/*
   YARA Rule Set
   Author:     The DFIR Report
   Date:       2022-04-24
   Identifier: Quantum Case 12647
   Reference:  https://thedfirreport.com/2022/04/25/quantum-ransomware/

   Three sample-specific rules from the Quantum ransomware intrusion write-up:
   the IcedID delivery ISO, the IcedID license.dat payload blob and the
   Cobalt Strike loader DLL (p227.dll). The string sets look auto-extracted
   (yarGen-style) from the single hash listed in each rule's meta, so treat
   them as tight indicators for this case rather than family-wide detections.
*/

/* Rule Set ----------------------------------------------------------------- */

import "pe"

// IcedID delivery container: the docs_invoice_173.iso image.
// Two "$x" anchors capture the execution chain visible in the image
// (a LNK running rundll32 against dar.dll,DllRegisterServer); the "$s"
// strings are filenames, paths and long hex runs carved from the same image.
rule docs_invoice_173 {
  meta:
    description = "IcedID - file docs_invoice_173.iso"
    author = "The DFIR Report"
    reference = "https://thedfirreport.com"
    date = "2022-04-24"
    hash1 = "5bc00ad792d4ddac7d8568f98a717caff9d5ef389ed355a15b892cc10ab2887b"
  strings:
    // Launch chain: rundll32 export call plus the shell32 icon reference.
    $x1 = "dar.dll,DllRegisterServer!%SystemRoot%\\System32\\SHELL32.dll" fullword wide
    // Generic on its own; it only contributes together with the $s strings below.
    $x2 = "C:\\Windows\\System32\\rundll32.exe" fullword ascii
    // Paths that look like the actor's build/staging host; brittle if the
    // image is rebuilt elsewhere (NOTE(review): assumption, not verified).
    $s3 = "C:\\Users\\admin\\Desktop\\data" fullword wide
    $s4 = "Desktop (C:\\Users\\admin)" fullword wide
    $s5 = "AppPolicyGetProcessTerminationMethod" fullword ascii
    $s6 = "1t3Eo8.dll" fullword ascii
    // Relative rundll32 path as written into the LNK.
    $s7 = ")..\\..\\..\\..\\Windows\\System32\\rundll32.exe" fullword wide
    // Payload DLL and lure LNK names, in both the 8.3-style and long-name forms.
    $s8 = "DAR.DLL." fullword ascii
    $s9 = "dar.dll:h" fullword wide
    $s10 = "document.lnk" fullword wide
    $s11 = "DOCUMENT.LNK" fullword ascii
    // 128-hex-digit runs present in the image; presumably unique to this build,
    // so they pin the rule to this sample rather than to IcedID generally.
    $s12 = "6c484a379420bc181ea93528217b7ebf50eae9cb4fc33fb672f26ffc4ab464e29ba2c0acf9e19728e70ef2833eb4d4ab55aafe3f4667e79c188aa8ab75702520" ascii
    $s13 = "03b9db8f12f0242472abae714fbef30d7278c4917617dc43b61a81951998d867efd5b8a2ee9ff53ea7fa4110c9198a355a5d7f3641b45f3f8bb317aac02aa1fb" ascii
    $s14 = "d1e5711e46fcb02d7cc6aa2453cfcb8540315a74f93c71e27fa0cf3853d58b979d7bb7c720c02ed384dea172a36916f1bb8b82ffd924b720f62d665558ad1d8c" ascii
    $s15 = "7d0bfdbaac91129f5d74f7e71c1c5524690343b821a541e8ba8c6ab5367aa3eb82b8dd0faee7bf6d15b972a8ae4b320b9369de3eb309c722db92d9f53b6ace68" ascii
    $s16 = "89dd0596b7c7b151bf10a1794e8f4a84401269ad5cc4af9af74df8b7199fc762581b431d65a76ecbff01e3cec318b463bce59f421b536db53fa1d21942d48d93" ascii
    $s17 = "8021dc54625a80e14f829953cc9c4310b6242e49d0ba72eedc0c04383ac5a67c0c4729175e0e662c9e78cede5882532de56a5625c1761aa6fd46b4aefe98453a" ascii
    $s18 = "24ed05de22fc8d3f76c977faf1def1d729c6b24abe3e89b0254b5b913395ee3487879287388e5ceac4b46182c2072ad1aa4f415ed6ebe515d57f4284ae068851" ascii
    $s19 = "827da8b743ba46e966706e7f5e6540c00cb1205811383a2814e1d611decfc286b1927d20391b22a0a31935a9ab93d7f25e6331a81d13db6d10c7a771e82dfd8b" ascii
    $s20 = "7c33d9ad6872281a5d7bf5984f537f09544fdee50645e9846642206ea4a81f70b27439e6dcbe6fdc1331c59bf3e2e847b6195e8ed2a51adaf91b5e615cece1d3" ascii
  condition:
    // Leading two bytes are zero (consistent with the zero-filled system area
    // at the start of an ISO 9660 image), the file is small, at least one
    // launch-chain anchor is present, and four strings overall match.
    filesize < 600KB
    and uint16(0) == 0
    and any of ($x*)
    and 4 of ($x*, $s*)
}

// IcedID license.dat: the encrypted/packed payload blob dropped next to dar.dll.
// Every string here is a short high-entropy fragment, which is what an
// automatic extractor yields from ciphertext. The rule is therefore close to a
// hash of this one blob; expect it to miss re-encrypted variants and do not
// read a miss as "not IcedID".
rule quantum_license {
  meta:
    description = "IcedID - file license.dat"
    author = "The DFIR Report"
    reference = "https://thedfirreport.com"
    date = "2022-04-24"
    hash1 = "84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238"
  strings:
    // Opaque byte runs from the blob; no semantic meaning is claimed for them.
    $s1 = "W* |[h" fullword ascii
    $s2 = "PSHN,;x" fullword ascii
    $s3 = "ephu\"W" fullword ascii
    $s4 = "LwUw9\\" fullword ascii
    $s5 = "VYZP~pN," fullword ascii
    $s6 = "eRek?@" fullword ascii
    $s7 = "urKuEqR" fullword ascii
    $s8 = "1zjWa{`!" fullword ascii
    $s9 = "YHAV{tl" fullword ascii
    $s10 = "bwDU?u" fullword ascii
    $s11 = "SJbW`!W" fullword ascii
    $s12 = "BNnEx1k" fullword ascii
    $s13 = "SEENI3=" fullword ascii
    $s14 = "Bthw?:'H*" fullword ascii
    $s15 = "NfGHNHC" fullword ascii
    $s16 = "xUKlrl'>`" fullword ascii
    $s17 = "gZaZ^;Ro2" fullword ascii
    $s18 = "JhVo5Bb" fullword ascii
    $s19 = "OPta)}$" fullword ascii
    $s20 = "cZZJoVB" fullword ascii
  condition:
    // The blob starts with the two bytes F8 44 (read big-endian here so the
    // constant appears in on-disk byte order); size bound plus 8 fragments.
    filesize < 1000KB
    and uint16be(0) == 0xf844
    and 8 of ($s*)
}

// Cobalt Strike loader DLL (p227.dll). The readable strings ($s1, $s2, $s10)
// look like component names from the host application the beacon was wrapped
// in; the rest are short byte patterns, likely from relocation/opcode
// tables, kept as extracted.
rule quantum_p227 {
  meta:
    description = "Cobalt Strike - file p227.dll"
    author = "The DFIR Report"
    reference = "https://thedfirreport.com"
    date = "2022-04-24"
    hash1 = "c140ae0ae0d71c2ebaf956c92595560e8883a99a3f347dfab2a886a8fb00d4d3"
  strings:
    $s1 = "Remote Event Log Manager4" fullword wide
    // "IId…"/"%Id…" naming is characteristic of Indy (Delphi) components;
    // presumably the wrapper binary, not the beacon itself — unverified.
    $s2 = "IIdRemoteCMDServer" fullword ascii
    $s3 = "? ?6?B?`?" fullword ascii
    $s4 = "<*=.=2=6=<=\\=" fullword ascii
    $s5 = ">'?+?/?3?7?;???" fullword ascii
    $s6 = ":#:':+:/:3:7:" fullword ascii
    $s7 = "2(252<2[2" fullword ascii
    $s8 = ":$;,;2;>;F;" fullword ascii
    $s9 = ":<:D:H:L:P:T:X:\\:`:d:h:l:p:t:x:|:" fullword ascii
    $s10 = "%IdThreadMgr" fullword ascii
    $s11 = "AutoHotkeys3F3f3m3t3}3" fullword ascii
    $s15 = "3\"3(3<3]3o3" fullword ascii
    $s16 = "9 9*909B9" fullword ascii
    $s17 = "9.979S9]9a9w9" fullword ascii
    $s18 = "txf9(tsf9)tnj\\P" fullword ascii
    $s19 = "5!5'5-5J5Y5b5i5~5" fullword ascii
    $s20 = "<2=7=>=E={=" fullword ascii
  condition:
    // MZ header and a small file, then EITHER eight of the extracted strings
    // OR the sample's import hash. The imphash branch fires on its own, and
    // import hashes are shared by binaries built with the same toolchain and
    // import set, so check this hash against known-good software before
    // relying on that branch in production.
    uint16be(0) == 0x4d5a
    and filesize < 200KB
    and (
      8 of ($s*)
      or pe.imphash() == "68b5e41a24d5a26c1c2196733789c238"
    )
}