5C A1 05 6D C7 85 18 F9 FF FF 02 00 00 00 FF D0 83 EC 04 C7 44 24 04 18 40 05 6D 89 04 24 A1 60 A1 05 6D FF D0 83 EC 08 89 45 CC 89 E8 89 45 D8 8D 85 6C F9 FF FF 89 44 24 04 8D 85 70 F9 FF FF 89 04 24 A1 54 A1 05 6D FF D0 83 EC 08 C7 45 D4 00 00 00 00 8B 55 D8 8B 85 6C F9 FF FF 39 C2 0F 83 F5 00 00 00 8B 45 D8 8B 00 3D FF 0F 00 00 0F 86 D8 00 00 00 8B 45 D8 8B 00 39 45 CC 73 19 8B 45 D8 8B 00 8B 55 CC 81 C2 00 10 00 00 39 D0 73 07 C7 45 D4 01 00 00 00 83 7D D4 00 0F 84 AF 00 00 00 8B 45 D8 8B 00 39 45 E4 0F 83 A1 00 00 00 8B 45 D8 8B 00 8B 4D E4 8B 
55 E0 01 CA 39 D0 0F 83 8C 00 00 00 B9 00 00 00 00 B8 1C 00 00 00 83 E0 FC 89 C2 B8 00 00 00 00 89 8C 05 50 F9 FF FF 83 C0 04 39 D0 72 F2 8B 45 D8 8B 00 C7 44 24 08 1C 00 00 00 8D 95 50 F9 FF FF 89 54 24 04 89 04 24 A1 9C A1 05 6D C7 85 18 F9 FF FF 02 00 00 00 FF D0 83 EC 0C 8B 85 64 F9 FF FF 83 E0 20 85 C0 74 2E 8B 45 D8 8B 00 C7 44 24 04 30 14 00 6D 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 59 FC FF FF C7 85 10 F9 FF FF 00 00 00 00 EB 58 90 EB 01 90 83 45 D8 04 E9 FA FE FF FF 8B 45 E4 89 45 C8 8B 45 C8 8B 40 3C 89 C2 8B 45 E4 01 D0 89 45 C4 8B 45 C4 8B 50 28 8B 45 E4 01 D0 89 45 C0 C7 44 24 04 30 14 00 6D 8B 45 C0 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 FF FB FF FF C7 85 10 F9 FF FF 01 00 00 00 8D 85 9C FD FF FF 89 C1 E8 5D BC 01 00 83 BD 10 F9 FF FF 01 EB 70 8B 95 1C F9 FF FF 8B 85 18 F9 FF FF 85 C0 74 0C 83 E8 01 85 C0 74 2D 83 E8 01 0F 0B 89 95 10 F9 FF FF 8D 45 BF 89 C1 E8 48 08 01 00 8B 85 10 F9 FF FF 89 04 24 C7 85 18 F9 FF FF FF FF FF FF E8 A0 A6 00 00 89 95 10 F9 FF FF 8D 85 9C FD FF FF 89 C1 E8 FD BB 01 00 8B 85 10 F9 FF FF 89 04 24 C7 85 18 F9 FF FF FF FF FF FF E8 75 A6 00 00 90 8D 85 14 F9 FF FF 89 04 24 E8 76 A3 00 00 8D 65 F4 5B 5E 5F 5D C3 }
- $cond2 = { 55 89 E5 57 56 53 81 EC FC 06 00 00 C7 85 2C F9 FF FF B0 EF 3D 6A C7 85 30 F9 FF FF 8C FF 3D 6A 8D 85 34 F9 FF FF 89 28 BA F4 1A 3C 6A 89 50 04 89 60 08 8D 85 14 F9 FF FF 89 04 24 E8 B3 A6 00 00 A1 64 A1 41 6A C7 85 18 F9 FF FF FF FF FF FF FF D0 C7 44 24 08 04 01 00 00 8D 95 B6 FD FF FF 89 54 24 04 89 04 24 E8 B0 AE 00 00 83 EC 0C 85 C0 0F 94 C0 84 C0 0F 85 8B 03 00 00 8D 45 BF 89 C1 E8 4E 0B 01 00 8D 85 9C FD FF FF 8D 55 BF 89 54 24 04 8D 95 B6 FD FF FF 89 14 24 C7 85 18 F9 FF FF 01 00 00 00 89 C1 E8 D7 B5 01 00 83 EC 08 8D 45 BF 89 C1 E8 4A 0B 01 00 A1 68 A1 41 6A C7 85 18 F9 FF FF 02 00 00 00 FF D0 89 44 24 04 C7 04 24 08 00 00 00 E8 49 AE 00 00 83 EC 08 89 45 D0 83 7D D0 00 75 0F C7 85 10 F9 FF FF 00 00 00 00 E9 8C 02 00 00 C7 45 E4 00 00 00 00 C7 45 E0 00 00 00 00 C7 85 74 F9 FF FF 28 04 00 00 8D 85 74 F9 FF FF 89 44 24 04 8B 45 D0 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 E7 AD 00 00 83 EC 08 89 45 DC 83 7D DC 00 74 67 8D 85 9C FD FF FF C7 44 24 04 00 00 00 00 8D 95 74 F9 FF FF 83 C2 20 89 14 24 89 C1 E8 7A FF 00 00 83 EC 08 83 F8 FF 0F 95 C0 84 C0 74 12 8B 85 88 F9 FF FF 89 45 E4 8B 85 8C F9 FF FF 89 45 E0 8D 85 74 F9 FF FF 89 44 24 04 8B 45 D0 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 7C AD 00 00 83 EC 08 89 45 DC EB 93 8B 45 D0 89 04 24 A1 44 A1 41 6A C7 85 18 F9 FF FF 02 00 00 00 FF D0 83 EC 04 83 7D E4 00 74 06 83 7D E0 00 75 0F C7 85 10 F9 FF FF 00 00 00 00 E9 AD 01 00 00 C7 04 24 62 40 41 6A A1 78 A1 41 6A C7 85 18 F9 FF FF 02 00 00 00 FF D0 83 EC 04 C7 44 24 04 6E 40 41 6A 89 04 24 A1 7C A1 41 6A FF D0 83 EC 08 89 45 CC 89 E8 89 45 D8 8D 85 6C F9 FF FF 89 44 24 04 8D 85 70 F9 FF FF 89 04 24 A1 70 A1 41 6A FF D0 83 EC 08 C7 45 D4 00 00 00 00 8B 55 D8 8B 85 6C F9 FF FF 39 C2 0F 83 F5 00 00 00 8B 45 D8 8B 00 3D FF 0F 00 00 0F 86 D8 00 00 00 8B 45 D8 8B 00 39 45 CC 73 19 8B 45 D8 8B 00 8B 55 CC 81 C2 00 10 00 00 39 D0 73 07 C7 45 D4 01 00 00 00 83 7D D4 00 0F 84 AF 00 00 00 8B 45 D8 8B 00 39 45 E4 0F 83 A1 00 00 00 8B 45 D8 8B 00 8B 4D E4 8B 
55 E0 01 CA 39 D0 0F 83 8C 00 00 00 B9 00 00 00 00 B8 1C 00 00 00 83 E0 FC 89 C2 B8 00 00 00 00 89 8C 05 50 F9 FF FF 83 C0 04 39 D0 72 F2 8B 45 D8 8B 00 C7 44 24 08 1C 00 00 00 8D 95 50 F9 FF FF 89 54 24 04 89 04 24 A1 C8 A1 41 6A C7 85 18 F9 FF FF 02 00 00 00 FF D0 83 EC 0C 8B 85 64 F9 FF FF 83 E0 20 85 C0 74 2E 8B 45 D8 8B 00 C7 44 24 04 30 14 3C 6A 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 59 FC FF FF C7 85 10 F9 FF FF 00 00 00 00 EB 58 90 EB 01 90 83 45 D8 04 E9 FA FE FF FF 8B 45 E4 89 45 C8 8B 45 C8 8B 40 3C 89 C2 8B 45 E4 01 D0 89 45 C4 8B 45 C4 8B 50 28 8B 45 E4 01 D0 89 45 C0 C7 44 24 04 30 14 3C 6A 8B 45 C0 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 FF FB FF FF C7 85 10 F9 FF FF 01 00 00 00 8D 85 9C FD FF FF 89 C1 E8 55 BC 01 00 83 BD 10 F9 FF FF 01 EB 70 8B 95 1C F9 FF FF 8B 85 18 F9 FF FF 85 C0 74 0C 83 E8 01 85 C0 74 2D 83 E8 01 0F 0B 89 95 10 F9 FF FF 8D 45 BF 89 C1 E8 40 08 01 00 8B 85 10 F9 FF FF 89 04 24 C7 85 18 F9 FF FF FF FF FF FF E8 98 A6 00 00 89 95 10 F9 FF FF 8D 85 9C FD FF FF 89 C1 E8 F5 BB 01 00 8B 85 10 F9 FF FF 89 04 24 C7 85 18 F9 FF FF FF FF FF FF E8 6D A6 00 00 90 8D 85 14 F9 FF FF 89 04 24 E8 6E A3 00 00 8D 65 F4 5B 5E 5F 5D C3 }
- $cond3 = { 55 89 E5 57 56 53 81 EC FC 06 00 00 C7 85 2C F9 FF FF F0 EF D5 63 C7 85 30 F9 FF FF CC FF D5 63 8D 85 34 F9 FF FF 89 28 BA 28 1B D4 63 89 50 04 89 60 08 8D 85 14 F9 FF FF 89 04 24 E8 BF A6 00 00 A1 64 A1 D9 63 C7 85 18 F9 FF FF FF FF FF FF FF D0 C7 44 24 08 04 01 00 00 8D 95 B6 FD FF FF 89 54 24 04 89 04 24 E8 BC AE 00 00 83 EC 0C 85 C0 0F 94 C0 84 C0 0F 85 8B 03 00 00 8D 45 BF 89 C1 E8 5A 0B 01 00 8D 85 9C FD FF FF 8D 55 BF 89 54 24 04 8D 95 B6 FD FF FF 89 14 24 C7 85 18 F9 FF FF 01 00 00 00 89 C1 E8 E3 B5 01 00 83 EC 08 8D 45 BF 89 C1 E8 56 0B 01 00 A1 68 A1 D9 63 C7 85 18 F9 FF FF 02 00 00 00 FF D0 89 44 24 04 C7 04 24 08 00 00 00 E8 55 AE 00 00 83 EC 08 89 45 D0 83 7D D0 00 75 0F C7 85 10 F9 FF FF 00 00 00 00 E9 8C 02 00 00 C7 45 E4 00 00 00 00 C7 45 E0 00 00 00 00 C7 85 74 F9 FF FF 28 04 00 00 8D 85 74 F9 FF FF 89 44 24 04 8B 45 D0 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 F3 AD 00 00 83 EC 08 89 45 DC 83 7D DC 00 74 67 8D 85 9C FD FF FF C7 44 24 04 00 00 00 00 8D 95 74 F9 FF FF 83 C2 20 89 14 24 89 C1 E8 86 FF 00 00 83 EC 08 83 F8 FF 0F 95 C0 84 C0 74 12 8B 85 88 F9 FF FF 89 45 E4 8B 85 8C F9 FF FF 89 45 E0 8D 85 74 F9 FF FF 89 44 24 04 8B 45 D0 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 88 AD 00 00 83 EC 08 89 45 DC EB 93 8B 45 D0 89 04 24 A1 44 A1 D9 63 C7 85 18 F9 FF FF 02 00 00 00 FF D0 83 EC 04 83 7D E4 00 74 06 83 7D E0 00 75 0F C7 85 10 F9 FF FF 00 00 00 00 E9 AD 01 00 00 C7 04 24 7E 40 D9 63 A1 7C A1 D9 63 C7 85 18 F9 FF FF 02 00 00 00 FF D0 83 EC 04 C7 44 24 04 8A 40 D9 63 89 04 24 A1 80 A1 D9 63 FF D0 83 EC 08 89 45 CC 89 E8 89 45 D8 8D 85 6C F9 FF FF 89 44 24 04 8D 85 70 F9 FF FF 89 04 24 A1 70 A1 D9 63 FF D0 83 EC 08 C7 45 D4 00 00 00 00 8B 55 D8 8B 85 6C F9 FF FF 39 C2 0F 83 F5 00 00 00 8B 45 D8 8B 00 3D FF 0F 00 00 0F 86 D8 00 00 00 8B 45 D8 8B 00 39 45 CC 73 19 8B 45 D8 8B 00 8B 55 CC 81 C2 00 10 00 00 39 D0 73 07 C7 45 D4 01 00 00 00 83 7D D4 00 0F 84 AF 00 00 00 8B 45 D8 8B 00 39 45 E4 0F 83 A1 00 00 00 8B 45 D8 8B 00 8B 4D E4 8B 
55 E0 01 CA 39 D0 0F 83 8C 00 00 00 B9 00 00 00 00 B8 1C 00 00 00 83 E0 FC 89 C2 B8 00 00 00 00 89 8C 05 50 F9 FF FF 83 C0 04 39 D0 72 F2 8B 45 D8 8B 00 C7 44 24 08 1C 00 00 00 8D 95 50 F9 FF FF 89 54 24 04 89 04 24 A1 C8 A1 D9 63 C7 85 18 F9 FF FF 02 00 00 00 FF D0 83 EC 0C 8B 85 64 F9 FF FF 83 E0 20 85 C0 74 2E 8B 45 D8 8B 00 C7 44 24 04 30 14 D4 63 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 59 FC FF FF C7 85 10 F9 FF FF 00 00 00 00 EB 58 90 EB 01 90 83 45 D8 04 E9 FA FE FF FF 8B 45 E4 89 45 C8 8B 45 C8 8B 40 3C 89 C2 8B 45 E4 01 D0 89 45 C4 8B 45 C4 8B 50 28 8B 45 E4 01 D0 89 45 C0 C7 44 24 04 30 14 D4 63 8B 45 C0 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 FF FB FF FF C7 85 10 F9 FF FF 01 00 00 00 8D 85 9C FD FF FF 89 C1 E8 61 BC 01 00 83 BD 10 F9 FF FF 01 EB 70 8B 95 1C F9 FF FF 8B 85 18 F9 FF FF 85 C0 74 0C 83 E8 01 85 C0 74 2D 83 E8 01 0F 0B 89 95 10 F9 FF FF 8D 45 BF 89 C1 E8 4C 08 01 00 8B 85 10 F9 FF FF 89 04 24 C7 85 18 F9 FF FF FF FF FF FF E8 A4 A6 00 00 89 95 10 F9 FF FF 8D 85 9C FD FF FF 89 C1 E8 01 BC 01 00 8B 85 10 F9 FF FF 89 04 24 C7 85 18 F9 FF FF FF FF FF FF E8 79 A6 00 00 90 8D 85 14 F9 FF FF 89 04 24 E8 7A A3 00 00 8D 65 F4 5B 5E 5F 5D C3 }
- $cond4 = { 55 89 E5 57 56 53 81 EC FC 06 00 00 C7 85 ?? ?? ?? ?? 90 EE 01 6D C7 85 ?? ?? ?? ?? 6C FE 01 6D 8D 85 ?? ?? ?? ?? 89 28 BA CC 19 00 6D 89 50 ?? 89 60 ?? 8D 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? FF FF FF FF FF D0 C7 44 24 ?? 04 01 00 00 8D 95 ?? ?? ?? ?? 89 54 24 ?? 89 04 24 E8 ?? ?? ?? ?? 83 EC 0C 85 C0 0F 94 C0 84 C0 0F 85 ?? ?? ?? ?? 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8D 55 ?? 89 54 24 ?? 8D 95 ?? ?? ?? ?? 89 14 24 C7 85 ?? ?? ?? ?? 01 00 00 00 89 C1 E8 ?? ?? ?? ?? 83 EC 08 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 89 44 24 ?? C7 04 24 08 00 00 00 E8 ?? ?? ?? ?? 83 EC 08 89 45 ?? 83 7D ?? 00 75 ?? C7 85 ?? ?? ?? ?? 00 00 00 00 E9 ?? ?? ?? ?? C7 45 ?? 00 00 00 00 C7 45 ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 28 04 00 00 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8B 45 ?? 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? 83 EC 08 89 45 ?? 83 7D ?? 00 74 ?? 8D 85 ?? ?? ?? ?? C7 44 24 ?? 00 00 00 00 8D 95 ?? ?? ?? ?? 83 C2 20 89 14 24 89 C1 E8 ?? ?? ?? ?? 83 EC 08 83 F8 FF 0F 95 C0 84 C0 74 ?? 8B 85 ?? ?? ?? ?? 89 45 ?? 8B 85 ?? ?? ?? ?? 89 45 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8B 45 ?? 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? 83 EC 08 89 45 ?? EB ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 83 EC 04 83 7D ?? 00 74 ?? 83 7D ?? 00 75 ?? C7 85 ?? ?? ?? ?? 00 00 00 00 E9 ?? ?? ?? ?? C7 04 24 0C 40 05 6D A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 83 EC 04 C7 44 24 ?? 18 40 05 6D 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC 08 89 45 ?? 89 E8 89 45 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC 08 C7 45 ?? 00 00 00 00 8B 55 ?? 8B 85 ?? ?? ?? ?? 39 C2 0F 83 ?? ?? ?? ?? 8B 45 ?? 8B 00 3D FF 0F 00 00 0F 86 ?? ?? ?? ?? 8B 45 ?? 8B 00 39 45 ?? 73 ?? 8B 45 ?? 8B 00 8B 55 ?? 81 C2 00 10 00 00 39 D0 73 ?? C7 45 ?? 01 00 00 00 83 7D ?? 00 0F 84 ?? ?? ?? ?? 8B 45 ?? 8B 00 39 45 ?? 0F 83 ?? ?? ?? ?? 8B 45 ?? 8B 00 8B 4D ?? 
8B 55 ?? 01 CA 39 D0 0F 83 ?? ?? ?? ?? B9 00 00 00 00 B8 1C 00 00 00 83 E0 FC 89 C2 B8 00 00 00 00 89 8C 05 ?? ?? ?? ?? 83 C0 04 39 D0 72 ?? 8B 45 ?? 8B 00 C7 44 24 ?? 1C 00 00 00 8D 95 ?? ?? ?? ?? 89 54 24 ?? 89 04 24 A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 83 EC 0C 8B 85 ?? ?? ?? ?? 83 E0 20 85 C0 74 ?? 8B 45 ?? 8B 00 C7 44 24 ?? 30 14 00 6D 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 00 00 00 00 EB ?? 90 EB ?? 90 83 45 ?? 04 E9 ?? ?? ?? ?? 8B 45 ?? 89 45 ?? 8B 45 ?? 8B 40 ?? 89 C2 8B 45 ?? 01 D0 89 45 ?? 8B 45 ?? 8B 50 ?? 8B 45 ?? 01 D0 89 45 ?? C7 44 24 ?? 30 14 00 6D 8B 45 ?? 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 01 00 00 00 8D 85 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 01 EB ?? 8B 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 85 C0 74 ?? 83 E8 01 85 C0 74 ?? 83 E8 01 0F 0B 89 95 ?? ?? ?? ?? 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? FF FF FF FF E8 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? FF FF FF FF E8 ?? ?? ?? ?? 90 8D 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8D 65 ?? 5B 5E 5F 5D C3 }
- $cond5 = { 55 89 E5 57 56 53 81 EC FC 06 00 00 C7 85 ?? ?? ?? ?? B0 EF 3D 6A C7 85 ?? ?? ?? ?? 8C FF 3D 6A 8D 85 ?? ?? ?? ?? 89 28 BA F4 1A 3C 6A 89 50 ?? 89 60 ?? 8D 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? FF FF FF FF FF D0 C7 44 24 ?? 04 01 00 00 8D 95 ?? ?? ?? ?? 89 54 24 ?? 89 04 24 E8 ?? ?? ?? ?? 83 EC 0C 85 C0 0F 94 C0 84 C0 0F 85 ?? ?? ?? ?? 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8D 55 ?? 89 54 24 ?? 8D 95 ?? ?? ?? ?? 89 14 24 C7 85 ?? ?? ?? ?? 01 00 00 00 89 C1 E8 ?? ?? ?? ?? 83 EC 08 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 89 44 24 ?? C7 04 24 08 00 00 00 E8 ?? ?? ?? ?? 83 EC 08 89 45 ?? 83 7D ?? 00 75 ?? C7 85 ?? ?? ?? ?? 00 00 00 00 E9 ?? ?? ?? ?? C7 45 ?? 00 00 00 00 C7 45 ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 28 04 00 00 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8B 45 ?? 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? 83 EC 08 89 45 ?? 83 7D ?? 00 74 ?? 8D 85 ?? ?? ?? ?? C7 44 24 ?? 00 00 00 00 8D 95 ?? ?? ?? ?? 83 C2 20 89 14 24 89 C1 E8 ?? ?? ?? ?? 83 EC 08 83 F8 FF 0F 95 C0 84 C0 74 ?? 8B 85 ?? ?? ?? ?? 89 45 ?? 8B 85 ?? ?? ?? ?? 89 45 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8B 45 ?? 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? 83 EC 08 89 45 ?? EB ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 83 EC 04 83 7D ?? 00 74 ?? 83 7D ?? 00 75 ?? C7 85 ?? ?? ?? ?? 00 00 00 00 E9 ?? ?? ?? ?? C7 04 24 62 40 41 6A A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 83 EC 04 C7 44 24 ?? 6E 40 41 6A 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC 08 89 45 ?? 89 E8 89 45 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC 08 C7 45 ?? 00 00 00 00 8B 55 ?? 8B 85 ?? ?? ?? ?? 39 C2 0F 83 ?? ?? ?? ?? 8B 45 ?? 8B 00 3D FF 0F 00 00 0F 86 ?? ?? ?? ?? 8B 45 ?? 8B 00 39 45 ?? 73 ?? 8B 45 ?? 8B 00 8B 55 ?? 81 C2 00 10 00 00 39 D0 73 ?? C7 45 ?? 01 00 00 00 83 7D ?? 00 0F 84 ?? ?? ?? ?? 8B 45 ?? 8B 00 39 45 ?? 0F 83 ?? ?? ?? ?? 8B 45 ?? 8B 00 8B 4D ?? 
8B 55 ?? 01 CA 39 D0 0F 83 ?? ?? ?? ?? B9 00 00 00 00 B8 1C 00 00 00 83 E0 FC 89 C2 B8 00 00 00 00 89 8C 05 ?? ?? ?? ?? 83 C0 04 39 D0 72 ?? 8B 45 ?? 8B 00 C7 44 24 ?? 1C 00 00 00 8D 95 ?? ?? ?? ?? 89 54 24 ?? 89 04 24 A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 83 EC 0C 8B 85 ?? ?? ?? ?? 83 E0 20 85 C0 74 ?? 8B 45 ?? 8B 00 C7 44 24 ?? 30 14 3C 6A 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 00 00 00 00 EB ?? 90 EB ?? 90 83 45 ?? 04 E9 ?? ?? ?? ?? 8B 45 ?? 89 45 ?? 8B 45 ?? 8B 40 ?? 89 C2 8B 45 ?? 01 D0 89 45 ?? 8B 45 ?? 8B 50 ?? 8B 45 ?? 01 D0 89 45 ?? C7 44 24 ?? 30 14 3C 6A 8B 45 ?? 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 01 00 00 00 8D 85 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 01 EB ?? 8B 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 85 C0 74 ?? 83 E8 01 85 C0 74 ?? 83 E8 01 0F 0B 89 95 ?? ?? ?? ?? 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? FF FF FF FF E8 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? FF FF FF FF E8 ?? ?? ?? ?? 90 8D 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8D 65 ?? 5B 5E 5F 5D C3 }
- $cond6 = { 55 89 E5 57 56 53 81 EC FC 06 00 00 C7 85 ?? ?? ?? ?? F0 EF D5 63 C7 85 ?? ?? ?? ?? CC FF D5 63 8D 85 ?? ?? ?? ?? 89 28 BA 28 1B D4 63 89 50 ?? 89 60 ?? 8D 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? FF FF FF FF FF D0 C7 44 24 ?? 04 01 00 00 8D 95 ?? ?? ?? ?? 89 54 24 ?? 89 04 24 E8 ?? ?? ?? ?? 83 EC 0C 85 C0 0F 94 C0 84 C0 0F 85 ?? ?? ?? ?? 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8D 55 ?? 89 54 24 ?? 8D 95 ?? ?? ?? ?? 89 14 24 C7 85 ?? ?? ?? ?? 01 00 00 00 89 C1 E8 ?? ?? ?? ?? 83 EC 08 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 89 44 24 ?? C7 04 24 08 00 00 00 E8 ?? ?? ?? ?? 83 EC 08 89 45 ?? 83 7D ?? 00 75 ?? C7 85 ?? ?? ?? ?? 00 00 00 00 E9 ?? ?? ?? ?? C7 45 ?? 00 00 00 00 C7 45 ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 28 04 00 00 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8B 45 ?? 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? 83 EC 08 89 45 ?? 83 7D ?? 00 74 ?? 8D 85 ?? ?? ?? ?? C7 44 24 ?? 00 00 00 00 8D 95 ?? ?? ?? ?? 83 C2 20 89 14 24 89 C1 E8 ?? ?? ?? ?? 83 EC 08 83 F8 FF 0F 95 C0 84 C0 74 ?? 8B 85 ?? ?? ?? ?? 89 45 ?? 8B 85 ?? ?? ?? ?? 89 45 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8B 45 ?? 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? 83 EC 08 89 45 ?? EB ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 83 EC 04 83 7D ?? 00 74 ?? 83 7D ?? 00 75 ?? C7 85 ?? ?? ?? ?? 00 00 00 00 E9 ?? ?? ?? ?? C7 04 24 7E 40 D9 63 A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 83 EC 04 C7 44 24 ?? 8A 40 D9 63 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC 08 89 45 ?? 89 E8 89 45 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC 08 C7 45 ?? 00 00 00 00 8B 55 ?? 8B 85 ?? ?? ?? ?? 39 C2 0F 83 ?? ?? ?? ?? 8B 45 ?? 8B 00 3D FF 0F 00 00 0F 86 ?? ?? ?? ?? 8B 45 ?? 8B 00 39 45 ?? 73 ?? 8B 45 ?? 8B 00 8B 55 ?? 81 C2 00 10 00 00 39 D0 73 ?? C7 45 ?? 01 00 00 00 83 7D ?? 00 0F 84 ?? ?? ?? ?? 8B 45 ?? 8B 00 39 45 ?? 0F 83 ?? ?? ?? ?? 8B 45 ?? 8B 00 8B 4D ?? 
8B 55 ?? 01 CA 39 D0 0F 83 ?? ?? ?? ?? B9 00 00 00 00 B8 1C 00 00 00 83 E0 FC 89 C2 B8 00 00 00 00 89 8C 05 ?? ?? ?? ?? 83 C0 04 39 D0 72 ?? 8B 45 ?? 8B 00 C7 44 24 ?? 1C 00 00 00 8D 95 ?? ?? ?? ?? 89 54 24 ?? 89 04 24 A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 83 EC 0C 8B 85 ?? ?? ?? ?? 83 E0 20 85 C0 74 ?? 8B 45 ?? 8B 00 C7 44 24 ?? 30 14 D4 63 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 00 00 00 00 EB ?? 90 EB ?? 90 83 45 ?? 04 E9 ?? ?? ?? ?? 8B 45 ?? 89 45 ?? 8B 45 ?? 8B 40 ?? 89 C2 8B 45 ?? 01 D0 89 45 ?? 8B 45 ?? 8B 50 ?? 8B 45 ?? 01 D0 89 45 ?? C7 44 24 ?? 30 14 D4 63 8B 45 ?? 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 01 00 00 00 8D 85 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 01 EB ?? 8B 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 85 C0 74 ?? 83 E8 01 85 C0 74 ?? 83 E8 01 0F 0B 89 95 ?? ?? ?? ?? 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? FF FF FF FF E8 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? FF FF FF FF E8 ?? ?? ?? ?? 90 8D 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8D 65 ?? 5B 5E 5F 5D C3 }
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and any of them
-}
-rule APT_Loader_Win32_REDFLARE_2
-{
- meta:
- date_created = "2020-11-27"
- date_modified = "2020-11-27"
- md5 = "4e7e90c7147ee8aa01275894734f4492"
- rev = 1
- author = "FireEye"
- strings:
- $inject = { 83 F8 01 [4-50] 6A 00 6A 00 68 04 00 00 08 6A 00 6A 00 6A 00 6A 00 5? [10-70] FF 15 [4] 85 C0 [1-20] 6A 04 68 00 10 00 00 5? 6A 00 5? [1-10] FF 15 [4-8] 85 C0 [1-20] 5? 5? 5? 8B [1-4] 5? 5? FF 15 [4] 85 C0 [1-20] 6A 20 [4-20] FF 15 [4] 85 C0 [1-40] 01 00 01 00 [2-20] FF 15 [4] 85 C0 [1-30] FF 15 [4] 85 C0 [1-20] FF 15 [4] 83 F8 FF }
- $s1 = "ResumeThread"
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them
-}
-rule APT_HackTool_MSIL_SHARPSTOMP_2
-{
- meta:
- date_created = "2020-12-02"
- date_modified = "2020-12-02"
- md5 = "83ed748cd94576700268d35666bf3e01"
- rev = 3
- author = "FireEye"
- strings:
- $f0 = "mscoree.dll" fullword nocase
- $s0 = { 06 72 [4] 6F [4] 2C ?? 06 72 [4] 6F [4] 2D ?? 72 [4] 28 [4] 28 [4] 2A }
- $s1 = { 02 28 [4] 0A 02 28 [4] 0B 02 28 [4] 0C 72 [4] 28 [4] 72 }
- $s2 = { 28 [4] 02 28 [4] 0D 12 ?? 03 6C 28 [4] 28 [4] 02 28 [4] 0D 12 ?? 03 6C 28 [4] 28 [4] 02 28 [4] 0D 12 ?? 03 6C 28 [4] 28 [4] 72 }
- $s3 = "SetCreationTime" fullword
- $s4 = "GetLastAccessTime" fullword
- $s5 = "SetLastAccessTime" fullword
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule Loader_MSIL_NetshShellCodeRunner_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'NetshShellCodeRunner' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 2
- author = "FireEye"
- strings:
- $typelibguid0 = "49c045bc-59bb-4a00-85c3-4beb59b2ee12" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule HackTool_MSIL_SharPivot_4
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the SharPivot project."
- md5 = "e4efa759d425e2f26fbc29943a30f5bd"
- rev = 3
- author = "FireEye"
- strings:
- $typelibguid1 = "44B83A69-349F-4A3E-8328-A45132A70D62" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $typelibguid1
-}
-rule APT_Backdoor_Win_GoRat_Memory
-{
- meta:
- description = "Identifies GoRat malware in memory based on strings."
- md5 = "3b926b5762e13ceec7ac3a61e85c93bb"
- rev = 1
- author = "FireEye"
- strings:
- $murica = "murica" fullword
- $rat1 = "rat/modules/socks.(*HTTPProxyClient).beacon" fullword
- $rat2 = "rat.(*Core).generateBeacon" fullword
- $rat3 = "rat.gJitter" fullword
- $rat4 = "rat/comms.(*protectedChannel).SendCmdResponse" fullword
- $rat5 = "rat/modules/filemgmt.(*acquire).NewCommandExecution" fullword
- $rat6 = "rat/modules/latlisten.(*latlistensrv).handleCmd" fullword
- $rat7 = "rat/modules/netsweeper.(*netsweeperRunner).runSweep" fullword
- $rat8 = "rat/modules/netsweeper.(*Pinger).listen" fullword
- $rat9 = "rat/modules/socks.(*HTTPProxyClient).beacon" fullword
- $rat10 = "rat/platforms/win/dyloader.(*memoryLoader).ExecutePluginFunction" fullword
- $rat11 = "rat/platforms/win/modules/namedpipe.(*dummy).Open" fullword
- $winblows = "rat/platforms/win.(*winblows).GetStage" fullword
- condition:
- $winblows or #murica > 10 or 3 of ($rat*)
-}
-rule Loader_MSIL_AllTheThings_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'AllTheThings' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 2
- author = "FireEye"
- strings:
- $typelibguid0 = "542ccc64-c4c3-4c03-abcd-199a11b26754" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule APT_Loader_Win64_PGF_1
-{
- meta:
- date_created = "2020-11-25"
- date_modified = "2020-11-25"
- description = "base dlls: /lib/payload/techniques/unmanaged_exports/"
- md5 = "2b686a8b83f8e1d8b455976ae70dab6e"
- rev = 1
- author = "FireEye"
- strings:
- $sb1 = { B9 14 00 00 00 FF 15 [4-32] 0F B6 ?? 04 [0-32] F3 A4 [0-64] 0F B6 [2-3] 0F B6 [2-3] 33 [0-32] 88 [1-9] EB }
- $sb2 = { 41 B8 00 30 00 00 [0-32] FF 15 [8-64] 83 ?? 01 [4-80] 0F B6 [1-64] 33 [1-32] 88 [1-64] FF ( D? | 5? ) }
- $sb3 = { 48 89 4C 24 08 [4-64] 48 63 48 3C [0-32] 48 03 C1 [0-64] 0F B7 48 14 [0-64] 48 8D 44 08 18 [8-64] 0F B7 40 06 [2-32] 48 6B C0 28 }
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them
-}
-rule APT_Trojan_Win_REDFLARE_5
-{
- meta:
- date_created = "2020-12-01"
- date_modified = "2020-12-01"
- md5 = "dfbb1b988c239ade4c23856e42d4127b, 3322fba40c4de7e3de0fda1123b0bf5d"
- rev = 3
- author = "FireEye"
- strings:
- $s1 = "AdjustTokenPrivileges" fullword
- $s2 = "LookupPrivilegeValueW" fullword
- $s3 = "ImpersonateLoggedOnUser" fullword
- $s4 = "runCommand" fullword
- $steal_token = { FF 15 [4] 85 C0 [1-40] C7 44 24 ?? 01 00 00 00 [0-20] C7 44 24 ?? 02 00 00 00 [0-20] FF 15 [4] FF [1-5] 85 C0 [4-40] 00 04 00 00 FF 15 [4-5] 85 C0 [2-20] ( BA 0F 00 00 00 | 6A 0F ) [1-4] FF 15 [4] 85 C0 74 [1-20] FF 15 [4] 85 C0 74 [1-20] ( 6A 0B | B9 0B 00 00 00 ) E8 }
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule CredTheft_MSIL_TitoSpecial_1
-{
- meta:
- description = "This rule looks for .NET PE files that have the strings of various method names in the TitoSpecial code."
- md5 = "4bf96a7040a683bd34c618431e571e26"
- rev = 4
- author = "FireEye"
- strings:
- $str1 = "Minidump" ascii wide
- $str2 = "dumpType" ascii wide
- $str3 = "WriteProcessMemory" ascii wide
- $str4 = "bInheritHandle" ascii wide
- $str5 = "GetProcessById" ascii wide
- $str6 = "SafeHandle" ascii wide
- $str7 = "BeginInvoke" ascii wide
- $str8 = "EndInvoke" ascii wide
- $str9 = "ConsoleApplication1" ascii wide
- $str10 = "getOSInfo" ascii wide
- $str11 = "OpenProcess" ascii wide
- $str12 = "LoadLibrary" ascii wide
- $str13 = "GetProcAddress" ascii wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of ($str*)
-}
-rule Builder_MSIL_G2JS_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the Gadget2JScript project."
- md5 = "fa255fdc88ab656ad9bc383f9b322a76"
- rev = 2
- author = "FireEye"
- strings:
- $typelibguid1 = "AF9C62A1-F8D2-4BE0-B019-0A7873E81EA9" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $typelibguid1
-}
-rule APT_Loader_Win32_DShell_2
-{
- meta:
- date_created = "2020-11-27"
- date_modified = "2020-11-27"
- md5 = "590d98bb74879b52b97d8a158af912af"
- rev = 2
- author = "FireEye"
- strings:
- $sb1 = { 6A 40 68 00 30 00 00 [4-32] E8 [4-8] 50 [0-16] E8 [4-150] 6A FF [1-32] 6A 00 6A 00 5? 6A 00 6A 00 [0-32] E8 [4] 50 }
- $ss1 = "\x00CreateThread\x00"
- $ss2 = "base64.d" fullword
- $ss3 = "core.sys.windows" fullword
- $ss4 = "C:\\Users\\config.ini" fullword
- $ss5 = "Invalid config file" fullword
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them
-}
-rule HackTool_MSIL_SharPivot_3
-{
- meta:
- description = "This rule looks for .NET PE files that have the strings of various method names in the SharPivot code."
- md5 = "e4efa759d425e2f26fbc29943a30f5bd"
- rev = 3
- author = "FireEye"
- strings:
- $msil = "_CorExeMain" ascii wide
- $str1 = "SharPivot" ascii wide
- $str2 = "ParseArgs" ascii wide
- $str3 = "GenRandomString" ascii wide
- $str4 = "ScheduledTaskExists" ascii wide
- $str5 = "ServiceExists" ascii wide
- $str6 = "lpPassword" ascii wide
- $str7 = "execute" ascii wide
- $str8 = "WinRM" ascii wide
- $str9 = "SchtaskMod" ascii wide
- $str10 = "PoisonHandler" ascii wide
- $str11 = "SCShell" ascii wide
- $str12 = "SchtaskMod" ascii wide
- $str13 = "ServiceHijack" ascii wide
- $str14 = "commandArg" ascii wide
- $str15 = "payloadPath" ascii wide
- $str16 = "Schtask" ascii wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $msil and all of ($str*)
-}
-rule APT_HackTool_MSIL_FLUFFY_2
-{
- meta:
- date_created = "2020-12-04"
- date_modified = "2020-12-04"
- md5 = "11b5aceb428c3e8c61ed24a8ca50553e"
- rev = 1
- author = "FireEye"
- strings:
- $s1 = "\x00Asktgt\x00"
- $s2 = "\x00Kerberoast\x00"
- $s3 = "\x00HarvestCommand\x00"
- $s4 = "\x00EnumerateTickets\x00"
- $s5 = "[*] Action: " wide
- $s6 = "\x00Fluffy.Commands\x00"
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule APT_HackTool_MSIL_FLUFFY_1
-{
- meta:
- date_created = "2020-12-04"
- date_modified = "2020-12-04"
- md5 = "11b5aceb428c3e8c61ed24a8ca50553e"
- rev = 1
- author = "FireEye"
- strings:
- $sb1 = { 0E ?? 1? 72 [4] 28 [2] 00 06 [0-16] 28 [2] 00 0A [2-80] 1F 58 0? [0-32] 28 [2] 00 06 [2-32] 1? 28 [2] 00 06 0? 0? 6F [2] 00 06 [2-4] 1F 0B }
- $sb2 = { 73 [2] 00 06 13 ?? 11 ?? 11 ?? 7D [2] 00 04 11 ?? 73 [2] 00 0A 7D [2] 00 04 0E ?? 2D ?? 11 ?? 7B [2] 00 04 72 [4] 28 [2] 00 0A [2-32] 0? 28 [2] 00 0A [2-16] 11 ?? 7B [2] 00 04 0? 28 [2] 00 0A 1? 28 [2] 00 0A [2-32] 7E [2] 00 0A [0-32] FE 15 [2] 00 02 [0-16] 7D [2] 00 04 28 [2] 00 06 [2-32] 7B [2] 00 04 7D [2] 00 04 [2-32] 7C [2] 00 04 FE 15 [2] 00 02 [0-16] 11 ?? 8C [2] 00 02 28 [2] 00 0A 28 [2] 00 0A [2-80] 8C [2] 00 02 28 [2] 00 0A 12 ?? 12 ?? 12 ?? 28 [2] 00 06 }
- $ss1 = "\x00Fluffy\x00"
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule HackTool_MSIL_SEATBELT_1
-{
- meta:
- description = "This rule looks for .NET PE files that have regex and format strings found in the public tool SeatBelt. Due to the nature of the regex and format strings used for detection, this rule should detect custom variants of the SeatBelt project."
- md5 = "848837b83865f3854801be1f25cb9f4d"
- rev = 3
- author = "FireEye"
- strings:
- $msil = "_CorExeMain" ascii wide
- $str1 = "{ Process = {0}, Path = {1}, CommandLine = {2} }" ascii nocase wide
- $str2 = "Domain=\"(.*)\",Name=\"(.*)\"" ascii nocase wide
- $str3 = "LogonId=\"(\\d+)\"" ascii nocase wide
- $str4 = "{0}.{1}.{2}.{3}" ascii nocase wide
- $str5 = "^\\W*([a-z]:\\\\.+?(\\.exe|\\.dll|\\.sys))\\W*" ascii nocase wide
- $str6 = "*[System/EventID={0}]" ascii nocase wide
- $str7 = "*[System[TimeCreated[@SystemTime >= '{" ascii nocase wide
- $str8 = "(http|ftp|https|file)://([\\w_-]+(?:(?:\\.[\\w_-]+)+))([\\w.,@?^=%&:/~+#-]*[\\w@?^=%&/~+#-])?" ascii nocase wide
- $str9 = "{0}" ascii nocase wide
- $str10 = "{0,-23}" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $msil and all of ($str*)
-}
-rule HackTool_MSIL_INVEIGHZERO_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'inveighzero' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 2
- author = "FireEye"
- strings:
- $typelibguid0 = "113ae281-d1e5-42e7-9cc2-12d30757baf1" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule Loader_MSIL_RURALBISHOP_1
-{
- meta:
- date_created = "2020-12-03"
- date_modified = "2020-12-03"
- md5 = "e91670423930cbbd3dbf5eac1f1a7cb6"
- rev = 1
- author = "FireEye"
- strings:
- $sb1 = { 28 [2] 00 06 0A 06 7B [2] 00 04 [12-64] 06 7B [2] 00 04 6E 28 [2] 00 06 0B 07 7B [2] 00 04 [12-64] 0? 7B [2] 00 04 0? 7B [2] 00 04 0? 7B [2] 00 04 6E 28 [2] 00 06 0? 0? 7B [2] 00 04 [12-80] 0? 7B [2] 00 04 1? 0? 7B [2] 00 04 }
- $sb2 = { 0F ?? 7C [2] 00 04 28 [2] 00 0A 8C [2] 00 01 [20-80] 28 [2] 00 06 0? 0? 7E [2] 00 0A 28 [2] 00 0A [12-80] 7E [2] 00 0A 13 ?? 0? 7B [2] 00 04 28 [2] 00 0A 0? 28 [2] 00 0A 58 28 [2] 00 0A 13 [1-32] 28 [2] 00 0A [0-32] D0 [2] 00 02 28 [2] 00 0A 28 [2] 00 0A 74 [2] 00 02 }
- $ss1 = "\x00NtMapViewOfSection\x00"
- $ss2 = "\x00NtOpenProcess\x00"
- $ss3 = "\x00NtAlertResumeThread\x00"
- $ss4 = "\x00LdrGetProcedureAddress\x00"
- $tb1 = "\x00SharpSploit.Execution.DynamicInvoke\x00"
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and (@sb1[1] < @sb2[1]) and (all of ($ss*)) and (all of ($tb*))
-}
-rule Loader_MSIL_RURALBISHOP_2
-{
- meta:
- date_created = "2020-12-03"
- date_modified = "2020-12-03"
- md5 = "e91670423930cbbd3dbf5eac1f1a7cb6"
- rev = 1
- author = "FireEye"
- strings:
- $ss1 = "\x00NtMapViewOfSection\x00"
- $ss2 = "\x00NtOpenProcess\x00"
- $ss3 = "\x00NtAlertResumeThread\x00"
- $ss4 = "\x00LdrGetProcedureAddress\x00"
- $ss5 = "\x2f(\x00?\x00i\x00)\x00(\x00-\x00|\x00-\x00-\x00|\x00/\x00)\x00(\x00i\x00|\x00I\x00n\x00j\x00e\x00c\x00t\x00)\x00$\x00"
- $ss6 = "\x2d(\x00?\x00i\x00)\x00(\x00-\x00|\x00-\x00-\x00|\x00/\x00)\x00(\x00c\x00|\x00C\x00l\x00e\x00a\x00n\x00)\x00$\x00"
- $tb1 = "\x00SharpSploit.Execution.DynamicInvoke\x00"
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule HackTool_MSIL_PrepShellcode_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'PrepShellcode' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 2
- author = "FireEye"
- strings:
- $typelibguid0 = "d16ed275-70d5-4ae5-8ce7-d249f967616c" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule APT_Downloader_Win32_REDFLARE_1
-{
- meta:
- date_created = "2020-11-27"
- date_modified = "2020-11-27"
- md5 = "05b99d438dac63a5a993cea37c036673"
- rev = 1
- author = "FireEye"
- strings:
- $const = "Cookie: SID1=%s" fullword
- $http_req = { 00 00 08 80 81 3D [4] BB 01 00 00 75 [1-10] 00 00 80 00 [1-4] 00 10 00 00 [1-4] 00 20 00 00 89 [1-10] 6A 00 8B [1-8] 5? 6A 00 6A 00 6A 00 8B [1-8] 5? 68 [4] 8B [1-8] 5? FF 15 [4-40] 6A 14 E8 }
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them
-}
-rule Loader_MSIL_WMIRunner_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'WMIRunner' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 1
- author = "FireEye"
- strings:
- $typelibguid0 = "6cc61995-9fd5-4649-b3cc-6f001d60ceda" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule HackTool_MSIL_SharpStomp_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the SharpStomp project."
- md5 = "83ed748cd94576700268d35666bf3e01"
- rev = 4
- author = "FireEye"
- strings:
- $typelibguid1 = "41f35e79-2034-496a-8c82-86443164ada2" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $typelibguid1
-}
-rule Tool_MSIL_SharpGrep_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SharpGrep' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 1
- author = "FireEye"
- strings:
- $typelibguid0 = "f65d75b5-a2a6-488f-b745-e67fc075f445" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule Dropper_HTA_WildChild_1
-{
- meta:
- description = "This rule looks for strings present in unobfuscated HTAs generated by the WildChild builder."
- md5 = "3e61ca5057633459e96897f79970a46d"
- rev = 5
- author = "FireEye"
- strings:
- $s1 = "processpath" ascii wide
- $s2 = "v4.0.30319" ascii wide
- $s3 = "v2.0.50727" ascii wide
- $s4 = "COMPLUS_Version" ascii wide
- $s5 = "FromBase64Transform" ascii wide
- $s6 = "MemoryStream" ascii wide
- $s7 = "entry_class" ascii wide
- $s8 = "DynamicInvoke" ascii wide
- $s9 = "Sendoff" ascii wide
- $script_header = ""
- condition:
- all of them
-}
-rule FSO_s_EFSO_2_2 {
- meta:
- description = "Webshells Auto-generated - file EFSO_2.asp"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "a341270f9ebd01320a7490c12cb2e64c"
- strings:
- $s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV"
- $s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j"
- condition:
- all of them
-}
-rule byshell063_ntboot_2 {
- meta:
- description = "Webshells Auto-generated - file ntboot.dll"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "cb9eb5a6ff327f4d6c46aacbbe9dda9d"
- strings:
- $s6 = "OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)"
- condition:
- all of them
-}
-rule u_uay {
- meta:
- description = "Webshells Auto-generated - file uay.exe"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "abbc7b31a24475e4c5d82fc4c2b8c7c4"
- strings:
- $s1 = "exec \"c:\\WINDOWS\\System32\\freecell.exe"
- $s9 = "SYSTEM\\CurrentControlSet\\Services\\uay.sys\\Security"
- condition:
- 1 of them
-}
-rule bin_wuaus {
- meta:
- description = "Webshells Auto-generated - file wuaus.dll"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "46a365992bec7377b48a2263c49e4e7d"
- strings:
- $s1 = "9(90989@9V9^9f9n9v9"
- $s2 = ":(:,:0:4:8:C:H:N:T:Y:_:e:o:y:"
- $s3 = ";(=@=G=O=T=X=\\="
- $s4 = "TCP Send Error!!"
- $s5 = "1\"1;1X1^1e1m1w1~1"
- $s8 = "=$=)=/=<=Y=_=j=p=z="
- condition:
- all of them
-}
-rule pwreveal {
- meta:
- description = "Webshells Auto-generated - file pwreveal.exe"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "b4e8447826a45b76ca45ba151a97ad50"
- strings:
- $s0 = "* [Leith=0 bytes]"
- $s9 = "ION\\System\\Floating-"
- condition:
- all of them
-}
-rule shelltools_g0t_root_xwhois {
- meta:
- description = "Webshells Auto-generated - file xwhois.exe"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "0bc98bd576c80d921a3460f8be8816b4"
- strings:
- $s1 = "rting! "
- $s2 = "aTypCog("
- $s5 = "Diamond"
- $s6 = "r)r=rQreryr"
- condition:
- all of them
-}
-rule vanquish_2 {
- meta:
- description = "Webshells Auto-generated - file vanquish.exe"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "2dcb9055785a2ee01567f52b5a62b071"
- strings:
- $s2 = "Vanquish - DLL injection failed:"
- condition:
- all of them
-}
-rule down_rar_Folder_down {
- meta:
- description = "Webshells Auto-generated - file down.asp"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "db47d7a12b3584a2e340567178886e71"
- strings:
- $s0 = "response.write \"NetBios Name: \\\\\" & Snet.ComputerName &"
- condition:
- all of them
-}
-rule cmdShell {
- meta:
- description = "Webshells Auto-generated - file cmdShell.asp"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "8a9fef43209b5d2d4b81dfbb45182036"
- strings:
- $s1 = "if cmdPath=\"wscriptShell\" then"
- condition:
- all of them
-}
-rule ZXshell2_0_rar_Folder_nc {
- meta:
- description = "Webshells Auto-generated - file nc.exe"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "2cd1bf15ae84c5f6917ddb128827ae8b"
- strings:
- $s0 = "WSOCK32.dll"
- $s1 = "?bSUNKNOWNV"
- $s7 = "p@gram Jm6h)"
- $s8 = "ser32.dllCONFP@"
- condition:
- all of them
-}
-rule portlessinst {
- meta:
- description = "Webshells Auto-generated - file portlessinst.exe"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "74213856fc61475443a91cd84e2a6c2f"
- strings:
- $s2 = "Fail To Open Registry"
- $s3 = "f<-WLEggDr\""
- $s6 = "oMemoryCreateP"
- condition:
- all of them
-}
-rule SetupBDoor {
- meta:
- description = "Webshells Auto-generated - file SetupBDoor.exe"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "41f89e20398368e742eda4a3b45716b6"
- strings:
- $s1 = "\\BDoor\\SetupBDoor"
- condition:
- all of them
-}
-rule phpshell_3 {
- meta:
- description = "Webshells Auto-generated - file phpshell.php"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "e8693a2d4a2ffea4df03bb678df3dc6d"
- strings:
- $s3 = "
"
- $s5 = " echo \"Current Directory \\n\";"
- condition:
- all of them
-}
-rule BIN_Server {
- meta:
- description = "Webshells Auto-generated - file Server.exe"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "1d5aa9cbf1429bb5b8bf600335916dcd"
- strings:
- $s0 = "configserver"
- $s1 = "GetLogicalDrives"
- $s2 = "WinExec"
- $s4 = "fxftest"
- $s5 = "upfileok"
- $s7 = "upfileer"
- condition:
- all of them
-}
-rule HYTop2006_rar_Folder_2006 {
- meta:
- description = "Webshells Auto-generated - file 2006.asp"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "c19d6f4e069188f19b08fa94d44bc283"
- strings:
- $s6 = "strBackDoor = strBackDoor "
- condition:
- all of them
-}
-rule r57shell_3 {
- meta:
- description = "Webshells Auto-generated - file r57shell.php"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "87995a49f275b6b75abe2521e03ac2c0"
- strings:
- $s1 = "\".$_POST['cmd']"
- condition:
- all of them
-}
-rule HDConfig {
- meta:
- description = "Webshells Auto-generated - file HDConfig.exe"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "7d60e552fdca57642fd30462416347bd"
- strings:
- $s0 = "An encryption key is derived from the password hash. "
- $s3 = "A hash object has been created. "
- $s4 = "Error during CryptCreateHash!"
- $s5 = "A new key container has been created."
- $s6 = "The password has been added to the hash. "
- condition:
- all of them
-}
-rule FSO_s_ajan_2 {
- meta:
- description = "Webshells Auto-generated - file ajan.asp"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "22194f8c44524f80254e1b5aec67b03e"
- strings:
- $s2 = "\"Set WshShell = CreateObject(\"\"WScript.Shell\"\")"
- $s3 = "/file.zip"
- condition:
- all of them
-}
-
-rule Webshell_and_Exploit_CN_APT_HK : Webshell
-{
-meta:
- author = "Florian Roth"
- description = "Webshell and Exploit Code in relation with APT against Honk Kong protesters"
- date = "10.10.2014"
- score = 50
-strings:
- $a0 = ""
- condition:
- all of them
-}
-rule FSO_s_EFSO_2_2 {
- meta:
- description = "Webshells Auto-generated - file EFSO_2.asp"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "a341270f9ebd01320a7490c12cb2e64c"
- strings:
- $s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV"
- $s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j"
- condition:
- all of them
-}
-rule byshell063_ntboot_2 {
- meta:
- description = "Webshells Auto-generated - file ntboot.dll"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "cb9eb5a6ff327f4d6c46aacbbe9dda9d"
- strings:
- $s6 = "OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)"
- condition:
- all of them
-}
-rule u_uay {
- meta:
- description = "Webshells Auto-generated - file uay.exe"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "abbc7b31a24475e4c5d82fc4c2b8c7c4"
- strings:
- $s1 = "exec \"c:\\WINDOWS\\System32\\freecell.exe"
- $s9 = "SYSTEM\\CurrentControlSet\\Services\\uay.sys\\Security"
- condition:
- 1 of them
-}
-rule bin_wuaus {
- meta:
- description = "Webshells Auto-generated - file wuaus.dll"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "46a365992bec7377b48a2263c49e4e7d"
- strings:
- $s1 = "9(90989@9V9^9f9n9v9"
- $s2 = ":(:,:0:4:8:C:H:N:T:Y:_:e:o:y:"
- $s3 = ";(=@=G=O=T=X=\\="
- $s4 = "TCP Send Error!!"
- $s5 = "1\"1;1X1^1e1m1w1~1"
- $s8 = "=$=)=/=<=Y=_=j=p=z="
- condition:
- all of them
-}
-rule pwreveal {
- meta:
- description = "Webshells Auto-generated - file pwreveal.exe"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "b4e8447826a45b76ca45ba151a97ad50"
- strings:
- $s0 = "* [Leith=0 bytes]"
- $s9 = "ION\\System\\Floating-"
- condition:
- all of them
-}
-rule shelltools_g0t_root_xwhois {
- meta:
- description = "Webshells Auto-generated - file xwhois.exe"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "0bc98bd576c80d921a3460f8be8816b4"
- strings:
- $s1 = "rting! "
- $s2 = "aTypCog("
- $s5 = "Diamond"
- $s6 = "r)r=rQreryr"
- condition:
- all of them
-}
-rule vanquish_2 {
- meta:
- description = "Webshells Auto-generated - file vanquish.exe"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "2dcb9055785a2ee01567f52b5a62b071"
- strings:
- $s2 = "Vanquish - DLL injection failed:"
- condition:
- all of them
-}
-rule down_rar_Folder_down {
- meta:
- description = "Webshells Auto-generated - file down.asp"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "db47d7a12b3584a2e340567178886e71"
- strings:
- $s0 = "response.write \"NetBios Name: \\\\\" & Snet.ComputerName &"
- condition:
- all of them
-}
-rule cmdShell {
- meta:
- description = "Webshells Auto-generated - file cmdShell.asp"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "8a9fef43209b5d2d4b81dfbb45182036"
- strings:
- $s1 = "if cmdPath=\"wscriptShell\" then"
- condition:
- all of them
-}
-rule ZXshell2_0_rar_Folder_nc {
- meta:
- description = "Webshells Auto-generated - file nc.exe"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "2cd1bf15ae84c5f6917ddb128827ae8b"
- strings:
- $s0 = "WSOCK32.dll"
- $s1 = "?bSUNKNOWNV"
- $s7 = "p@gram Jm6h)"
- $s8 = "ser32.dllCONFP@"
- condition:
- all of them
-}
-rule portlessinst {
- meta:
- description = "Webshells Auto-generated - file portlessinst.exe"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "74213856fc61475443a91cd84e2a6c2f"
- strings:
- $s2 = "Fail To Open Registry"
- $s3 = "f<-WLEggDr\""
- $s6 = "oMemoryCreateP"
- condition:
- all of them
-}
-rule SetupBDoor {
- meta:
- description = "Webshells Auto-generated - file SetupBDoor.exe"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "41f89e20398368e742eda4a3b45716b6"
- strings:
- $s1 = "\\BDoor\\SetupBDoor"
- condition:
- all of them
-}
-rule phpshell_3 {
- meta:
- description = "Webshells Auto-generated - file phpshell.php"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "e8693a2d4a2ffea4df03bb678df3dc6d"
- strings:
- $s3 = " "
- $s5 = " echo \"Current Directory \\n\";"
- condition:
- all of them
-}
-rule BIN_Server {
- meta:
- description = "Webshells Auto-generated - file Server.exe"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "1d5aa9cbf1429bb5b8bf600335916dcd"
- strings:
- $s0 = "configserver"
- $s1 = "GetLogicalDrives"
- $s2 = "WinExec"
- $s4 = "fxftest"
- $s5 = "upfileok"
- $s7 = "upfileer"
- condition:
- all of them
-}
-rule HYTop2006_rar_Folder_2006 {
- meta:
- description = "Webshells Auto-generated - file 2006.asp"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "c19d6f4e069188f19b08fa94d44bc283"
- strings:
- $s6 = "strBackDoor = strBackDoor "
- condition:
- all of them
-}
-rule r57shell_3 {
- meta:
- description = "Webshells Auto-generated - file r57shell.php"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "87995a49f275b6b75abe2521e03ac2c0"
- strings:
- $s1 = "\".$_POST['cmd']"
- condition:
- all of them
-}
-rule HDConfig {
- meta:
- description = "Webshells Auto-generated - file HDConfig.exe"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "7d60e552fdca57642fd30462416347bd"
- strings:
- $s0 = "An encryption key is derived from the password hash. "
- $s3 = "A hash object has been created. "
- $s4 = "Error during CryptCreateHash!"
- $s5 = "A new key container has been created."
- $s6 = "The password has been added to the hash. "
- condition:
- all of them
-}
-rule FSO_s_ajan_2 {
- meta:
- description = "Webshells Auto-generated - file ajan.asp"
- author = "Yara Bulk Rule Generator by Florian Roth"
- hash = "22194f8c44524f80254e1b5aec67b03e"
- strings:
- $s2 = "\"Set WshShell = CreateObject(\"\"WScript.Shell\"\")"
- $s3 = "/file.zip"
- condition:
- all of them
-}
-
-rule Webshell_and_Exploit_CN_APT_HK : Webshell
-{
-meta:
- author = "Florian Roth"
- description = "Webshell and Exploit Code in relation with APT against Honk Kong protesters"
- date = "10.10.2014"
- score = 50
-strings:
- $a0 = "" fullword
- $ekr4 = "