
/*
Yara Rule Set
Author: Florian Roth
Date: 2018-01-29
Identifier: Vermin Keylogger and Quasar RAT
Reference: https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
*/
/* Rule Set ----------------------------------------------------------------- */
// Detects Quasar RAT client builds (PE files) by a mandatory delay idiom plus
// a handful of command-handler / namespace names from the Quasar code base.
rule Quasar_RAT_Jan18_1 {
meta:
description = "Detects Quasar RAT"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/"
date = "2018-01-29"
// Both sample hashes also appear in Vermin_Keylogger_Jan18_1 (hash3/hash5 there);
// overlapping hits between the two rules on these samples are expected.
hash1 = "0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6"
hash2 = "24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18"
id = "52408897-bfec-5726-9d01-6ff982d50c28"
strings:
// Anchor string, required by the condition. "ping -n 20 localhost" is a common
// shell-level sleep trick (presumably used before a restart/update step - inferred,
// not shown here). UTF-16 (wide) because it is a .NET string literal.
$a1 = "ping -n 20 localhost > nul" fullword wide
// Command-handler and packet/class names; ascii because they live in the
// .NET metadata tables, not in user strings.
$s2 = "HandleDownloadAndExecuteCommand" fullword ascii
$s3 = "DownloadAndExecute" fullword ascii
$s4 = "UploadAndExecute" fullword ascii
$s5 = "ShellCommandResponse" fullword ascii
$s6 = "Select * From Win32_ComputerSystem" fullword wide
$s7 = "Process could not be started!" fullword wide
// Deliberately NOT fullword: must match as the tail of a longer namespace name.
$s8 = ".Core.RemoteShell" ascii
condition:
// MZ header (PE only), size cap for the known client builds, $a1 is mandatory.
// "them" includes $a1, so "3 of them" effectively means $a1 plus at least
// two of $s2..$s8.
uint16(0) == 0x5a4d and filesize < 600KB and $a1 and 3 of them
}
// Detects the Vermin keylogger component (PE files). High-confidence $x* strings
// (task/handler names and build paths) fire on their own; the weaker $s* strings
// only count in combination.
rule Vermin_Keylogger_Jan18_1 {
meta:
description = "Detects Vermin Keylogger"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/"
date = "2018-01-29"
hash1 = "74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d"
hash2 = "e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7"
// hash3 and hash5 are the same samples listed in Quasar_RAT_Jan18_1 (hash1/hash2);
// a hit on both rules for those files is expected, not a false positive.
hash3 = "0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6"
hash4 = "4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da"
hash5 = "24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18"
hash6 = "2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef"
id = "52192ea1-bb3d-52da-ba18-0645262745e2"
strings:
// $x1/$x2: private field names; not fullword so a compiler-generated prefix or
// suffix around the name still matches.
$x1 = "_keyloggerTaskDescription" ascii
$x2 = "_keyloggerTaskAuthor" ascii
// Keylogger task / response handler names specific to this family.
$x3 = "GetKeyloggerLogsResponse" fullword ascii
$x4 = "GetKeyloggerLogs" fullword ascii
$x5 = "ExecuteUninstallKeyLoggerTask" fullword ascii
$x6 = "ExecuteInstallKeyLoggerTask" fullword ascii
// Developer build paths (PDB-style). The string starts at ":\" so the drive
// letter is left open; backslashes are doubled for YARA escaping.
$x7 = ":\\Projects\\Vermin\\KeyboardHookLib\\" ascii
$x8 = ":\\Projects\\Vermin\\CryptoLib\\" ascii
// Supporting strings: generic .NET property/backing-field names and client
// artefacts. "xClient.Core" is also the namespace family referenced by the
// Quasar rule above (".Core.RemoteShell"), so these are weak on their own.
$s1 = "<RunHidden>k__BackingField" fullword ascii
$s2 = "set_SystemInfos" fullword ascii
$s3 = "set_RunHidden" fullword ascii
$s4 = "set_RemotePath" fullword ascii
$s5 = "ExecuteShellCommandTask" fullword ascii
$s6 = "Client.exe" fullword wide
$s7 = "xClient.Core.ReverseProxy.Packets" fullword ascii
condition:
// MZ header (PE only) and a size cap for the known builds. Either a single
// high-confidence $x string, or any three strings overall ("them" spans both
// $x* and $s*, so three $s* matches alone are enough - expect this branch to
// also catch closely related Quasar-derived clients; verify on hit).
uint16(0) == 0x5a4d and filesize < 800KB and (
1 of ($x*) or
3 of them
)
}