mirrors/Detect-It-Easy
2
0
Fork 0
mirror of https://github.com/horsicq/Detect-It-Easy.git synced 2026-06-24 01:54:08 +00:00
Code Issues Projects Releases Packages Wiki Activity
Detect-It-Easy/yara_rules/malware_analisys.yar
DosX 725f3f759d Reformat YARA rules indentation 
Normalize indentation and spacing across multiple YARA rule files. Changes are whitespace/formatting-only (alignment of comments, blocks, and string sections) and do not modify rule logic or conditions. Updated files: yara_rules/DiE_BasicHeuristics_by_DosX.yar, yara_rules/DiE_EnhancedHeuristics_by_DosX.yar, yara_rules/DiE_InterestingThings_by_DosX.yar, yara_rules/crypto_signature.yar, yara_rules/malware_analisys.yar, yara_rules/packer.yar, yara_rules/packer_compiler_signatures.yar, yara_rules/peid.yar.
2026-04-19 13:53:40 +03:00

11464 lines
No EOL
419 KiB
Text
Raw Permalink Blame History

import "pe"
rule MALWARE_Win_Laturo {
meta:
author = "ditekSHen"
description = "Laturo information stealer payload"
clamav_sig = "MALWARE.Win.Trojan.Laturo"
strings:
$str1 = "cmd.exe /c ping 127.0.0.1" ascii wide
$str2 = "cmd.exe /c start" ascii wide
$str3 = "\\RapidLoader\\" ascii
$str4 = "loader/gate.php" ascii wide
$str5 = "Hwid:" ascii wide
$str6 = "Special:" ascii wide
$str7 = "logs=%s" ascii
$data1 = "cookies.%u.txt" nocase ascii wide
$data2 = "passwords.%u.txt" nocase ascii wide
$data3 = "credentials.%u.txt" nocase ascii wide
$data4 = "cards.%u.txt" nocase ascii wide
$data5 = "autofill.%u.txt" nocase ascii wide
$data6 = "loginusers.vdf" ascii wide
$data7 = "screenshot.bmp" nocase ascii wide
$data8 = "webcam.bmp" nocase ascii wide
condition: uint16(0) == 0x5a4d and 5 of ($str*) and 1 of ($data*)
}
rule MALWARE_Win_XpertRAT {
meta:
author = "ditekSHen"
description = "XpertRAT payload"
snort_sid = "920003-920006"
clamav_sig = "MALWARE.Win.Trojan.XpertRAT"
strings:
$v1 = "[XpertRAT-Mutex]" fullword wide
$v2 = "XPERTPLUGIN" fullword wide
$v3 = "+Xpert+3." wide
$v4 = "keylog.tmp" fullword wide
$v5 = "\\TempReg.reg" fullword wide
$s1 = "ClsKeylogger" fullword ascii nocase
$s2 = "clsCamShot" fullword ascii nocase
$s3 = "ClsShellCommand" fullword ascii nocase
$s4 = "ClsRemoteDesktop" fullword ascii nocase
$s5 = "ClsScreenRemote" fullword ascii nocase
$s6 = "ClsSoundRemote" fullword ascii nocase
$s7 = "MdlHidder" fullword ascii
$s8 = "modKeylog" fullword ascii
$s9 = "modWipe" fullword ascii
$s10 = "modDelProcInUse" fullword ascii
$s11= "Socket_DataArrival" fullword ascii
$s12 = "cZip_EndCompress" fullword ascii
condition: uint16(0) == 0x5a4d and (3 of ($v*) or 6 of ($s*))
}
rule MALWARE_Win_AgentTeslaV2 {
meta:
author = "ditekSHen"
description = "AgenetTesla Type 2 Keylogger payload"
strings:
$s1 = "get_kbHook" ascii
$s2 = "GetPrivateProfileString" ascii
$s3 = "get_OSFullName" ascii
$s4 = "get_PasswordHash" ascii
$s5 = "remove_Key" ascii
$s6 = "FtpWebRequest" ascii
$s7 = "logins" fullword wide
$s8 = "keylog" fullword wide
$s9 = "1.85 (Hash, version 2, native byte-order)" wide
$cl1 = "Postbox" fullword ascii
$cl2 = "BlackHawk" fullword ascii
$cl3 = "WaterFox" fullword ascii
$cl4 = "CyberFox" fullword ascii
$cl5 = "IceDragon" fullword ascii
$cl6 = "Thunderbird" fullword ascii
condition: (uint16(0) == 0x5a4d and 6 of ($s*)) or (6 of ($s*) and 2 of ($cl*))
}
rule MALWARE_Win_AveMaria {
meta:
author = "ditekSHen"
description = "AveMaria variant payload"
strings:
$s1_1 = "PK11_CheckUserPassword" fullword ascii
$s1_2 = "PK11_Authenticate" fullword ascii
$s1_3 = "PK11SDR_Decrypt" fullword ascii
$s1_4 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList" fullword ascii
$s1_5 = "AVE_MARIA" ascii wide
$s1_6 = "127.0.0." ascii
$s2_1 = "RDPClip" fullword wide
$s2_2 = "Grabber" fullword wide
$s2_3 = "Ave_Maria Stealer OpenSource" wide
$s2_4 = "\\MidgetPorn\\workspace\\MsgBox.exe" wide
$s2_5 = "@\\cmd.exe" wide
$s2_6 = "/n:%temp%\\ellocnak.xml" wide
$s2_7 = "Hey I'm Admin" wide
$s2_8 = "warzone160" fullword ascii
$d1 = "softokn3.dll" fullword wide
$d2 = "nss3.dll" fullword wide
$d3 = "logins.json" wide
$d4 = "Asend.db" fullword wide
condition: (uint16(0) == 0x5a4d and (4 of ($s2*) and 2 of ($d*)) or (all of ($s1*))) or ((4 of ($s1*) and 2 of ($d*)) or (all of ($s1*)))
}
rule MALWARE_Win_ISRStealer {
meta:
author = "ditekSHen"
description = "ISRStealer payload"
clamav_sig = "MALWARE.Win.Trojan.ISRStealer"
strings:
$s1 = "&password=" wide
$s2 = "&pcname=" wide
$s3 = "MSVBVM60.DLL" ascii
$s4 = "MSVBVM60.DLL" wide
$s5 = "Core Software For : Public" wide
$s6 = "</Host>" wide
$s7 = "</Pass>" wide
$s8 = "/scomma" wide
condition: (uint16(0) == 0x5a4d and filesize < 4000KB and 6 of them) or all of them
}
rule MALWARE_Win_QuasarRAT {
meta:
author = "ditekSHen"
description = "QuasarRAT payload"
strings:
$s1 = "GetKeyloggerLogsResponse" fullword ascii
$s2 = "GetKeyloggerLogs" fullword ascii
$s3 = "/>Log created on" wide
$s4 = "User: {0}{3}Pass: {1}{3}Host: {2}" wide
$s5 = "Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}" wide
$s6 = "grabber_" wide
$s7 = "<virtualKeyCode>" ascii
$s8 = "<RunHidden>k__BackingField" fullword ascii
$s9 = "<keyboardHookStruct>" ascii
$s10 = "add_OnHotKeysDown" ascii
$mutex = "QSR_MUTEX_" ascii wide
$ua1 = "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0" fullword wide
$us2 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A" fullword wide
condition: uint16(0) == 0x5a4d and ($mutex or (all of ($ua*) and 2 of them) or 6 of ($s*))
}
rule MALWARE_Win_LimeRAT {
meta:
author = "ditekSHen"
description = "LimeRAT payload"
strings:
$s1 = "schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr" wide
$s2 = "\\vboxhook.dll" fullword wide
$s3 = "Win32_Processor.deviceid=\"CPU0\"" fullword wide
$s4 = "select CommandLine from Win32_Process where Name='{0}'" wide
$s5 = "Minning..." fullword wide
$s6 = "Regasm.exe" fullword wide
$s7 = "Flood!" fullword wide
$s8 = "Rans-Status" fullword wide
$s9 = "cmd.exe /c ping 0" wide
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_GuLoader {
meta:
author = "ditekSHen"
description = "Shellcode injector and downloader"
strings:
$s1 = "wininet.dll" fullword ascii
$s2 = "ShellExecuteW" fullword ascii
$s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" fullword ascii
$s4 = "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" fullword ascii
$s5 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" fullword ascii
$s6 = "Startup key" fullword ascii
$s7 = "\\qemu-ga\\qga.state" ascii nocase
$s8 = "\\qga\\qga.exe" ascii nocase
$s9 = "\\Qemu-ga\\qemu-ga.exe" ascii nocase
$s10 = "WScript.Shell" ascii
$l1 = "shell32" fullword ascii
$l2 = "kernel32" fullword ascii
$l3 = "advapi32" fullword ascii
$l4 = "user32" fullword ascii
$o1 = "msvbvm60.dll" fullword wide
$o2 = "\\syswow64\\" fullword wide
$o3 = "\\system32\\" fullword wide
$o4 = "\\Microsoft.NET\\Framework\\" fullword wide
$o5 = "USERPROFILE=" fullword wide
$o6 = "windir=" fullword wide
$o7 = "APPDATA=" fullword wide
$o8 = "RegAsm.exe" fullword wide
$o9 = "ProgramFiles=" fullword wide
$o10 = "TEMP=" fullword wide
$url1 = "https://drive.google.com/uc?export=download&id=" ascii
$url2 = "https://onedrive.live.com/download?cid=" ascii
$url3 = "http://myurl/myfile.bin" fullword ascii
$url4 = "http" ascii // fallback
condition: (3 of ($s*) and 2 of ($l*) and 2 of ($o*) and 1 of ($url*)) or (4 of ($s*) and 3 of ($l*) and 2 of ($o*))
}
rule MALWARE_Win_Arkei {
meta:
author = "ditekSHen"
description = "Detect Arkei infostealer variants"
strings:
$s1 = "C:\\Windows\\System32\\cmd.exe" fullword ascii wide
$s2 = "/c taskkill /im " fullword ascii
$s3 = "card_number_encrypted FROM credit_cards" ascii
$s4 = "\\wallet.dat" ascii
$s5 = "Arkei/" wide
$s6 = "files\\passwords." ascii wide
$s7 = "files\\cc_" ascii wide
$s8 = "files\\autofill_" ascii wide
$s9 = "files\\cookies_" ascii wide
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_DCRat {
meta:
author = "ditekSHen"
description = "DCRat payload"
strings:
// DCRat
$dc1 = "DCRatBuild" ascii
$dc2 = "DCStlr" ascii
$x1 = "px\"><center>DCRat Keylogger" wide
$x2 = "DCRat-Log#" wide
$x3 = "DCRat.Code" wide
$string1 = "CaptureBrowsers" fullword ascii
$string2 = "DecryptBrowsers" fullword ascii
$string3 = "Browsers.IE10" ascii
$string4 = "Browsers.Chromium" ascii
$string5 = "WshShell" ascii
$string6 = "SysMngmts" fullword ascii
$string7 = "LoggerData" fullword ascii
// DCRat Plugins/Libraries
$plugin = "DCRatPlugin" fullword ascii
// AntiVM
$av1 = "AntiVM" ascii wide
$av2 = "vmware" fullword wide
$av3 = "VirtualBox" fullword wide
$av4 = "microsoft corporation" fullword wide
$av5 = "VIRTUAL" fullword wide
$av6 = "DetectVirtualMachine" fullword ascii
$av7 = "Select * from Win32_ComputerSystem" fullword wide
// Plugin_AutoStealer, Plugin_AutoKeylogger
$pl1 = "dcratAPI" fullword ascii
$pl2 = "dsockapi" fullword ascii
$pl3 = "file_get_contents" fullword ascii
$pl4 = "classthis" fullword ascii
$pl5 = "typemdt" fullword ascii
$pl6 = "Plugin_AutoStealer" ascii wide
$pl7 = "Plugin_AutoKeylogger" ascii wide
// variant
$v1 = "Plugin couldn't process this action!" wide
$v2 = "Unknown command!" wide
$v3 = "PLUGINCONFIGS" wide
$v4 = "Saving log..." wide
$v5 = "~Work.log" wide
$v6 = "MicrophoneNum" fullword wide
$v7 = "WebcamNum" fullword wide
$v8 = "%SystemDrive% - Slow" wide
$v9 = "%UsersFolder% - Fast" wide
$v10 = "%AppData% - Very Fast" wide
$v11 = /<span style=\"color: #F85C50;\">\[(Up|Down|Enter|ESC|CTRL|Shift|Win|Tab|CAPSLOCK: (ON|OFF))\]<\/span>/ wide
$px1 = "[Browsers] Scanned elements: " wide
$px2 = "[Browsers] Grabbing cookies" wide
$px3 = "[Browsers] Grabbing passwords" wide
$px4 = "[Browsers] Grabbing forms" wide
$px5 = "[Browsers] Grabbing CC" wide
$px6 = "[Browsers] Grabbing history" wide
$px7 = "[StealerPlugin] Invoke: " wide
$px8 = "[Other] Grabbing steam" wide
$px9 = "[Other] Grabbing telegram" wide
$px10 = "[Other] Grabbing discord tokens" wide
$px11 = "[Other] Grabbing filezilla" wide
$px12 = "[Other] Screenshots:" wide
$px13 = "[Other] Clipboard" wide
$px14 = "[Other] Saving system information" wide
condition: uint16(0) == 0x5a4d and (all of ($dc*) or all of ($string*) or 2 of ($x*) or 6 of ($v*) or 5 of ($px*)) or ($plugin and (4 of ($av*) or 5 of ($pl*)))
}
rule MALWARE_Win_ObliqueRAT {
meta:
author = "ditekSHen"
description = "ObliqueRAT payload"
strings:
$s1 = "C:\\ProgramData\\auto.txt" fullword ascii
$s2 = "C:\\ProgramData\\System\\Dump\\" fullword ascii
$s3 = "C:\\ProgramData\\a.txt" fullword ascii
$s4 = "Oblique" fullword ascii
$s5 = /(Removable|Hard|Network|CD|RAM)\sDisk\|/ ascii
$s6 = "backed" fullword ascii
$s7 = "restart" fullword ascii
$s8 = "kill" fullword ascii
$s9 = /(John|JOHN|Test|TEST|Johsnson|Artifact|Vince|Serena|Lisa|JOHNSON|VINCE|SERENA)/ ascii nocase
$v1 = "C:\\ProgramData" fullword ascii
$v2 = "auto" fullword ascii
$v3 = "plit" fullword ascii
$v4 = ":image/jpeg" fullword wide
condition: uint16(0) == 0x5a4d and 8 of them
}
rule MALWARE_Win_FirebirdRAT {
meta:
author = "ditekSHen"
description = "Firebird/Hive RAT payload"
clamav_sig = "MALWARE.Win.Trojan.Firebird-HiveRAT"
strings:
$id1 = "Firebird Remote Administration Tool" fullword wide
$id2 = "Welcome to Firebird! Your system is currently being monitored" wide
$id3 = "Hive Remote Administration Tool" fullword wide
$id4 = "Welcome to Hive! Your system is currently being monitored" wide
$s1 = "REPLACETHESEKEYSTROKES" fullword wide
$s2 = "_ENABLE_PROFILING" fullword wide
$s3 = ": KeylogSubject" wide
$s4 = "Firebird.CommandHandler" fullword wide
$s5 = "webcamenabled" fullword ascii
$s6 = "screenlogs" fullword ascii
$s7 = "encryptedconnection" fullword ascii
$s8 = "monitoron" fullword ascii
$s9 = "screenGrab" fullword ascii
$s10 = "TCP_TABLE_OWNER_PID_ALL" fullword ascii
$s11 = "de4fuckyou" fullword ascii
condition: uint16(0) == 0x5a4d and (1 of ($id*) or 7 of ($s*))
}
rule MALWARE_Win_Phoenix {
meta:
author = "ditekSHen"
description = "Phoenix/404KeyLogger keylogger payload"
clamav_sig = "MALWARE.Win.Trojan.Phoenix-Keylogger"
strings:
$s1 = "FirefoxPassReader" fullword ascii
$s2 = "StartKeylogger" fullword ascii
$s3 = "CRYPTPROTECT_" ascii
$s4 = "Chrome_Killer" fullword ascii
$s5 = "Clipboardlog.txt" fullword wide
$s6 = "Leyboardlogs.txt" fullword wide
$s7 = "Persistence'" wide
$s8 = "set_HKB" fullword ascii
$s9 = "loloa" fullword ascii
$s10 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)" fullword wide
// Memory
$m1 = "- Screenshot -------|" ascii wide
$m2 = "- Clipboard -------|" ascii wide
$m3 = "- Logs -------|" ascii wide
$m4 = "- Passwords -------|" ascii wide
$m5 = "PSWD" ascii wide
$m6 = "Screenshot |" ascii wide
$m7 = "Logs |" ascii wide
condition: (uint16(0) == 0x5a4d and 6 of ($s*) or 3 of ($m*)) or 9 of them
}
rule MALWARE_Win_BackNet {
meta:
author = "ditekSHen"
description = "BackNet payload"
clamav_sig = "MALWARE.Win.Trojan.BackNet"
strings:
$s1 = "Slave.Commands." fullword ascii
$s2 = "StartKeylogger" fullword ascii
$s3 = "StopKeylogger" fullword ascii
$s4 = "KeyLoggerCommand" fullword ascii
$s5 = "get_keyLoggerManager" fullword ascii
$s6 = "get_IgnoreMutex" fullword ascii
$s7 = "ListProcesses" fullword ascii
$s8 = "downloadurl" fullword wide
$pdb = "\\BackNet-master\\Slave\\obj\\Release\\Slave.pdb" ascii
condition: uint16(0) == 0x5a4d and ($pdb or all of ($s*))
}
rule MALWARE_Win_AcridRain {
meta:
author = "ditekSHen"
description = "AcidRain stealer payload"
strings:
$s1 = { 43 6f 6f 6b 69 65 73 (5c|2e) }
$s2 = { 74 65 6d 70 6c 6f 67 69 ?? }
$s3 = { 74 65 6d 70 50 ?? 68 }
$s4 = "Connecting to hostname: %s%s%s" fullword ascii
$s5 = "Found bundle for host %s: %p [%s]" fullword ascii
$s6 = "encryptedUsernamencryptedPassworERROR Don't copy string" fullword ascii
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Linux_ChaChaDDoS {
meta:
author = "ditekSHen"
description = "ChaChaDDoS variant of XorDDoS payload"
strings:
$x1 = "[kworker/1:1]" ascii
$x2 = "-- LuaSocket toolkit." ascii
$x3 = "/etc/resolv.conf" ascii
$x4 = "\"macaddress=\" .. DEVICE_MAC .. \"&device=\" .." ascii
$x5 = "easy_attack_dns" ascii
$x6 = "easy_attack_udp" ascii
$x7 = "easy_attack_syn" ascii
$x8 = "syn_probe" ascii
condition:
uint16(0) == 0x457f and 6 of them
}
rule MALWARE_Multi_Exaramel {
meta:
author = "ditekSHen"
description = "Exaramel Windows/Linux backdoor payload"
clamav_sig1 = "MALWARE_Linux.Backdoor.Exaramel"
clamav_sig2 = "MALWARE_Win.Backdoor.Exaramel"
strings:
// Linux payload
$s1 = "vendor/golang_org/x/crypto/" ascii
$s2 = "vendor/golang_org/x/net/http2" ascii
$s3 = "vendor/golang_org/x/text/unicode" ascii
$s4 = "vendor/golang_org/x/text/transform" ascii
$s5 = "config.json" ascii
$cmd1 = "App.Update" ascii
$cmd2 = "App.Delete" ascii
$cmd3 = "App.SetProxy" ascii
$cmd4 = "App.SetServer" ascii
$cmd5 = "App.SetTimeout" ascii
$cmd6 = "IO.WriteFile" ascii
$cmd7 = "IO.ReadFile" ascii
$cmd8 = "OS.ShellExecute" ascii
$cmd9 = "awk 'match($0, /(upstart|systemd|sysvinit)/){ print substr($0, RSTART, RLENGTH);exit;" ascii
// Windows payload
$ws1 = "/commands/@slp" wide
$ws2 = "/commands/cmd" wide
$ws3 = "/settings/proxy/@password" wide
$ws4 = "/settings/servers/server[@current='true']" wide
$ws5 = "/settings/servers/server/@current[text()='true']" wide
$ws6 = "/settings/servers/server[text()='%s']/@current" wide
$ws7 = "/settings/servers/server[%d]" wide
$ws8 = "/settings/storage" wide
$ws9 = "/settings/check" wide
$ws10 = "/settings/interval" wide
$ws11 = "report.txt" wide
$ws12 = "stg%02d.cab" ascii
$ws13 = "urlmon.dll" ascii
$ws14 = "ReportDir" ascii
condition: (uint16(0) == 0x457f and (all of ($s*) and 6 of ($cmd*))) or (uint16(0) == 0x5a4d and 12 of ($ws*))
}
rule MALWARE_Linux_HiddenWasp {
meta:
author = "ditekSHen"
description = "HiddenWasp backdoor payload"
clamav_sig1 = "MALWARE_Linux.Trojan.HiddenWasp-ELF"
clamav_sig2 = "MALWARE_Linux.Trojan.HiddenWasp-Script"
strings:
$x1 = "I_AM_HIDDEN" fullword ascii
$x2 = "HIDE_THIS_SHELL" fullword ascii
$x3 = "NewUploadFile" ascii
$x4 = "fake_processname" ascii
$x5 = "swapPayload" ascii
$x6 = /Trojan-(Platform|Machine|Hostname|OSersion)/ fullword ascii
$s1 = "FileOpration::GetFileData" fullword ascii
$s2 = "FileOpration::NewUploadFile" fullword ascii
$s3 = "Connection::writeBlock" fullword ascii
$s4 = /hiding_(hidefile|enable_logging|hideproc|makeroot)/ fullword ascii
$s5 = "Reverse-Port" fullword ascii
$s6 = "hidden_services" fullword ascii
$s7 = "check_config" fullword ascii
$s8 = "__data_start" fullword ascii
$s9 = /patch_(suger_lib|ld|lib)/ fullword ascii
$s10 = "hexdump -ve '1/1 \"%%.2X\"' %s | sed \"s/%s/%s/g\" | xxd -r -p > %s.tmp"
condition: uint16(0) == 0x457f and (4 of ($x*) or all of ($s*) or (3 of ($x*) and 5 of ($s*)))
}
rule MALWARE_Multi_WellMess {
meta:
author = "ditekSHen"
description = "WellMess Windows/Linux backdoor payload"
clamav_sig1 = "MALWARE_Win.Trojan.WellMess_DotNet"
clamav_sig2 = "MALWARE_Win.Trojan.WellMess_Golang"
clamav_sig3 = "MALWARE_Linux.Trojan.WellMess_Golang"
strings:
// Linux and Windows payload
$s1 = "-----BEGIN PUBLIC KEY-----" ascii
$s2 = "-----END PUBLIC KEY-----" ascii
$s3 = "net/http.(*persistConn).readResponse" ascii
$s4 = "net/http/cookiejar.(*Jar).SetCookies" ascii
$s5 = "_/home/ubuntu/GoProject/src/bot/botlib" ascii
$s6 = "<;head;><;title;>" ascii
$s7 = "<;title;><;service;>" ascii
$s8 = "http://invalidlookup" ascii
$s9 = "<autogenerated>" ascii wide
//$ua1 = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" ascii
//$ua2 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20130401 Firefox/31.0" ascii
condition: (uint16(0) == 0x457f or uint16(0) == 0x5a4d) and all of them
}
rule MALWARE_Win_Konni {
meta:
author = "ditekSHen"
description = "Konni payload"
strings:
$s1 = "uplog.tmp" fullword wide
$s2 = "upfile.tmp" fullword wide
$s3 = "%s-log-%s" fullword ascii wide
$s4 = "%s-down" ascii wide
$s5 = "%s-file-%s" fullword ascii wide
$s6 = "\"rundll32.exe\" \"%s\" install" fullword wide
$s7 = "subject=%s&data=" fullword ascii
$s8 = "dll-x64.dll" fullword ascii
$s9 = "dll-x32.dll" fullword ascii
$pdb1 = "\\virus-dropper\\Release\\virus-dropper.pdb" ascii
$pdb2 = "\\virus-init\\Release\\virus-init.pdb" ascii
condition: uint16(0) == 0x5a4d and (7 of ($s*) or (3 of ($s*) and 1 of ($pdb*)))
}
rule MALWARE_Win_BitterRAT {
meta:
author = "ditekSHen"
description = "BitterRAT payload"
clamav_sig = "MALWARE.Win.Trojan.BitterRAT"
strings:
$s1 = "getfile" fullword wide
$s2 = "getfolder" fullword wide
$s3 = "winmgmts://./root/default:StdRegProv" fullword wide
$s4 = "winlog" fullword wide
$s5 = "winprt" fullword wide
$s6 = "c:\\intel\\" fullword ascii
$s7 = "AXE: #" fullword ascii
$s8 = "Bld: %s.%s.%s" fullword ascii
$s9 = "53656C656374202A2066726F6D2057696E33325F436F6D707574657253797374656D" wide nocase
$pdb1 = "\\28NovDwn\\Release\\28NovDwn.pdb" ascii
$pdb2 = "\\Shellcode\\Release\\Shellcode.pdb" ascii
condition: uint16(0) == 0x5a4d and (7 of ($*) or (4 of ($s*) and 1 of ($pdb*)))
}
rule MALWARE_Win_TJKeylogger {
meta:
author = "ditekSHen"
description = "TJKeylogger payload"
strings:
$s1 = "TJKeyLogger" fullword ascii
$s2 = "software\\microsoft\\windows\\currentversion\\run" fullword ascii
$s3 = "\\Passwords.txt" ascii
$s4 = "TJKeyLogItem" fullword ascii
$s5 = "TJKeyAsyncLog" fullword ascii
$s6 = "FM_GETDSKLST" fullword ascii
$s7 = "KL_GETMODE" fullword ascii
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_W1RAT {
meta:
author = "ditekSHen"
description = "W1 RAT payload"
strings:
$s1 = "/c /Ox /Fa\"%s/%s.asm\" /Fo\"%s/%s.obj\" \"%s/%s.%s\"" ascii
$s2 = "this->piProcInfo.hProcess" fullword ascii
$s3 = "index >= 0 && index < this->reg_tab->GetLen()" fullword ascii
$s4 = "strcpy(log_font.lfFaceName,\"%s\");" fullword ascii
$s5 = "WorkShop -- [%s]" fullword ascii
$s6 = "HeaderFile.cpp" fullword ascii
$s7 = "WndLog.cpp" fullword ascii
$s8 = "assertion fail \"%s\" at file=%s line=%d" fullword ascii
$s9 = "Stdin pipe creation failed" fullword ascii
condition: (uint16(0) == 0x5a4d and 6 of ($s*)) or (all of them)
}
rule MALWARE_Win_Raccoon {
meta:
author = "ditekSHen"
description = "Raccoon stealer payload"
strings:
$s1 = "inetcomm server passwords" fullword wide
$s2 = "content-disposition: form-data; name=\"file\"; filename=\"data.zip\"" fullword ascii
$s3 = ".?AVfilesystem_error@v1@filesystem@experimental@std@@" fullword ascii
$s4 = "CredEnumerateW" fullword ascii
$s5 = "%[^:]://%[^/]%[^" fullword ascii
$s6 = "%99[^:]://%99[^/]%99[^" fullword ascii
$s7 = "Login Data" wide
$s8 = "m_it.object_iterator != m_object->m_value.object->end()" fullword wide
$x1 = "endptr == token_buffer.data() + token_buffer.size()" fullword wide
$x2 = "\\json.hpp" wide
$x3 = "Microsoft_WinInet_" fullword wide
$x4 = "Microsoft_WinInet_*" fullword wide
condition: uint16(0) == 0x5a4d and ((3 of ($x*) and 2 of ($s*)) or (4 of ($s*) and 1 of ($x*)))
}
rule MALWARE_Win_Amadey {
meta:
author = "ditekSHen"
description = "Amadey downloader payload"
strings:
$s1 = "_ZZ14aGetProgramDirvE11UsersDirRes" fullword ascii
$s2 = "_libshell32_a" ascii
$s3 = "_ShellExecuteExA@4" ascii
$s4 = "aGetTempDirvE10TempDirRes" ascii
$s5 = "aGetHostNamevE7InfoBuf" ascii
$s6 = "aCreateProcessPc" ascii
$s7 = "aGetHostNamev" ascii
$s8 = "aGetSelfDestinationiE22aGetSelfDestinationRes" ascii
$s9 = "aGetSelfPathvE15aGetSelfPathRes" ascii
$s10 = "aResolveHostPcE15aResolveHostRes" ascii
$s11 = "aUrlMonDownloadPcS" ascii
$s12 = "aWinSockPostPcS_S_" ascii
$s13 = "aCreateProcessPc" ascii
$v1 = "hii^" fullword ascii
$v2 = "plugins/" fullword ascii
$v3 = "ProgramData\\" fullword ascii
$v4 = "&unit=" fullword ascii
$v5 = "runas" fullword ascii wide
$v6 = "Microsoft Internet Explorer" fullword wide
$v7 = "stoi argument" ascii
$av1 = "AVAST Software" fullword ascii
$av2 = "Avira" fullword ascii
$av3 = "Kaspersky Lab" fullword ascii
$av4 = "ESET" fullword ascii
$av5 = "Panda Security" fullword ascii
$av6 = "Doctor Web" fullword ascii
$av7 = "360TotalSecurity" fullword ascii
$av8 = "Bitdefender" fullword ascii
$av9 = "Norton" fullword ascii
$av10 = "Sophos" fullword ascii
$av11 = "Comodo" fullword ascii
$pdb1 = "Amadey\\Release\\Amadey.pdb" ascii wide
condition: uint16(0) == 0x5a4d and (7 of ($s*) or (6 of ($v*) and 2 of ($av*)) or 1 of ($pdb*))
}
rule MALWARE_Win_Tefosteal {
meta:
author = "ditekSHen"
description = "Tefosteal payload"
clamav_sig = "MALWARE.Win.Trojan.Tefosteal"
strings:
$s1 = "netsh wlan show networks mode=bssid" nocase fullword wide
$s2 = "LoginCredentialService.GetLoginCredentials$" ascii
$s3 = "DefaultLoginCredentials.LoginEventUsrPw$" ascii
$s4 = "SEC_E_NO_KERB_KEY" wide
$s5 = "TList<System.Zip.TZipHeader>." ascii
$s6 = "_Password.txt" fullword wide nocase
$s7 = "_Cookies.txt" fullword wide nocase
$f1 = "\\InfoPC\\BSSID.txt" wide
$f2 = "\\Files\\Telegram\\" wide
$f3 = "\\InfoPC\\Screenshot.png" wide
$f4 = "\\InfoPC\\Systeminfo.txt" wide
$f5 = "\\Steam\\config" wide
$f6 = "\\delete.vbs" wide
condition: uint16(0) == 0x5a4d and 4 of ($s*) and 2 of ($f*)
}
rule MALWARE_Win_CryptoStealerGo {
meta:
author = "ditekSHen"
description = "CryptoStealerGo payload"
strings:
$s1 = "Go build ID: \"" ascii
$s2 = "file_upload.go" ascii
$s3 = "grequests.FileUpload" ascii
$s4 = "runtime.newproc" ascii
$s5 = "credit_cards" ascii
$s6 = "zip.(*fileWriter).Write" ascii
$s7 = "autofill_" ascii
$s8 = "XFxVc2VyIERhdGFcXA==" ascii
$s9 = "XFxBcHBEYXRhXFxMb2NhbFxc" ascii
condition: uint16(0) == 0x5a4d and 8 of them
}
rule MALWARE_Win_M00nD3v {
meta:
author = "ditekSHen"
description = "M00nD3v keylogger payload"
strings:
$s1 = "M00nD3v Stub" ascii wide
$s2 = "M00nD3v{0}{1} Logs{0}{2} \\ {3}{0}{0}{4}" fullword wide
$s3 = "Anti-Keylogger Elite" wide
$s4 = "/C TASKKILL /F /IM" wide
$s5 = "echo.>{0}:Zone.Identifier" fullword wide
$s6 = "> Nul & Del \"{0}\" & start \"\" \"{1}.exe\"" wide
$s7 = "> Nul & start \"\" \"{1}.exe\"" wide
$s8 = "Stealer" fullword wide
$s9 = "{0}{0}++++++++++++{1} {2}++++++++++++{0}{0}" wide
$s10 = "{4}Application: {3}{4}URL: {0}{4}Username: {1}{4}Password: {2}{4}" wide
$s11 = "encrypted_key\":\"(?<Key>.+?)\"" wide
$s12 = "Botkiller" fullword ascii
$s13 = "AVKiller" fullword ascii
$s14 = "get_pnlPawns" fullword ascii
condition: (uint16(0) == 0x5a4d and 6 of them) or (9 of them)
}
rule MALWARE_Win_VSSDestroy {
meta:
author = "ditekSHen"
description = "VSSDestroy/Matrix ransomware payload"
snort_sid = "920008-920009"
clamav_sig = "MALWARE.Win.Ransomware.VSSDestroy"
strings:
$o1 = "[SHARESSCAN]" wide
$o2 = "[LDRIVESSCAN]" wide
$o3 = "[LOGSAVED]" wide
$o4 = "[LPROGRESS]" wide
$o5 = "[FINISHSAVED]" wide
$o6 = "[ALL_LOCAL_KID]" wide
$o7 = "[DIRSCAN" wide
$o8 = "[GENKEY]" wide
$s1 = "\\cmd.exe" nocase wide
$s2 = "/C powershell \"" nocase wide
$s3 = "%COMPUTERNAME%" wide
$s4 = "%USERNAME%" wide
$s5 = "Error loading Socket interface (ws2_32.dll)!" wide
$s6 = "Old file list dump found. Want to load it? (y/n):" fullword wide
condition: (uint16(0) == 0x5a4d and 4 of ($o*) and 3 of ($s*)) or (5 of ($o*) and 4 of ($s*))
}
rule MALWARE_Win_GoldenAxe {
meta:
author = "ditekSHen"
description = "GoldenAxe ransomware payload"
clamav_sig = "MALWARE.Win.Ransomware.GoldenAxe"
strings:
$s1 = "Go build ID: " ascii
$s2 = "taskkill.exe" ascii
$s3 = "cmd.exe" ascii
$s4 = "Speak.Speak" ascii
$s5 = "CLNTSRVRnull" ascii
$s6 = "-----END" ascii
$s7 = "-----BEGIN" ascii
$s8 = ".EncryptFile" ascii
$g1 = "GoldenAxe/Utils." ascii
$g2 = "GoldenAxe/Cryptography." ascii
$g3 = "GoldenAxe/Walker." ascii
$g4 = "C:/Users/alpha/go/src/GoldenAxe/" ascii
$g5 = "'Golden Axe ransomware'" ascii
condition: uint16(0) == 0x5a4d and (all of ($s*) or (1 of ($g*) and 1 of ($s*)))
}
rule MALWARE_Win_Robbinhood {
meta:
author = "ditekSHen"
description = "Robbinhood ransomware payload"
clamav_sig = "MALWARE.Win.Ransomware.Robbinhood"
strings:
$go = "Go build ID:" ascii
$cmd1 = "cmd.exe /c" ascii
$cmd2 = "net use * /DELETE" nocase ascii
$cmd3 = "sc.exe stop" ascii
$cmd4 = "vssadmin resize shadowstorage" nocase ascii
$s1 = /Skipping\s(file|dir)/ ascii
$s2 = "Encrypt[ERR] GET Size:" ascii
$s3 = ".taskkilltasklistunknown(" ascii
$s4 = ".sysvssadmin.exewevtutil.exe MB released" ascii
$s5 = ".sysvssadmin.exewevtutil.exewinlogin.exewinlogon.exe MB released" ascii
$s6 = ".enc_robbinhood" ascii
$s7 = "c:\\windows\\temp\\pub.key" nocase ascii
$s8 = "main.CoolMaker" ascii
$s9 = "/valery/go/src/oldboy/" ascii
condition: uint16(0) == 0x5a4d and ($go and 1 of ($cmd*) and 3 of ($s*))
}
rule MALWARE_Win_GetCrypt {
meta:
author = "ditekSHen"
description = "GetCrypt ransomware payload"
clamav_sig1 = "MALWARE_Win.Ransomware.GetCrypt-1"
clamav_sig2 = "MALWARE_Win.Ransomware.GetCrypt-2"
strings:
$x1 = "delete shadows /all /quiet" wide
$x2 = "C:\\Windows\\System32\\svchost.exe" fullword wide
$x3 = "desk.bmp" fullword wide
$x4 = ":\\Boot" fullword wide
$x5 = "\\encrypted_key.bin" fullword wide
$x6 = "vssadmin.exe" fullword wide
$x7 = ":\\Recovery" fullword wide
$s1 = "CryptEncrypt" fullword ascii
$s2 = "NtWow64ReadVirtualMemory64" fullword ascii
$s3 = "MPR.dll" fullword ascii
$s4 = "%key%" fullword ascii
$s5 = "CryptDestroyKey" fullword ascii
$s6 = "ntdll.dll" fullword ascii
$s7 = "WNetCancelConnection2W" fullword ascii
$s8 = ".%c%c%c%c" fullword wide
// is slowing down scanning
//$s9 = /([Gg]uest|[Aa]dministrator|[Dd]eveloper|[Rr][0Oo]{2}t|[Aa]dmin)/ fullword ascii wide
$s10 = { 43 72 79 70 74 49 6d 70 6f 72 74 4b 65 79 00 00
cb 00 43 72 79 70 74 45 6e 63 72 79 70 74 00 00
c1 00 43 72 79 70 74 41 63 71 75 69 72 65 43 6f
6e 74 65 78 74 41 00 00 c8 00 43 72 79 70 74 44
65 73 74 72 6f 79 4b 65 79 00 d2 00 43 72 79 70
74 47 65 6e 52 61 6e 64 6f 6d 00 00 c2 00 43 72
79 70 74 41 63 71 75 69 72 65 43 6f 6e 74 65 78
74 57 00 00 41 44 56 41 50 49 33 32 2e 64 6c 6c
00 00 b5 01 53 68 65 6c 6c 45 78 65 63 75 74 65
45 78 57 00 53 48 45 4c 4c 33 32 2e 64 6c 6c 00 }
condition: uint16(0) == 0x5a4d and (3 of ($x*) or 8 of ($s*))
}
rule MALWARE_JoeGo {
meta:
author = "ditekSHen"
description = "JoeGo ransomware payload"
clamav_sig = "MALWARE.Win.Ransomware.JoeGo"
strings:
$go = "Go build ID:" ascii
$s1 = "%SystemRoot%\\system32\\%v." ascii
$s2 = "REG ADD HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V" ascii
$s3 = "/t REG_SZ /F /D %userprofile%\\" ascii
$s4 = "(sensitive) [recovered]" ascii
$s5 = "/dev/stderr/dev/stdout/index.html" ascii
$s6 = "%userprofile%\\SystemApps" ascii
$s7 = "p=<br>ACDTACSTAEDTAESTAKDTAKSTAWSTA" ascii
$cnc1 = "/detail.php" ascii
$cnc2 = "/checkin.php" ascii
$cnc3 = "/platebni_brana.php" ascii
$cnc4 = "://nebezpecnyweb.eu/" ascii
condition: uint16(0) == 0x5a4d and $go and (all of ($s*) or (3 of ($s*) and 1 of ($cnc*)))
}
rule MALWARE_Win_Aurora {
meta:
author = "ditekSHen"
description = "Aurora ransomware payload"
strings:
$s1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" fullword ascii wide
$s2 = "#DECRYPT_MY_FILES#.txt" fullword ascii
$s3 = "/gen.php?generate=" fullword ascii
$s4 = "geoplugin.net/php.gp" ascii
$s5 = "/end.php?id=" fullword ascii
$s6 = "wotreplay" fullword ascii
$s7 = "moneywell" fullword ascii
$s8 = "{btc}" fullword ascii
$s9 = ".?AV_Locimp@locale@std@@" ascii
$s10 = ".?AV?$codecvt@DDU_Mbstatet@@@std@@" ascii
$s11 = ".?AU_Crt_new_delete@std@@" ascii
$pdb1 = "\\z0ddak\\Desktop\\source\\Release\\Ransom.pdb" ascii
$pdb2 = "\\Desktop\\source\\Release\\Ransom.pdb" ascii
condition: uint16(0) == 0x5a4d and ((1 of ($pdb*) and 5 of ($s*)) or (8 of them))
}
rule MALWARE_Win_Buran {
meta:
author = "ditekSHen"
description = "Buran ransomware payload"
clamav_sig = "MALWARE.Win.Ransomware.Buran"
strings:
// Variant 1
$v1_1 = "U?$error_info_injector@V" ascii
$v1_2 = "Browse for Folder (FTP)" fullword ascii
$v1_3 = "Find/Replace in Files" fullword ascii
$v1_4 = "PAHKLM" fullword ascii
$v1_5 = "PAHKCR" fullword ascii
$v1_6 = "chkOpt_" ascii
$h1 = "Search <a href=\"location\" class=\"menu\">in this folder</a>" ascii
$h2 = "<br>to find where the text below" ascii
$h3 = "</a> files with these extensions (separate with semi-colons)" ascii
$h4 = "Need help with <a href=\"" ascii
$path = "\\work\\cr\\nata\\libs\\boost_" wide
// Variant 2
$v2_1 = "(ShlObj" fullword ascii
$v2_2 = "\\StreamUnit" fullword ascii
$v2_3 = "TReadme" fullword ascii
$v2_4 = "TDrivesAndShares" fullword ascii
$v2_5 = "TCustomMemoryStreamD" fullword ascii
$v2_6 = "OpenProcessToken" fullword ascii
$v2_7 = "UrlMon" fullword ascii
$v2_8 = "HttpSendRequestA" fullword ascii
$v2_9 = "InternetConnectA" fullword ascii
$v2_10 = "FindFiles" fullword ascii
$v2_12 = "$*@@@*$@@@$" ascii
condition: uint16(0) == 0x5a4d and (((all of ($v1*) and 1 of ($h*)) or ($path and 2 of ($v1*) and 1 of ($h*)) or 10 of them) or all of ($v2*))
}
rule MALWARE_Win_MassLogger {
meta:
author = "ditekSHen"
description = "MassLogger keylogger payload"
strings:
$s1 = "MassLogger v" ascii wide
$s2 = "MassLogger Started:" ascii wide
$s3 = "MassLogger Process:" ascii wide
$s4 = "/panel/upload.php" wide
$s5 = "ftp://" wide
$s6 = "\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}" fullword wide
$s7 = "^(.*/)?([^/\\\\.]+/\\\\.\\\\./)(.+)$" fullword wide
$s8 = "Bot Killer" ascii
$s9 = "Keylogger And Clipboard" ascii
$c1 = "costura.ionic.zip.reduced.dll.compressed" fullword ascii
$c2 = "CHECKvUNIQUEq" fullword ascii
$c3 = "HOOK/MEMORY6" fullword ascii
$c4 = "Massfile" ascii wide
$c5 = "Fz=[0-9]*'skips*" fullword ascii
$c6 = ":=65535zO" fullword ascii
$c7 = "!$!%!&!'!(!)!*!.!/!0!4!" fullword ascii
$c8 = "5!9!:!<!>!@!E!G!J!K!L!N!O!P!`!" fullword ascii
$c9 = "dllToLoad" fullword ascii
$c10 = "set_CreateNoWindow" fullword ascii
$c11 = "FtpWebRequest" fullword ascii
$c12 = "encryptedUsername" fullword ascii
$c13 = "encryptedPassword" fullword ascii
condition: (uint16(0) == 0x5a4d and 9 of ($c*)) or (5 of ($s*) or 9 of ($c*))
}
rule MALWARE_Win_Echelon {
meta:
author = "ditekSHen"
description = "Echelon information stealer payload"
strings:
$s1 = "<GetStealer>b__" ascii
$s2 = "clearMac" fullword ascii
$s3 = "path2save" fullword ascii
$s4 = "Echelon_Size" fullword ascii
$s5 = "Echelon Stealer by" wide
$s6 = "get__masterPassword" fullword ascii
$s7 = "DomainDetect" fullword ascii
$s8 = "[^\\u0020-\\u007F]" fullword wide
$s9 = "/sendDocument?chat_id=" wide
$s10 = "//setting[@name='Password']/value" wide
$s11 = "Passwords_Mozilla.txt" fullword wide
$s12 = "Passwords_Edge.txt" fullword wide
$s13 = "@madcod" ascii wide
$pdb = "\\Echelon-Stealer-master\\obj\\Release\\Echelon.pdb" ascii
condition: (uint16(0) == 0x5a4d and (8 of ($s*) or $pdb)) or (8 of ($s*) or $pdb)
}
rule MALWARE_Win_Qulab {
meta:
author = "ditekSHen"
description = "Qulab information stealer payload or artifacts"
clamav_sig = "MALWARE.Win.Trojan.QulabZ-Stealer"
strings:
$x1 = "QULAB CLIPPER + STEALER" ascii wide
$x2 = "MASAD CLIPPER + STEALER" ascii wide
$x3 = "http://teleg.run/Qulab" ascii wide
$x4 = "http://teleg.run/jew_seller" ascii wide
$x5 = "BUY CLIPPER + STEALER" ascii wide
$s1 = "\\Screen.jpg" ascii wide
$s2 = "attrib +s +h \"" ascii wide
$s3 = "\\x86_microsoft-windows-" ascii wide
$s4 = "\\amd64_microsoft-windows-" ascii wide
$s5 = "Desktop TXT File" ascii wide
$s6 = "\\AutoFills.txt" ascii wide
$s7 = "\\CreditCards.txt" ascii wide
$s8 = "a -y -mx9 -ssw" ascii wide
$s9 = "\\Passwords.txt" ascii wide
$s10 = "\\Information.txt" ascii wide
$s11 = "\\getMe" ascii wide
condition: 9 of them or ((1 of ($x*) and 4 of ($s*)) or 1 of ($x*))
}
rule MALWARE_Win_Orion {
meta:
author = "ditekSHen"
description = "Orion Keylogger payload"
strings:
$s1 = "\\Ranger.BrowserLogging" ascii wide nocase
$s2 = "GrabAccounts" fullword ascii
$s3 = "DownloadFile" fullword ascii
$s4 = "Internet Explorer Recovery" wide
$s5 = "Outlook Recovery" wide
$s6 = "Thunderbird Recovery" wide
$s7 = "Keylogs -" wide
$s8 = "WebCam_Capture.dll" wide
$s9 = " is not installed on this computer!" wide
$s10 = "cmd /c bfsvc.exe \"" wide
$s11 = "/Keylogs - PC:" fullword wide
$s12 = "/PC:" fullword wide
$s13 = "<p style=\"color:#CC7A00\">[" wide
condition: (uint16(0) == 0x5a4d and 5 of ($s*)) or (6 of ($s*))
}
rule MALWARE_Win_Aspire {
meta:
author = "ditekSHen"
description = "Aspire Keylogger payload"
strings:
$s1 = "AspireLogger -" wide
$s2 = "Application: @" wide
$s3 = "encryptedUsername" wide
$s4 = "encryptedPassword" wide
$s5 = "Fetch users fron logins" wide
$s6 = "URI=file:" wide
$s7 = "signons.sqlite" wide
$s8 = "logins.json" wide
condition: (uint16(0) == 0x5a4d and 6 of ($s*)) or (7 of ($s*))
}
rule MALWARE_Win_S05Kitty {
meta:
author = "ditekSHen"
description = "Sector05 Kitty RAT payload"
strings:
$s1 = "Execute Comand" ascii
$s2 = "InjectExplorer" ascii
$s3 = "targetProcess = %s" fullword ascii
$s4 = "Process attach (%s)" fullword ascii
$s5 = "process name: %s" fullword ascii
$s6 = "cmd /c %s >%s" fullword ascii
$s7 = "CmdDown: %s, failed" fullword ascii
$s8 = "http://%s%s/%s" fullword ascii
$s9 = "tmp.LOG" fullword ascii
$x1 = "zerodll.dll" fullword ascii
$x2 = "OneDll.dll" fullword ascii
$x3 = "kkd.bat" fullword ascii
$x4 = "%s\\regsvr32.exe /s \"%s\"" fullword ascii
$x5 = "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\fontchk.jse" fullword ascii
condition: uint16(0) == 0x5a4d and (8 of ($s*) or all of ($x*))
}
rule MALWARE_Win_FakeWMI {
meta:
author = "ditekSHen"
description = "FakeWMI payload"
clamav_sig = "MALWARE.Win.Trojan.Fakewmi"
strings:
$s1 = "-BEGIN RSA PUBLIC KEY-" ascii
$s2 = ".exe|" ascii
$s3 = "cmd /c wmic " ascii
$s4 = "cmd /c sc " ascii
$s5 = "schtasks" ascii
$s6 = "taskkill" ascii
$s7 = "findstr" ascii
$s8 = "netsh interface" ascii
$s9 = "CreateService" ascii
condition:
uint16(0) == 0x5a4d and (all of ($s*) and #s2 > 10)
}
rule MALWARE_Win_Baldr {
meta:
author = "ditekSHen"
description = "Baldr payload"
clamav_sig = "MALWARE.Win.Trojan.Baldr"
strings:
$x1 = "BALDR VERSION : {0}" fullword wide
$x2 = "Baldr" fullword ascii wide
$x3 = "{0}\\{1:n}.exe" fullword wide
$x4 = ".doc;.docx;.log;.txt;" fullword wide
$s1 = "<GetMAC>b__" ascii
$s2 = "<ExtractPrivateKey3>b__" ascii
$s3 = "UploadData" fullword ascii
$s6 = "get_NetworkInterfaceType" fullword ascii
$s5 = "get_Passwordcheck" fullword ascii
condition: (uint16(0) == 0x5a4d and all of ($x*)) or (2 of ($x*) and 4 of ($s*))
}
rule MALWARE_Win_Megumin {
meta:
author = "ditekSHen"
description = "Megumin payload"
clamav_sig = "MALWARE.Win.Trojan.Megumin"
strings:
$s1 = "loadpe|" fullword ascii
$s2 = "Megumin/2.0" fullword ascii
$s3 = "/c start /I \"\" \"" fullword ascii
$s4 = "jsbypass|" fullword ascii
$cnc1 = "Mozilla/5.0 (Windows NT 6.1) Megumin/2.0" fullword ascii
$cnc2 = "/cdn-cgi/l/chk_jschl?s=" fullword ascii
$cnc3 = "/newclip?hwid=" fullword ascii
$cnc4 = "/isClipper" fullword ascii
$cnc5 = "/task?hwid=" fullword ascii
$cnc6 = "/completed?hwid=" fullword ascii
$cnc7 = "/gate?hwid=" fullword ascii
$cnc8 = "/addbot?hwid=" fullword ascii
$pdb = "\\MeguminV2\\Release\\MeguminV2.pdb" ascii
condition: (uint16(0) == 0x5a4d and (all of ($s*) or 5 of ($cnc*) or $pdb)) or 11 of them
}
rule MALWARE_Win_Rietspoof {
meta:
author = "ditekSHen"
description = "Rietspoof payload"
clamav_sig = "MALWARE.Win.Trojan.Rietspoof"
strings:
$c1 = "%s%s%s USER: user" fullword ascii
$c2 = "cmd /c %s" fullword ascii
$c3 = "CreateObject(\"Scripting.FileSystemObject\").DeleteFile(" ascii
$c4 = "WScript.Quit" fullword ascii
$c5 = "CPU: %s(%d)" fullword ascii
$c6 = "RAM: %lld Mb" fullword ascii
$c7 = "data.dat" fullword ascii
$c8 = "%s%s%s USER:" ascii
$v1_1 = ".vbs" ascii
$v1_2 = "HELLO" ascii
$v1_3 = "Wscript.Sleep" ascii
$v1_4 = "User-agent:Mozilla/5.0 (Windows; U;" ascii
$v2_1 = "Xjoepxt!" ascii
$v2_2 = "Content-MD5:%s" fullword ascii
$v2_3 = "M9h5an8f8zTjnyTwQVh6hYBdYsMqHiAz" fullword ascii
$v2_4 = "GET /%s?%s HTTP/1.1" fullword ascii
$v2_5 = "GET /?%s HTTP/1.1" fullword ascii
$pdb1 = "\\techloader\\loader\\loader.odb" ascii wide
$pdb2 = "\\loader\\Release\\loader_v1.0.pdb" ascii wide
condition: uint16(0) == 0x5a4d and (7 of ($c*) and (3 of ($v*) or 1 of ($pdb*)))
}
rule MALWARE_Win_MoDiRAT {
meta:
author = "ditekSHen"
description = "MoDiRAT payload"
strings:
$s1 = "add_Connected" fullword ascii
$s2 = "Statconnected" fullword ascii
$s3 = "StartConnect" fullword ascii
$s4 = "TelegramTitleDetect" fullword ascii
$s5 = "StartTitleTelegram" fullword ascii
$s6 = "Check_titles" fullword ascii
$s7 = "\\MoDi RAT V" ascii
$s8 = "IsBuzy" fullword ascii
$s9 = "Recording_Time" fullword wide
condition: (uint16(0) == 0x5a4d and 7 of them) or all of them
}
rule MALWARE_DOC_KoadicDOC {
meta:
author = "ditekSHen"
description = "Koadic post-exploitation framework document payload"
strings:
$s1 = "&@cls&@set" ascii
$s2 = /:~\d+,1%+/ ascii
$s3 = "Header Char" fullword wide
$s4 = "EMBED Package" ascii
$b1 = ".bat\"%" ascii
$b2 = ".bat');\\\"%" ascii
$b3 = ".bat',%" ascii
condition: uint16(0) == 0xcfd0 and all of ($s*) and 2 of ($b*)
}
rule MALWARE_BAT_KoadicBAT {
meta:
author = "ditekSHen"
description = "Koadic post-exploitation framework BAT payload"
strings:
$v1_1 = "&@cls&@set" ascii
$v2_1 = { 26 63 6c 73 0d 0a 40 25 }
$m1 = /:~\d+,1%+/ ascii
condition: uint16(0) == 0xfeff and ((1 of ($v1*) or 1 of ($v2*)) and #m1 > 100)
}
rule MALWARE_JS_KoadicJS {
meta:
author = "ditekSHen"
description = "Koadic post-exploitation framework JS payload"
strings:
$s1 = "window.moveTo(-" ascii
$s2 = "window.onerror = function(sMsg, sUrl, sLine) { return false; }" fullword ascii
$s3 = "window.onfocus = function() { window.blur(); }" fullword ascii
$s4 = "window.resizeTo(" ascii
$s5 = "window.blur();" fullword ascii
$hf1 = "<hta:application caption=\"no\" windowState=\"minimize\" showInTaskBar=\"no\"" fullword ascii
$hf2 = "<hta:application caption=\"no\" showInTaskBar=\"no\" windowState=\"minimize\" navigable=\"no\" scroll=\"no\""
$ht1 = "<hta:application" ascii
$ht2 = "caption=\"no\"" ascii
$ht3 = "showInTaskBar=\"no\"" ascii
$ht4 = "windowState=\"minimize\"" ascii
$ht5 = "navigable=\"no\"" ascii
$ht6 = "scroll=\"no\"" ascii
condition: all of ($s*) and (1 of ($hf*) or all of ($ht*))
}
rule MALWARE_Win_NETEAGLE {
meta:
author = "ditekSHen"
description = "NETEAGLE backdoor payload"
strings:
$s1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" fullword ascii
$s2 = "System\\CurrentControlSet\\control\\ComputerName\\ComputerName" fullword ascii
$s3 = "Mozilla/4.0 (compatible; MSIE 5.0; Win32)" fullword ascii
$s4 = "/index.htm" fullword ascii
$s5 = "Help_ME" fullword ascii
$s6 = "GOTO ERROR" ascii
$s7 = "127.0.0.1" fullword ascii
$s8 = /pic\d\.bmp/ ascii wide
condition: uint16(0) == 0x5a4d and 7 of them
}
rule MALWARE_WIN_BACKSPACE {
meta:
author = "ditekSHen"
description = "BACKSPACE backdoor payload"
strings:
$s1 = "Software\\Microsoft\\PnpSetup" ascii wide
$s2 = "Mutex_lnkword_little" ascii wide
$s3 = "(Prxy%c-%s:%u)" fullword ascii
$s4 = "(Prxy-No)" fullword ascii
$s5 = "/index.htm" fullword ascii
$s6 = "CONNECT %s:%d" ascii
$s7 = "\\$NtRecDoc$" fullword ascii
$s8 = "qazWSX123$%^" ascii
$s9 = "Software\\Microsoft\\Core" ascii wide
$s10 = "Mutex_lnkch" ascii wide
$s11 = "Event__lnkch__" ascii wide
$s12 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)" fullword ascii
$s13 = "User-Agent: Mozilla/5.00 (compatible; MSIE 6.0; Win32)" fullword ascii
condition: uint16(0) == 0x5a4d and 8 of them
}
rule MALWARE_Win_RHttpCtrl {
meta:
author = "ditekSHen"
description = "RHttpCtrl backdoor payload"
strings:
$s1 = "%d_%04d%02d%02d%02d%02d%02d." ascii
$s2 = "ver=%s&id=%06d&type=" ascii
$s3 = "ver=%d&id=%s&random=%d&" ascii
$s4 = "id=%d&output=%s" ascii
$s5 = "Error:WinHttpCrackUrl failed!/n" ascii
$s6 = "Error:SendRequest failed!/n" ascii
$s7 = ".exe a %s %s" ascii
$s8 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0" fullword wide
$pdb = "\\WorkSources\\RHttpCtrl\\Server\\Release\\svchost.pdb" ascii
condition: uint16(0) == 0x5a4d and (5 of ($s*) or ($pdb and 2 of ($s*)))
}
rule MALWARE_Win_PillowMint {
meta:
author = "ditekSHen"
description = "PillowMint POS payload"
strings:
$s1 = "system32\\sysvols\\" ascii nocase
$s2 = "Sysnative\\sysvols\\" ascii nocase
$s3 = "critical.log" fullword ascii
$s4 = "log.log" fullword ascii
$s5 = "commands.txt" fullword ascii
$s6 = "_EV0LuTi0N_" ascii
$s7 = /(file|reg)\scmd:/ fullword ascii
$s8 = "dumper_nologs_" ascii
$s9 = "ReflectiveLoader" ascii
condition:
uint16(0) == 0x5a4d and 6 of them
}
rule MALWARE_Win_BlackshadesRAT {
meta:
author = "ditekSHen"
description = "BlackshadesRAT / Cambot POS payload"
snort_sid = "920208-920210"
strings:
$s1 = "bhookpl.dll" fullword wide
$s2 = "drvloadn.dll" fullword wide
$s3 = "drvloadx.dll" fullword wide
$s4 = "SPY_NET_RATMUTEX" fullword wide
$s5 = "\\dump.txt" fullword wide
$s6 = "AUTHLOADERDEFAULT" fullword wide
$pdb = "*\\AC:\\Users\\Admin\\Desktop_old\\Blackshades project\\bs_bot\\bots\\bot\\bs_bot.vbp" fullword wide
condition: uint16(0) == 0x5a4d and (4 of ($s*) or ($pdb and 2 of ($s*)))
}
rule MALWARE_Win_GoldenSpy {
meta:
author = "SpiderLabs Trustwave"
description = "GoldenSpy dropper payload"
reference = "https://trustwave.azureedge.net/media/16908/the-golden-tax-department-and-emergence-of-goldenspy-malware.pdf"
strings:
$reg = "Software\\IDG\\DA" nocase wide ascii // registry entry
$str1 = "requestStr" nocase wide ascii // POST request the machine details with this parameter
$str2 = "nb_app_log_mutex" nocase wide ascii // Mutex
$str3 = { 510F4345[0-10]50518D8DCCFE[0-20]837D1C[0-20]8D45[0-15]0F4345[0-20]505157 } // Data collection and passed to requestStr in POST
condition: (uint16(0) == 0x5A4D) and $reg and 2 of ($str*)
}
rule MALWARE_Win_Plurox {
meta:
author = "ditekSHen"
description = "Plurox backdoor payload"
strings:
$s1 = "autorun.c" fullword ascii
$s2 = "launcher.c" fullword ascii
$s3 = "loader.c" fullword ascii
$s4 = "stealth.c" fullword ascii
$s5 = "RunFromMemory" fullword ascii
condition:
uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_Avalon {
meta:
author = "ditekSHen"
description = "Avalon infostealer payload"
strings:
$s1 = "Parsecards" fullword ascii
$s2 = "Please_Gofuckyouself" fullword ascii
$s3 = "GetDomainDetect" fullword ascii
$s4 = "GetTotalCommander" fullword ascii
$s5 = "KnownFolder" fullword ascii
$s6 = "set_hidden" fullword ascii
$s7 = "set_system" fullword ascii
$l1 = "\\DomainDetect.txt" wide
$l2 = "\\Grabber_Log.txt" wide
$l3 = "\\Programs.txt" wide
$l4 = "\\Passwords_Edge.txt" wide
$l5 = "\\KL.txt" wide
$w1 = "dont touch" fullword wide
$w2 = "Grabber" fullword wide
$w3 = "Keylogger" fullword wide
$w4 = "password-check" fullword wide
$w5 = "H4sIAAAAAAAEA" wide
$p1 = "^(?!:\\/\\/)([a-zA-Z0-9-_]+\\.)*[a-zA-Z0-9][a-zA-Z0-9-_]+\\.[a-zA-Z]{2,11}?$" wide
$p2 = "^([a-zA-Z0-9_\\-\\.]+)@([a-zA-Z0-9_\\-\\.]+)\\.([a-zA-Z]{2,5})$" wide
condition:
uint16(0) == 0x5a4d and 8 of them
}
rule MALWARE_Linux_Kinsing {
meta:
author = "ditekSHen"
description = "Kinsing RAT payload"
strings:
$s1 = "backconnect" ascii
$s2 = "connectForSocks" ascii
$s3 = "downloadAndExecute" ascii
$s4 = "download_and_exec" ascii
$s5 = "masscan" ascii
$s6 = "UpdateCommand:" ascii
$s7 = "exec_out" ascii
$s8 = "doTask with type %s" ascii
condition:
uint16(0) == 0x457f and 6 of them
}
rule MALWARE_Win_Avaddon {
meta:
author = "ditekSHen"
description = "Avaddon ransomware payload"
strings:
$s1 = "\\IMAGEM~1.%d\\VISUA~1\\BIN\\%s.exe" ascii
$s2 = "\\IMAGEM~1.%.2d-\\VISUA~1\\BIN\\%s.exe" ascii
$s3 = "\\IMAGEM~1.%d-Q\\VISUA~1\\BIN\\%s.exe" ascii
$s4 = "\\IMAGEM~1.%d\\%s.exe" ascii
$s5 = "EW6]>mFXDS?YBi?W5] CY 4Z8Y BY7Y BZ8Z CY7Y AY8Z CZ8Y!Y:Z" ascii
$s6 = "FY AY 'Z ;W @Y @Y 'Z Y @Y (Z" ascii
$s7 = "\"rcid\":\"" fullword ascii
$s8 = "\"ip\":\"" fullword ascii wide
$s9 = ".?AUANEventIsGetExternalIP@@" fullword ascii
$s10 = ".?AUANEventGetCpuMax@@" fullword ascii
condition:
uint16(0) == 0x5a4d and 8 of them
}
rule MALWARE_Win_ProLock {
meta:
author = "ditekSHen"
description = "ProLock ransomware payload"
clamav_sig = "MALWARE.Win.Ransomware.ProLock"
strings:
$s1 = ".flat" fullword ascii
$s2 = ".data" fullword ascii
$s3 = ".api" fullword ascii
$s4 = "RtlZeroMemory" fullword ascii
$s5 = "LoadLibraryA" fullword ascii
$s6 = "Sleep" fullword ascii
$s7 = "lstrcatA" fullword ascii
$s8 = { 55 89 E5 8B 45 08 EB 00 89 45 EC 8D 15 4F 10 40 00 8D 05 08 10 40 00 83 E8 08 29 C2 8B 45 EC 01 C2 31 }
condition:
uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_PurpleWave {
meta:
author = "ditekSHen"
description = "PurpleWave infostealer payload"
strings:
$s1 = "/loader/" fullword ascii
$s2 = "\\load_" fullword wide
$s3 = "boundaryaswell" fullword ascii
$s4 = "[passwords]" ascii
$s5 = "[is_encrypted]" ascii
$s6 = "[cookies]" ascii
$s7 = ".?AVMozillaBrowser@@" fullword ascii
$s8 = ".?AVChromeBrowser@@" fullword ascii
$s9 = ".?AV?$money" ascii
$s10 = "at t.me/LuckyStoreSupport" ascii
condition:
uint16(0) == 0x5a4d and 7 of them
}
rule MALWARE_Java_Pyrogenic {
meta:
author = "ditekSHen"
description = "Pyrogenic/Qealler infostealer payload"
strings:
$s1 = "bbb6fec5ebef0d93" ascii wide
$s2 = "2a898bc98aaf6c96f2054bb1eadc9848eb77633039e9e9ffd833184ce553fe9b" ascii wide
$s3 = "addShutdownHook" ascii wide
$s4 = "obfuscated/META-INF/QeallerV" ascii wide
$s5 = "globalIpAddress" ascii wide
condition:
all of them
}
rule MALWARE_Win_AgentTeslaV3 {
meta:
author = "ditekSHen"
description = "AgentTeslaV3 infostealer payload"
strings:
$s1 = "get_kbok" fullword ascii
$s2 = "get_CHoo" fullword ascii
$s3 = "set_passwordIsSet" fullword ascii
$s4 = "get_enableLog" fullword ascii
$s5 = "bot%telegramapi%" wide
$s6 = "KillTorProcess" fullword ascii
$s7 = "GetMozilla" ascii
$s8 = "torbrowser" wide
$s9 = "%chatid%" wide
$s10 = "logins" fullword wide
$s11 = "credential" fullword wide
$s12 = "AccountConfiguration+" wide
$s13 = "<a.+?href\\s*=\\s*([\"'])(?<href>.+?)\\1[^>]*>" fullword wide
$g1 = "get_Clipboard" fullword ascii
$g2 = "get_Keyboard" fullword ascii
$g3 = "get_Password" fullword ascii
$g4 = "get_CtrlKeyDown" fullword ascii
$g5 = "get_ShiftKeyDown" fullword ascii
$g6 = "get_AltKeyDown" fullword ascii
$m1 = "yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time" ascii
$m2 = "%image/jpg:Zone.Identifier\\tmpG.tmp%urlkey%-f \\Data\\Tor\\torrcp=%PostURL%127.0.0.1POST+%2B" ascii
$m3 = ">{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\\WScript.ShellRegReadg401" ascii
$m4 = "%startupfolder%\\%insfolder%\\%insname%/\\%insfolder%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run%insregname%SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\RunTruehttp" ascii
$m5 = "\\WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera" ascii
condition:
(uint16(0) == 0x5a4d and (8 of ($s*) or (6 of ($*) and all of ($g*)))) or (2 of ($m*))
}
rule MALWARE_Win_Taurus {
meta:
author = "ditekSHen"
description = "Taurus infostealer payload"
strings:
$s1 = "t.me/taurus_se" ascii
$s2 = "rus_seller@explo" ascii
$s3 = "/c timeout /t 3 & del /f /q" ascii
$s4 = "MyAwesomePrefix" ascii
$txt1 = "LogInfo.txt" fullword ascii
$txt2 = "Information.txt" fullword ascii
$txt3 = "General\\passwords.txt" fullword ascii
$txt4 = "General\\forms.txt" fullword ascii
$txt5 = "General\\cards.txt" fullword ascii
$txt6 = "Installed Software.txt" fullword ascii
$txt7 = "Crypto Wallets\\WalletInfo.txt" fullword ascii
$txt8 = "cookies.txt" fullword ascii
$url1 = "/cfg/" wide
$url2 = "/loader/complete/" wide
$url3 = "/log/" wide
$url4 = "/dlls/" wide
$upat = /\.exe;;;\d;\d;\d\]\|\[http/
$x1 = "Vaultcli.dll" fullword ascii
$x2 = "Bcrypt.dll" fullword ascii
$x3 = "*.localstor" ascii
$x4 = "operator<=>" fullword ascii
$x5 = ".data$rs" fullword ascii
$x6 = "https_discordap" ascii
$o1 = { 53 56 8b 75 08 8d 85 64 ff ff ff 57 6a ff 6a 01 }
$o2 = { 6a 00 68 00 04 00 00 ff b5 a8 fe ff ff ff b5 ac }
$o3 = { ff 75 0c 8d 85 44 ff ff ff 50 e8 aa f7 ff ff 8b }
$o4 = { 8b 47 04 c6 40 19 01 8d 85 6c ff ff ff 8b 0f 50 }
$o5 = { 8d 8d ?? ff ff ff e8 5b }
condition:
((3 of ($s*) or (6 of ($txt*) and 2 of ($s*)) or ($upat and 1 of ($s*) and 2 of ($txt*)) or (all of ($url*) and (2 of ($txt*) or 1 of ($s*)))) or (uint16(0) == 0x5a4d and all of ($x*) or (all of ($o*) and 3 of ($x*))))
}
rule MALWARE_Win_RemoteUtilitiesRAT {
meta:
author = "ditekSHen"
description = "RemoteUtilitiesRAT RAT payload"
clamav_sig = "MALWARE.Win.Trojan.RemoteUtilitiesRAT"
strings:
$s1 = "rman_message" wide
$s2 = "rms_invitation" wide
$s3 = "rms_host_" wide
$s4 = "rman_av_capture_settings" wide
$s5 = "rman_registry_key" wide
$s6 = "rms_system_information" wide
$s7 = "_rms_log.txt" wide
$s8 = "rms_internet_id_settings" wide
condition:
uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Win_SlothfulMedia {
meta:
author = "ditekSHen"
description = "SlothfulMedia backdoor payload"
strings:
$x1 = /ExtKeylogger(Start|Stop)/ fullword ascii
$x2 = /ExtService(Add|Delete|Start|Stop)/ fullword ascii
$x3 = /ExtRegKey(Add|Del)/ fullword ascii
$x4 = /ExtRegItem(Add|Del)/ fullword ascii
$x5 = "ExtUnload" fullword ascii
$s1 = "Local Security Process" fullword wide
$s2 = "Global%s%d" fullword wide
$s3 = "%s%s_%d.dat" fullword wide
$s4 = "\\AppIni" fullword wide
$s5 = "%s.tmp" fullword wide
$s6 = "\\SetupUi" fullword wide
$s7 = "%s|%s|%s|%s" fullword wide
$s8 = "\\ExtInfo" fullword wide
$cnc1 = "/v?m=" fullword ascii
$cnc2 = "%s&i=%d" fullword ascii
$cnc3 = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75" fullword ascii
$cnc4 = "Content-Length: %d" fullword ascii
condition:
uint16(0) == 0x5a4d and (3 of ($x*) or 7 of ($s*) or all of ($cnc*) or (1 of ($x*) and 4 of ($s*)))
}
rule MALWARE_Win_IRCBot {
meta:
author = "ditekSHen"
description = "IRCBot payload"
strings:
$s1 = ".okuninstall" fullword wide
$s2 = ".oksnapshot" fullword wide
$s3 = "\\uspread.vbs" fullword wide
$s4 = "KEYLogger" ascii nocase
$s5 = "GetKeyLogs" fullword ascii
$s6 = "GetLoocationInfo" fullword ascii
$s7 = "CaputerScreenshot" fullword ascii
$s8 = "get_SCRIPT_DATA" fullword ascii
$s9 = /irc_(server|nickname|password|channle)/ fullword ascii
$s10 = "machine_screenshot" fullword ascii
$s11 = "CollectPassword" fullword ascii
$s12 = "USBInfection" fullword ascii nocase
$cnc1 = "&command=UpdateAndGetTasks&machine_id=" wide
$cnc2 = "&machine_os=1&privateip=" wide
$cnc3 = "&command=InsertTaskExecution&excuter_id=" wide
$cnc4 = "&command=RegisterNewMachine" wide
$cnc5 = "&command=UpdateNewMachine" wide
$cnc6 = "&command=GetPayloads&keys=" wide
$cnc7 = "&command=SaveSnapshot" wide
$pdb = "\\Projects\\USBStarter\\USBStarter\\obj\\Release\\USBStarter.pdb" ascii
condition: uint16(0) == 0x5a4d and (7 of ($s*) or 3 of ($cnc*) or ($pdb and 2 of them))
}
rule MALWARE_Win_Apocalypse {
meta:
author = "ditekSHen"
description = "Apocalypse infostealer payload"
strings:
$s1 = "OpenClipboard" fullword ascii
$s2 = "SendARP" fullword ascii
$s3 = "GetWebRequest" fullword ascii
$s4 = "DotNetGuard" fullword ascii
$s5 = "set_CreateNoWindow" fullword ascii
$s6 = "UploadFile" fullword ascii
$s7 = "GetHINSTANCE" fullword ascii
$s8 = "Kill" fullword ascii
$s9 = "GetProcesses" fullword ascii
$s10 = "get_PrimaryScreen" fullword ascii
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_Osno {
meta:
author = "ditekSHen"
description = "Osno ransomware and infostealer payload"
strings:
$s1 = ".HolyGate+<>c+<<FinalBoss>" ascii
$s2 = /Osno(Keylogger|Stealer|Ransom)/ wide
$s3 = "password,executeWebhook('Account credentials" wide
$s4 = "-Name Osno -PropertyType" wide
$s5 = "process.env.hook" ascii
$s6 = "Stealer.JSON.JsonValue" ascii
$s7 = "<DetectBrowserss>b_" ascii
$s8 = "<TryGetDiscordPath>b_" ascii
$s9 = "antiVM" fullword ascii
$s10 = "downloadurl" fullword ascii
$s11 = "set_sPassword" fullword ascii
$txt0 = "{0} {1} .txt" fullword wide
$txt1 = "\\ScanningNetworks.txt" fullword wide
$txt2 = "\\SteamApps.txt" fullword wide
$txt3 = "-ErrorsLogs.txt" fullword wide
$txt4 = "-keylogs.txt" fullword wide
$txt5 = "Hardware & Soft.txt" fullword wide
$cnc0 = "/csharp/" ascii wide
$cnc1 = "token=" ascii wide
$cnc2 = "&timestamp=" ascii wide
$cnc3 = "&session_id=" ascii wide
$cnc4 = "&aid=" ascii wide
$cnc5 = "&secret=" ascii wide
$cnc6 = "&api_key" ascii wide
$cnc7 = "&session_key=" ascii wide
$cnc8 = "&type=" ascii wide
condition: (uint16(0) == 0x5a4d and (6 of ($s*) or 4 of ($txt*) or (4 of ($s*) and 2 of ($txt*)))) or (7 of ($cnc*))
}
rule MALWARE_Win_BetaBot {
meta:
author = "ditekSHen"
description = "BetaBot payload"
strings:
$s1 = "__restart" fullword ascii
$s2 = "%SystemRoot%\\SysWOW64\\tapi3.dll" fullword wide
$s3 = "%SystemRoot%\\system32\\tapi3.dll" fullword wide
$s4 = "publicKeyToken=\"6595b64144ccf1df\"" ascii
$s5 = "VirtualProtectEx" fullword ascii
condition: uint16(0) == 0x5a4d and filesize < 600KB and all of them
}
rule MALWARE_Win_WSHRATPlugin {
meta:
author = "ditekSHen"
description = "WSHRAT keylogger plugin payload"
snort_sid = "920010-920012"
clamav_sig = "MALWARE.Win.Trojan.WSHRAT-KLG"
strings:
$s1 = "GET /open-keylogger HTTP/1.1" fullword wide
$s2 = "KeyboardChange: nCode={0}, wParam={1}, vkCode={2}, scanCode={3}, flags={4}, dwExtraInfo={6}" wide
$s3 = "MouseChange: nCode={0}, wParam={1}, x={2}, y={3}, mouseData={4}, flags={5}, dwExtraInfo={7}" wide
$s4 = "sendKeyLog" fullword ascii
$s5 = "saveKeyLog" fullword ascii
$s6 = "get_TotalKeyboardClick" fullword ascii
$s7 = "get_SessionMouseClick" fullword ascii
$pdb = "\\Android\\documents\\visual studio 2010\\Projects\\Keylogger\\Keylogger\\obj\\x86\\Debug\\Keylogger.pdb" ascii
condition: uint16(0) == 0x5a4d and filesize < 100KB and 4 of them
}
rule MALWARE_Win_RevengeRAT {
meta:
author = "ditekSHen"
description = "RevengeRAT and variants payload"
snort_sid = "920000-920002"
strings:
$l1 = "Lime.Connection" fullword ascii
$l2 = "Lime.Packets" fullword ascii
$l3 = "Lime.Settings" fullword ascii
$l4 = "Lime.NativeMethods" fullword ascii
$s1 = "GetAV" fullword ascii
$s2 = "keepAlivePing!" fullword ascii wide
$s3 = "Revenge-RAT" fullword ascii wide
$s4 = "*-]NK[-*" fullword ascii wide
$s5 = "RV_MUTEX" fullword ascii wide
$s6 = "set_SendBufferSize" fullword ascii
$s7 = "03C7F4E8FB359AEC0EEF0814B66A704FC43FB3A8" fullword ascii
$s8 = "5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41" fullword ascii
$s9 = "\\RevengeRAT\\" ascii
$q1 = "Select * from AntiVirusProduct" fullword ascii wide
$q2 = "SELECT * FROM FirewallProduct" fullword ascii wide
$q3 = "select * from Win32_Processor" fullword ascii wide
condition: uint16(0) == 0x5a4d and ((1 of ($l*) and 3 of ($s*)) or (all of ($q*) and 3 of ($s*)) or 3 of ($s*))
}
rule MALWARE_Win_TRAT {
meta:
author = "ditekSHen"
description = "TRAT payload"
clamav_sig = "MALWARE.Win.Trojan.TRAT"
strings:
$s1 = "^STEAM_0:[0-1]:([0-9]{1,10})$" fullword wide
$s2 = "^7656119([0-9]{10})$" fullword wide
$s3 = "Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData)" ascii
$s4 = "\"schtasks\", \"/delete /tn UpdateWindows /f\");" ascii
$s5 = "ProcessWindowStyle.Hidden" ascii
$s6 = "+<>c+<<ListCommands>" ascii
$s7 = "//B //Nologo *Y" fullword ascii
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_CryptBot {
meta:
author = "ditekSHen"
description = "CryptBot/Fugrafa stealer payload"
snort2_sid = "920110"
snort3_sid = "920108"
clamav_sig = "MALWARE.Win.Trojan.CryptBot"
strings:
$s1 = "Username: %wS" fullword wide
$s2 = "Computername: %wS" fullword wide
$s3 = "/c rd /s /q %" wide
$s4 = "IP: N0t_IP" fullword wide
$s5 = "Country: N0t_Country" fullword wide
$s6 = "password-check" fullword ascii
$s7 = "Content-Disposition: form-data; name=\"file\"; filename=\"" ascii wide
$s8 = "[ %wS ]" wide
$s9 = "EXE_PATH:" wide
$s10 = "Username (Computername):" wide
$s11 = "Operating system language:" wide
$s12 = "/index.php" wide
$f1 = "*ledger*.txt" fullword wide
$f2 = "*crypto*.xlsx" fullword wide
$f3 = "*private*.txt" fullword wide
$f4 = "*wallet*.dat" fullword wide
$f5 = "*pass*.txt" fullword wide
$f6 = "*bitcoin*.txt" fullword wide
$p1 = "%USERPROFILE%\\Desktop\\*.txt" fullword wide
$p2 = "%USERPROFILE%\\Desktop\\secret.txt" fullword wide
$p3 = "%USERPROFILE%\\Desktop\\report.doc" fullword wide
$pattern1 = /(files_|_Files)\\(_?)(cookies|cryptocurrency|forms|passwords|system_info|screenshot|screen_desktop|information|files|wallet|cc|Coinomi)\\?(\.txt|\.jpg|\.jpeg)?/ ascii wide nocase
$pattern2 = /%(s|ws)\\%(s|ws)\\(Login Data|Cookies|Web Data)/ fullword wide
$pattern3 = /(_AllPasswords_list.txt|_AllForms_list.txt|_AllCookies_list.txt|_All_CC_list.txt|_Information.txt|_Info.txt|_Screen_Desktop.jpeg)/ fullword wide
condition: uint16(0) == 0x5a4d and ((5 of ($s*) and 1 of ($p*)) or (4 of ($s*) and 1 of ($f*) and 1 of ($p*)) or (2 of ($pattern*) and 3 of ($s*)) or (#pattern1 > 6 and (2 of ($s*) or 1 of ($p*))))
}
rule MALWARE_Win_Matiex {
meta:
author = "ditekSHen"
description = "Matiex/XetimaLogger keylogger payload"
clamav_sig = "MALWARE.Win.Trojan.MatiexKeylogger"
strings:
$id = "--M-A-T-I-E-X--K-E-Y-L-O-G-E-R--" ascii wide
$s1 = "StartKeylogger" fullword ascii
$s2 = "_KeyboardLoggerTimer" ascii
$s3 = "_ScreenshotLoggerTimer" ascii
$s4 = "_VoiceRecordLogger" ascii
$s5 = "_ClipboardLoggerTimer" ascii
$s6 = "get_logins" fullword ascii
$s7 = "get_processhackerFucked" fullword ascii
$s8 = "_ThePSWDSenders" fullword ascii
$pdb = "\\Before FprmT\\Document VB project\\FireFox Stub\\FireFox Stub\\obj\\Debug\\VNXT.pdb" ascii
condition:
uint16(0) == 0x5a4d and ($id or 4 of ($s*) or ($pdb and 2 of them))
}
rule MALWARE_Win_IAmTheKingKeylogger {
meta:
author = "ditekSHen"
description = "IAmTheKing Keylogger payload"
clamav_sig = "MALWARE.Win.Trojan.IAmTheKingKeylogger"
strings:
$s1 = "[TIME:]%d/%d/%d %02d:%02d:%02d" fullword ascii
$s2 = "[TITLE:]" fullword ascii
$s3 = "%s-%02d-%02d-%02d-%02d" fullword ascii
$s4 = "[DATA]:" fullword ascii
$s5 = "[BK]" fullword ascii
$s6 = "Log.txt" fullword ascii
$s7 = "sonme hting is wrong x" fullword ascii
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_IAmTheKingScrCap {
meta:
author = "ditekSHen"
description = "IAmTheKing screen capture payload"
strings:
$s1 = "@MyScreen.jpg" fullword wide
$s2 = "DISPLAY" fullword wide
$s3 = ".?AVCImage@ATL@@" fullword ascii
$s4 = ".?AVGdiplusBase@Gdiplus@@" fullword ascii
$s5 = ".?AVImage@Gdiplus@@" fullword ascii
$s6 = ".?AVBitmap@Gdiplus@@" fullword ascii
$s7 = ".?AVCAtlException@ATL@@" fullword ascii
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_IAmTheKingKingOfHearts {
meta:
author = "ditekSHen"
description = "IAmTheKing King Of Hearts payload"
strings:
$s1 = "write info fail!!! GetLastError-->%u" fullword ascii
$s2 = "LookupAccountSid Error %u" fullword ascii
$s3 = "CreateServiceErrorID:%d" fullword ascii
$s4 = "In ControlServiceErrorID:%d" fullword ascii
$s5 = "In QueryServiceStatus ErrorID:%d" fullword ascii
$s6 = "Content-Disposition: form-data; name=\"%s\"; filename=\"%s\"" fullword ascii
$s7 = "hello%s" fullword ascii
$s8 = "additional header failed..." fullword ascii
$s9 = "Set Option failed errcode: %ld" fullword ascii
$s10 = "add cookie failed..." fullword ascii
$u1 = "Mozilla/4.0 (compatible; )" fullword ascii
$u2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SE)" fullword ascii
condition: uint16(0) == 0x5a4d and ((1 of ($u*) and 4 of ($s*)) or (all of ($u*) and 3 of ($s*)) or (5 of them))
}
rule MALWARE_Win_CobaltStrike {
meta:
author = "ditekSHen"
description = "CobaltStrike payload"
strings:
$s1 = "%%IMPORT%%" fullword ascii
$s2 = "www6.%x%x.%s" fullword ascii
$s3 = "cdn.%x%x.%s" fullword ascii
$s4 = "api.%x%x.%s" fullword ascii
$s5 = "%s (admin)" fullword ascii
$s6 = "could not spawn %s: %d" fullword ascii
$s7 = "Could not kill %d: %d" fullword ascii
$s8 = "Could not connect to pipe (%s): %d" fullword ascii
$s9 = /%s\.\d[(%08x).]+\.%x%x\.%s/ ascii
$pwsh1 = "IEX (New-Object Net.Webclient).DownloadString('http" ascii
$pwsh2 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
condition: uint16(0) == 0x5a4d and (5 of ($s*) or (all of ($pwsh*) and 2 of ($s*)) or (#s9 > 6 and 4 of them))
}
rule MALWARE_Win_RedLineDropperAHK {
meta:
author = "ditekSHen"
description = "Detects AutoIt/AutoHotKey executables dropping RedLine infostealer"
clamav_sig = "MALWARE.Win.Trojan.RedLineDropper-AHK"
strings:
$s1 = ".SetRequestHeader(\"User-Agent\",\" ( \" OSName \" | \" bit \" | \" CPUNAme \"\"" ascii
$s2 = ":= \" | Windows Defender\"" ascii
$s3 = "WindowSpy.ahk" wide
$s4 = ">AUTOHOTKEY SCRIPT<" fullword wide
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_DLAgent01 {
meta:
author = "ditekSHen"
description = "Detects known downloader agent"
snort_sid = "920007"
clamav_sig = "MALWARE.Win.Trojan.DLAgent01"
strings:
$s1 = "Mozilla/5.0 Gecko/41.0 Firefox/41.0" fullword wide
$s2 = "/Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List" fullword wide
$s3 = "GUID.log" fullword wide
$s4 = "NO AV" fullword wide
$s5 = "%d:%I64d:%I64d:%I64d" fullword wide
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Linux_PLEAD {
meta:
author = "ditekSHen"
description = "PLEAD Linux payload"
clamav_sig = "MALWARE.Linux.Trojan.PLEAD"
strings:
$x1 = "CFileTransfer" ascii
$x2 = "CFileManager" ascii
$x3 = "CPortForward" ascii
$x4 = "CPortForwardManager" ascii
$x5 = "CRemoteShell" ascii
$x6 = "CSockClient" ascii
$s1 = "/proc/self/exe" fullword ascii
$s2 = "/bin/sh" fullword ascii
$s3 = "echo -e '" ascii
$s4 = "%s <DIR> %s" ascii
$s5 = "%s %lld %s" ascii
$s6 = "Files: %d Size: %lld" ascii
$s7 = "Dirs: %d" ascii
$s8 = "%s(%s)/" ascii
$s9 = "%s %s %s %s" ascii
condition:
uint16(0) == 0x457f and (all of ($x*) or all of ($s*) or 12 of them)
}
rule MALWARE_Win_CRAT {
meta:
author = "ditekSHen"
description = "Detects CRAT main DLL"
strings:
$s1 = "cmd /c \"dir %s /s >> %s\"" wide
$s2 = "Set-Cookie:\\b*{.+?}\\n" wide
$s3 = "Location: {[0-9]+}" wide
$s4 = "Content-Disposition: form-data; name=\"%s\"; filename=\"" ascii
$s6 = "%serror.log" wide
$v2x_1 = "?timestamp=%u" wide
$v2x_2 = "config.txt" wide
$v2x_3 = "entdll.dll" wide
$v2x_4 = "\\cmd.exe" wide
$v2x_5 = "[MyDocuments]" wide
$v2x_6 = "@SetWindowTextW FindFileExA" wide
$v2x_7 = "Microsoft\\Windows\\WinX\\Group1\\*.exe" wide
$v2s_1 = "Installed Anti Virus Programs" ascii
$v2s_2 = "Running Processes" ascii
$v2s_3 = "id=%u&content=" ascii
condition: uint16(0) == 0x5a4d and (all of ($s*) or 6 of ($v2x*) or all of ($v2s*) or (2 of ($v2s*) and 4 of ($v2x*)))
}
rule MALWARE_Win_CRATPluginKeylogger {
meta:
author = "ditekSHen"
description = "Detects CRAT keylogger plugin DLL"
clamav_sig = "MALWARE.Win.Trojan.CRAT"
strings:
$ai1 = "VM detected!" fullword wide
$ai2 = "Sandbox detected!" fullword wide
$ai3 = "Debug detected!" fullword wide
$ai4 = "Analysis process detected!" fullword wide
$s1 = "Create KeyLogMutex %s failure %d" wide
$s2 = "Key Log Mutex already created! %s" wide
$s3 = /KeyLogThread\s(started|finished|terminated)!/ wide
$s4 = /KeyLog_(x64|x32|Win64|Win32)_DllRelease\.dll/ fullword ascii
condition: uint16(0) == 0x5a4d and ((all of ($ai*) and 1 of ($s*)) or (3 of ($s*) and 1 of ($ai*)) or 5 of them)
}
rule MALWARE_Win_CRATPluginClipboardMonitor {
meta:
author = "ditekSHen"
description = "Detects CRAT Clipboad Monitor plugin DLL"
strings:
$ai1 = "VM detected!" fullword wide
$ai2 = "Sandbox detected!" fullword wide
$ai3 = "Debug detected!" fullword wide
$ai4 = "Analysis process detected!" fullword wide
$s1 = "Clipboard Monitor Mutex [%s] already created!" wide
$s2 = "ClipboardMonitorThread started!" fullword wide
$s3 = /MonitorClipboardThread\s(finished|terminated)!/ wide
$s4 = /ClipboardMonitor_(x64|x32|Win64|Win32)_DllRelease\.dll/ fullword ascii
condition: uint16(0) == 0x5a4d and ((all of ($ai*) and 1 of ($s*)) or (3 of ($s*) and 1 of ($ai*)) or 5 of them)
}
rule MALWARE_Win_CRATPluginScreenCapture {
meta:
author = "ditekSHen"
description = "Detects CRAT Screen Capture plugin DLL"
strings:
$ai1 = "VM detected!" fullword wide
$ai2 = "Sandbox detected!" fullword wide
$ai3 = "Debug detected!" fullword wide
$ai4 = "Analysis process detected!" fullword wide
$s1 = "User is inactive!, give up capture" wide
$s2 = "Capturing screen..." wide
$s3 = "%s\\P%02d%lu.tmp" fullword wide
$s4 = "CloseHandle ScreenCaptureMutex failure! %d" fullword wide
$s5 = "ScreenCaptureMutex already created! %s" fullword wide
$s6 = "Create ScreenCaptureMutex %s failure %d" fullword wide
$s7 = /ScreenCaptureThread\s(finished|terminated)!/ wide
$s8 = /ScreenCapture_(x64|x32|Win64|Win32)_DllRelease\.dll/ fullword ascii
condition: uint16(0) == 0x5a4d and ((all of ($ai*) and 1 of ($s*)) or (3 of ($s*) and 1 of ($ai*)) or 6 of them)
}
rule MALWARE_Win_CRATPluginRansomHansom {
meta:
author = "ditekSHen"
description = "Detects CRAT Hansom Ransomware plugin DLL"
strings:
$cmd1 = "/f /im \"%s\"" wide
$cmd2 = "add HKLM\\%s /v %s /t REG_DWORD /d %d /F" wide
$cmd3 = "add HKCU\\%s /v %s /t REG_DWORD /d %d /F" wide
$cmd4 = "\"%s\" a -y -ep -k -r -s -ibck -df -m0 -hp%s -ri1:%d \"%s\" \"%s\"" wide
$s1 = "\\hansom.jpg" wide
$s2 = "HansomMain" fullword ascii wide
$s3 = "ExtractHansom" fullword ascii wide
$s4 = "Hansom2008" fullword ascii
$s5 = ".hansomkey" fullword wide
$s6 = ".hansom" fullword wide
$s7 = /Ransom_(x64|x32|Win64|Win32)_DllRelease\.dll/ fullword ascii
condition: uint16(0) == 0x5a4d and ((2 of ($cmd*) and 2 of ($s*)) or (4 of ($s*) and 1 of ($cmd*)) or 6 of them)
}
rule MALWARE_Win_AlienCrypter {
meta:
author = "ditekSHen"
description = "Detects AlienCrypter injector/downloader/obfuscator"
strings:
$s1 = ".AlienRunPE." ascii wide
$s2 = "RunAsNewUser_RunDLL" fullword wide
$s3 = { 00 50 52 4f 43 45 53 53 5f 53 55 53 50 45 4e 44 5f 52 45 53 55 4d 45 00 64 6e 6c 69 62 2e 50 45 00 }
$s4 = { 2e 41 6c 69 65 6e 52 75 6e 50 45 00 50 52 4f 43 45 53 53 5f 54 45 52 4d 49 4e 41 54 45 00 }
$s5 = "@@@http" wide
$resp1 = "</p><p>@@@77,90," ascii wide
$resp2 = "</p><p>@@@HH,JA," ascii wide
condition: (uint16(0) == 0x5a4d and 3 of them) or (1 of ($resp*) and 2 of ($s*))
}
rule MALWARE_Win_Ficker {
meta:
author = "ditekSHen"
description = "Detects Ficker infostealer"
clamav_sig = "MALWARE.Win.Trojan.Ficker"
strings:
$s1 = "JNOde\\" ascii
$s2 = "\"SomeNone" fullword ascii
$s3 = "kindmessage" fullword ascii
$s4 = "..\\\\?\\.\\UNC\\Windows stdio in console mode does not support writting non-UTF-8 byte sequences" ascii
$s5 = "..\\\\?\\.\\UNC\\Windows stdio in console mode does not support writing non-UTF-8 byte sequences" ascii
$s6 = "(os error other os erroroperation interrruptedwrite zerotimed" ascii
$s7 = "(os error other os erroroperation interruptedwrite zerotimed" ascii
$s8 = "nPipeAlreadyExistsWouldBlockInvalidInputInvalidDataTimedOutWriteZeroInterruptedOtherN" fullword ascii
$s9 = "_matherr(): %s in %s(%g, %g) (retval=%g)" ascii
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_Xorist {
meta:
author = "ditekSHen"
description = "Detects Xorist ransomware"
clamav_sig = "MALWARE.Win.Ransomware.Xorist"
strings:
$x1 = { 00 4d 00 41 00 47 00 45 00 0b 00 50 00 55 00
53 00 53 00 59 00 4c 00 49 00 43 00 4b 00 45
00 52 00 }
$x2 = { 30 70 33 6e 53 4f 75 72 63 33 20 58 30 72 31 35
37 2c 20 6d 6f 74 68 65 72 66 75 63 6b 65 72 21
00 70 75 73 73 79 6c 69 63 6b 65 72 00 2e 62 6d
70 00 2e 00 2e 2e 00 6f 70 65 6e 00 2e 65 78 65 }
$s1 = "\\shell\\open\\command" fullword ascii
$s2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" fullword ascii
$s3 = "CRYPTED!" fullword ascii
$s4 = "Attention!" fullword ascii
$s5 = "Password:" fullword ascii
$s6 = { 43 6f 6d 53 70 65 63 00 2f 63 20 64 65 6c 20 22 00 22 20 3e 3e 20 4e 55 4c }
condition: uint16(0) == 0x5a4d and (all of ($x*) or 5 of ($s*) or (1 of ($x*) and 3 of ($s*)))
}
rule MALWARE_Win_PYSA {
meta:
author = "ditekSHen"
description = "Detects PYSA/Mespinoza ransomware"
clamav_sig = "MALWARE.Win.Ransomware.PYSA"
strings:
$s1 = "%s\\Readme.README" fullword wide
$s2 = "Every byte on any types of your devices was encrypted" ascii
$s3 = { 6c 65 67 61 6c 6e 6f 74 69 63 65 74 65 78 74 00 (50|70) (59|79) (53|73) (41|61) }
$s4 = { 6c 65 67 61 6c 6e 6f 74 69 63 65 63 61 70 74 69 6f 6e 00 00 (50|70) (59|79) (53|73) (41|61) }
$s5 = { 2e 62 61 74 00 00 6f 70 65 6e 00 00 00 00 53
4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f
66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72
65 6e 74 56 65 72 73 69 6f 6e 5c 50 6f 6c 69
63 69 65 73 5c 53 79 73 74 65 6d 00 00 00 }
$f1 = ".?AVPK_EncryptorFilter@CryptoPP@@" ascii
$f2 = ".?AV?$TF_EncryptorImpl@" ascii
$f3 = "@VTF_EncryptorBase@CryptoPP@@" ascii
condition: uint16(0) == 0x5a4d and all of ($f*) and 3 of ($s*)
}
rule MALWARE_Win_Polar {
meta:
author = "ditekSHen"
description = "Detects Polar ransomware"
clamav_sig = "MALWARE.Win.Ransomware.Polar"
strings:
$s1 = "Encrypt Failed ! ErrorMessage :" wide
$s2 = ".locked" fullword wide
$s3 = ".cryptd" fullword wide
$s4 = "$SysReset" fullword wide
$s5 = "Polar.Properties.Resources" ascii wide
$s6 = "AES_EnDecryptor.Basement" fullword ascii
$s7 = "RunCMDCommand" fullword ascii
$s8 = "killerps_list" fullword ascii
$s9 = "clearlog" fullword ascii
$s10 = "encryptFile" fullword ascii
$s11 = "changeBackPictrue" fullword ascii
$pdb1 = "\\Ransomware_ALL_encode\\dir_file\\obj\\x86\\Release\\Encode.pdb" ascii
$pdb2 = "\\Ransomware_ALL_encode\\dir_file\\obj\\x64\\Release\\Encode.pdb" ascii
condition: uint16(0) == 0x5a4d and (8 of ($s*) or (1 of ($pdb*) and 2 of ($s*)))
}
rule MALWARE_Win_BitRAT {
meta:
author = "ditekSHen"
description = "Detects BitRAT RAT"
clamav_sig = "MALWARE.Win.Trojan.BitRAT"
strings:
$s1 = "\\plg\\" fullword ascii
$s2 = "klgoff_del" fullword ascii
$s3 = "files_delete" ascii
$s4 = "files_zip_start" fullword ascii
$s5 = "files_exec" fullword ascii
$s6 = "drives_get" fullword ascii
$s7 = "srv_list" fullword ascii
$s8 = "con_list" fullword ascii
$s9 = "ddos_stop" fullword ascii
$s10 = "socks5_srv_start" fullword ascii
$s11 = "/getUpdates?offset=" fullword ascii
$s12 = "Action: /dlex" fullword ascii
$s13 = "Action: /clsbrw" fullword ascii
$s14 = "Action: /usb" fullword ascii
$s15 = "/klg" fullword ascii
$s16 = "klg|" fullword ascii
$s17 = "Slowloris" fullword ascii
$s18 = "Bot ID:" ascii
$t1 = "<sz>N/A</sz>" fullword ascii
$t2 = "<silent>N/A</silent>" fullword ascii
condition: uint16(0) == 0x5a4d and (7 of ($s*) or (4 of ($s*) and 1 of ($t*)))
}
rule MALWARE_Win_Poullight {
meta:
author = "ditekSHen"
description = "Detects Poullight infostealer"
snort2_sid = "920074-920075"
snort3_sid = "920074-920075"
clamav_sig = "MALWARE.Win.Trojan.Poullight"
strings:
$s1 = "zipx" fullword wide
$s2 = "{0}Windows Defender.exe" fullword wide
$s3 = "pll_test" fullword wide
$s4 = "loginusers.vdf" wide
$s5 = "Stealer by Nixscare" wide
$s6 = "path_lad" fullword ascii
$s7 = "<CheckVM>" ascii
$s8 = "Poullight.Properties" ascii
$s9 = "</ulfile>" fullword wide
$s10 = "{0}processlist.txt" fullword wide
$s11 = "{0}Browsers\\Passwords.txt" fullword wide
condition: uint16(0) == 0x5a4d and 7 of them
}
rule MALWARE_Win_SnakeKeylogger {
meta:
author = "ditekSHen"
description = "Detects Snake Keylogger"
clamav_sig = "MALWARE.Win.Trojan.SnakeKeylogger"
strings:
$id1 = "SNAKE-KEYLOGGER" fullword ascii
$id2 = "----------------S--------N--------A--------K--------E----------------" ascii
$s1 = "_KPPlogS" fullword ascii
$s2 = "_Scrlogtimerrr" fullword ascii
$s3 = "_Clpreptimerr" fullword ascii
$s4 = "_clprEPs" fullword ascii
$s5 = "_kLLTIm" fullword ascii
$s6 = "_TPSSends" fullword ascii
$s7 = "_ProHfutimer" fullword ascii
$s8 = "GrabbedClp" fullword ascii
$s9 = "StartKeylogger" fullword ascii
// Snake Keylogger Stub New
$x1 = "$%SMTPDV$" wide
$x2 = "$#TheHashHere%&" wide
$x3 = "%FTPDV$" wide
$x4 = "$%TelegramDv$" wide
$x5 = "KeyLoggerEventArgs" ascii
$m1 = "| Snake Keylogger" ascii wide
$m2 = /(Screenshot|Clipboard|keystroke) Logs ID/ ascii wide
$m3 = "SnakePW" ascii wide
$m4 = "\\SnakeKeylogger\\" ascii wide
condition: (uint16(0) == 0x5a4d and (all of ($id*) or 6 of ($s*) or (1 of ($id*) and 3 of ($s*)) or 4 of ($x*))) or (2 of ($m*))
}
rule MALWARE_Linux_XORDDoS {
meta:
author = "ditekSHen"
description = "Detects XORDDoS"
strings:
$s1 = "for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done" fullword ascii
$s2 = "cp /lib/libudev.so /lib/libudev.so.6" fullword ascii
$s3 = "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab" fullword ascii
$s4 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)" fullword ascii
condition:
uint32(0) == 0x464c457f and 3 of them
}
rule MALWARE_Win_BlackNET {
meta:
author = "ditekSHen"
description = "Detects BlackNET RAT"
snort2_sid = "920079-920082"
snort3_sid = "920079-920082"
clamav_sig = "MALWARE.Win.Trojan.BlackNET"
strings:
$s1 = "SbieCtrl" fullword wide
$s2 = "SpyTheSpy" fullword wide
$s3 = "\\BlackNET.dat" fullword wide
$s4 = "StartDDOS" fullword wide
$s5 = "UDPAttack" fullword wide
$s6 = "ARMEAttack" fullword wide
$s7 = "TCPAttack" fullword wide
$s8 = "HTTPGetAttack" fullword wide
$s9 = "RetriveLogs" fullword wide
$s10 = "StealPassword" fullword wide
$s11 = "/create /f /sc ONSTART /RL HIGHEST /tn \"'" fullword wide
$b1 = "DeleteScript|BN|" fullword wide
$b2 = "|BN|Online" fullword wide
$b3 = "NewLog|BN|" fullword wide
$cnc1 = "/getCommand.php?id=" fullword wide
$cnc2 = "/upload.php?id=" fullword wide
$cnc3 = "connection.php?data=" fullword wide
$cnc4 = "/receive.php?command=" fullword wide
condition: uint16(0) == 0x5a4d and (9 of ($s*) or all of ($cnc*) or all of ($b*) or 12 of them)
}
rule MALWARE_Win_StormKitty {
meta:
author = "ditekSHen"
description = "Detects StormKitty infostealer"
clamav_sig = "MALWARE.Win.Trojan.StormKitty"
strings:
$x1 = "\\ARTIKA\\Videos\\Chrome-Password-Recovery" ascii
$x2 = "https://github.com/LimerBoy/StormKitty" fullword ascii
$x3 = "StormKitty" fullword ascii
$s1 = "GetBSSID" fullword ascii
$s2 = "GetAntivirus" fullword ascii
$s3 = "C:\\Users\\Public\\credentials.txt" fullword wide
$s4 = "^([a-zA-Z0-9_\\-\\.]+)@([a-zA-Z0-9_\\-\\.]+)\\.([a-zA-Z]{2,5})$" fullword wide
$s5 = "BCrypt.BCryptGetProperty() (get size) failed with status code:{0}" fullword wide
$s6 = "\"encrypted_key\":\"(.*?)\"" fullword wide
condition: uint16(0) == 0x5a4d and (2 of ($x*) or 5 of ($s*) or (3 of ($s*) and 1 of ($x*)))
}
rule MALWARE_Win_Bulz01 {
meta:
author = "ditekSHen"
description = "Detects trojan loader"
strings:
$s1 = "DisableTrivet.dll" fullword ascii
condition: uint16(0) == 0x5a4d and pe.is_dll() and all of ($s*) and (
pe.exports("Ordinal") or pe.exports("Chechako") or pe.exports("Originator") or pe.exports("Repressions")
)
}
rule MALWARE_Win_RevCodeRAT {
meta:
author = "ditekSHen"
description = "Detects RevCode/WebMonitor RAT"
snort2_sid = "920070"
snort3_sid = "920070"
clamav_sig = "MALWARE.Win.Trojan.RevCodeRAT"
strings:
$x1 = "rev-novm.dat" fullword wide
$x2 = "WebMonitor-" fullword wide
$x3 = "WebMonitor Client" fullword wide
$x4 = "Launch WebMonitor" fullword wide
$s1 = "KEYLOG_DEL" fullword ascii
$s2 = "KEYLOG_STREAM_START" fullword ascii
$s3 = "send_keylog_del" fullword ascii
$s4 = "send_keylog_stream_" ascii
$s5 = "send_shell_exec" fullword ascii
$s6 = "send_file_download_exec" fullword ascii
$s7 = "send_pdg_exec" fullword ascii
$s8 = "send_app_cmd_upd" fullword ascii
$s9 = "send_webcamstream_start" fullword ascii
$s10 = "send_screenstream_start" fullword ascii
$s11 = "send_clipboard_get" fullword ascii
$s12 = "send_pdg_rev_proxy_stop" fullword ascii
$s13 = "send_shell_stop" fullword ascii
$s14 = "send_wnd_cmd" fullword ascii
$s15 = "SCREEN_STREAM_LEGACY(): Started..." fullword ascii
$s16 = "SYSTEM_INFORMATION(): Failed! (Error:" fullword ascii
$s17 = "TARGET_HOST_UPDATE(): Sync successful!" fullword ascii
$s18 = "PLUGIN_PROCESS_REVERSE_PROXY: Plugin" ascii
$s19 = "PLUGIN_PROCESS: Plugin" ascii
$s20 = "PLUGIN_EXEC: Plugin" ascii
$s21 = "PLUGIN_PROCESS_SCREEN_STREAM: Plugin" ascii
$cnc1 = "?task_id=" fullword ascii
$cnc2 = "&operation=" fullword ascii
$cnc3 = "&filesize=" fullword ascii
$cnc4 = "pos=" fullword ascii
$cnc5 = "&mode=" fullword ascii
$cnc6 = "&cmp=1" fullword ascii
$cnc7 = "&cmp=0" fullword ascii
$cnc8 = "&enc=1" fullword ascii
$cnc9 = "&enc=0" fullword ascii
$cnc10 = "&user=" fullword ascii
$cnc11 = "&uid=" fullword ascii
$cnc12 = "&key=" fullword ascii
condition: uint16(0) == 0x5a4d and (3 of ($x*) or all of ($cnc*) or 8 of ($s*) or (1 of ($x*) and 6 of ($s*)) or (6 of ($cnc*) and 6 of ($s*)))
}
rule MALWARE_Win_PowerPool_STG1 {
meta:
author = "ditekSHen"
description = "Detects first stage PowerPool backdoor"
snort2_sid = "920088"
snort3_sid = "920086"
clamav_sig = "MALWARE.Win.Trojan.PowerPool-STG-1"
strings:
$s1 = "cmd /c powershell.exe $PSVersionTable.PSVersion > \"%s\"" fullword wide
$s2 = "cmd /c powershell.exe \"%s\" > \"%s\"" fullword wide
$s3 = "rar.exe a -r %s.rar -ta%04d%02d%02d%02d%02d%02d -tb%04d%02d%02d%02d%02d%02d" fullword wide
$s4 = "MyDemonMutex%d" fullword wide
$s5 = "MyScreen.jpg" fullword wide
$s6 = "proxy.log" fullword wide
$s7 = "myjt.exe" fullword wide
$s8 = "/?id=%s&info=%s" fullword wide
$s9 = "auto.cfg" fullword ascii
$s10 = "Mozilla/5.0 (Windows NT 6.1; WOW64)" fullword wide
$s11 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)" fullword wide
$s12 = "CMD COMMAND EXCUTE ERROR!" fullword ascii
$c1 = "run.afishaonline.eu" fullword wide
$c2 = "home.Sports-Collectors.com" fullword wide
$c3 = "about.Sports-Collectors.com" fullword
$c4 = "179.43.158.15" fullword wide
$c5 = "185.227.82.35" fullword wide
condition: uint16(0) == 0x5a4d and (all of ($s*) or (1 of ($c*) and 5 of ($s*)))
}
rule MALWARE_Win_PowerPool_STG2 {
meta:
author = "ditekSHen"
description = "Detects second stage PowerPool backdoor"
snort2_sid = "920089-920091"
snort3_sid = "920087-920089"
clamav_sig = "MALWARE.Win.Trojan.PowerPool-STG-2"
strings:
$s1 = "write info fail!!! GetLastError-->%u" fullword ascii
$s2 = "LookupAccountSid Error %u" fullword ascii
$s3 = "Mozilla/4.0 (compatible; )" fullword ascii
$s4 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SE)" fullword ascii
$s5 = "Content-Disposition: form-data; name=\"%s\"" fullword ascii
$s6 = "Content-Disposition: form-data; name=\"%s\"; filename=\"%s\"" fullword ascii
$s7 = "Content-Type: multipart/form-data; boundary=--MULTI-PARTS-FORM-DATA-BOUNDARY" fullword ascii
$s8 = "in Json::Value::find" fullword ascii
$s9 = "in Json::Value::resolveReference" fullword ascii
$s10 = "in Json::Value::duplicateAndPrefixStringValue" fullword ascii
$s11 = ".?AVLogicError@Json@@" fullword ascii
$s12 = ".?AVRuntimeError@Json@@" fullword ascii
$s13 = "http:\\\\82.221.101.157:80" ascii
$s14 = "http://172.223.112.130:80" ascii
$s15 = "http://172.223.112.130:443" ascii
$s16 = "http://info.newsrental.net:80" ascii
$s17 = "%s|%I64d" ascii
$s18 = "open internet failed..." ascii
$s19 = "connect failed..." ascii
$s20 = "handle not opened..." ascii
$s21 = "corrupted regex pattern" fullword ascii
$s22 = "add cookie failed..." ascii
condition: uint16(0) == 0x5a4d and 14 of them
}
rule MALWARE_Win_Egregor {
meta:
author = "ditekSHen"
description = "Detects Egregor ransomware variants"
clamav_sig = "MALWARE.Win.Ransomware.Egregor"
strings:
$s1 = "C:\\Logmein\\{888-8888-9999}\\Logmein.log" fullword wide
$p1 = "--deinstall" fullword wide
$p2 = "--del" fullword wide
$p3 = "--exit" fullword wide
$p4 = "--kill" fullword wide
$p5 = "--loud" fullword wide
$p6 = "--nooperation" fullword wide
$p7 = "--nop" fullword wide
$p8 = "--skip" fullword wide
$p9 = "--useless" fullword wide
$p10 = "--yourmommy" fullword wide
$p11 = "-passegregor" ascii wide
$p12 = "-peguard" ascii wide
$p13 = "--nomimikatz" ascii wide
$p14 = "--multiproc" ascii wide
$p15 = "--killrdp" ascii wide
$p16 = "--nonet" ascii wide
$p17 = "--norename" ascii wide
$p18 = "--greetings" ascii wide
condition: (uint16(0) == 0x5a4d and pe.is_dll() and ((all of ($s*) and 1 of ($p*)) or
(
2 of them and filesize < 1000KB and
for any i in (0 .. pe.number_of_sections) : (
(
pe.sections[i].name == ".00cfg"
)
)
)
)
) or 8 of ($p*)
}
rule MALWARE_Win_DLAgent02 {
meta:
author = "ditekSHen"
description = "Detects known downloader agent downloading encoded binaries in patches from paste-like websites, most notably hastebin"
clamav_sig = "MALWARE.Win.Trojan.DLAgent02"
strings:
$x1 = "/c timeout {0}" fullword wide
$x2 = "^(https?|ftp):\\/\\/" fullword wide
$x3 = "{0}{1}{2}{3}" wide
$x4 = "timeout {0}" fullword wide
$s1 = "HttpWebRequest" fullword ascii
$s2 = "GetResponseStream" fullword ascii
$s3 = "set_FileName" fullword ascii
$s4 = "set_UseShellExecute" fullword ascii
$s5 = "WebClient" fullword ascii
$s6 = "set_CreateNoWindow" fullword ascii
$s7 = "DownloadString" fullword ascii
$s8 = "WriteByte" fullword ascii
$s9 = "CreateUrlCacheEntryW" fullword ascii
$s10 = "HttpStatusCode" fullword ascii
$s11 = "FILETIME" fullword ascii
condition: uint16(0) == 0x5a4d and filesize < 5000KB and ((2 of ($x*) and 2 of ($s*)) or (#x3 > 2 and 4 of ($s*)))
}
rule MALWARE_Win_RedLineDropperEXE {
meta:
author = "ditekSHen"
description = "Detects executables dropping RedLine infostealer"
clamav_sig = "MALWARE.Win.Trojan.RedLineDropper-EXE"
strings:
$s1 = "Wizutezinod togeto0Rowadufevomuki futenujilazem jic lefogatenezinor" fullword wide
$s2 = "6Tatafamobevofaj bizafoju peyovavacoco lizine kezakajuj" fullword wide
$s3 = "Lawuherusozeru kucu zam0Zorizeyuk lepaposupu gala kinarusot ruvasaxehuwo" fullword wide
$s4 = "ClearEventLogW" fullword ascii
$s5 = "ProductionVersion" fullword wide
$s6 = "Vasuko)Yugenizugilobo toxocivoriye yexozoyohuzeb" wide
$s7 = "Yikezevavuzus gucajanesan#Rolapucededoxu xewulep fuwehofiwifi" wide
condition: uint16(0) == 0x5a4d and (pe.exports("_fgeek@8") and 2 of them) or
(
2 of them and
for any i in (0 .. pe.number_of_sections) : (
(
pe.sections[i].name == ".rig"
)
)
)
}
rule MALWARE_Win_Nibiru {
meta:
author = "ditekSHen"
description = "Detects Nibiru ransomware"
clamav_sig = "MALWARE.Win.Ransomware.Nibiru"
strings:
$s1 = ".encrypt" fullword wide
$s2 = "crypted" fullword wide
$s3 = ".Nibiru" fullword wide
$s4 = "Encryption Complete" fullword wide
$s5 = "All your files,documents,important datas,mp4,mp3 and anything valuable" ascii
$s6 = "EncryptOrDecryptFile" fullword ascii
$s7 = "get_hacker" ascii
$s8 = "/C choice /C Y /N /D Y /T 3 & Del \"" fullword wide
$s9 = "Once You pay,you get the KEY to decrypt files" ascii
$pdb = "\\Projects\\Nibiru\\Nibiru\\obj\\x86\\Release\\Nibiru.pdb" ascii
condition: uint16(0) == 0x5a4d and (7 of them or ($pdb and 2 of ($s*)))
}
rule MALWARE_Win_MedusaLocker {
meta:
author = "ditekshen"
description = "Detects MedusaLocker ransomware"
clamav_sig = "MALWARE.Win.Ransomware.MedusaLocker"
strings:
$x1 = "\\MedusaLockerInfo\\MedusaLockerProject\\MedusaLocker\\Release\\MedusaLocker.pdb" ascii
$x2 = "SOFTWARE\\Medusa" wide
$x3 = "=?utf-8?B?0RFQctTF0YDQcNC60IXQvdC+IEludGVybmV0IED4cGxvseVyIDEz?=" ascii
$s1 = "Recovery_Instructions.mht" fullword wide
$s2 = "README_LOCK.TXT" fullword wide
$s3 = "C:\\Users\\Public\\Desktop" wide
$s4 = "[LOCKER] " wide
$s5 = "TmV3LUl0ZW0gJ2" ascii
$s6 = "<HEAD>=20" ascii
$s7 = "LIST OF ENCRYPTED FILES" ascii
$s8 = "KEY.FILE" ascii
$cmd1 = { 2f 00 63 00 20 00 64 00 65 00 6c 00 20 00 00 00 20 00 3e 00 3e 00 20 00 4e 00 55 00 4c 00 }
$cmd2 = "vssadmin.exe delete" wide nocase
$cmd3 = "bcdedit.exe /set {default}" wide
$cmd4 = "wbadmin delete systemstatebackup" wide nocase
$mut1 = "{8761ABBD-7F85-42EE-B272-A76179687C63}" fullword wide
$mut2 = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" fullword wide
$mut3 = "{6EDD6D74-C007-4E75-B76A-E5740995E24C}" fullword wide
$ext1 = { 2e 00 52 00 65 00 61 00 64 00 49 00 6e 00 73 00
74 00 72 00 75 00 63 00 74 00 69 00 6f 00 6e 00
73 00 00 00 00 00 00 00 2e 00 6b 00 65 00 76 00
65 00 72 00 73 00 65 00 6e }
$ext2 = ".exe,.dll,.sys,.ini,.lnk,.rdp,.encrypted" fullword ascii
condition:
uint16(0) == 0x5a4d and (2 of ($x*) or (1 of ($x*) and (4 of ($s*) or 1 of ($mut*))) or 6 of ($s*) or (1 of ($mut*) and 2 of ($cmd*)) or (1 of ($ext*) and 5 of them))
}
rule MALWARE_Win_RansomEXX {
meta:
author = "ditekshen"
description = "Detects RansomEXX ransomware"
clamav_sig = "MALWARE.Win.Ransomware.RansomEXX"
strings:
$id = "ransom.exx" ascii
$s1 = "!TXDOT_READ_ME!.txt" fullword wide
$s2 = "debug.txt" fullword wide
$s3 = ".txd0t" fullword wide
$s4 = "crypt_detect" fullword wide
$s5 = "powershell.exe" fullword wide
$s6 = "cipher.exe" fullword ascii wide
$s7 = "?ReflectiveLoader@@" ascii
condition:
uint16(0) == 0x5a4d and (($id and 3 of ($s*)) or all of ($*))
}
rule MALWARE_Win_QuasarStealer {
meta:
author = "ditekshen"
description = "Detects Quasar infostealer"
clamav_sig = "MALWARE.Win.Trojan.QuasarStealer"
strings:
$s1 = "PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null" fullword ascii
$s2 = "DQuasar.Common, Version=1.4.0.0, Culture=neutral, PublicKeyToken=null" fullword ascii
$s3 = "Process already elevated." fullword wide
$s4 = "get_PotentiallyVulnerablePasswords" fullword ascii
$s5 = "GetKeyloggerLogsDirectory" ascii
$s6 = "set_PotentiallyVulnerablePasswords" fullword ascii
$s7 = "BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>" ascii
condition:
uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_RedLine {
meta:
author = "ditekSHen"
description = "Detects RedLine infostealer"
snort2_sid = "920072-920073"
snort3_sid = "920072-920073"
clamav_sig = "MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2"
strings:
$s1 = { 23 00 2b 00 33 00 3b 00 43 00 53 00 63 00 73 00 }
$s2 = { 68 10 84 2d 2c 71 ea 7e 2c 71 ea 7e 2c 71 ea 7e
32 23 7f 7e 3f 71 ea 7e 0b b7 91 7e 2b 71 ea 7e
2c 71 eb 7e 5c 71 ea 7e 32 23 6e 7e 1c 71 ea 7e
32 23 69 7e a2 71 ea 7e 32 23 7b 7e 2d 71 ea 7e }
$s3 = { 83 ec 38 53 b0 ?? 88 44 24 2b 88 44 24 2f b0 ??
88 44 24 30 88 44 24 31 88 44 24 33 55 56 8b f1
b8 0c 00 fe ff 2b c6 89 44 24 14 b8 0d 00 fe ff
2b c6 89 44 24 1c b8 02 00 fe ff 2b c6 89 44 24
18 b3 32 b8 0e 00 fe ff 2b c6 88 5c 24 32 88 5c
24 41 89 44 24 28 57 b1 ?? bb 0b 00 fe ff b8 03
00 fe ff 2b de 2b c6 bf 00 00 fe ff b2 ?? 2b fe
88 4c 24 38 88 4c 24 42 88 4c 24 47 c6 44 24 34
78 c6 44 24 35 61 88 54 24 3a c6 44 24 3e 66 c6
44 24 41 33 c6 44 24 43 ?? c6 44 24 44 74 88 54
24 46 c6 44 24 40 ?? c6 44 24 39 62 c7 44 24 10 }
$s4 = "B|BxBtBpBlBhBdB`B\\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B" fullword wide
$s5 = " delete[]" fullword ascii
$s6 = "constructor or from DllMain." ascii
$x1 = "RedLine.Reburn" ascii
$x2 = "RedLine.Client." ascii
$x3 = "hostIRemotePanel, CommandLine: " fullword wide
$u1 = "<ParseCoinomi>" ascii
$u2 = "<ParseBrowsers>" ascii
$u3 = "<GrabScreenshot>" ascii
$u4 = "UserLog" ascii nocase
$u5 = "FingerPrintT" fullword ascii
$u6 = "InstalledBrowserInfoT" fullword ascii
$u7 = "RunPE" fullword ascii
$u8 = "DownloadAndEx" fullword ascii
$u9 = ".Data.Applications.Wallets" ascii
$u10 = ".Data.Browsers" ascii
$u11 = ".Models.WMI" ascii
$u12 = "DefenderSucks" wide
$pat1 = "(((([0-9.])\\d)+){1})" fullword wide
$pat2 = "^(?:2131|1800|35\\\\d{3})\\\\d{11}$" fullword wide
$pat3 = "6(?:011|5[0-9]{2})[0-9]{12}$/C" fullword wide
$pat4 = "Telegramprofiles^(6304|6706|6709|6771)[0-9]{12,15}$" fullword wide
$pat5 = "host_key^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$" fullword wide
$pat6 = "^3(?:0[0-5]|[68][0-9])[0-9]{11}$" wide
$pat7 = "settingsprotocol^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$" wide
$pat8 = "Opera GX4[0-9]{12}(?:[0-9]{3})?$cookies" wide
$pat9 = "^9[0-9]{15}$Coinomi" wide
$pat10 = "wallets^(62[0-9]{14,17})$" wide
$pat11 = "hostpasswordUsername_value" wide
$pat12 = "credit_cards^389[0-9]{11}$" wide
$pat13 = "NWinordVWinpn.eWinxe*WinhostUsername_value" wide
$pat14 = /(\/|,\s)CommandLine:/ wide
// another variant
$v2_1 = "ListOfProcesses" fullword ascii
$v2_2 = /get_Scan(ned)?(Browsers|ChromeBrowsersPaths|Discord|FTP|GeckoBrowsersPaths|Screen|Steam|Telegram|VPN|Wallets)/ fullword ascii
$v2_3 = "GetArguments" fullword ascii
$v2_4 = "VerifyUpdate" fullword ascii
$v2_5 = "VerifyScanRequest" fullword ascii
$v2_6 = "GetUpdates" fullword ascii
// yet another variant
$v3_1 = "localhost.IUserServiceu" fullword ascii
$v3_2 = "ParseNetworkInterfaces" fullword ascii
$v3_3 = "ReplyAction0http://tempuri.org/IUserService/GetUsersResponse" fullword ascii
$v3_4 = "Action(http://tempuri.org/IUserService/GetUsersT" fullword ascii
$v3_5 = "basicCfg" fullword wide
// more variants
$vx4_1 = "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\AddInProcess32.exe" fullword wide
$v4_2 = "isWow64" fullword ascii
$v4_3 = "base64str" fullword ascii
$v4_4 = "stringKey" fullword ascii
$v4_5 = "BytesToStringConverted" fullword ascii
$v4_6 = "FromBase64" fullword ascii
$v4_7 = "xoredString" fullword ascii
$v4_8 = "procName" fullword ascii
$v4_9 = "base64EncodedData" fullword ascii
// another variant 2021-10-23
$v5_1 = "DownloadAndExecuteUpdate" fullword ascii
$v5_2 = "ITaskProcessor" fullword ascii
$v5_3 = "CommandLineUpdate" fullword ascii
$v5_4 = "DownloadUpdate" fullword ascii
$v5_5 = "FileScanning" fullword ascii
$v5_6 = "GetLenToPosState" fullword ascii
$v5_7 = "RecordHeaderField" fullword ascii
$v5_8 = "EndpointConnection" fullword ascii
$v5_9 = "BCRYPT_KEY_LENGTHS_STRUCT" fullword ascii
// another variant (v11?)
$v6_1 = "%localappdata%\\" fullword wide
$v6_2 = "GetDecoded" fullword ascii
$v6_3 = "//settinString.Removeg[@name=\\PasswString.Removeord\\]/valuString.RemoveeROOT\\SecurityCenter" fullword wide
$v6_4 = "AppData\\Roaming\\ //settString.Replaceing[@name=\\UString.Replacesername\\]/vaString.Replaceluemoz_cookies" wide
$v6_5 = "<GetWindowsVersion>g__HKLM_GetString|11_0" fullword ascii
$v6_6 = "net.tcp://" fullword wide
condition: (uint16(0) == 0x5a4d and (all of ($s*) or 2 of ($x*) or 7 of ($u*) or 7 of ($pat*) or (1 of ($x*) and (5 of ($u*) or 2 of ($pat*))) or 5 of ($v2*) or 4 of ($v3*) or (3 of ($v2*) and (2 of ($pat*) or 2 of ($u*)) or (1 of ($vx4*) and 5 of ($v4*)) or 5 of ($v4*) or 6 of ($v5*)) or 5 of ($v6*) or (4 of ($v6*) and 3 of them ))) or ((all of ($x*) and 4 of ($s*)) or (4 of ($v6*) and 4 of them))
}
rule MALWARE_Win_Bandook {
meta:
author = "ditekshen"
description = "Detects Bandook backdoor"
clamav_sig = "MALWARE.Win.Trojan.Bandook"
strings:
$s1 = "\"%sLib\\dpx.pyc\" \"%ws\" \"%ws\" \"%ws\" \"%ws\" \"%ws\"" fullword wide
$s2 = "%s\\usd\\dv-%s.dat" fullword ascii
$s3 = "%sprd.dat" fullword ascii
$s4 = "%sfile\\shell\\open\\command" fullword ascii
$s5 = "explorer.exe , %s" fullword ascii
$f1 = "CaptureScreen" fullword ascii
$f2 = "StartShell" fullword ascii
$f3 = "ClearCred" fullword ascii
$f4 = "GrabFileFromDevice" fullword ascii
$f5 = "PutFileOnDevice" fullword ascii
$f6 = "ChromeInject" fullword ascii
$f7 = "StartFileMonitor" fullword ascii
$f8 = "DisableMouseCapture" fullword ascii
$f9 = "StealUSB" fullword ascii
$f10 = "DDOSON" fullword ascii
$f11 = "InstallMac" fullword ascii
$f12 = "SendCam" fullword ascii
$x1 = "RTC-TGUBP" fullword ascii
$x2 = "AVE_MARIA" fullword ascii
condition: uint16(0) == 0x5a4d and (all of ($s*) or 6 of ($f*) or (2 of ($s*) and 3 of ($f*)) or (all of ($x*) and (2 of ($f*) or 3 of ($s*))))
}
rule MALWARE_Win_Kimsuky {
meta:
author = "ditekshen"
description = "Detects Kimsuky backdoor"
clamav_sig = "MALWARE.Win.Trojan.Kimsuky"
strings:
$s1 = "Win%d.%d.%dx64" fullword ascii
$s2 = ".zip" fullword ascii
$s3 = ".enc" fullword ascii
$s4 = "&p2=a" fullword ascii
$s5 = "Content-Disposition: form-data; name=\"binary\"; filename=\"" fullword ascii
$s6 = "%s/?m=a&p1=%s&p2=%s-%s-v%d" fullword ascii
$s7 = "/?m=b&p1=" fullword ascii
$s8 = "/?m=c&p1=" fullword ascii
$s9 = "/?m=d&p1=" fullword ascii
$s10 = "http://%s/%s/?m=e&p1=%s&p2=%s&p3=%s" fullword ascii
$s11 = "taskkill.exe /im iexplore.exe /f" fullword ascii
$s12 = "GetParent" fullword ascii
$s13 = "DllRegisterServer" fullword ascii
$dll1 = "AutoUpdate.dll" fullword ascii
$dll2 = "dropper-ie64.dll" fullword ascii
condition: uint16(0) == 0x5a4d and ((1 of ($dll*) and 7 of ($s*)) or (11 of ($*)))
}
rule MALWARE_Win_DLAgent03 {
meta:
author = "ditekSHen"
description = "Detects known Delphi downloader agent downloading second stage payload, notably from discord"
clamav_sig = "MALWARE.Win.Trojan.DLAgent03"
strings:
$delph1 = "FastMM Borland Edition" fullword ascii
$delph2 = "SOFTWARE\\Borland\\Delphi" ascii
$v1_1 = "InternetOpenUrlA" fullword ascii
$v1_2 = "CreateFileA" fullword ascii
$v1_3 = "WriteFile" fullword ascii
$v2_1 = "WinHttp.WinHttpRequest.5.1" fullword ascii
$v2_2 = { 6f 70 65 6e ?? ?? ?? ?? ?? 73 65 6e 64 ?? ?? ?? ?? 72 65 73 70 6f 6e 73 65 74 65 78 74 }
// $pat is slowing down scanning
//$pat = /[a-f0-9]{168}/ fullword ascii
$url1 = "https://discord.com/" fullword ascii
$url2 = "http://www.superutils.com" fullword ascii
$url3 = "http://www.xboxharddrive.com" fullword ascii
condition: //uint16(0) == 0x5a4d and 1 of ($delph*) and $discord and ((all of ($v1*) or all of ($v2*)) or $pat)
uint16(0) == 0x5a4d and 1 of ($delph*) and 1 of ($url*) and (all of ($v1*) or 1 of ($v2*))
}
rule MALWARE_Win_Salfram {
meta:
author = "ditekSHen"
description = "Detects Salfram executables"
snort2_sid = "920085-920087"
snort3_sid = "920085"
clamav_sig = "MALWARE.Win.Trojan.Salfram"
strings:
$s1 = "!This Salfram cannot be run in DOS mode." fullword ascii
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_HawkEyeV9 {
meta:
author = "ditekshen"
description = "Detects HawkEyeV9 payload"
clamav_sig = "MALWARE.Win.Trojan.HawkEyeV9"
strings:
$id1 = "HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \\ {2}" wide
$id2 = "HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \\ {3}{0}{0}{4}" wide
$str1 = "_PasswordStealer" ascii
$str2 = "_KeyStrokeLogger" ascii
$str3 = "_ScreenshotLogger" ascii
$str4 = "_ClipboardLogger" ascii
$str5 = "_WebCamLogger" ascii
$str6 = "_AntiVirusKiller" ascii
$str7 = "_ProcessElevation" ascii
$str8 = "_DisableCommandPrompt" ascii
$str9 = "_WebsiteBlocker" ascii
$str10 = "_DisableTaskManager" ascii
$str11 = "_AntiDebugger" ascii
$str12 = "_WebsiteVisitorSites" ascii
$str13 = "_DisableRegEdit" ascii
$str14 = "_ExecutionDelay" ascii
$str15 = "_InstallStartupPersistance" ascii
condition: int16(0) == 0x5a4d and (1 of ($id*) or 5 of ($str*))
}
rule MALWARE_Win_HyperBro {
meta:
author = "ditekSHen"
description = "Detects HyperBro (class names) payload"
clamav_sig = "MALWARE.Win.Trojan.HyperBro"
strings:
$s1 = "VTClipboardInfo" ascii wide
$s2 = "VTClipboardMgr" ascii wide
$s3 = "VTFileRename" ascii wide
$s4 = "VTFileRetime" ascii wide
$s5 = "VTKeyboardInfo" ascii wide
$s6 = "VTKeyboardMgr" ascii wide
$s7 = "VTRegeditKeyInfo" ascii wide
$s8 = "VTRegeditMgr" ascii wide
$s9 = "VTRegeditValueInfo" ascii wide
$s10 = "VTFileDataRes" ascii wide
condition: uint16(0) == 0x5a4d and 9 of them
}
rule MALWARE_Linux_UNK01 {
meta:
author = "ditekSHen"
description = "Detects unknown/unidentified Linux malware"
strings:
$f1 = "%sresponse.php?status" ascii
$f2 = "%supstream.php?mid=%s&os=%s" ascii fullword
$f3 = "%supstream.php?tid=%" ascii
$f4 = "%sindex.php?token=%.32s&flag=%d&name=%s" ascii fullword
$f5 = "%sactive_off.php?id=%d&uniqu=%d" ascii fullword
$s1 = "lock:%i usable num:%i n:%i" fullword ascii
$s2 = "tid:%.*s tNumber:%i" fullword ascii
$s3 = "init.php" fullword ascii
$s4 = "mod_drone" fullword ascii
$s5 = "new_mid" fullword ascii
$s6 = "&exists[]=" fullword ascii
$s7 = "&mod[]=" fullword ascii
$s8 = "shutdown" fullword ascii
$s9 = "&mac[]=%02X%02X%02X%02X%02X%02X" fullword ascii
condition: uint16(0) == 0x457f and (3 of ($f*) or 6 of ($s*))
}
rule MALWARE_Linux_UNK02 {
meta:
author = "ditekSHen"
description = "Detects unknown/unidentified Linux malware"
strings:
$rf1 = "[]A\\A]A^A_" ascii
$rf2 = "[A\\A]A^A_]" ascii
$f1 = "/bin/basH" ascii fullword
$f2 = "/proc/seH" ascii fullword
$f3 = "/dev/ptsH" ascii fullword
$f4 = "pqrstuvwxyzabcde" ascii fullword
$f5 = "libnss_%s.so.%d.%d" ascii fullword
condition: uint16(0) == 0x457f and (all of ($f*) and #rf1 > 3 and #rf2 > 3)
}
rule MALWARE_Win_iTranslatorEXE {
meta:
author = "ditekSHen"
description = "Detects iTranslator EXE payload"
clamav_sig = "MALWARE.Win.Trojan.iTranslator_EXE"
strings:
$s1 = "\\itranslator\\wintrans.exe" fullword wide
$s2 = "\\SuperX\\SuperX\\Obj\\Release\\SharpX.pdb" fullword ascii
$s3 = "\\itranslator\\itranslator.dll" fullword ascii
$s4 = ":Intoskrnl.exe" fullword ascii
$s5 = "InjectDrv.sys" fullword ascii
$s6 = "SharpX.dll" fullword wide
$s7 = "GetMicrosoftEdgeProcessId" ascii
$s8 = ".php?type=is&ch=" ascii
$s9 = ".php?uid=" ascii
$s10 = "&mc=" fullword ascii
$s11 = "&os=" fullword ascii
$s12 = "&x=32" fullword ascii
condition: uint16(0) == 0x5a4d and 8 of ($s*)
}
rule MALWARE_Win_iTranslatorDLL {
meta:
author = "ditekSHen"
description = "Detects iTranslator DLL payload"
clamav_sig = "MALWARE.Win.Trojan.iTranslator_DLL"
strings:
$d1 = "system32\\drivers\\%S.sys" fullword wide
$d2 = "\\windows\\system32\\winlogon.exe" fullword ascii
$d3 = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\%s" fullword wide
$d4 = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\webssx" fullword wide
$d5 = "\\Device\\CtrlSM" fullword wide
$d6 = "\\DosDevices\\CtrlSM" fullword wide
$d7 = "\\driver_wfp\\CbFlt\\Bin\\CbFlt.pdb" ascii
$d8 = ".php" ascii
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWWARE_Win_Octopus {
meta:
author = "ditekSHen"
description = "Detects Octopus trojan payload"
clamav_sig = "MALWARE.Win.Trojan.Octopus"
strings:
$s1 = "\\Mozilla\\Firefox\\Profiles\\" fullword wide
$s2 = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" fullword wide
$s3 = "\\wbem\\WMIC.exe" fullword wide
$s4 = ".profiles.ini" fullword wide
$s5 = "PushEBP_" ascii
$s6 = "MovEBP_ESP_" ascii
$s7 = "Embarcadero Delphi for Win32 compiler" ascii
$s8 = "TempWmicBatchFile.bat" fullword wide
$wq1 = "computersystem get Name /format:list" wide
$wq2 = "os get installdate /format:list" wide
$wq3= "get serialnumber /format:list" wide
$wq4 = "\\\\\\\\.\\\\PHYSICALDRIVE" wide
$wq5= "path CIM_LogicalDiskBasedOnPartition" wide
$wq6 = "get Antecedent,Dependent" wide
$wq7 = "path win32_physicalmedia" wide
condition: uint16(0) == 0x5a4d and (6 of ($s*) and 5 of ($wq*))
}
rule MALWARE_Win_CasperTroy {
meta:
author = "ditekSHen"
description = "Detects CasperTroy payload"
strings:
$s1 = "DllTroy.dll" fullword ascii
$s2 = "Content-Disposition: form-data; name=\"image\"; filename=\"title.gif\"" fullword ascii
$s3 = "Content-Disposition: form-data; name=\"COOKIE_ID\"" fullword ascii
$s4 = "Content-Disposition: form-data; name=\"PHP_SESS_ID\"" fullword ascii
$s5 = "Content-Disposition: form-data; name=\"SESS_ID\"" fullword ascii
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Win_Rasftuby {
meta:
author = "ditekSHen"
description = "Detects Rasftuby/DarkCrystal"
clamav_sig = "MALWARE.Win.Trojan.DarkCrystal.RAT-Rasftuby"
strings:
$s1 = "/DCRS/main.php?data=active" fullword ascii wide
$s2 = "/socket.php?type=__ds_" ascii wide
$s3 = "/uploader.php" fullword ascii wide
$s4 = "del \\\"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\System.lnk\\\"" fullword ascii wide
$s5 = "Host:{0},Port:{1},User:{2},Pass:{3}<STR>" fullword ascii wide
$s6 = "keyloggerstart_status" fullword ascii wide
$s7 = "keyloggerstop_status" fullword ascii wide
$s8 = "[PRINT SCREEN]" fullword ascii wide
$s9 = "DCS.Internal" ascii
condition: uint16(0) == 0x5a4d and 5 of ($s*)
}
rule MALWARE_Win_ProtonBot {
meta:
author = "ditekSHen"
description = "Detects ProtonBot loader"
clamav_sig = "MALWARE.Win.Trojan.ProtonBot"
strings:
$x1 = "\\PROTON\\Release\\build.pdb" ascii
$x2 = "\\proton\\proton bot\\json.hpp" wide
$x3 = "proton bot" ascii wide
$s1 = "endptr == token_buffer.data() + token_buffer.size()" fullword wide
$s2 = "ranges.size() == 2 or ranges.size() == 4 or ranges.size() == 6" fullword wide
$s3 = "ref_stack.back()->is_array() or ref_stack.back()->is_object()" fullword wide
$s4 = "ktmw32.dll" fullword ascii
$s5 = "@detail@nlohmann@@" ascii
$s6 = "urlmon.dll" fullword ascii
condition: uint16(0) == 0x5a4d and (2 of ($x*) or (all of ($s*) and 1 of ($x*)))
}
rule MALWARE_Win_ImminentRAT {
meta:
author = "ditekSHen"
description = "Detects ImminentRAT"
strings:
$x1 = "abuse@imminentmethods.net" ascii
$x2 = "Imminent-Monitor-" ascii
$x3 = "AddressChangeListener" fullword ascii
$x4 = "SevenZipHelper" fullword ascii
$x5 = "WrapNonExceptionThrows" fullword ascii
$s1 = "_ENABLE_PROFILING" wide
$s2 = "Anti-Virus: {0}" wide
$s3 = "File downloaded & executed" wide
$s4 = "Chat - You are speaking with" wide
$s5 = "\\Imminent\\Plugins" wide
$s6 = "\\Imminent\\Path.dat" wide
$s7 = "\\Imminent\\Geo.dat" wide
$s8 = "DisableTaskManager = {0}" wide
$s9 = "This client is already mining" wide
$s10 = "Couldn't get AV!" wide
$s11 = "Couldn't get FW!" wide
condition: uint16(0) == 0x5a4d and (4 of ($x*) or 5 of ($s*))
}
rule MALWARE_Win_WarzoneRAT {
meta:
author = "ditekSHen"
description = "Detects AveMaria/WarzoneRAT"
strings:
$s1 = "RDPClip" fullword wide
$s2 = "Grabber" fullword wide
$s3 = "Ave_Maria Stealer OpenSource" wide
$s4 = "\\MidgetPorn\\workspace\\MsgBox.exe" wide
$s5 = "@\\cmd.exe" wide
$s6 = "/n:%temp%\\ellocnak.xml" wide
$s7 = "Hey I'm Admin" wide
$s8 = "warzone160" fullword ascii
condition: uint16(0) == 0x5a4d and 5 of ($s*)
}
rule MALWARE_Win_KaraganyCore {
meta:
author = "ditekSHen"
description = "Detects Karagany/xFrost core plugin"
strings:
$s1 = "127.0.0.1" fullword ascii
$s2 = "port" fullword ascii
$s3 = "C:\\Windows\\System32\\Kernel32.dll" fullword ascii
$s4 = "kernel32.dll" fullword ascii
$s5 = "http" ascii
$s6 = "Move" fullword ascii
$s7 = "<supportedOS Id=\"{" ascii
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_KaraganyKeylogger {
meta:
author = "ditekSHen"
description = "Detects Karagany/xFrost keylogger plugin"
strings:
$s1 = "__klg__" fullword wide
$s2 = "__klgkillsoft__" fullword wide
$s3 = "CLIPBOARD_PASTE" wide
$s4 = "%s\\k%d.txt" wide
$s5 = "\\Update\\Tmp" wide
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Win_KaraganyScreenUtil {
meta:
author = "ditekSHen"
description = "Detects Karagany/xFrost ScreenUtil module"
strings:
$s1 = "__pic__" ascii wide
$s2 = "__pickill__" ascii wide
$s3 = "\\picture.png" fullword wide
$s4 = "%d.jpg" wide
$s5 = "\\Update\\Tmp" wide
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Win_KaraganyListrix {
meta:
author = "ditekSHen"
description = "Detects Karagany/xFrost Listrix module"
strings:
$s1 = "\\Update\\Tmp\\" wide
$s2 = "*pass*.*" fullword wide
$s3 = ">> NUL" wide
$s4 = "%02d.%02d.%04d %02d:%02d" wide
$s5 = "/c del" wide
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Osx_MacSearch {
meta:
author = "ditekSHen"
description = "Detects MacSearch adware"
strings:
$s1 = "open -a safari" ascii
$s2 = "/INDownloader" ascii
$s3 = "/safefinder" ascii
$s4 = "/INEncryptor" ascii
$s5 = "/INInstallerFlow" ascii
$s6 = "/INConfiguration" ascii
$s7 = "/INChromeAndFFSetter" ascii
$s8 = "/INSafariSetter" ascii
$s9 = "/bin/launchctl" fullword ascii
$s10 = "/usr/bin/csrutil" fullword ascii
$s11 = "_Tt%cSs%zu%.*s%s" fullword ascii
$s12 = "_Tt%c%zu%.*s%zu%.*s%s" fullword ascii
$s13 = "/macap/safefinder_Obf/safefinder/" ascii
$s14 = "/safefinder.build/Release/macsearch.build/" ascii
condition: uint16(0) == 0xfacf and 10 of them
}
rule MALWARE_Osx_Genieo {
meta:
author = "ditekSHen"
description = "Detects LinqurySearch/Genieo adware"
clamav_sig = "MALWARE.Osx.Trojan.Genieo"
strings:
$s1 = "<key>com.apple.security.get-task-allow</key>" fullword ascii
$s2 = "U1QQFXAfCxAfRUNCH1JZXh9" ascii
$s3 = "XVFTQ1VRQlNYH" ascii
$s4 = "dF9HXlxfUVQQVUJCX0IQHRB" ascii
$s5 = "Value:forHTTPHeaderField:" ascii
$s6 = "postContent:::" fullword ascii
$s7 = "postLog:" fullword ascii
$s8 = "initWithBase64EncodedString:options:" fullword ascii
$s9 = "do shell script \"%@\" with administrator privileges" fullword ascii
$s10 = /LinqurySearch-[a-f0-9]{40,}/
condition: uint16(0) == 0xfacf and 6 of them
}
rule MALWARE_Osx_AMCPCVARK {
meta:
author = "ditekSHen"
description = "Detects OSX TechyUtils/PCVARK adware"
clamav_sig = "MALWARE.Osx.Adware.AMC-PCVARK-TechyUtils"
strings:
$s1 = "Mac Auto Fixer.app" fullword ascii
$s2 = "com.techyutil.macautofixer" fullword ascii
$s3 = "com.findApp.findApp" ascii
$s4 = "Library/Preferences/%@.plist" fullword ascii
$s5 = "Library/%@/%@" fullword ascii
$s6 = "Library/Application Support/%@/%@" fullword ascii
$s7 = "sleep 3; rm -rf \"%@\"" fullword ascii
$s8 = "Silently calling url: %@" ascii
$cnc1 = "cloudfront.net/getdetails" ascii
$cnc2 = "trk.entiretrack.com/trackerwcfsrv/tracker.svc/trackOffersAccepted/?" ascii
$cnc3 = "pxl=%@&x-count=1&utm_source=%@&lpid=0&utm_content=&utm_term=&x-base=&utm_medium=%@&utm_publisher=%@&offerpxl=&x-fetch=1&utm_campaign=@&affiliateid=&x-at=&btnid=" ascii
$x1 = "mafsysinfo" fullword ascii
$x2 = "MAF4497_MAF4399_MAF2204" ascii
$developerid = "Developer ID Application: Rahul Gahlot (RZ74UYT742)" ascii
condition: uint16(0) == 0xfacf and (6 of ($s*) or 2 of ($cnc*) or all of ($x*) or $developerid)
}
rule MALWARE_Osx_RealtimeSpy {
meta:
author = "ditekSHen"
description = "Detects macOS RealtimeSpy monitoring app"
clamav_sig = "MALWARE.Osx.Trojan.RealtimeSpy"
strings:
$x1 = "SPYAGENT4HASHCIPHER" fullword ascii
$x2 = ":username:password:acctid:compUser:compName:" ascii
$x3 = ":username:password:acctid:compName:" ascii
$x4 = "://www.realtime-spy-mac.com/" ascii
$x5 = "/Users/spytech/" ascii
$x6 = "shell script \"touch /private/var/db/.AccessibilityAPIEnabled\" password \"pwd\" with administrator privileges" ascii
$x7 = "Content-Disposition: form-data; name=\"raptor_" ascii
$c1 = "_OBJC_CLASS_$_LocationLogger" fullword ascii
$c2 = "_OBJC_CLASS_$_MonitoringFunctions" fullword ascii
$c3 = "_OBJC_CLASS_$_ProcessLogger" fullword ascii
$c4 = "_OBJC_CLASS_$_RealtimeLoggingFunctions" fullword ascii
$c5 = "_OBJC_CLASS_$_Realtime_SpyAppDelegate" fullword ascii
$c6 = "_OBJC_CLASS_$_ScreenshotLogger" fullword ascii
$c7 = "_OBJC_CLASS_$_Uploader" fullword ascii
$c8 = "_OBJC_CLASS_$_UsageLogger" fullword ascii
$c9 = "_OBJC_CLASS_$_WebsiteLogger" fullword ascii
condition: uint16(0) == 0xfacf and (2 of ($x*) or 2 of ($c*))
}
rule MALWARE_Osx_MaxOfferDeal {
meta:
author = "ditekSHen"
description = "Detects macOS MaxOfferDeal adware"
clamav_sig = "MALWARE.Osx.Adware.MaxOfferDeal"
strings:
$s1 = "clEvE15obfuscated_data" ascii
$s2 = "%.*s.%.*s" fullword ascii
$s3 = "_Tt%cSs%zu%.*s%s" fullword ascii
$s4 = "_Tt%c%zu%.*s%zu%.*s%s" fullword ascii
$s5 = "__ZL20tFirefoxProfilesPath" ascii
$s6 = "__ZL22tFirefoxSearchFileName" ascii
$s7 = "__ZL37tFirefoxDefaultProfileFolderExtension" ascii
$s8 = "__ZL21tFirefoxPrefsFileName" ascii
$s9 = "__GLOBAL__sub_I_Firefox.mm" ascii
$s10 = "add_image_hook_" ascii
$s11 = "/Library/Caches/com.apple.xbs/Sources/arclite/arclite-66/source/" fullword ascii
condition: uint16(0) == 0xfacf and all of them
}
rule MALWARE_Osx_WindTrail {
meta:
author = "ditekSHen"
description = "Detects WindTrail OSX trojan"
clamav_sig = "MALWARE.Osx.Trojan.WindTrail"
strings:
$s1 = "m_ComputerName_UserName" fullword ascii
$s2 = "m_uploadURL" fullword ascii
$s3 = "m_logString" fullword ascii
$s4 = "GenrateDeviceName" fullword ascii
$s5 = "open -a" fullword ascii
$s6 = "AESEncryptFile:toFile:usingPassphrase:error:" fullword ascii
$s7 = "scheduledTimerWithTimeInterval:target:selector:userInfo:repeats:" fullword ascii
$s8 = "_kLSSharedFileListSessionLoginItems" fullword ascii
$developerid = "Developer ID Application: warren portman (95RKE2AA8F)" ascii
condition: uint16(0) == 0xfacf and (all of ($s*) or $developerid)
}
rule MALWARE_Osx_TechyUtils {
meta:
author = "ditekSHen"
description = "Detects TechyUtils OSX packages"
clamav_sig = "MALWARE.Osx.Trojan.TechyUtils"
strings:
$s1 = "__ZL58__arclite_NSMutableDictionary__" ascii
$s2 = "__ZL46__arclite_NSDictionary_" ascii
$s3 = "<key>com.apple.security.get-task-allow</key>" fullword ascii
$s4 = "/productprice.svc/GetCountryCode" ascii
$s5 = "@_pthread_mutex_lock" fullword ascii
$s6 = "_mh_execute_header" fullword ascii
$s7 = "/Users/prasoon/Documents/" ascii
$developerid = "Developer ID Application: Techyutils Software Private Limited (VS9Q8BRRRJ)" ascii
condition: uint16(0) == 0xfacf and (all of ($s*) or $developerid)
}
rule MALWARE_Osx_LamePyre {
meta:
description = "Detects LamePyre"
strings:
// wFlow
$s1 = "/Automator/Run Shell" ascii
$s2 = "curl " ascii
$s3 = "base64" ascii
$s4 = "screencapture" ascii
$s5 = "handler.php"
$s6 = "zip" ascii
// Persistence scripts
$ps1 = "base64.b64decode" ascii
$ps2 = "dXJsbGliM" ascii // urllib2
$ps3 = "c3VicHJvY2Vz" ascii // subprocess
$ps4 = "aW5kZXguYXN" ascii // index.asp
$sp5 = "YWRkaGVhZGVy" ascii // addheader
condition: all of ($ps*) or 5 of ($s*)
}
rule MALWARE_Win_DLAgent04 {
meta:
author = "ditekSHen"
description = "Detects known downloader agent downloading encoded binaries in patches from paste-like websites, most notably hastebin"
clamav_sig = "MALWARE.Win.Trojan.DLAgent04"
strings:
$x1 = "@@@http" ascii wide
$s1 = "HttpWebRequest" fullword ascii
$s2 = "GetResponseStream" fullword ascii
$s3 = "set_FileName" fullword ascii
$s4 = "set_UseShellExecute" fullword ascii
$s5 = "WebClient" fullword ascii
$s6 = "set_CreateNoWindow" fullword ascii
$s7 = "DownloadString" fullword ascii
condition: uint16(0) == 0x5a4d and filesize < 300KB and #x1 > 1 and 4 of ($s*)
}
rule MALWARE_Win_GDriveRAT {
meta:
author = "ditekSHen"
description = "Detects GDriveRAT"
clamav_sig = "MALWARE.Win.Trojan.GDriveRAT"
strings:
$h1 = "https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart" fullword wide
$h2 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" fullword wide
$h3 = "multipart/related; boundary=\"boundary_tag\"" fullword wide
$h4 = "https://www.googleapis.com/drive/v3/files" fullword wide
$s1 = "move gdrive.exe \"C:\\Users\\" fullword wide
$s2 = "file_data" fullword ascii
$s3 = "comp_id" fullword ascii
$s4 = "file_name" fullword ascii
$s5 = "refresh_token" fullword ascii
$s6 = "commands" fullword ascii
$s7 = "execute" fullword ascii
condition: uint16(0) == 0x5a4d and 3 of ($h*) and 5 of ($s*)
}
rule MALWARE_Win_STOP {
meta:
author = "ditekSHen"
description = "Detects STOP ransomware"
snort2_sid = "920113"
snort3_sid = "920111"
clamav_sig = "MALWARE.Win.Ransomware.STOP"
strings:
$x1 = "C:\\SystemID\\PersonalID.txt" fullword wide
$x2 = "/deny *S-1-1-0:(OI)(CI)(DE,DC)" wide
$x3 = "e:\\doc\\my work (c++)\\_git\\encryption\\" ascii wide nocase
$s1 = "\" --AutoStart" fullword ascii wide
$s2 = "--ForNetRes" fullword wide
$s3 = "--Admin" fullword wide
$s4 = "%username%" fullword wide
$s5 = "?pid=" fullword wide
$s6 = /&first=(true|false)/ fullword wide
$s7 = "delself.bat" ascii
$mutex1 = "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}" fullword ascii
$mutex2 = "{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}" fullword ascii
$mutex3 = "{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}" fullword ascii
condition: uint16(0) == 0x5a4d and ((2 of ($x*) and 1 of ($mutex*)) or (all of ($x*)) or (6 of ($s*) and (1 of ($x*) or 1 of ($mutex*))) or (9 of them))
}
rule MALWARE_Win_ParallaxRAT {
meta:
author = "ditekSHen"
description = "Detects ParallaxRAT"
clamav_sig = "MALWARE.Win.Trojan.ParallaxRAT"
strings:
$s1 = "[Clipboard End]" fullword wide
$s2 = "[Ctrl +" fullword wide
$s3 = "[Alt +" fullword wide
$s4 = "Clipboard Start" wide
$s5 = "(Wscript.ScriptFullName)" wide
$s6 = "CSDVersion" fullword ascii
$s7 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" fullword ascii
$x1 = { 2e 65 78 65 00 00 84 00 00 4d 5a 90 00 }
$x2 = "This program cannot be run in DOS mode" ascii
condition: ((uint16(0) == 0x5a4d and all of ($s*)) or all of them)
}
rule MALWARE_Win_Meterpreter {
meta:
author = "ditekSHen"
description = "Detects Meterpreter payload"
strings:
$s1 = "PACKET TRANSMIT" fullword ascii
$s2 = "PACKET RECEIVE" fullword ascii
$s3 = "\\\\%s\\pipe\\%s" fullword ascii wide
$s4 = "%04x-%04x:%s" fullword wide
$s5 = "server.dll" fullword ascii
//$s6 = "tcp://" wide
condition: (uint16(0) == 0x5a4d and all of them) or (filesize < 300KB and all of them)
}
/*
rule MALWARE_Win_Raccoon {
meta:
author = "ditekSHen"
description = "Detects Raccoon/Racealer infostealer"
clamav_sig = "MALWARE.Win.Trojan.Raccoon"
strings:
$s1 = "endptr == token_buffer.data() + token_buffer.size()" fullword wide
$s2 = "inetcomm server passwords" fullword wide
$s3 = "\\json.hpp" wide
$s4 = "CredEnumerateW" fullword ascii
$s5 = "Microsoft_WinInet_" fullword wide
$s6 = "already connected" fullword ascii
$s7 = "copy_file" fullword ascii
$s8 = "\"; filename=\"" fullword ascii
$s9 = "%[^:]://%[^/]%[^" fullword ascii
condition: uint16(0) == 0x5a4d and 8 of them
}
*/
rule MALWARE_Win_Trojan_ExpressCMS {
meta:
author = "ditekSHen"
description = "Detects ExpressCMS"
clamav_sig = "MALWARE.Win.Trojan.ExpressCMS"
strings:
$s1 = "/click.php?cnv_id=" fullword wide
$s2 = "/click.php?key=" wide
$s3 = "jdlnb" fullword wide
$s4 = "Gkjfdshfkjjd: dsdjdsjdhv" fullword wide
$s5 = "--elevated" fullword wide
$s6 = "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\%d" wide
$s7 = "\\Microsoft\\Manager.exe" fullword wide
$s8 = "\\Microsoft\\svchost.exe" fullword wide
condition:
uint16(0) == 0x5a4d and 6 of them
}
rule MALWARE_Win_MeterpreterStager {
meta:
author = "ditekSHen"
description = "Detects Meterpreter stager payload"
strings:
$s1 = "PAYLOAD:" fullword ascii
$s2 = "AQAPRQVH1" fullword ascii
$s3 = "ws2_32" fullword ascii
$s4 = "KERNEL32.dll" fullword ascii
condition: uint16(0) == 0x5a4d and all of them and filesize < 100KB
}
rule MALWARE_Win_Ziggy {
meta:
author = "ditekSHen"
description = "Detects Ziggy ransomware"
snort2_sid = "920098"
snort3_sid = "920096"
clamav_sig = "MALWARE.Win.Ransomware.Ziggy"
strings:
$id1 = "/Ziggy Info;component/mainwindow.xaml" fullword wide
$id2 = "AZiggy Info, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" fullword ascii
$id3 = "Ziggy Ransomware" fullword wide
$id4 = "clr-namespace:Zeggy" fullword ascii
$s1 = "GetCooldown" fullword ascii
$s2 = "checkCommandMappings" fullword ascii
$s3 = "add_OnExecuteCommand" fullword ascii
$s4 = "MindLated.jpg" fullword wide
$s5 = "http://fixfiles.xyz/ziggy/api/info.php?id=" fullword wide
$s6 = "Reamaining time:" fullword wide
$msg1 = "<:In case of no answer in 12 hours write us to this e-mail" ascii
$msg2 = "Free decryption as guarantee" fullword ascii
$msg3 = "# Do not try to decrypt your data using third party software, it may cause permanent data loss" ascii
$msg4 = "# Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can becom" ascii
condition: uint16(0) == 0x5a4d and (3 of ($id*) or 4 of ($s*) or 3 of ($msg*))
}
rule MALWARE_Win_NWorm {
meta:
author = "ditekSHen"
description = "Detects NWorm/N-W0rm payload"
clamav_sig = "MALWARE.Win.Trojan.NWorm"
strings:
$id1 = "N-W0rm" ascii
$id2 = "N_W0rm" ascii
$x1 = "pongPing" fullword wide
$x2 = "|NW|" fullword wide
$s1 = "runFile" fullword wide
$s2 = "runUrl" fullword wide
$s3 = "killer" fullword wide
$s4 = "powershell" fullword wide
$s5 = "wscript.exe" fullword wide
$s6 = "ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File \"" fullword wide
$s7 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36" fullword wide
$s8 = "Start-Sleep -Seconds 1.5; Remove-Item -Path '" fullword wide
condition: uint16(0) == 0x5a4d and ((1 of ($id*) and (1 of ($x*) or 3 of ($s*))) or (all of ($x*) and 2 of ($s*)) or 7 of ($s*) or 10 of them)
}
rule MALWARE_Win_QakBot {
meta:
author = "ditekSHen"
description = "Detects variants of QakBot payload"
strings:
$s1 = "stager_1.dll" fullword ascii
$s2 = "_vsnwprintf" fullword ascii
$s3 = "DllRegisterServer" fullword ascii
$s4 = "Win32_PnPEntity" fullword wide
$s5 = "0>user32.dll" fullword ascii
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_Fonix {
meta:
author = "ditekSHen"
description = "Detects Fonix ransomware"
clamav_sig = "MALWARE.Win.Ransomware.Fonix"
strings:
$s1 = "dontcryptanyway" fullword wide
$s2 = "Cpriv.key" ascii wide
$s3 = "Cpub.key" ascii wide
$s4 = "NetShareEnum() failed!Error: % ld" fullword wide
$s5 = "<div class='title'> Attention!</div><ul><li><u><b>DO NOT</b> pay" wide
$s6 = "Encryption Completed !!!" fullword wide
$s7 = "kill process" fullword ascii
$s8 = "Copy SystemID C:\\ProgramData\\SystemID" ascii
$id1 = "].FONIX" fullword wide
$id2 = "xinofconfig.txt" fullword ascii wide
$id3 = "XINOF4MUTEX" wide
$id4 = ":\\Fonix\\cryptoPP\\" ascii
$id5 = "schtasks /CREATE /SC ONLOGON /TN fonix" ascii
$id6 = "Ransomware\\Fonix" ascii
condition: uint16(0) == 0x5a4d and (6 of ($s*) or 3 of ($id*) or (1 of ($id*) and 3 of ($s*)))
}
rule MALWARE_Win_Bobik {
meta:
author = "ditekSHen"
description = "Detects Bobik infostealer"
clamav_sig = "MALWARE.Win.Trojan.Bobik"
strings:
$s1 = "@Default\\Login Data" fullword ascii
$s2 = "@Default\\Cookies" fullword ascii
$s3 = "@logins.json" fullword ascii
$s4 = "@[EXECUTE]" fullword ascii
$s5 = "@C:\\Windows\\System32\\cmd.exe" fullword ascii
$s6 = /(CHROME|OPERA|FIREFOX)_BASED/ fullword ascii
$s7 = "threads.nim" fullword ascii
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_RunningRAT {
meta:
author = "ditekSHen"
description = "Detects RunningRAT"
clamav_sig = "MALWARE.Win.Trojan.RunningRAT"
strings:
$s1 = "%s%d.dll" fullword ascii
$s2 = "/c ping 127.0.0.1 -n" ascii
$s3 = "del /f/q \"%s\"" ascii
$s4 = "GUpdate" fullword ascii
$s5 = "%s\\%d.bak" fullword ascii
$s6 = "\"%s\",MainThread" ascii
$s7 = "rundll32.exe" fullword ascii
$rev1 = "emankcosteg" fullword ascii
$rev2 = "ini.revreS\\" fullword ascii
$rev3 = "daerhTniaM,\"s%\" s%" ascii
$rev4 = "s% etadpUllD,\"s%\" 23lldnuR" ascii
$rev5 = "---DNE yromeMmorFdaoL" fullword ascii
$rev6 = "eMnigulP" fullword ascii
$rev7 = "exe.23lldnuR\\" fullword ascii
$rev8 = "dnammoc\\nepo\\llehs\\" ascii
$rev9 = "\"s%\" k- exe.tsohcvs\\23metsyS\\%%tooRmetsyS%" ascii
$rev10 = "emanybtsohteg" fullword ascii
$rev11 = "tekcosesolc" fullword ascii
$rev12 = "tpokcostes" fullword ascii
$rev13 = "emantsohteg" fullword ascii
// variant
$v2_1 = "%%SystemRoot%%\\System32\\svchost.exe -k \"%s\"" fullword ascii
$v2_2 = "LoadFromMemory END---" fullword ascii
$v2_3 = "hmProxy!= NULL" fullword ascii
$v2_4 = "Rundll32 \"%s\",DllUpdate %s" fullword ascii
$v2_5 = "ipip.website" fullword ascii
$v2_6 = "%d*%sMHz" fullword ascii
$v2_7 = "\\Server.ini" fullword ascii
condition: uint16(0) == 0x5a4d and (all of ($s*) or 5 of ($rev*) or 6 of ($v*) or 8 of them)
}
rule MALWARE_Win_DLAgent05 {
meta:
author = "ditekSHen"
description = "Detects an unknown dropper. Typically exisys as a DLL in base64-encoded gzip-compressed file embedded within another executable"
clamav_sig = "MALWARE.Win.Trojan.DLAgent05"
strings:
$s1 = "MARCUS.dll" fullword ascii wide
$s2 = "GZipStream" fullword ascii
$s3 = "MemoryStream" fullword ascii
$s4 = "proj_name" fullword ascii
$s5 = "res_name" fullword ascii
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_Nemty {
meta:
author = "ditekSHen"
description = "Detects Nemty/Nefilim ransomware"
strings:
$s1 = "Go build ID:" ascii
$s2 = "GOMAXPROCSGetIfEntryGetVersionGlagoliticKharoshthiManichaeanOld_ItalicOld_PermicOld_TurkicOther_MathPOSTALCODEPhoenicianSaurasht" ascii
$s3 = "crypto/x509.ExtKeyUsage" ascii
$s4 = "crypto/x509.KeyUsageContentCommitment" ascii
$s5 = "DEK-Info header" ascii
$s6 = "GetUserProfileDirectoryWMagallanes Standard TimeMontevideo Standard TimeNorth Asia Standard TimePacific SA Standard TimeQueryPerformanceCounter" fullword ascii
$s7 = "*( - < = > k= m=%: +00+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12..." ascii
$s8 = "Go cmd/compile go1.10" fullword ascii
$s9 = ".dllprogramdatarecycle.bin" ascii
$s10 = ".dll.exe.lnk.sys.url" ascii
$vx1_1 = "Fa1led to os.OpenFile()" ascii
$vx1_2 = "-HELP.txt" ascii
$vf1_1 = "main.CTREncrypt" fullword ascii
$vf1_2 = "main.FileSearch" fullword ascii
$vf1_3 = "main.getdrives" fullword ascii
$vf1_4 = "main.RSAEncrypt" fullword ascii
$vf1_5 = "main.SaveNote" fullword ascii
condition: uint16(0) == 0x5a4d and (9 of ($s*) or (all of ($vx*) and 2 of ($s*)) or all of ($vf*))
}
rule MALWARE_Win_QnapCrypt {
meta:
author = "ditekSHen"
description = "Detects QnapCrypt/Lockedv1/Cryptfile2 ransomware"
strings:
$go = "Go build ID:" ascii
$s1 = "Encrypting %s..." ascii
$s2 = "\\Start Menu\\Programs\\StartUp\\READMEV" ascii
$s3 = "main.deleteRecycleBin" ascii
$s4 = "main.encryptFiles" ascii
$s5 = "main.antiVirtualBox" ascii
$s6 = "main.antiVmware" ascii
$s7 = "main.deleteShadows" ascii
$s8 = "main.delUAC" ascii
$s9 = "main.KillProcess" ascii
$s10 = "main.delExploit" ascii
$s11 = "main.encrypt" ascii
$s12 = "main.ClearLogDownload" ascii
$s13 = "main.ClearLog" ascii
$s14 = "main.EndEncrypt" ascii
$s15 = "main.RunFuckLogAndSoft" ascii
$s16 = "main.ClearUsercache" ascii
$s17 = "main.FirstDuty" ascii
$s18 = ".lockedv1" ascii
$s19 = "WSAStartup\\clear.bat\\ngrok.exe\\video.mp4" ascii
$s20 = "net stop " ascii
condition: uint16(0) == 0x5a4d and $go and 6 of ($s*)
}
rule MALWARE_Win_Alfonoso {
meta:
author = "ditekSHen"
description = "Detects Alfonoso / Shurk / HunterStealer infostealer"
snort2_sid = "920102"
snort3_sid = "920100"
clamav_sig = "MALWARE.Win.Trojan.Alfonso"
strings:
$s1 = "%s\\etilqs_" fullword ascii
$s2 = "SELECT name, rootpage, sql FROM '%q'.%s" fullword ascii
$s3 = "%s-mj%08X" fullword ascii
$s4 = "| Site:" ascii
$s5 = "| Login:" ascii
$s6 = "| Password:" ascii
$s7 = "| BUILD NAME:" ascii
$s8 = "recursive_directory_iterator" ascii
$s9 = { 2e 7a 69 70 00 00 00 00 2e 7a 6f 6f 00 00 00 00
2e 61 72 63 00 00 00 00 2e 6c 7a 68 00 00 00 00
2e 61 72 6a 00 00 00 00 2e 67 7a 00 2e 74 67 7a
00 00 00 00 }
$s10 = "Shurk Steal" fullword ascii
$s11 = ":memory:" fullword ascii
$s12 = "current_path()" fullword ascii
$s13 = "vtab:%p:%p" fullword ascii
$f1 = "chatlog.txt" ascii
$f2 = "servers.fav" ascii
$f3 = "\\USERDATA.DAT" fullword ascii
condition: uint16(0) == 0x5a4d and (8 of ($s*) or (6 of ($s*) and 2 of ($f*)) or (all of ($f*) and 5 of ($s*)))
}
rule MALWARE_Win_Vidar {
meta:
author = "ditekSHen"
description = "Detects Vidar / ArkeiStealer"
strings:
$s1 = "\"os_crypt\":{\"encrypted_key\":\"" fullword ascii
$s2 = "screenshot.jpg" fullword wide
$s3 = "Content-Disposition: form-data; name=\"" ascii
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_Babuk {
meta:
author = "ditekSHen"
description = "Detects Babuk ransomware"
strings:
$s1 = "ecdh_pub_k.bin" wide
$s2 = "How To Restore Your Files.txt" wide
$s3 = /(babuk|babyk)\s(ransomware|locker)/ ascii nocase
$s4 = "/login.php?id=" ascii
$s5 = "http://babuk" ascii
$s6 = "bootsect.bak" fullword wide
$s7 = "Can't open file after killHolder" ascii
$s8 = "Can't OpenProcess" ascii
$s9 = "DoYouWantToHaveSexWithCuongDong" ascii
$arg1 = "-lanfirst" fullword ascii
$arg2 = "-lansecond" fullword ascii
$arg3 = "-nolan" fullword ascii
$arg4 = "shares" fullword wide
$arg5 = "paths" fullword wide
$arg6 = "gdebug" fullword wide
condition: uint16(0) == 0x5a4d and (3 of ($s*) or (3 of ($arg*) and 2 of ($s*)))
}
rule MALWARE_Win_Nitol {
meta:
author = "ditekSHen"
description = "Detects Nitol backdoor"
strings:
$s1 = "%$#@!.aspGET ^&*().htmlGET" ascii
$s2 = "Applications\\iexplore.exe\\shell\\open\\command" fullword ascii
$s3 = "taskkill /f /im rundll32.exe" fullword ascii
$s4 = "\\Tencent\\Users\\*.*" fullword ascii
$s5 = "[Pause Break]" fullword ascii
$s6 = ":]%d-%d-%d %d:%d:%d" fullword ascii
$s7 = "GET %s HTTP/1.1" fullword ascii
$s8 = "GET %s%s HTTP/1.1" fullword ascii
$s9 = "Accept-Language: zh-cn" fullword ascii
$s10 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)" fullword ascii
$s11 = "User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)" fullword ascii
$s12 = "User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)" fullword ascii
$w1 = ".aspGET" ascii
$w2 = ".htmGET" ascii
$w3 = ".htmlGET" ascii
$domain = "www.xy999.com" fullword ascii
$v2_1 = "loglass" fullword ascii
$v2_2 = "rlehgs" fullword ascii
$v2_3 = "eherrali" fullword ascii
$v2_4 = "agesrlu" fullword ascii
$v2_5 = "lepejagas" fullword ascii
condition: uint16(0) == 0x5a4d and (5 of ($s*) or (all of ($v2*)) or ($domain and 3 of them) or (#w1 > 2 and #w2 > 2 and #w3 > 2 and 3 of ($s*)))
}
rule MALWARE_Win_StrongPity {
meta:
author = "ditekSHen"
description = "Detects StrongPity"
strings:
$s1 = "Boundary%08X" ascii wide
$s2 = "Content-Disposition: form-data; name=\"file\";" fullword ascii
$s3 = "%sfilename=\"%ls\"" fullword ascii
$s4 = "name=%ls&delete=" fullword ascii
$s5 = "Content-Type: application/octet-stream" fullword ascii
$s6 = "cmd.exe /C ping" wide
$s7 = "& rmdir /Q /S \"" wide
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_JSSLoader {
meta:
author = "ditekSHen"
description = "Detects JSSLoader RAT/backdoor"
strings:
$cmd1 = "Cmd_UPDATE" fullword ascii
$cmd2 = "Cmd_IDLE" fullword ascii
$cmd3 = "Cmd_EXE" fullword ascii
$cmd4 = "Cmd_VBS" fullword ascii
$cmd5 = "Cmd_JS" fullword ascii
$cmd6 = "Cmd_PWS" fullword ascii
$cmd7 = "Cmd_RAT" fullword ascii
$cmd8 = "Cmd_UNINST" fullword ascii
$cmd9 = "Cmd_RunDll" fullword ascii
$s1 = "ANSWER_OK" fullword ascii
$s2 = "GatherDFiles" ascii
$s3 = "CommandCd" fullword ascii
$s4 = "URL_GetCmd" fullword ascii
$s5 = "\"host\": \"{0}\", \"domain\": \"{1}\", \"user\": \"{2}\"" wide
$s6 = "pc_dns_host_name" wide
$s7 = "\"adinfo\": { \"adinformation\":" wide
$e1 = "//e:vbscript" wide
$e2 = "//e:jscript" wide
$e3 = "/c rundll32.exe" wide
$e4 = "/C powershell" wide
$e5 = "C:\\Windows\\System32\\cmd.exe" wide
$e6 = "echo del /f" wide
$e7 = "AT.U() {0}. format" wide
condition: uint16(0) == 0x5a4d and (5 of ($cmd*) or 5 of ($s*) or all of ($e*) or 7 of them)
}
rule MALWARE_Win_CHUWI_Seth {
meta:
author = "ditekSHen"
description = "Detects detected unknown RAT. Called CHUWI based on PDB, and promoted to Seth Ransomware."
snort2_sid = "920103-920105"
snort3_sid = "920101-920103"
notes = "First sighting on 2020-01-05 didn't include ransomware artificats. Second sighting on 2020-01-24 with several correlations between the two samples now include ransomware artifacts."
strings:
// First sighting on 2020-01-05
// No ransomware artifcats
// 80104e0ad490b44a632a15e5875e7626db7f35fa94d7aadf19c45a621d75c7e0
$cmd1 = "shell_command" fullword ascii
$cmd2 = "check_command" fullword ascii
$cmd3 = "down_exec" fullword ascii
$cmd4 = "open_link" fullword ascii
$cmd5 = "down_exec" fullword ascii
$cmd6 = "exe_link" fullword ascii
$cmd7 = "shellCommand" fullword ascii
$cmd8 = "R_CMMAND" fullword ascii
$cnc1 = "/check_command.php?HWID=" ascii
$cnc2 = "&act=get_command" ascii
$cnc3 = "/get_command.php?hwid=" ascii
$cnc4 = "&command=down_exec" ascii
$cnc5 = "&command=message" ascii
$cnc6 = "&command=open_link" ascii
$cnc7 = "&command=down_exec" ascii
$cnc8 = "&command=shell" ascii
$pdb = "\\Users\\CHUWI\\Documents\\CPROJ\\Downloader\\svchost" ascii
// Second sighting on 2020-01-24
// Includes ransomware artificats
// 58c852525bf3bea185db34a79c2c5640c02f8291cdbdbe8dd7c0a9d4682f4b2c
$rcnc1 = "inc/check_command.php" ascii
$rcnc2 = "inc/get_command.php" ascii
$rcnc3 = "php?btc" ascii
$rcnc4 = "php?hwid" ascii
$x1 = "> %USERPROFILE%\\Desktop\\HOW_DECRYPT_FILES.seth.txt" ascii
$x2 = "/C dir /b %USERPROFILE%\\Documents > %temp%\\doc.txt" ascii
$x3 = "/C dir /b %USERPROFILE%\\Desktop > %temp%\\desk.txt" ascii
$x4 = "/C dir /b %USERPROFILE%\\Downloads > %temp%\\downs.txt" ascii
$x5 = "/C dir /b %USERPROFILE%\\Pictures > %temp%\\pics.txt" ascii
$x6 = "for /F \"delims=\" %%a in ('mshta.exe \"%~F0\"') do set \"HTA=%%a\"" ascii
$x7 = "\\svchost.exe" fullword ascii
$x8 = ".seth" fullword ascii
$x9 = "MyAgent" fullword ascii
condition: uint16(0) == 0x5a4d and ($pdb or 5 of ($cmd*) or 4 of ($cnc*) or all of ($rcnc*) or 5 of ($x*) or 8 of them)
}
rule MALWARE_Win_Gulpix {
meta:
author = "ditekSHen"
description = "Detects Gulpix/HyperPlus backddor"
strings:
$x1 = "MainServer.dll" fullword ascii
$x2 = "NvSmartMax.dat" fullword wide
$x3 = "NvSmartMax.dll" fullword wide
$x4 = "http://+:80/FD873AC4-CF86-4FED-84EC-4BD59C6F17A7/" fullword wide
$s1 = "IP retriever" fullword wide
$s2 = "\\cmd.exe" fullword wide
$s3 = "\\msnetwork-cache.db" fullword wide
$s4 = "http://+:" wide
$s5 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" fullword wide
// UAC Bypass
$s6 = "\\Microsoft\\Windows\\DiskCleanup\\SilentCleanup" ascii
$s7 = "Got a unknown request for %ws" wide
$s8 = "HttpReceiveRequestEntityBody failed with %lu" wide
$s9 = "FD873AC4-CF86-4FED-84EC-4BD59C6F17A7" wide
condition: uint16(0) == 0x5a4d and (all of ($x*) or 6 of ($s*) or (2 of ($x*) and 4 of ($s*)) or
(
2 of them and
pe.exports("daemon") and
pe.exports("run") and
pe.exports("session") and
pe.exports("work")
)
)
}
rule MALWARE_Linux_RansomExx {
meta:
author = "ditekshen"
description = "Detects RansomEXX ransomware"
clamav_sig = "MALWARE.Linux.Ransomware.RansomEXX"
strings:
$c1 = "crtstuff.c" fullword ascii
$c2 = "cryptor.c" fullword ascii
$c3 = "ransomware.c" fullword ascii
$c4 = "logic.c" fullword ascii
$c5 = "enum_files.c" fullword ascii
$c6 = "readme.c" fullword ascii
$c7 = "ctr_drbg.c" fullword ascii
$s1 = "regenerate_pre_data" fullword ascii
$s2 = "g_RansomHeader" fullword ascii
$s3 = "CryptOneBlock" fullword ascii
$s4 = "RansomLogic" fullword ascii
$s5 = "CryptOneFile" fullword ascii
$s6 = "encrypt_worker" fullword ascii
$s7 = "list_dir" fullword ascii
$s8 = "ctr_drbg_update_internal" fullword ascii
condition: uint16(0) == 0x457f and (5 of ($c*) or 6 of ($s*) or (3 of ($c*) and 3 of ($s*)))
}
rule MALWARE_Win_TrickbotModule {
meta:
author = "ditekshen"
description = "Detects Trickbot modules"
strings:
$mc = "<moduleconfig>" ascii
$s1 = "<autostart>" ascii
$s2 = "<nohead>" ascii
$s3 = "<needinfo" ascii
$s4 = "<conf ctl" ascii
$s5 = "<limit>" ascii
$w1 = "<sys>yes</sys>" ascii
$w2 = "<sys>no</sys>" ascii
$w3 = "<autostart>yes</autostart>" ascii
$w4 = "<autostart>no</autostart>" ascii
$w5 = "<nohead>yes</nohead>" ascii
$w6 = "<nohead>no</nohead>" ascii
$w7 = /<limit>\d+<\/limit>/ ascii
$w8 = "<moduleconfig> </moduleconfig" ascii
condition: uint16(0) == 0x5a4d and $mc and (2 of ($s*) or (1 of ($s*) and 1 of ($w*)) or 1 of ($w*))
}
rule MALWARE_Win_Gaudox {
meta:
author = "ditekshen"
description = "Detects Gaudox RAT"
strings:
$s1 = "hdr=%s&tid;=%s&cid;=%s&trs;=%i" ascii wide
$s2 = "\\\\\\\\.\\\\PhysicalDrive%u" ascii wide
//$s3 = "Mozilla/5.0 (X11; Linux i586; rv:31.0) Gecko/20100101 Firefox/31.0" ascii wide
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_Phobos {
meta:
author = "ditekshen"
description = "Detects Phobos ransomware"
strings:
$x1 = "\\\\?\\UNC\\\\\\e-" fullword wide
$x2 = "\\\\?\\ :" fullword wide
$x3 = "POST" fullword wide
$s1 = "ELVL" fullword wide
$s2 = /SUP\d{3}/ fullword wide
$s3 = { 41 31 47 ?? 41 2b }
condition: uint16(0) == 0x5a4d and all of ($x*) and 1 of ($s*)
}
rule MALWARE_Win_Ratty {
meta:
author = "ditekshen"
description = "Detects Ratty Java RAT"
strings:
$s1 = "/rat/RattyClient.class" ascii
$s2 = "/rat/ActiveConnection.class" ascii
$s3 = "/rat/attack/" ascii
$s4 = "/rat/gui/swing/Ratty" ascii
$s5 = "/rat/packet/PasswordPacket" ascii
$s6 = "/rat/packet/" ascii
$e1 = "/engine/Keyboard.class" ascii
$e2 = "/engine/IMouseListener.class" ascii
$e3 = "/engine/Screen$ResizeBehavior.class" ascii
$e4 = "/engine/fx/ISoundListener.class" ascii
$e5 = "/engine/net/TCPServer.class" ascii
$e6 = "/engine/noise/PerlinNoise.class" ascii
condition: (uint16(0) == 0x5a4d or uint16(0) == 0xcfd0 or uint16(0) == 0x4b50) and (3 of ($s*) or all of ($e*))
}
rule MALWARE_Win_FatDuke {
meta:
author = "ditekSHen"
description = "Detects FatDuke"
strings:
$s1 = "\\\\?\\Volume" fullword ascii
$s2 = "WINHTTP_AUTOPROXY_OPTIONS@@PAUWINHTTP_PROXY_INFO@@" ascii
$s3 = "WINHTTP_CURRENT_USER_IE_PROXY_CONFIG@@" ascii
$s4 = "Cannot write a Cannot find the too long string mber of records Log malfunction! Cannot create ain an invalid ra Internal sync iright function iWaitForSingleObjffsets" ascii
$pattern = "()$^.*+?[]|\\-{},:=!" ascii
$b64 = "eyJjb25maWdfaWQiOi" wide
//$decoded = "{\"config_id\"" base64wide
condition: uint16(0) == 0x5a4d and (3 of ($s*) or ($b64 and 2 of them) or (#pattern > 3 and 2 of them))
}
rule MALWARE_Win_MiniDuke {
meta:
author = "ditekSHen"
description = "Detects MiniDuke"
strings:
$s1 = "DefPipe" fullword ascii
$s2 = "term %5d" fullword ascii
$s3 = "pid %5d" fullword ascii
$s4 = "uptime %5d.%02dh" fullword ascii
$s5 = "login: %s\\%s" fullword ascii
$s6 = "Software\\Microsoft\\ApplicationManager" ascii
$s7 = { 69 64 6c 65 ?? 00 73 74 6f 70 ?? 00 61 63 63 65 70 74 ?? 00 63 6f 6e 6e 65 63 74 ?? 00 6c 69 73 74 65 6e ?? 00 }
$net1 = "salesappliances.com" ascii
$net2 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36" fullword ascii
$net3 = "http://10." ascii
$net4 = "JiM9t8g7j8KoJkLJlKqka8dbo7q5z4v5u3o4z" ascii
$net5 = "application/octet-stream" ascii
$net6 = "Content-Disposition: form-data; name=\"%s\"; filename=\"%s\"" ascii
condition: uint16(0) == 0x5a4d and (5 of ($s*) or 4 of ($net*) or 7 of them)
}
rule MALWARE_Win_PolyglotDuke {
meta:
author = "ditekSHen"
description = "Detects PolyGlotDuke"
strings:
$s1 = { 48 b9 ff ff ff ff ff ff ff ff 51 48 23 8c 24 ?? 00 00 00 48 89 8C 24 00 00 00 00 }
$s2 = { 56 be ff ff ff ff 56 81 e6 7f }
$s3 = { 48 8b 05 19 ?4 4b 00 48 05 48 83 00 00 4c 8b 44 24 50 8b 54 24 48 48 8b }
//$s4 = { 48 8B 84 24 ?? 00 00 00 48 ?? ?? 24 ?? 00 00 00 48 89 84 24 }
condition: uint16(0) == 0x5a4d and (all of ($s*)) or
(
2 of them and
pe.exports("InitSvc")
)
}
rule MALWARE_Win_Guidlma {
meta:
author = "ditekSHen"
description = "Detects Guildma"
strings:
$v1_1 = "marxvxinhhm98.dll" fullword wide
$v1_2 = "marxvxinhhmxa.gif" fullword wide
$v1_3 = "marxvxinhhmxb.gif" fullword wide
$v1_4 = "c:\\programdata" fullword wide
$v1_5 = "\\tempa\\" fullword wide
$v2_1 = "C:\\Windows\\System32\\dllhost.exe" fullword ascii
$v2_2 = "C:\\Windows\\SysWOW64\\dllhost.exe" fullword ascii
$v2_3 = "C:\\Users\\Public\\go" fullword ascii
$v2_4 = ":%:*:/:>:C:H:W:\\:a:p:u:z:" fullword ascii
$v2_5 = ": :%:*:9:>:C:R:W:\\:k:p:u:" fullword ascii
$v2_6 = ":*:/:4:C:H:M:\\:a:f:u:z:" fullword ascii
condition: uint16(0) == 0x5a4d and 3 of ($v1*) or 5 of ($v2*)
}
rule MALWARE_Win_CyberGate {
meta:
author = "ditekSHen"
description = "Detects CyberGate/Spyrat/Rebhip RTA"
strings:
$s1 = "UnitInjectLibrary" ascii
$s2 = "TLoader" fullword ascii
$s3 = "\\\\.\\SyserDbgMsg" fullword ascii
$s4 = "\\\\.\\SyserBoot" fullword ascii
$s5 = "\\signons" ascii
$s6 = "####@####" ascii
$s7 = "XX-XX-XX-XX" fullword ascii
$s8 = "EditSvr" ascii
$s9 = "_x_X_PASSWORDLIST_X_x_" fullword ascii
$s10 = "L$_RasDefaultCredentials#0" fullword ascii
$s11 = "password" nocase ascii
condition: uint16(0) == 0x5a4d and 8 of them
}
rule MALWARE_Win_WSHRATJS {
meta:
author = "ditekSHen"
description = "Detects WSHRAT JS variants"
strings:
$charset_full = "us-ascii" nocase ascii
$charset_begin = "\"us-\"" nocase ascii
$charset_end = "Array(97,115,99,105,105)" nocase ascii
$wsc_object1 = "WScript.CreateObject(\"System.Text.UTF8Encoding" nocase ascii
$wsc_object2 = "WScript.CreateObject(\"Adodb.Stream" nocase ascii
$wsc_object3 = "WScript.CreateObject(\"Microsoft.XmlDom" nocase ascii
$s1 = "function(){return" ascii
$s2 = "}catch(err){" ascii
$s3 = "{item: \"bin.base64\"}" nocase ascii
$s4 = "* 1].item =" ascii
condition: filesize < 400KB and ($charset_full or ($charset_begin and $charset_end)) and 2 of ($wsc_object*) and 3 of ($s*)
}
rule MALWARE_Win_AsyncRAT {
meta:
author = "ditekSHen"
description = "Detects AsyncRAT"
strings:
$x1 = "AsyncRAT" fullword ascii
$x2 = "AsyncRAT 0." wide
$x3 = /AsyncRAT\s[0-9]\.[0-9]\.[0-9][A-Z]/ fullword wide
$s1 = "/create /sc onlogon /rl highest /tn" fullword wide
$s2 = "/C choice /C Y /N /D Y /T 1 & Del \"" fullword wide
$s3 = "{{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }}" fullword wide
$s4 = "Stub.exe" fullword ascii wide
$s5 = "\\nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS\\UCKH" ascii wide
$s6 = "VirtualBox" fullword ascii wide
$s7 = "/target:winexe /platform:x86 /optimize+" fullword ascii wide
$s8 = "Win32_ComputerSystem" ascii wide
$s9 = "Win32_Process Where ParentProcessID=" ascii wide
$s10 = "etirWgeR.llehShsW" ascii wide
$s11 = "usbSpread" fullword ascii wide
$cnc1 = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0" fullword ascii wide
$cnc2 = "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1" fullword ascii wide
$cnc3 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" fullword ascii wide
$cnc4 = "POST / HTTP/1.1" fullword ascii wide
condition: ((uint16(0) == 0x5a4d and filesize < 4000KB) and (1 of ($x*) or 6 of ($s*) or all of ($cnc*) or (4 of ($s*) and 2 of ($cnc*)))) or (1 of ($x*) or 6 of ($s*) or all of ($cnc*) or (4 of ($s*) and 2 of ($cnc*)))
}
rule MALWARE_Win_QuilClipper {
meta:
author = "ditekSHen"
description = "Detects QuilClipper variants mostly in memory or extracted AutoIt script"
strings:
$cnc1 = "QUILCLIPPER by" ascii
$cnc2 = "/ UserName:" ascii
$cnc3 = "/ System:" ascii
$s1 = "DLLCALL ( \"kernel32.dll\" , \"handle\" , \"CreateMutexW\" , \"struct*\"" ascii
$s2 = "SHELLEXECUTE ( @SCRIPTFULLPATH , \"\" , \"\" , FUNC_" ascii
$s3 = "CASE BITROTATE" ascii
$s4 = "CASE BITXOR" ascii
$s5 = "CLIP( FUNC_" ascii
$s6 = "CLIPPUT (" ascii
$s7 = "FUNC _CLIPPUTFILE(" ascii
$s8 = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Schedule" ascii
condition: all of ($cnc*) or all of ($s*)
}
rule MALWARE_Win_SpyEye {
meta:
author = "ditekSHen"
description = "Detects SpyEye"
strings:
$x1 = "_CLEANSWEEP_" ascii wide
$x2 = "config.datUT" fullword ascii
$x3 = "webinjects.txtUT" fullword ascii
$s1 = "confirm:processCommand" fullword ascii
$s2 = "Smth wrong with navigate to REF-PAGE (err code: %d). 0_o" fullword ascii
$s3 = "(UTC%s%2.2f) %s" fullword wide
$s4 = "M\\F;u`r" fullword ascii
$s5 = "]YH0%Yn" fullword ascii
condition: uint16(0) == 0x5a4d and (2 of ($x*) or (1 of ($x*) and 1 of ($s*)))
}
// requires Yara v4.0.2+
rule MALWARE_Win_Renamer {
meta:
author = "ditekSHen"
description = "Detects Renamer/Tainp variants"
strings:
$s1 = "shell\\open\\command=" fullword wide
$s2 = "icon=%SystemRoot%\\system32\\SHELL32.dll,4" fullword wide
$s3 = "DropTarget" ascii
$s4 = "C:\\Windows\\Paint" fullword wide
$s5 = "hold.inf" fullword wide
$s6 = "Dropped" ascii
condition: uint16(0) == 0x5a4d and all of ($s*) or
(
4 of ($s*) and
for any directory in pe.data_directories :
(
directory.virtual_address != 0 and
directory.size == 0
)
)
}
rule MALWARE_Win_Epsilon {
meta:
author = "ditekSHen"
description = "Detects Epsilon ransomware"
strings:
$s1 = ".Speak \"" wide
$s2 = "chkUpdateRegistry" fullword wide
$s3 = "/C choice /C Y /N /D Y /T 1 & Del \"" fullword wide
$s4 = "CreateObject(\"sapi.spvoice\")" fullword wide
$s5 = "READ_ME.hta" wide
$s6 = "WScript.Sleep(" wide
$s7 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" fullword wide
$s8 = "<div class='bold'>Files are encrypted* but not deleted.</div>" ascii
$e1 = { 72 00 75 00 6e 00 64 00 6c 00 6c 00 2e 00 65 00
78 00 65 00 00 09 2e 00 74 00 78 00 74 00 00 09
2e 00 64 00 6f 00 63 00 00 0b 2e 00 64 00 6f 00
63 00 78 00 00 09 2e 00 78 00 6c 00 73 00 00 0d
2e 00 69 00 6e 00 64 00 65 00 78 00 00 09 2e 00
70 00 64 00 66 00 00 09 2e 00 7a 00 69 00 70 00
00 09 2e 00 72 00 61 00 72 00 00 09 2e 00 63 00
73 00 73 00 00 09 2e 00 6c 00 6e 00 6b 00 00 0b
2e 00 78 00 6c 00 73 00 78 00 00 09 2e 00 70 00
70 00 74 00 00 0b 2e 00 70 00 70 00 74 00 78 00
00 09 2e 00 6f 00 64 00 }
$e2 = { 68 00 74 00 6d 00 00 07 2e 00 6d 00 6c 00 00 07
43 00 3a 00 5c 00 00 07 44 00 3a 00 5c 00 00 07
45 00 3a 00 5c 00 00 07 46 00 3a 00 5c 00 00 07
47 00 3a 00 5c 00 00 07 5a 00 3a 00 5c 00 00 07
41 00 3a 00 5c 00 00 0f 63 00 6d 00 64 00 2e 00
65 00 78 00 65 }
condition: uint16(0) == 0x5a4d and (6 of ($s*) or (all of ($e*) and 4 of ($s*)))
}
rule MALWARE_Win_CoreBot {
meta:
author = "ditekSHen"
description = "Detects CoreBot"
snort_sid = "920211-920212"
strings:
$f1 = "core.cert_fp" fullword ascii
$f2 = "core.crash_handler" fullword ascii
$f3 = "core.delay" fullword ascii
$f4 = "core.guid" fullword ascii
$f5 = "core.inject" fullword ascii
$f6 = "core.installed_file" fullword ascii
$f7 = "core.plugins_dir" fullword ascii
$f8 = "core.plugins_key" fullword ascii
$f9 = "core.safe_mode" fullword ascii
$f10 = "core.server" fullword ascii
$f11 = "core.servers" fullword ascii
$f12 = "core.test_env" fullword ascii
$f13 = "core.vm_detect" fullword ascii
$f14 = "core.vm_detect_skip" fullword ascii
$s1 = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko" fullword wide
$s2 = "\\Microsoft\\Windows\\AppCache" wide
$s3 = "crash_flag" fullword wide
$s4 = "container.dat" fullword wide
$s5 = "INJECTED" fullword ascii
$s6 = "tmp.delete_file" fullword ascii
// variant
$x1 = "CoreBot v" wide
$x2 = "BotName" fullword ascii
$x3 = "RunBotKiller" fullword ascii
$x4 = "botv" fullword ascii
$x5 = "\\CoreBot\\CoreBot\\obj\\" ascii
$v1_1 = "newtask" fullword wide
$v1_2 = "drivers\\etc\\hosts" fullword wide
$v1_3 = "/C schtasks /create /tn \\" wide
$v1_4 = "/st 00:00 /du 9999:59 /sc once /ri 1 /f" wide
$v1_5 = "AntivirusInstalled" fullword ascii
$v1_6 = "payload" fullword ascii
$v1_7 = "DownloadFile" fullword ascii
$v1_8 = "RemoveFile" fullword ascii
$v1_9 = "AutoRunName" fullword ascii
$v1_10 = "EditHosts" fullword ascii
$v1_11 = /127\.0\.0\.1 (avast|mcafee|eset|avira|bitdefender|bullguard|safebrowse)\.com/ fullword wide
$cnc1 = "&os=" fullword wide
$cnc2 = "&pv=" fullword wide
$cnc3 = "&ip=" fullword wide
$cnc4 = "&cn=" fullword wide
$cnc5 = "&lr=" fullword wide
$cnc6 = "&ct=" fullword wide
$cnc7 = "&bv=" fullword wide
$cnc8 = "&op=" fullword wide
$cnc9 = "&td=" fullword wide
$cnc10 = "&uni=" fullword wide
condition: uint16(0) == 0x5a4d and (5 of ($f*) or all of ($s*) or (3 of ($s*) and 2 of ($f*)) or 3 of ($x*) or 8 of ($v1*) or (4 of ($cnc*) and 4 of ($v1*)) or 12 of them)
}
rule MALWARE_Win_DLLLoader {
meta:
author = "ditekSHen"
description = "Detects unknown DLL Loader"
strings:
$s1 = "LondLibruryA" fullword ascii
$s2 = "LdrLoadDll" fullword ascii
$s3 = "snxhk.dll" fullword ascii
$s4 = "DisableThreadLibraryCalls" fullword ascii
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_Farfli {
meta:
author = "ditekSHen"
description = "Detects Farfli backdoor"
strings:
$s1 = "%ProgramFiles%\\Google\\" fullword ascii
$s2 = "%s\\%d.bak" fullword ascii
$s3 = "%s Win7" fullword ascii
$s4 = "%s:%d:%s" fullword ascii
$s5 = "C:\\2.txt" fullword ascii
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_Warezov {
meta:
author = "ditekSHen"
description = "Detects Warezov worm/downloader"
strings:
$s1 = "ft\\Windows\\CurrentVersion\\Run" wide
$s2 = "DIR%SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" wide
$s3 = "%WINDIR%\\sqhos32.wmf" wide
$s4 = "Accept: */*" fullword ascii
$s5 = "Range: bytes=" fullword ascii
$s6 = "module.exe" fullword ascii
$s7 = { 25 73 25 73 2e 25 73 ?? ?? 22 22 26 6c 79 79 56 00 00 00 00 25 73 25 30 34 64 25 30 32 64 25 30 32 64 00 }
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Win_Arechclient2 {
meta:
author = "ditekSHen"
description = "Detects Arechclient2 RAT"
strings:
$s1 = "\\Google\\Chrome\\User Data\\copiedProf\"" wide
$s2 = "\",\"BotName\":\"" wide
$s3 = "\",\"BotOS\":\"" wide
$s4 = "\",\"URLData\":\"" wide
$s5 = "{\"Type\":\"ConnectionType\",\"ConnectionType\":\"Client\",\"SessionID\":\"" wide
$s6 = "{\"Type\":\"TestURLDump\",\"SessionID\":\"" wide
$s7 = "<ReceiveParticipantList>" ascii
$s8 = "<potocSkr>" ascii
$s9 = "fuck_sd" fullword ascii
$s10 = "HandleBotKiller" fullword ascii
$s11 = "RunBotKiller" fullword ascii
$s12 = "ConnectToServer" fullword ascii
$s13 = "KillBrowsers" fullword ascii
$s14 = "keybd_event" fullword ascii
$s15 = "FuckCodeImg" fullword ascii
$v1_1 = "grabber@" fullword ascii
$v1_2 = "<BrowserProfile>k__" ascii
$v1_3 = "<SystemHardwares>k__" ascii
$v1_4 = "<geoplugin_request>k__" ascii
$v1_5 = "<ScannedWallets>k__" ascii
$v1_6 = "<DicrFiles>k__" ascii
$v1_7 = "<MessageClientFiles>k__" ascii
$v1_8 = /<Scan(Browsers|Wallets|Screen|VPN)>k__BackingField/ fullword ascii
$v1_9 = "displayName[AString-ZaString-z\\d]{2String4}\\.[String\\w-]{String6}\\.[\\wString-]{2String7}Local Extension Settingshost" wide
$v1_10 = "\\sitemanager.xml MB or SELECT * FROM Cookiesconfig" wide
condition: uint16(0) == 0x5a4d and (6 of ($s*) or 7 of ($v1*) or (6 of ($v1*) and 1 of ($s*)))
}
rule MALWARE_Win_KillMBR {
meta:
author = "ditekSHen"
description = "Detects KillMBR"
strings:
$s1 = "\\\\.\\PhysicalDrive" ascii
$s2 = "/logger.php" ascii
$s3 = "Ooops! Your MBR was been rewritten" ascii
$s4 = "No, this ransomware dont encrypt your files, erases it" ascii
condition: uint16(0) == 0x5a4d and (2 of them and #s1 > 10)
}
rule MALWARE_Win_LCPDot {
meta:
author = "ditekSHen"
description = "Detects LCPDot"
strings:
$s1 = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" fullword wide
$s2 = "Cookie: SESSID=%s" fullword ascii
$s3 = "Cookie=Enable" fullword ascii
$s4 = "Cookie=Enable&CookieV=%d&Cookie_Time=32" fullword ascii
$s5 = ".?AVTShellCodeRuner@@" fullword ascii
$s6 = ".?AVTHashEncDecoder@@" fullword ascii
$s7 = ".?AVTWebAddressList@@" fullword ascii
$s8 = "WinMain.dll" fullword ascii
$s9 = "HotPlugin" wide
$o0 = { 4c 89 6c 24 08 4c 89 34 24 44 8d 77 01 44 8d 6f }
$o1 = { 8b f0 e8 58 34 00 00 48 8b f8 48 85 c0 74 0c 48 }
$o2 = { c7 44 24 30 47 49 46 38 c7 44 24 34 39 61 27 00 }
condition: uint16(0) == 0x5a4d and 6 of ($s*) or (all of ($o*) and 3 of ($s*))
}
rule MALWARE_Win_Torisma {
meta:
author = "ditekSHen"
description = "Detects Torisma"
strings:
$s1 = "ACTION=PREVPAGE&CODE=C%s&RES=%d" fullword ascii
$s2 = "ACTION=VIEW&PAGE=%s&CODE=%s&CACHE=%s&REQUEST=%d" fullword ascii
$s3 = "ACTION=NEXTPAGE&CODE=S%s&CACHE=%s&RES=%d" fullword ascii
$s4 = "Your request has been accepted. ClientID: {" ascii
$s5 = "Proxy-Connection: Keep-Alive" fullword wide
$s6 = "Content-Length: %d" fullword wide
$o0 = { f7 f9 8b c2 89 44 24 34 48 63 44 24 34 48 8b 4c }
$o1 = { 48 c7 00 ff ff ff ff 48 8b 84 24 90 }
$o2 = { f3 aa 83 7c 24 30 01 75 34 c7 44 24 20 01 }
condition: uint16(0) == 0x5a4d and 4 of ($s*) or (all of ($o*) and 3 of ($s*))
}
rule MALWARE_Win_Thanos {
meta:
author = "ditekSHen"
description = "Detects Thanos / Prometheus / Spook ransomware"
strings:
$f1 = "<WorkerCrypter2>b__" ascii
$f2 = "<Encrypt2>b__" ascii
$f3 = "<Killproc>b__" ascii
$f4 = "<GetIPInfo>b__" ascii
$f5 = "<MacAddress>k__" ascii
$f6 = "<IPAddress>k__" ascii
$f7 = "<Crypt>b__" ascii
$s1 = "Aditional KeyId:" wide
$s2 = "process call create cmd.exe /c \\\\" wide
$s3 = "/c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin" wide
$s4 = "\\HOW_TO_DECYPHER_FILES." wide
$s5 = "Client Unique Identifier Key:" wide
$s6 = "/s /f /q c:\\*.VHD c:\\*.bac c:\\*.bak c:\\*.wbcat c:\\*.bkf c:\\Backup*.* c:\\backup*.* c:\\*.set c:\\*.win c:\\*.dsk" fullword wide
$s7 = "NtOpenProcess" fullword wide
$s8 = "Builder_Log" fullword wide
$s9 = "> Nul & fsutil file setZeroData offset=0 length=" wide
$s10 = "3747bdbf-0ef0-42d8-9234-70d68801f407" wide // mutex
$s11 = "4b195894-0f06-4fdd-afb4-b17fb9246a59" wide
$s12 = "cec564ff-2433-4771-b918-15f58ef6e26c" wide
$s13 = "56258a19-7489-468b-86ee-e7899203d67c" wide
$s14 = "WalkDirectoryTree" fullword ascii
$s15 = "hashtableLock" fullword ascii
$s16 = "get_ParentFrn" fullword ascii
$m1 = "SW5mb3JtYXRpb24uLi" wide
$m2 = "QWxsIHlvdXIgZmlsZXMgd2VyZSBlbmNyeXB0" wide
condition: uint16(0) == 0x5a4d and (5 of ($f*) or 5 of ($s*) or (4 of ($f*) and 2 of ($s*) or (all of ($m*) and 3 of them)) or 8 of them)
}
rule MALWARE_Win_TManager {
meta:
author = "ditekSHen"
description = "Detects TManager RAT. Associated with TA428"
strings:
$s1 = "WSAStartup Error!" fullword wide
$s2 = "KB3112342.LOG" fullword wide
$s3 = "\\cmd.exe -c" fullword wide
$s4 = "sock_hmutex" fullword wide
$s5 = "cmd_hmutex" fullword wide
$s6 = "powershell" fullword wide
$s7 = "%s_%d.bmp" fullword wide
$s8 = "!Error!" fullword wide
$s9 = "[Execute]" fullword ascii
$s10 = "[Snapshot]" fullword ascii
$s11 = "GetLanIP error!" fullword ascii
$s12 = "chcp & exit" fullword ascii
condition: uint16(0) == 0x5a4d and 6 of them
}
rule MALWARE_Win_Sn0wLogger {
meta:
author = "ditekSHen"
description = "Detects Sn0w Logger"
strings:
$s1 = "\\SnowP\\Example\\Secured\\" ascii
$s2 = "{0}{3}Content-Type: {4}{3}Content-Disposition: form-data; name=\"{1}\"{3}{3}{2}{3}" wide
$s3 = "\"encrypted_key\":\"(.*?)\"" fullword wide
$s4 = "<SendToDiscord>d__" ascii
$s5 = "_urlWebhook" ascii
$r1 = "[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{27}" fullword wide
$r2 = "^\\w+([-+.']\\w+)*@\\w+([-.]\\w+)*\\.\\w+([-.]\\w+)*$" fullword wide
$r3 = "mfa\\.[\\w-]{84}" fullword wide
$r4 = "(\\w+)=(\\d+)-(\\d+)$" fullword wide
condition: uint16(0) == 0x5a4d and (4 of ($s*) or (all of ($r*) and 2 of ($s*)) or 7 of them)
}
rule MALWARE_Win_DanaBot {
meta:
author = "ditekSHen"
description = "Detects DanaBot variants"
strings:
$s1 = "ms ie ftp passwords" fullword wide
$s2 = "CookieEntryEx_" fullword wide
$s3 = "winmgmts:\\\\localhost\\root\\cimv2" fullword wide
$s4 = "S-Password.txt" fullword wide
$s5 = "del_ini://Main|Password|" fullword wide
$s6 = "cmd.exe /c start chrome.exe --no-sandbox" wide
$s7 = "cmd.exe /c start firefox.exe -no-remote" wide
$s8 = "\\rundll32.exe shell32.dll,#" wide
$s9 = "S_Error:TORConnect" wide
$s10 = "InjectionProcess" fullword ascii
$s11 = "proxylogin" fullword wide
$s12 = "\\FS_Morff\\FS_Temp\\" wide
$ds1 = "C:\\Windows\\System32\\rundll32.exe" fullword wide
$ds2 = "PExtended4" fullword ascii
$ds3 = "%s-%s" fullword wide
$ds4 = "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECFD0D1D2D3D4D5D6D7D8D9DADBDCDDDEDFE0E1E2E3E4E5E6E7E8E9EAEBECEDEEEFF0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF0123456789ABCDEF" fullword wide
//$o1 = { 55 8b ec 33 c0 55 68 d7 60 4f 00 64 ff 30 64 89 }
//$o2 = { e8 45 ec f0 ff e8 3c e2 f0 ff 68 00 04 00 00 e8 }
//$o3 = { e8 98 3a f2 ff 84 c0 74 0a 8d 44 24 0c 50 e8 fe }
//$o4 = { ba 80 d7 4f 00 a1 54 90 4f 00 e8 7e 4a f1 ff e9 }
//$o5 = { 80 bc 24 4a 01 00 00 01 75 14 ba 80 d7 4f 00 a1 }
//$o6 = { ba 80 d7 4f 00 a1 80 8f 4f 00 e8 4c 4a f1 ff e9 }
condition: uint16(0) == 0x5a4d and (7 of ($s*) or all of ($ds*))
}
rule MALWARE_Win_Klackring {
meta:
author = "ditekSHen"
description = "Detects Klackring variants. Associated with ZINC / Lazarus"
strings:
$s1 = "%s\\%s.dll" fullword wide
$s2 = "cmd.exe /c move /Y %s %s" fullword wide
$s3 = "%s\\win32k.sys" fullword wide
$s4 = "NetSvcInst_Rundll32.dll" fullword ascii
$s5 = "Spectrum.dll" fullword ascii wide
$s6 = "%s\\cmd.exe" fullword wide
$s7 = ".?AVA5Stream@@" fullword ascii
condition: uint16(0) == 0x5a4d and 6 of them
}
rule MALWARE_Win_ComeBacker {
meta:
author = "ditekSHen"
description = "Detects ComeBacker variants. Associated with ZINC / Lazarus"
strings:
$s1 = "ENGINE_get_RAND" ascii
$s2 = "./{IES" fullword ascii
$s3 = "TODO: <Company name>" fullword wide
$s4 = "@Microsoft Corperation. All rights reserved." fullword wide
$s5 = "Microsoft@Windows@Operating System" fullword wide
$x1 = "C:\\Windows\\System32\\rundll32.exe %s,%s %s %s" fullword ascii wide
$x2 = "ASN2_TYPE_new" fullword ascii wide
$x3 = "SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\" fullword ascii wide
condition: uint16(0) == 0x5a4d and (all of ($s*) or all of ($x*))
}
rule MALWARE_Win_SunCrypt {
meta:
author = "ditekSHen"
description = "Detects SunCrypt ransomware"
strings:
$s1 = "-noshares" fullword wide
$s2 = "-nomutex" fullword wide
$s3 = "-noreport" fullword wide
$s4 = "-noservices" fullword wide
$s5 = "$Recycle.bin" fullword wide
$s6 = "YOUR_FILES_ARE_ENCRYPTED.HTML" fullword wide
$s7 = "\\\\?\\%c:" fullword wide
$s8 = "locker.exe" fullword ascii
$s9 = "DllRegisterServer" fullword ascii
$g1 = "main.EncFile" fullword ascii nocase
$g2 = "main.detectName" fullword ascii nocase
$g3 = "main.detectIP" fullword ascii nocase
$g4 = "main.detectDebugProc" fullword ascii nocase
$g5 = "main.Bypass" ascii nocase
$g6 = "main.allocateMemory" fullword ascii nocase
$g7 = "main.killAV" fullword ascii nocase
$g8 = "main.disableShadowCopy" fullword ascii nocase
$g9 = "main.(*windowsDrivesModel).LoadDrives" fullword ascii nocase
$g10 = "main.IsFriends" fullword ascii nocase
$g11 = "main.walkMsg" fullword ascii nocase
$g12 = "main.makeSecretMessage" fullword ascii nocase
$g13 = "main.stealFiles" fullword ascii nocase
$g14 = "main.newKey" fullword ascii nocase
$g15 = "main.openBrowser" fullword ascii nocase
$g16 = "main.killProc" fullword ascii nocase
$g17 = "main.selfRemove" fullword ascii nocase
$m1 = "<h2>\\x20Offline\\x20HowTo\\x20</h2>\\x0a\\x09\\x09\\x09\\x09<p>Copy\\x20&\\x20Paste\\x20this\\x20message\\x20to" ascii
$m2 = "\\x20restore\\x20your\\x20files." ascii
$m3 = "\\x20your\\x20documents\\x20and\\x20files\\x20encrypted" ascii
$m4 = "\\x20lose\\x20all\\x20of\\x20your\\x20data\\x20and\\x20files." ascii
$m5 = ",'/#/client/','<h2>\\x20Whats\\x20Happen" ascii
condition: uint16(0) == 0x5a4d and (5 of ($s*) or 6 of ($g*) or 3 of ($m*))
}
rule MALWARE_Win_Zegost {
meta:
author = "ditekSHen"
description = "Detects Zegost"
strings:
$s1 = "rtvscan.exe" fullword ascii
$s2 = "ashDisp.exe" fullword ascii
$s3 = "KvMonXP.exe" fullword ascii
$s4 = "egui.exe" fullword ascii
$s5 = "avcenter.exe" fullword ascii
$s6 = "K7TSecurity.exe" fullword ascii
$s7 = "TMBMSRV.exe" fullword ascii
$s8 = "RavMonD.exe" fullword ascii
$s9 = "kxetray.exe" fullword ascii
$s10 = "mssecess.exe" fullword ascii
$s11 = "QUHLPSVC.EXE" fullword ascii
$s12 = "360tray.exe" fullword ascii
$s13 = "QQPCRTP.exe" fullword ascii
$s14 = "knsdtray.exe" fullword ascii
$s15 = "V3Svc.exe" fullword ascii
$s16 = "??1_Winit@std@@QAE@XZ" fullword ascii
$s17 = "ClearEventLogA" fullword ascii
$s18 = "SeShutdownPrivilege" fullword ascii
$s19 = "%s\\shell\\open\\command" fullword ascii
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_GENERIC01 {
meta:
author = "ditekSHen"
description = "Detects known unamed malicious executables, mostly DLLs"
strings:
$s1 = "\\wmkawe_%d.data" ascii
$s2 = "\\resmon.resmoncfg" ascii
$s3 = "ByPassUAC" fullword ascii
$s4 = "rundll32.exe C:\\ProgramData\\Sandboxie\\SbieMsg.dll,installsvc" fullword ascii nocase
$s5 = "%s\\SbieMsg." ascii
$s6 = "Stupid Japanese" fullword ascii
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_GENERIC02 {
meta:
author = "ditekSHen"
description = "Detects known unamed malicious executables"
strings:
$s1 = "{%s-%d-%d}" fullword wide
$s2 = "update" fullword wide
$s3 = "https://" fullword wide
$s4 = "http://" fullword wide
$s5 = "configure" fullword ascii
$s6 = { 8d 4f 02 e8 8c ff ff ff 8b d8 81 fb 00 dc 00 00 }
$s7 = { 83 c1 02 e8 3c ff ff ff 8b c8 ba ff 03 00 00 8d }
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_DLAgent06 {
meta:
author = "ditekSHen"
description = "Detects known downloader agent downloading encoded binaries in patches"
snort2_sid = "920122"
snort3_sid = "920119"
strings:
$s1 = "totallist" fullword ascii wide
$s2 = "LINKS_HERE" fullword wide
$s3 = "[SPLITTER]" fullword wide
$var2_1 = "DownloadWeb" fullword ascii
$var2_2 = "WriteByte" fullword ascii
$var2_3 = "MemoryStream" fullword ascii
$var2_4 = "DownloadString" fullword ascii
$var2_5 = "WebClient" fullword ascii
condition: uint16(0) == 0x5a4d and ((all of ($s*) and 2 of ($var2*)) or (4 of ($var2*) and 2 of ($s*)))
}
rule MALWARE_Win_PWSH_PoshKeylogger {
meta:
author = "ditekSHen"
description = "Detects PowerShell PoshKeylogger"
strings:
$s1 = "::GetKeyboardState" ascii
$s2 = "GetAsyncKeyState(" ascii
$s3 = "::MapVirtualKey(" ascii
$s4 = "::GetAsyncKeyState" ascii
$s5 = "Start-Sleep" ascii
$s6 = "send-mailmessage" ascii
$s7 = "[System.IO.File]::AppendAllText($" ascii
$s8 = "new-object Management.Automation.PSCredential $" ascii
condition: 6 of them
}
rule MALWARE_Win_FujinamaRAT {
meta:
author = "ditekSHen"
description = "Detects FujinamaRAT"
snort2_sid = "920124"
snort3_sid = "920121"
strings:
$s1 = "GetAsyncKeyState" fullword ascii
$s2 = "HTTP/1.0" fullword wide
$s3 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" fullword wide
$s4 = "frmMain" fullword ascii
$s5 = "G<=>?@ABGGGGGGGGGGGGGGGGGGGGGGGGGGCDEF" fullword ascii
$s6 = "VBA6.DLL" fullword ascii
$s7 = "t_save" fullword ascii
condition: uint16(0) == 0x5a4d and 6 of them
}
rule MALWARE_Win_Phorpiex {
meta:
author = "ditekSHen"
description = "Detects Phorpiex variants"
strings:
$s1 = "ShEllExECutE=__\\DriveMgr.exe" fullword wide nocase
$s2 = "/c start __ & __\\DriveMgr.exe & exit" fullword wide nocase
$s3 = "%s\\autorun.inf" fullword wide
$s4 = "svchost." wide
$s5 = "%ls\\%d%d" wide
$s6 = "bitcoincash:" ascii
$s7 = "%ls:*:Enabled:%ls" fullword wide
$s8 = "%s\\%s\\DriveMgr.exe" fullword wide
$s9 = "api.wipmania.com" ascii
$v1_1 = "%appdata%" fullword wide
$v1_2 = "(iPhone;" ascii
$v1_3 = "/tst.php" ascii
condition: uint16(0) == 0x5a4d and (5 of ($s*) or all of ($v1*))
}
rule MALWARE_Win_EXEPWSH_DLAgent {
meta:
author = "ditekSHen"
description = "Detects SystemBC"
strings:
$pwsh = "powershell" fullword ascii
$bitstansfer = "Start-BitsTransfer" ascii wide
$s1 = "GET %s HTTP/1" ascii
$s2 = "User-Agent:" ascii
$s3 = "-WindowStyle Hidden -ep bypass -file \"" fullword ascii
$s4 = "LdrLoadDll" fullword ascii
$v1 = "BEGINDATA" fullword ascii
$v2 = /HOST\d:/ ascii
$v3 = /PORT\d:/ ascii
$v4 = "TOR:" fullword ascii
$v5 = "Fwow64" fullword ascii
$v6 = "start" fullword ascii
condition: uint16(0) == 0x5a4d and (($pwsh and ($bitstansfer or 2 of ($s*))) or (5 of ($v*)))
}
rule MALWARE_Win_HDLocker {
meta:
author = "ditekSHen"
description = "Detects HDLocker ransomware"
strings:
$s1 = "HDLocker_" fullword ascii
$s2 = ".log" fullword ascii
$s3 = "Scripting.FileSystemObject" fullword ascii
$s4 = "Boot" fullword ascii
$s5 = "hellwdo" fullword ascii
$s6 = "blackmoon" fullword ascii
$s7 = "BlackMoon RunTime Error:" ascii
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_Vovalex {
meta:
author = "ditekSHen"
description = "Detects Vovalex ransomware"
strings:
$s1 = "README.VOVALEX.txt" fullword ascii
$s2 = "\\src\\phobos\\std\\" ascii
$s3 = "LoadLibraryA(\"Advapi32.dll\")" fullword ascii
$s4 = "Failed to spawn process \"" fullword ascii
$s5 = "=== Bypassed ===" fullword ascii
$s6 = "If you don't know where to buy" ascii
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Win_Dharma {
meta:
author = "ditekSHen"
description = "Detects Dharma ransomware"
strings:
$s1 = "C:\\crysis\\Release\\PDB\\payload.pdb" fullword ascii
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_CryptoLocker {
meta:
author = "ditekSHen"
description = "Detects Cryptolocker ransomware variants (Betarasite)"
strings:
$x1 = "CryptoLocker" fullword wide
$x2 = ".betarasite" fullword wide
$x3 = "CMSTPBypass" fullword ascii
$s1 = "CommandToExecute" fullword ascii
$s2 = "SetInfFile" fullword ascii
$s3 = "SchoolPrject1" ascii
$s4 = "$730d5f64-bd57-47c1-9af4-d20aec714d02" fullword ascii
$s5 = "Encrypt" fullword ascii
$s6 = "Invalide Key! Please Try Again." fullword wide
$s7 = "RegAsm" fullword wide
$s8 = "Your key will be destroyed" wide
$s9 = "encrypted using RC4 and RSA-2048" wide
$c1 = "https://coinbase.com" fullword wide
$c2 = "https://localbictoins.com" fullword wide
$c3 = "https://bitpanda.com" fullword wide
condition: uint16(0) == 0x5a4d and (all of ($x*) or all of ($s*) or (2 of ($x*) and 5 of ($s*)) or (all of ($c*) and 1 of ($x*) and 2 of ($s*)))
}
rule MALWARE_Win_PWSH_PoshWiFiStealer {
meta:
author = "ditekSHen"
description = "Detects PowerShell PoshWiFiStealer"
strings:
$s1 = "netsh wlan export profile" ascii
$s2 = "Send-MailMessage" ascii
$u1 = "https://github.com/axel05869/Wifi-Grab" ascii
$u2 = "/exploitechx/wifi-password-extractor" ascii
condition: all of ($s*) or all of ($u*)
}
rule MALWARE_Win_SteamHook {
meta:
author = "ditekSHen"
description = "Detects potential Steam stealer"
strings:
$s1 = "Mozilla/4.0 (compatible; )" fullword ascii
$s2 = "/steam/upload.php" ascii
$s3 = ".*?(ssfn\\d+)" fullword ascii
$s4 = "add cookie failed..." fullword ascii
$s5 = "Content-Type: multipart/form-data; boundary=--MULTI-PARTS-FORM-DATA-BOUNDARY" fullword ascii
$pdb1 = "\\SteamHook\\Install\\" ascii
$pdb2 = "\\SteamHook\\dll\\" ascii
condition: uint16(0) == 0x5a4d and (all of ($s*) or all of ($pdb*) or (1 of ($pdb*) and 3 of ($s*)))
}
rule MALWARE_Win_NetWire {
meta:
author = "ditekSHen"
description = "Detects NetWire RAT"
strings:
$x1 = "SOFTWARE\\NetWire" fullword ascii
$x2 = { 4e 65 74 57 69 72 65 00 53 4f 46 54 57 41 52 45 5c 00 }
$s1 = "User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" fullword ascii
$s2 = "filenames.txt" fullword ascii
$s3 = "GET %s HTTP/1.1" fullword ascii
$s4 = "[%.2d/%.2d/%d %.2d:%.2d:%.2d]" fullword ascii
$s5 = "Host.exe" fullword ascii
$s6 = "-m \"%s\"" fullword ascii
$g1 = "HostId" fullword ascii
$g2 = "History" fullword ascii
$g3 = "encrypted_key" fullword ascii
$g4 = "Install Date" fullword ascii
$g5 = "hostname" fullword ascii
$g6 = "encryptedUsername" fullword ascii
$g7 = "encryptedPassword" fullword ascii
condition: uint16(0) == 0x5a4d and (all of ($s*) or all of ($x*) or (1 of ($x*) and 2 of ($s*)) or (all of ($g*) and (2 of ($s*) or 1 of ($x*))))
}
rule MALWARE_Win_BreakStaf {
meta:
author = "ditekSHen"
description = "Detects BreakStaf ransomware"
strings:
$s1 = "C:\\Program files" wide
$s2 = "C:\\Program files (x86)" wide
$s3 = "C:\\System Volume Information" wide
$s4 = "C:\\$Recycle.Bin" wide
$s5 = "C:\\Windows" wide
$s6 = ".?AVRandomNumberGenerator@Crypto" ascii
$s7 = ".?AV?$SymmetricCipherFinal@" ascii
$s8 = ".breakstaf" fullword wide nocase
$s9 = "readme.txt" fullword wide nocase
$s10 = ".VHD" fullword wide nocase
$s11 = ".vhdx" fullword wide nocase
$s12 = ".BAK" fullword wide nocase
$s13 = ".BAC" fullword wide nocase
condition: uint16(0) == 0x5a4d and 12 of them
}
rule MALWARE_Win_Kitty {
meta:
author = "ditekSHen"
description = "Detects HelloKitty ransomware, triggers on FIVEHANDS"
strings:
$s1 = "Kitty" wide
$s2 = "-path" fullword wide
$s3 = "select * from Win32_ShadowCopy" fullword wide
$s4 = "Win32_ShadowCopy.ID='%s'" fullword wide
$s5 = "programdata" fullword wide
$s6 = "$recycle.bin" fullword wide
$s7 = ".crypt" fullword wide
$s8 = "%s/secret/%S" wide
$s9 = "decrypts3nln3tic.onion" wide
$n1 = "read_me_lkd.txt" wide
$n2 = "DECRYPT_NOTE.txt" wide
condition: uint16(0) == 0x5a4d and (5 of ($s*) or 1 of ($n*) and 4 of ($s*))
}
rule MALWARE_Win_DLAgent07 {
meta:
author = "ditekSHen"
description = "Detects delf downloader agent"
strings:
$s1 = "C:\\Users\\Public\\Libraries\\temp" fullword ascii
$s2 = "SOFTWARE\\Borland\\Delphi" ascii
$s3 = "Mozilla/5.0(compatible; WinInet)" fullword ascii
$o1 = { f3 a5 e9 6b ff ff ff 5a 5d 5f 5e 5b c3 a3 00 40 }
$o2 = { e8 83 d5 ff ff 8b 15 34 40 41 00 89 10 89 58 04 }
$o3 = { c3 8b c0 53 51 e8 f1 ff ff ff 8b d8 85 db 74 3e }
$o4 = { e8 5c e2 ff ff 8b c3 e8 b9 ff ff ff 89 04 24 83 }
$o5 = { 85 c0 74 1f e8 62 ff ff ff a3 98 40 41 00 e8 98 }
$o6 = { 85 c0 74 19 e8 be ff ff ff 83 3d 98 40 41 00 ff }
$x1 = "22:40:08 \"> <rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"> <rdf:Description rdf:about=\"\"" ascii
$x2 = "uuid:A9BD8E384B2FDE118D26E6EE744C235C\" stRef:documentID=\"uuid:A8BD8E384B2FDE118D26E6EE744C235C\"/>" ascii
condition: uint16(0) == 0x5a4d and ((2 of ($s*) and 5 of ($o*)) or (all of ($s*) and 2 of ($o*)) or (all of ($x*) and 2 of them))
}
rule MALWARE_Win_Clop {
meta:
author = "ditekSHen"
description = "Detects Clop ransomware variants"
strings:
$x1 = "Cllp^_-" ascii
$s2 = "temp.dat" fullword wide
$s3 = "README_README.txt" wide
$s4 = "BEGIN PUBLIC KEY" ascii
$s5 = "runrun" wide
$s6 = "wevtutil.exe" ascii
$s7 = "%s%s.Cllp" fullword wide
$s8 = "WinCheckDRVs" fullword wide
$o1 = { 6a ff 56 89 9d 28 dd ff ff ff d0 a1 64 32 41 00 }
$o2 = { 56 89 9d 28 dd ff ff ff 15 78 32 41 00 eb 07 43 }
$o3 = { 68 ?? 34 41 00 8d 85 58 dd ff ff 50 ff d7 85 c0 }
$o4 = { 68 d0 34 41 00 50 ff d6 8b bd 28 d5 ff ff 83 c4 }
$o5 = { a1 64 32 41 00 43 56 89 9d 08 d5 ff ff ff d0 8b }
condition: uint16(0) == 0x5a4d and (all of ($s*) or (1 of ($x*) and (3 of ($s*) or 4 of ($o*))) or (all of ($o*) and 2 of ($s*)) or (4 of ($s*) and 4 of ($o*)))
}
rule MALWARE_Win_Maktub {
meta:
author = "ditekSHen"
description = "Detects Maktub ransomware"
strings:
$s1 = "Content-Disposition: attachment; filename=" ascii
$s2 = "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" fullword ascii
$s3 = "/tor/status-vote/current/consensus" ascii
$s4 = "/tor/server/fp/" ascii
$s5 = "/tor/rendezvous2/" ascii
$s6 = "404 Not found" fullword ascii
$s7 = /_request@\d+/ fullword ascii
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_PWSHLoader_RunPE01 {
meta:
author = "ditekSHen"
description = "Detects PowerShell PE loader / executer. Observed Gorgon TTPs"
strings:
$rp1 = "GetType('RunPe.RunPe'" ascii
$rp2 = "GetType(\"RunPe.RunPe\"" ascii
$rm1 = "GetMethod('Run'" ascii
$rm2 = "GetMethod(\"Run\"" ascii
$s1 = ".Invoke(" ascii
$s2 = "[Reflection.Assembly]::Load(" ascii
condition: all of ($s*) and 1 of ($rp*) and 1 of ($rm*)
}
rule MALWARE_Win_PWSHLoader_RunPE02 {
meta:
author = "ditekSHen"
description = "Detects PowerShell PE loader / executer. Observed Gorgon TTPs"
strings:
$s1 = "'.Replace('" ascii nocase
$s2 = "'aspnet_compiler.exe'" ascii
$s3 = "[Byte[]]$" ascii
$pe1 = "(77,90," ascii
$pe2 = "='4D5A" ascii
condition: all of ($s*) and (#pe1 > 1 or #pe2 > 1) and #s1 > 4
}
rule MALWARE_Win_PELoader_RunPE {
meta:
author = "ditekSHen"
description = "Detects PE loader / injector. Observed Gorgon TTPs"
strings:
$s1 = "commandLine'" fullword ascii
$s2 = "RunPe.dll" fullword ascii
$s3 = "HandleRun" fullword ascii
$s4 = "inheritHandles" fullword ascii
$s5 = "BlockCopy" fullword ascii
$s6 = "WriteProcessMemory" fullword ascii
$s7 = "startupInfo" fullword ascii
condition: uint16(0) == 0x5a4d and 6 of them
}
rule MALWARE_Win_PELoader_INF {
meta:
author = "ditekSHen"
description = "Detects PE loader / injector. Potentical HCrypt. Observed Gorgon TTPs"
strings:
$x1 = "Managament.inf" fullword ascii
$x2 = "rOnAlDo" fullword ascii
$x3 = "untimeResourceSet" fullword ascii
$x4 = "3System.Resources.Tools.StronglyTypedResourceBuilder" fullword ascii
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_DLAgent08 {
meta:
author = "ditekSHen"
description = "Detects known downloader agent downloading encoded binaries in patches"
snort2_sid = "920122"
snort3_sid = "920119"
strings:
$pat = /\/base\/[A-F0-9]{32}\.html/ ascii wide
condition: uint16(0) == 0x5a4d and $pat and #pat > 1
}
rule MALWARE_Win_DoejoCrypt {
meta:
author = "ditekSHen"
description = "Detects DoejoCrypt / DearCry ransomware"
strings:
$s1 = "DEARCRY!" fullword ascii
$s2 = ".CRYPT" fullword ascii
$s3 = "\\EncryptFile -svcV2\\" ascii
$s4 = "please send me the following hash!" ascii
$s5 = "dear!!!" fullword ascii
$s6 = "/readme.txt" fullword ascii
$o1 = { c3 8b 65 e8 c7 45 fc fe ff ff ff 8b b5 f4 e9 ff }
$o2 = { 0f 8c 27 ff ff ff 33 db 57 e8 7b 36 00 00 eb 0a }
$o3 = { 0f 8c 2a ff ff ff 53 57 e8 b7 42 00 00 8b 4c 24 }
condition: uint16(0) == 0x5a4d and 4 of ($s*) or (all of ($o*) and (2 of ($s*)))
}
rule MALWARE_Win_SunShuttle {
meta:
author = "ditekSHen"
description = "Detects SunShuttle / GoldMax"
strings:
$s1 = "main.beaconing" fullword ascii
$s2 = "main.clean_file" fullword ascii
$s3 = "main.decrypt" fullword ascii
$s4 = "main.define_internal_settings" fullword ascii
$s5 = "main.delete_empty" fullword ascii
$s6 = "main.encrypt" fullword ascii
$s7 = "main.false_requesting" fullword ascii
$s8 = "main.removeBase64Padding" fullword ascii
$s9 = "main.resolve_command" fullword ascii
$s10 = "main.retrieve_session_key" fullword ascii
$s11 = "main.save_internal_settings" fullword ascii
$s12 = "main.send_command_result" fullword ascii
$s13 = "main.send_file_part" fullword ascii
$s14 = "main.wget_file" fullword ascii
$s15 = "main.write_file" fullword ascii
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_RanzyLocker {
meta:
author = "ditekSHen"
description = "Detects RanzyLocker / REntS ransomware"
strings:
$hr1 = "776261646D696E2044454C4554452053595354454D53544154454241434B5550" ascii // wbadmin DELETE SYSTEMSTATEBACKUP
$hr2 = "776D69632E65786520534841444F57434F5059202F6E6F696E746572616374697665" ascii // wmic.exe SHADOWCOPY /nointeractive
$hr3 = "626364656469742E657865202F736574207B64656661756C747D207265636F76657279656E61626C6564204E6F" ascii // bcdedit.exe /set {default} recoveryenabled No
$hr4 = "776261646D696E2044454C4554452053595354454D53544154454241434B5550202D64656C6574654F6C64657374" ascii // wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
$hr5 = "626364656469742E657865202F736574207B64656661756C747D20626F6F74737461747573706F6C6963792069676E6F7265616C6C6661696C75726573" ascii // bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
$hr6 = "76737361646D696E2E6578652044656C65746520536861646F7773202F416C6C202F5175696574" ascii // vssadmin.exe Delete Shadows /All /Quiet
$hx1 = "476C6F62616C5C33353335354641352D303745392D343238422D423541352D314338384341423242343838" ascii // Global\35355FA5-07E9-428B-B5A5-1C88CAB2B488 (mutex)
$hx2 = "534F4654574152455C4D6963726F736F66745C45524944" ascii // SOFTWARE\Microsoft\ERID
$hx3 = "227375626964223A22" ascii // subid
$hx4 = "226E6574776F726B223A22" ascii // network
$hx5 = "726561646D652E747874" ascii // readme.txt
$hx6 = "-nolan" fullword wide
$o1 = { 8d 45 e9 89 9d 54 ff ff ff 88 9d 44 ff ff ff 3b }
$o2 = { 8b 44 24 2? 8b ?c 24 34 40 8b 54 24 38 89 44 24 }
$o3 = { 8b 44 24 2? 8b ?c 24 1c 89 44 24 34 8b 44 24 28 }
$o4 = { 8b 44 24 2? 8b ?c 24 34 05 00 00 a0 00 89 44 24 }
condition: uint16(0) == 0x5a4d and (all of ($hx*) or (2 of ($hr*) and 2 of ($hx*)) or (all of ($o*) and 2 of ($h*)))
}
rule MALWARE_Win_WobbyChipMBR {
meta:
author = "ditekSHen"
description = "Detects WobbyChipMBR / Covid-21 ransomware"
strings:
$x1 = "You became a Victim of the Covid-21 Ransomware" ascii wide
$x2 = "Reinstalling Windows has been blocked" ascii wide
$x3 = "Enter Decryption Key:" ascii wide
$x4 = "encrypted with military grade encryption" ascii wide
$s1 = "schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR" ascii
$s2 = "\\EFI\\Boot\\bootx64.efi" ascii wide
$s3 = "DumpHex" fullword ascii
$s4 = "TFTP Error" fullword wide
$s5 = "HD(Part%d,MBRType=%02x,SigType=%02x)" fullword wide
condition: uint16(0) == 0x5a4d and (3 of ($x*) or all of ($s*) or (1 of ($x*) and 2 of ($s*)))
}
rule MALWARE_Win_Snatch {
meta:
author = "ditekSHen"
description = "Detects Snatch / GoRansome / MauriGo ransomware"
strings:
$s1 = "main.encryptFile" ascii
$s2 = "main.encryptFileExt" ascii
$s3 = "main.deleteShadowCopy" ascii
$s4 = "main.Shadow" fullword ascii
$s5 = "main.RecoverMe" fullword ascii
$s6 = "main.EncryptWithPublicKey" ascii
$s7 = "main.EncoderLookupDir" fullword ascii
$s8 = "main.ALIGNUP" fullword ascii
$s9 = "main.encrypt" fullword ascii
$s10 = "github.com/mauri870/ransomware" ascii
$m1 = "Dear You, ALl Your files On YOUR network computers are encrypted" ascii
$m2 = "You have to pay the ransom of %s USD in bitcoins to the address" ascii
$m3 = "REMEMBER YOU FILES ARE IN SAVE HANDS AND WILL BE RESTORED OR RECOVERED ONCE PAYMENT IS DONE" ascii
$m4 = ":HELP FEEED A CHILD:" ascii
$m5 = ">SYSTEM NETWORK ENCRYPTED<" ascii
$m6 = "YOUR IDENTIFICATION : %s" ascii
$m7 = "convince you of our honesty" ascii
$m8 = "use TOR browser to talk with support" ascii
$m9 = "encrypted and attackers are taking" ascii
$p1 = "/Go/src/kitty/kidrives/" ascii
$p2 = "/LGoGo/encoder.go" ascii nocase
$p3 = "/Go/src/kitty/kidata/" ascii
condition: uint16(0) == 0x5a4d and (3 of ($s*) or 2 of ($m*) or (1 of ($m*) and 1 of ($s*)) or (all of ($p*) and (1 of ($s*) or 1 of ($m*))))
}
rule MALWARE_Win_Meteorite {
meta:
author = "ditekSHen"
description = "Detects Meteorite downloader"
strings:
$x1 = "MeteoriteDownloader" fullword ascii wide
$x2 = "Meteorite Downloader" fullword ascii wide
$x3 = "Meteorite Downloader v" wide
$s1 = "regwrite" fullword wide
$s2 = "urlmon" fullword ascii
$s3 = "wscript.shell" fullword wide
$s4 = "modMain" fullword ascii
$s5 = "VBA6.DLL" fullword ascii
$s6 = "^_http" ascii
condition: uint16(0) == 0x5a4d and (1 of ($x*) or (5 of ($s*)))
}
rule MALWARE_Win_LegionLocker {
meta:
author = "ditekSHen"
description = "Detects LegionLocker ransomware"
strings:
$m1 = "+Do not run task manager, powershell, cmd etc." ascii wide
$m2 = "3 hours your files will be deleted." ascii wide
$m3 = "files have been encrypted by Legion Locker" ascii wide
$s1 = "passwordBytes" fullword ascii
$s2 = "_start_enc_" ascii
$s3 = "_del_desktop_" ascii
$s4 = "Processhacker" wide
$s5 = "/k color 47 && del /f /s /q %userprofile%\\" wide
$s6 = "Submit code" fullword wide
$pdb1 = "\\obj\\Debug\\LegionLocker.pdb" ascii
$pdb2 = "\\obj\\Release\\LegionLocker.pdb" ascii
condition: uint16(0) == 0x5a4d and (1 of ($m*) or 1 of ($pdb*) or 4 of ($s*))
}
rule MALWARE_Win_DLAgentGo {
meta:
author = "ditekSHen"
description = "Detects Go-based downloader"
strings:
$s1 = "main.downloadFile" fullword ascii
$s2 = "main.fetchFiles" fullword ascii
$s3 = "main.createDefenderAllowanceException" fullword ascii
$s4 = "main.unzip" fullword ascii
$s5 = "HideWindow" fullword ascii
$s6 = "/go/src/installwrap/main.go" ascii
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Win_BlackMoon {
meta:
author = "ditekSHen"
description = "Detects executables using BlackMoon RunTime"
strings:
$s1 = "blackmoon" fullword ascii
$s2 = "BlackMoon RunTime Error:" fullword ascii
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_IceID {
meta:
author = "ditekSHen"
description = "Detects IceID / Bokbot variants"
strings:
$n1 = "POST" fullword wide
$n2 = "; _gat=" fullword wide
$n3 = "; _ga=" fullword wide
$n4 = "; _u=" fullword wide
$n5 = "; __io=" fullword wide
$n6 = "; _gid=" fullword wide
$n7 = "Cookie: __gads=" fullword wide
$s1 = "c:\\ProgramData" ascii
$s2 = "loader_dll_64.dll" fullword ascii
$s3 = "loader_dll_32.dll" fullword ascii
$s4 = "/?id=%0.2X%0.8X%0.8X%s" ascii
$s5 = "%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.8X" ascii
condition: uint16(0) == 0x5a4d and ((all of ($n*) and 1 of ($s*)) or (3 of ($s*) and 1 of ($n*)))
}
rule MALWARE_Win_Purge {
meta:
author = "ditekSHen"
description = "Detects Purge ransomware"
strings:
$n1 = "imagesave/imagesize.php" ascii
$n2 = "imageinfo.html" ascii
$n3 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" ascii
$n4 = "Content-Type: application/x-www-form-urlencoded" ascii
$m1 = "YOUR_ID: %x%x" wide
$m2 = "Specially for your PC was generated personal" wide
$m3 = "which is on our Secret Server" wide
$m4 = "wait for a miracle and get your price" wide
$s1 = "%s\\SpyHunter Remove Ransomware" wide
$s2 = "$recycle.bin" fullword wide
$s3 = "TheEnd" fullword wide
$s4 = "%s\\HELP_DECRYPT_YOUR_FILES.TXT" fullword wide
$s5 = "%s.id_%x%x_email_" wide
$s6 = "scmd" fullword wide
$s7 = "process call create \"%s\"" wide
$s8 = "FinishEnds" fullword ascii
condition: uint16(0) == 0x5a4d and (all of ($s*) or all of ($n*) or 2 of ($m*) or (3 of ($s*) and (1 of ($n*) or 1 of ($m*))))
}
rule MALWARE_Win_NjRAT {
meta:
author = "ditekSHen"
description = "Detects NjRAT / Bladabindi / NjRAT Golden"
strings:
$x1 = /Njrat\s\d+\.\d+\sGolden\s/ wide
$s1 = /\sfirewall\s(add|delete)\sallowedprogram/ wide
$s2 = { 63 00 6d 00 64 00 2e 00 65 00 78 00 65 00 20 00 2f 00 (63|6b) 00 20 00 70 00 69 00 6e 00 67 }
$s3 = "Execute ERROR" wide
$s4 = "Download ERROR" wide
$s5 = "[kl]" fullword wide
$s6 = "UploadValues" fullword wide
$s7 = "winmgmts:\\\\.\\root\\SecurityCenter2" fullword wide
$s8 = "HideM" fullword wide
$s9 = "No Antivirus" fullword wide
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Win_DarkTrackRAT {
meta:
author = "ditekSHen"
description = "Detects OzoneRAT / DarkTrack / DarkSky"
strings:
$x1 = "Klog.dat" ascii
$x2 = "I_AM_DT" ascii
$x3 = " Alien" ascii
$x4 = "Local Victim" ascii
$x5 = "Dtback\\AlienEdition\\Server\\SuperObject.pas" ascii
$x6 = "].encryptedUsername" ascii
$x7 = "].encryptedPassword" ascii
$x8 = { 49 41 4d [6] 44 41 52 [0-2] 4b [6] 44 54 41 43 4b }
$s1 = "AntiVirusProduct" ascii
$s2 = "AntiSpywareProduct" ascii
$s3 = "ConnectServer" ascii
$s4 = "ExecQuery" ascii
$s5 = "\\Drivers\\Etc\\Hosts" fullword ascii
$s6 = "BTMemoryLoadLibary: Get DLLEntyPoint" ascii
$s7 = "\\\\.\\SyserDbgMsg" fullword ascii
$s8 = "\\\\.\\SyserBoot" fullword ascii
condition: uint16(0) == 0x5a4d and (4 of ($x*) or 6 of ($s*))
}
rule MALWARE_Win_Godzilla {
meta:
author = "ditekSHen"
description = "Detects Godzilla loader"
strings:
$x1 = "MSVBVM60.DLL" fullword ascii
$x2 = "Loginserver8" fullword ascii
$x3 = "Proflogger7" fullword ascii
$s1 = "Badgeless5" fullword ascii
$s2 = "Montebrasite3" fullword ascii
$s3 = "Atelomyelia4" fullword ascii
$s4 = "Xxencoded5" fullword ascii
$s5 = "Garneau2" fullword ascii
$s6 = "Hypostasis0" fullword ascii
$s7 = "Piarhemia4" fullword ascii
$s8 = "Foredestine8" fullword ascii
condition: uint16(0) == 0x5a4d and all of ($x*) and 2 of ($s*)
}
rule MALWARE_Win_UNK03 {
meta:
author = "ditekSHen"
description = "Detects unknown malware"
strings:
$s1 = "Software\\Microsoft\\Windows\\CurrentVersion" ascii
$s2 = "rundll32.exe C:\\Windows\\System32\\shimgvw.dll,ImageView_Fullscreen %s" ascii
$s3 = "%s.jpg" ascii
$s4 = "%s\\sz.txt" ascii
$s5 = "ChromeSecsv9867%d7.exe" ascii
$s6 = "%s\\appl%c.jpg" ascii
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_UNK04 {
meta:
author = "ditekSHen"
description = "Detects unknown malware (proxy tool)"
strings:
$x1 = "127.0.0.1/%d" fullword ascii
$x2 = "SYSTEM\\CurrentControlSet\\SERVICES\\PORTPROXY\\V4TOV4\\TCP" fullword ascii
$x3 = "%s rundll32.exe" fullword ascii
$s1 = "kxetray.exe" fullword ascii
$s2 = "ksafe.exe" fullword ascii
$s3 = "Mcshield.exe" fullword ascii
$s4 = "Miner.exe" fullword ascii
condition: uint16(0) == 0x5a4d and all of ($x*) and 2 of ($s*)
}
rule MALWARE_Win_Karkoff {
meta:
author = "ditekSHen"
description = "Detects Karkoff"
strings:
$x1 = "C:\\Windows\\Temp\\MSEx_log.txt" fullword wide
$x2 = "CMD.exe" fullword wide
$x3 = "Karkoff.ProjectInstaller.resources" fullword ascii
$s1 = /try\shttp(s)?\s(ip|domain)/ fullword wide
$s2 = "Reg cleaned!" fullword wide nocase
$s3 = "Content-Disposition: form-data; name=\"{1}\"" fullword wide
$s4 = "^[A-Fa-f0-9]{8}-([A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}$" fullword wide
$s5 = "new backdoor" fullword wide
condition: uint16(0) == 0x5a4d and (all of ($x*) or 4 of ($s*) or (2 of ($x*) and 2 of ($s*)))
}
rule MALWARE_Win_DLAgent09 {
meta:
author = "ditekSHen"
description = "Detects known downloader agent"
strings:
$h1 = "//:ptth" ascii wide nocase
$h2 = "//:sptth" ascii wide nocase
$s1 = "DownloadString" fullword ascii wide
$s2 = "StrReverse" fullword ascii wide
$s3 = "FromBase64String" fullword ascii wide
$s4 = "WebClient" fullword ascii wide
condition: uint16(0) == 0x5a4d and (1 of ($h*) and all of ($s*))
}
rule MALWARE_Win_CoinMiningBot {
meta:
author = "ditekSHen"
description = "Detects coinmining bot"
strings:
$s1 = "FullScreenDetect" fullword ascii
$s2 = "GetChildProcesses" fullword ascii
$s3 = "HideBotPath" fullword ascii
$s4 = "Inject" fullword ascii
$s5 = "DownloadFile" fullword ascii
$s6 = "/Data/GetUpdateInfo" wide
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_FYAnti {
meta:
author = "ditekSHen"
description = "Hunt for FYAnti third-stage loader DLLs"
condition: uint16(0) == 0x5a4d and pe.is_dll() and pe.exports("FuckYouAnti")
}
rule MALWARE_Win_DLAgent10 {
meta:
author = "ditekSHen"
description = "Detects known downloader agent"
strings:
$s1 = "powershell.exe" ascii wide nocase
$s2 = ".DownloadFile(" ascii wide nocase
$s3 = "_UseShellExecute" ascii wide nocase
$s4 = "_CreateNoWindow" ascii wide nocase
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_PureLoader {
meta:
author = "ditekSHen"
description = "Detects Pure loader / injector"
strings:
$s1 = "InvokeMember" fullword wide
$s2 = "ConcatProducer" fullword wide
$s3 = ".Classes.Resolver" wide
$s4 = "get_DLL" fullword ascii
$s5 = "BufferedStream" fullword ascii
$s6 = "GZipStream" fullword ascii
$s7 = "MemoryStream" fullword ascii
$s8 = "Decompress" fullword ascii
$s9 = "lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.R" ascii
condition: uint16(0) == 0x5a4d and 8 of them
}
rule MALWARE_Win_VBS_DLAgent01 {
meta:
author = "ditekSHen"
description = "Detects VBS MSHTA downloader"
strings:
$s1 = "llehS.tpircsW" ascii
$s2 = ".Run" ascii
$s3 = "mshta http" ascii nocase
$s4 = "StrReverse" ascii
condition: all of them
}
rule MALWARE_Win_RanumBot {
meta:
author = "ditekSHen"
description = "Detects RanumBot / Windigo / GoStealer"
strings:
// variant 1
$f1 = "main.addSchedulerTaskSSH" fullword ascii
$f2 = "main.attackRouter" fullword ascii
$f3 = "main.decryptPassword" fullword ascii
$f4 = "main.handleScanRequest" fullword ascii
$f5 = "main.scanNetwork" fullword ascii
$f6 = "main.extractCredentials" fullword ascii
$s1 = "H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ptr siz= tab= top= u_a= u_g=%s/16%s:%d%s:22+0330+0430+0530+0545+0630+0845+10" ascii
$s2 = "<== as at fp= is lr: of on pc= sp: sp=) = ) m=+Inf, n -Inf00%x112212343125: p=ABRTACDTACSTAEDTAESTAKDTAKSTALRMAWSTAhomAtoiCESTChamDashEESTGOGCJulyJuneKILLLEAFLisuMiaoModiNZDTNZSTNewaPIPEQUITSASTSEGVTERMThai" ascii
$s3 = "W*struct { P *big.Int; Q *big.Int; G *big.Int; Y *big.Int; Rest []uint8 \"ssh:\\\"rest\\\"\" }" ascii
$s4 = "policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write" ascii
$s5 = "/Users/alexander/go/src/mikrotik/winbox.go" ascii
// variant 2
$xf1 = "main.readConfig" fullword ascii
$xf2 = "main.ensureRunningAsUser" fullword ascii
$xf3 = "main.configRegPath" fullword ascii
$xf4 = "main.oldConfigRegPath" fullword ascii
$uf1 = "main.locateChrome" fullword ascii
$uf2 = "main.decryptAndUploadProfile" fullword ascii
$uf3 = "main.decryptCookies" fullword ascii
$uf4 = "main.extractPasswords" fullword ascii
$uf5 = "main.getFirefoxProfile" fullword ascii
$uf6 = "main.postBrowsersData" fullword ascii
$uf7 = "main.uploadFirefoxProfile" fullword ascii
$uf8 = "main.zipFirefoxProfile" fullword ascii
$uf9 = /main\.detect(Browsers|Chrome|Coccoc|Edge|Firefox|InternetExplorer|Opera|Yandex)/ fullword ascii
condition: uint16(0) == 0x5a4d and (5 of ($f*) or 4 of ($s*) or (2 of ($f*) and 2 of ($s*)) or (all of ($xf*) and 1 of ($uf*)) or 6 of ($uf*))
}
rule MALWARE_Win_DllHijacker01 {
meta:
author = "ditekSHen"
description = "Hunt for VSNTAR21 / DllHijacker01 IronTiger / LuckyMouse / APT27 malware"
strings:
$s1 = "libvlc_add_intf" fullword ascii
$s2 = "libvlc_dllonexit" fullword ascii
$s3 = "libvlc_getmainargs" fullword ascii
$s4 = "libvlc_initenv" fullword ascii
$s5 = "libvlc_set_app_id" fullword ascii
$s6 = "libvlc_set_app_type" fullword ascii
$s7 = "libvlc_set_user_agent" fullword ascii
$s8 = "libvlc_wait" fullword ascii
$s9 = "dll.dll" fullword ascii
condition: uint16(0) == 0x5a4d and 6 of them
}
rule MALWARE_Win_HyperBro02 {
meta:
author = "ditekSHen"
description = "Detects HyperBro IronTiger / LuckyMouse / APT27 malware"
strings:
$s1 = "\\cmd.exe /A" fullword wide
$s2 = "C:\\windows\\explorer.exe" fullword wide
$s3 = "\\\\.\\pipe\\testpipe" fullword wide
$s4 = "Elevation:Administrator!new:{" wide
$s5 = "log.log" fullword wide
$s6 = "%s\\%d.exe" fullword wide
$s7 = ".?AVTPipeProtocol@@" fullword ascii
$s8 = ".?AVTCaptureMgr@@" fullword ascii
$s9 = "system-%d" fullword wide
$s10 = "[test] %02d:%02d:%02d:%03d %s" fullword wide
$s11 = "\\..\\data.dat" fullword wide
$s12 = "\\..\\config.ini" fullword wide
$s13 = { 73 00 76 00 63 00 68 00 6f 00 73 00 74 00 2e 00 65 00 78 00 65 00 00 00 20 00 2d 00 77 00 6f 00 72 00 6b 00 65 00 72 00 }
$s14 = { 73 00 76 00 63 00 68 00 6f 00 73 00 74 00 2e 00 65 00 78 00 65 00 00 00 20 00 2d 00 64 00 61 00 65 00 6d 00 6f 00 6e 00 }
$cnc1 = "https://%s:%d/ajax" fullword wide
$cnc2 = "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36" fullword wide
$cnc3 = "139.180.208.225" fullword wide
condition: uint16(0) == 0x5a4d and (7 of ($s*) or (2 of ($cnc*) and 2 of ($s*)))
}
/*
Too many FPs
rule MALWARE_Win_HyperBro03 {
meta:
author = "ditekSHen"
description = "Hunt HyperBro IronTiger / LuckyMouse / APT27 malware"
strings:
//$h1 = "HControl" ascii wide
//$h2 = "HSleep" ascii wide
//$h3 = "HTrans" ascii wide
$i1 = "IAgent" ascii wide
$i2 = "ITcpAgent" ascii wide
$i3 = "IAgentListener" ascii wide
$t1 = "TCommon" ascii
$t2 = "TFileInfo" ascii
$t3 = "TFileRename" ascii
$t4 = "TFileUpload" ascii
$t5 = "TServicesInfo" ascii
$t6 = "TListUser" ascii
$t7 = "TTransmit" ascii
$vc1 = "CSSLAgent" ascii wide
$vc2 = "CSocks5" ascii wide
$vc3 = "CTcpAgent" ascii wide
$cm1 = "CMCapture" ascii wide
$cm2 = "CMFile" ascii wide
$cm3 = "CMPipeClient" ascii wide
$cm4 = "CMPipeServer" ascii wide
$cm5 = "CMProcess" ascii wide
$cm6 = "CMServices" ascii wide
$cm7 = "CMShell" ascii wide
condition: uint16(0) == 0x5a4d and (all of ($i*) or 6 of ($t*) or 6 of ($cm*) or all of ($vc*))
//uint16(0) == 0x5a4d and (all of ($h*) or all of ($i*) or 6 of ($t*) or 6 of ($cm*) or all of ($vc*))
}
*/
rule MALWARE_Win_DllHijacker02 {
meta:
author = "ditekSHen"
description = "Detects ServiceCrt / DllHijacker03 IronTiger / LuckyMouse / APT27 malware"
strings:
$s1 = "ServiceCrtMain" fullword ascii
$s2 = "mpsvc.dll" fullword ascii
$o1 = { 84 db 0f 85 4c ff ff ff e8 14 06 00 00 8b f0 83 }
$o2 = { f7 c1 00 ff ff ff 75 c5 eb 13 0f ba 25 10 20 01 }
$o3 = { 8d 04 b1 8b d9 89 45 fc 8d 34 b9 a1 18 20 01 10 }
$o4 = { b0 01 c3 68 b8 2c 01 10 e8 83 ff ff ff c7 04 24 }
$o5 = { eb 34 66 0f 12 0d 00 fe 00 10 f2 0f 59 c1 ba cc }
$o6 = { 73 c7 dc 0d 4c ff 00 10 eb bf dd 05 34 ff 00 10 }
condition: uint16(0) == 0x5a4d and all of ($s*) and 5 of ($o*)
}
rule MALWARE_Win_Zeoticus {
meta:
author = "ditekSHen"
description = "Detects Zeoticus ransomware"
strings:
$s1 = "Dear %s" fullword wide
$s2 = "\\??\\UNC\\%s\\%s\\" wide
$s3 = "\\\\%ws\\admin$\\%ws" wide
$s4 = "%s /node:\"%ws\" /user:\"%ws\" /password:" wide
$s5 = "process call create" wide
$s6 = ">----===Zeoticus" ascii
$s7 = "ZEOTICUSV2" ascii
$s8 = "GetExtendedTcpTable" fullword ascii
$s9 = "SHAMROckSWTF" ascii
$s10 = "NTDLL.RtlAllocateHeap" fullword ascii
$s11 = ".pandora" fullword wide
$s12 = { 70 00 20 00 72 00 20 00 69 00 20 00 76 00 20 00 65 00 20 00 74 }
$pdb = "_cryptor\\shell_gen\\Release\\" ascii
condition: uint16(0) == 0x5a4d and (6 of ($s*) or ($pdb))
}
rule MALWARE_Win_DLAgent11 {
meta:
author = "ditekSHen"
description = "Detects downloader agent"
strings:
$pdb = "\\loader2\\obj\\Debug\\loader2.pdb" ascii
$s1 = "DownloadFile" fullword ascii
$s2 = "ZipFile" fullword ascii
$s3 = "WebClient" fullword ascii
$s4 = "ExtractToDirectory" fullword ascii
$s5 = "System Clear" fullword ascii
condition: uint16(0) == 0x5a4d and (all of ($s*) or (($pdb) and 4 of ($s*)))
}
rule MALWARE_Win_SoftCNApp {
meta:
author = "ditekSHen"
description = "Detects SoftCNApp"
strings:
$s1 = "\\\\.\\PIPE\\SOC%d" fullword ascii
$s2 = "Mozilla/5.0 (Windows NT 6.1)" fullword ascii
$s3 = "Param: sl=%d; sl=%d; sl=%d; sl=%d; sl=%d;" fullword ascii
$s4 = ".?AVCHPPlugin@@" fullword ascii
$s5 = ".?AVCHPCmd@@" fullword ascii
$s6 = ".?AVCHPExplorer@@" fullword ascii
$s7 = "%s\\svchost.exe -O" fullword wide
$s8 = "\"%s\\%s\" -P" fullword ascii
$n1 = "45.63.58.34" fullword ascii
$n2 = "127.0.0.1" fullword ascii
condition: uint16(0) == 0x5a4d and (4 of ($s*) or (all of ($n*) and 2 of ($s*)))
}
rule MALWARE_Win_CovenantGruntStager {
meta:
author = "ditekSHen"
description = "Detects Covenant Grunt Stager"
strings:
$x1 = "VXNlci1BZ2VudA" ascii wide
$x2 = "cGFnZT17R1VJRH0mdj0x" ascii wide
$x3 = "0eXBlPXtHVUlEfSZ2PTE" ascii wide
$x4 = "tZXNzYWdlPXtHVUlEfSZ2PTE" ascii wide
$x5 = "L2VuLXVzL" ascii wide
$x6 = "L2VuLXVzL2luZGV4Lmh0bWw" ascii wide
$x7 = "L2VuLXVzL2RvY3MuaHRtbD" ascii wide
$s1 = "ExecuteStager" ascii
$s2 = "UseCertPinning" fullword ascii
$s3 = "FromBase64String" fullword ascii
$s4 = "ToBase64String" fullword ascii
$s5 = "DownloadString" fullword ascii
$s6 = "UploadString" fullword ascii
$s7 = "GetWebRequest" fullword ascii
condition: uint16(0) == 0x5a4d and (2 of ($x*) or all of ($s*) or (1 of ($x*) and 5 of ($s*)))
}
rule MALWARE_Win_Fabookie {
meta:
author = "ditekSHen"
description = "Detects Fabookie / ElysiumStealer"
strings:
$s1 = "rwinssyslog" fullword wide
$s2 = "_kasssperskdy" fullword wide
$s3 = "[Title:%s]" fullword wide
$s4 = "[Execute]" fullword wide
$s5 = "[Snapshot]" fullword wide
$s6 = "Mozilla/4.0 (compatible)" fullword wide
$s7 = "d-k netsvcs" fullword wide
$s8 = "facebook.websmails.com" fullword wide
$s9 = "CUdpClient::Start" fullword ascii
condition: (uint16(0) == 0x5a4d or uint16(0) == 0x0805) and 6 of them
}
rule MALWARE_Win_CobianRAT {
meta:
author = "ditekSHen"
description = "Detects CobianRAT, a fork of Njrat"
strings:
$s1 = "1.0.40.7" fullword wide
$s2 = "DownloadData" fullword wide
$s3 = "Executed As" fullword wide
$s4 = "\\Plugins" fullword wide
$s5 = "LOGIN" fullword wide
$s6 = "software\\microsoft\\windows\\currentversion\\run" wide
$s7 = "Hidden" fullword wide
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_Cuba {
meta:
author = "ditekSHen"
description = "Detects Cuba ransomware"
strings:
$s1 = ".cuba" fullword wide
$s2 = "\\\\%d.%d.%d.%d" fullword wide
$s3 = "!!FAQ for Decryption!!.txt" fullword wide
$s4 = "vmcompute" fullword wide
$s5 = "MSExchange" wide
$s6 = "glocal" fullword wide
$s7 = "network" fullword wide
$s8 = "\\$Recycle.Bin\\" fullword wide
$s9 = "NetShareEnum" fullword ascii
condition: uint16(0) == 0x5a4d and 6 of them
}
rule MALWARE_Win_Leivion {
meta:
author = "ditekSHen"
description = "Detects Leivion"
strings:
$s1 = "/var/lib/veil/go/src/runtime/mem_windows.go" fullword ascii
$s2 = "/var/lib/veil/go/src/internal/singleflight/singleflight.go" fullword ascii
$s3 = "/var/lib/veil/go/src/net/http/sniff.go" fullword ascii
$s4 = "/var/lib/veil/go/src/net/sendfile_windows.go" fullword ascii
$s5 = "/var/lib/veil/go/src/os/exec_" ascii
$s6 = "/var/lib/veil/go/src/runtime/mgcsweep.go" fullword ascii
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Win_Banload {
meta:
author = "ditekSHen"
description = "Detects Banload"
strings:
$s1 = "main.die" fullword ascii
$s2 = "main.postResults" fullword ascii
$s3 = "main.checkin" fullword ascii
$s4 = "RegQueryValueExWRemoveDirectoryWSETTINGS_TIMEOUTTerminateProcessUpgrade RequiredUser-Agent: %s" ascii
$s5 = "pcuser-agentws2_32.dll (targetpc= DigestType ErrCode=%v" ascii
$s6 = "invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrie" fullword ascii
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_TYRAT {
meta:
author = "ditekSHen"
description = "Detects TYRAT"
strings:
$s1 = "C:\\$MSIRecycle.Bin\\" fullword ascii
$s2 = "Range: bytes=%d-" fullword ascii
$s3 = "GET%sHTTP/1.1" fullword ascii
$s4 = "DllServer.dll" fullword ascii
$s5 = ".Bin\\bnch" ascii
$s6 = "User-Agent: wget" fullword ascii
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Win_InfinityLock {
meta:
author = "ditekSHen"
description = "Detects InfinityLock ransomware"
strings:
$s1 = "_Encrypted$" fullword ascii
$s2 = "PublicKeyToken=" fullword ascii nocase
$s3 = "GenerateHWID" fullword ascii
$s4 = "CreateKey" fullword ascii
$d1 = "ProgrammFiles" fullword ascii
$d2 = "OneDrive" fullword ascii
$d3 = "ProgrammsX86" fullword ascii
$d4 = "UserDirs" fullword ascii
$d5 = "B_Drive" fullword ascii
$pdb1 = "F:\\DESKTOP!\\ChkDsk\\ChkDsk\\obj\\" ascii
$pdb2 = "\\ChkDsk\\obj\\Debug\\PremiereCrack.pdb" ascii
condition: uint16(0) == 0x5a4d and ((all of ($s*) and 1 of ($d*)) or (4 of ($d*) and 2 of ($s*)) or (any of ($pdb*) and 1 of ($s*) and 1 of ($d*)))
}
rule MALWARE_Win_MountLocker {
meta:
author = "ditekSHen"
description = "Detects MountLocker ransomware"
strings:
$s1 = "] locker.dir.check > " ascii wide
$s2 = "] locekr.kill." ascii wide
$s3 = "] locker.worm" ascii wide
$s4 = "%CLIENT_ID%" fullword ascii
$s5 = "RecoveryManual.html" ascii wide
$s6 = "RECOVERY MANUAL" ascii
$s7 = ".ReadManual.%0.8X" ascii wide
$s8 = "/?cid=%CLIENT_ID%" ascii
condition: uint16(0) == 0x5a4d and 3 of them
}
rule MALWARE_Win_PingBack {
meta:
author = "ditekSHen"
description = "Detects PingBack ICMP backdoor"
strings:
$s1 = "Sniffer ok!" fullword ascii
$s2 = "recv icmp packet!" fullword ascii
$s3 = "WSASocket() failed: %d" fullword ascii
$s4 = "file on remote computers success" ascii
$s5 = "listen port error!" fullword ascii
$s6 = "\\PingBackService" ascii
$c1 = "exec" fullword ascii
$c2 = "rexec" fullword ascii
$c3 = "exep" fullword ascii
$c4 = "download" fullword ascii
$c5 = "upload" fullword ascii
$c6 = "shell" fullword ascii
condition: uint16(0) == 0x5a4d and (3 of ($s*) or all of ($c*) or (4 of ($c*) and 2 of ($s*)))
}
rule MALWARE_Win_BazarLoader {
meta:
author = "ditekSHen"
description = "Detects BazarLoader variants"
strings:
$s1 = "Startdelay for %d ms to avoid some dynamic AV detects!" ascii
$s2 = "Use Debug for moving faster!" ascii
$s3 = "Logging Mutex %s to %s" ascii
$s4 = "FIRST AND ONLY COPY RUNNING! Mutex %s" ascii
$s5 = "the most secret 3d GetWinApiPointers line in the world!" ascii
$s6 = "[+] makeMD5hash. " ascii
condition: uint16(0) == 0x5a4d and 3 of ($s*)
}
rule MALWARE_Win_CoinMiner01 {
meta:
author = "ditekSHen"
description = "Detects coinmining malware"
strings:
$s1 = "-o pool." ascii wide
$s2 = "--cpu-max-threads-hint" ascii wide
$s3 = "-P stratum" ascii wide
$s4 = "--farm-retries" ascii wide
$dl = "github.com/ethereum-mining/ethminer/releases/download" ascii wide
condition: uint16(0) == 0x5a4d and (3 of ($s*) or ($dl))
}
rule PUA_Win_UltraSurf {
meta:
author = "ditekSHen"
description = "Detects UltraSurf / Ultrareach PUA"
strings:
$s1 = "Ultrareach Internet Corp." ascii
$s2 = "UltrasurfUnionRectUrlFixupWUse Proxy" ascii
$s3 = "Ultrasurf UnlockFileUrlEscapeWUser-Agent" ascii wide
$s4 = "Ultrasurf0#" ascii
$m1 = "main.bindata_read" fullword ascii
$m2 = "main.icon64_png" fullword ascii
$m3 = "main.setProxy" fullword ascii
$m4 = "main.openbrowser" fullword ascii
condition: uint16(0) == 0x5a4d and (2 of ($s*) or (all of ($m*) and 1 of ($s*)))
}
rule MALWARE_Win_Hello {
meta:
author = "ditekSHen"
description = "Hunt for Hello / WickrMe ransomware"
strings:
$s1 = "DeleteBackupFiles" ascii wide
$s2 = "GetEncryptFiles" ascii wide
$s3 = "DeleteVirtualDisks" ascii wide
$s4 = "DismountVirtualDisks" ascii wide
condition: uint16(0) == 0x5a4d and 3 of them
}
rule MALWARE_Win_ButeRAT {
meta:
author = "ditekSHen"
description = "Detects ButeRAT"
strings:
$x1 = "TVqQAAMAA" ascii
$s1 = "ipinfo.io/geo" wide
$s2 = "/index.php" wide
$s3 = "Copy-Item -Path" wide
$s4 = ";Start-Process" wide
$s5 = "Microsoft\\Windows\\Start Menu\\Programs\\Startup" wide
$s6 = "LOCALAPPDATA" fullword wide
$s7 = "passwords.json" wide
$s8 = "Scripting.FileSystemObject" fullword wide
$z1 = /(edge|chrome|opera|exodus|jaxx|atomic|coinomi)\.zip/ ascii wide nocase
condition: uint16(0) == 0x5a4d and ((1 of ($x*) or 1 of ($z*)) and (4 of ($s*)) or (6 of ($s*)) or (#z1 > 4 and 2 of them))
}
rule MALWARE_Win_CookieStealer {
meta:
author = "ditekSHen"
description = "Detects generic cookie stealer"
strings:
$s1 = "([\\S]+?)=([^;|^\\r|^\\n]+)" fullword ascii
$s2 = "(.+?): ([^;|^\\r|^\\n]+)" fullword ascii
$s3 = "Set-Cookie: ([^\\r|^\\n]+)" fullword ascii
$s4 = "cmd.exe /c taskkill /f /im chrome.exe" fullword ascii
$s5 = "FIREFOX.EXE|Google Chrome|IEXPLORE.EXE" ascii
$pdb1 = "F:\\facebook_svn\\trunk\\database\\Release\\DiskScan.pdb" fullword ascii
$pdb2 = "D:\\Projects\\crxinstall\\trunk\\Release\\spoofpref.pdb" fullword ascii
$ua1 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" fullword ascii
$ua2 = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36" fullword ascii
condition: uint16(0) == 0x5a4d and ((all of ($s*) and 1 of ($pdb*) and 1 of ($ua*)) or (all of ($ua*) and 1 of ($pdb*) and 2 of ($s*)))
}
rule MALWARE_Win_BitCoinGrabber {
meta:
author = "ditekSHen"
description = "Detects generic bitcoin stealer"
strings:
$s1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" wide
$s2 = "Bitcoin-Grabber" ascii
$s3 = "Bitcoin_Grabber" ascii
$s4 = "encrypt resources [compress]T" fullword ascii
$s5 = "code control flow obfuscationT" fullword ascii
$s6 = "\\Users\\lakol\\Desktop\\a\\Crypto Currency Wallet Changer\\" ascii
$pat1 = "\\b(bc1|[13])[a-zA-HJ-NP-Z0-9]{26,35}\\b" fullword wide
$pat2 = "\\b0x[a-fA-F0-9]{40}\\b" fullword wide
$pat3 = "\\b4([0-9]|[A-B])(.){93}\\b" fullword wide
condition: uint16(0) == 0x5a4d and 4 of ($s*) or (all of ($pat*) and 2 of ($s*))
}
rule MALWARE_Win_FOXGRABBER {
meta:
author = "ditekSHen"
description = "Detects FOXGRABBER utility"
strings:
$s1 = "start grabbing" wide
$s2 = "end grabbing in" wide
$s3 = "error of copying files from comp:" wide
$s4 = "\\Firefox\\" wide nocase
$pdb1 = "\\obj\\Debug\\grabff.pdb" ascii
$pdb2 = "\\obj\\Release\\grabff.pdb" ascii
condition: uint16(0) == 0x5a4d and (all of ($s*) or (1 of ($pdb*) and 1 of ($s*)))
}
rule MALWARE_Win_BrowserGrabber {
meta:
author = "ditekSHen"
description = "Hunt for FOXGRABBER-like samples but for various browsers"
strings:
$s1 = "start grabbing" wide
$s2 = "end grabbing in" wide
$s3 = "error of copying files from comp:" wide
$s4 = /(Chrome|Edge)/ wide
$ff = "\\Firefox\\" wide nocase
$pdb1 = "\\obj\\Debug\\grab" ascii
$pdb2 = "\\obj\\Release\\grab" ascii
condition: uint16(0) == 0x5a4d and not ($ff) and (all of ($s*) or (1 of ($pdb*) and 1 of ($s*)))
}
rule MALWARE_Win_DeathRansom {
meta:
author = "ditekSHen"
description = "Detects known DeathRansom ransomware"
strings:
$s1 = "%s %f %c" fullword ascii
$pdb1 = ":\\wud.pdb" ascii
$spdb2 = "\\crypt_server\\runtime\\crypt" ascii
$spdb3 = "\\bin\\nuvin.pdb" ascii
$h1 = "#Dunubeyokunov" wide
$h2 = "^Neyot dehipijakeyelih" wide
$h3 = "talin%Sanovurenofibiw" wide
$h4 = "WriteFile" fullword ascii
$h5 = "ClearEventLogA" fullword ascii
$h6 = "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0" ascii wide
condition: uint16(0) == 0x5a4d and (all of ($pdb*) or (all of ($s*) and 1 of ($pdb*)) or 5 of ($h*))
}
rule MALWARE_Win_UnlockYourFiles {
meta:
author = "ditekSHen"
description = "Detects UnlockYourFiles ransomware"
strings:
$s1 = "filesx0" wide
$s2 = "_auto_file" wide
$s3 = "<EncyptedKey>" fullword wide
$s4 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\" wide
$s5 = "DecryptAllFile" fullword ascii
$s6 = "AES_Only_Decrypt_File" fullword ascii
$m1 = "Free files decrypted" wide
$m2 = "Restore my files" wide
$m3 = "Type tour password..." wide
$m4 = "files encrypted by strong password" ascii
$m5 = "buy bitcoin" ascii
$m6 = "Unlock File" fullword wide
condition: uint16(0) == 0x5a4d and (4 of ($s*) or 5 of ($m*) or (2 of ($s*) and 2 of ($m*)))
}
rule MALWARE_Win_DecryptMyFiles {
meta:
author = "ditekSHen"
description = "Detects DecryptMyFiles ransomware"
strings:
$s1 = "FILES ENCRYPTED" wide
$s2 = "pexplorer.exe" fullword wide
$s3 = "uniquesession" fullword ascii
$s4 = ".[decryptmyfiles.top]." fullword ascii
$s5 = "decrypt 1 file" ascii
$s6 = "(databases,backups, large excel" ascii
$c1 = "api/connect.php" ascii
$c2 = "decryptmyfiles.top" ascii
$c3 = "/contact/" ascii
condition: uint16(0) == 0x5a4d and (4 of ($s*) or all of ($c*) or (2 of ($c*) and 2 of ($s*)))
}
rule MALWARE_Win_Motocos {
meta:
author = "ditekSHen"
description = "Detects Motocos ransomware"
strings:
$s1 = "Block Investigation Tools" wide
$s2 = "powershell.exe,taskmgr.exe,procexp.exe,procmon.exe" wide
$s3 = "google.com,youtube.com,baidu.com,facebook.com,amazon.com,360.cn,yahoo.com,wikipedia.org,zoom.us,live.com,reddit.com,netflix.com,microsoft.com,instagram.com,vk.com," wide
$s4 = "START ----" wide
$s5 = "TEngine.Clear_EventLog_Result" wide
$s6 = "TEngine.EncryptLockFiles" wide
$s7 = "TEngine.CleanShadowFiles" wide
$s8 = "TDNSUtils.SendCommand" wide
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Win_DLAgent12 {
meta:
author = "ditekSHen"
description = "Detects downloader agent"
strings:
$s1 = "WebClient" fullword ascii
$s2 = "DownloadData" fullword ascii
$s3 = "packet_server" fullword wide
condition: uint16(0) == 0x5a4d and all of them and filesize < 50KB
}
rule MALWARE_Win_DLInjector01 {
meta:
author = "ditekSHen"
description = "Detects specific downloader injector shellcode"
strings:
$s1 = "process call create \"%s\"" ascii wide
$s2 = "\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\" ascii wide
$s3 = "%systemroot%\\system32\\ntdll.dll" ascii wide
$s4 = "qemu-ga.exe" ascii wide
$s5 = "prl_tools.exe" ascii wide
$s6 = "vboxservice.exe" ascii wide
$o1 = { 75 04 74 02 38 6e 8b 34 24 83 c4 04 eb 0a 08 81 }
$o2 = { 16 f8 f7 ba f0 3d 87 c7 95 13 b7 64 22 be e1 59 }
$o3 = { 8b 0c 24 83 c4 04 eb 05 ea f2 eb ef 05 e8 ad fe }
$o4 = { eb 05 1d 51 eb f5 ce e8 80 fd ff ff 77 a1 f4 cd }
$o5 = { eb 05 6e 33 eb f5 73 e8 64 f6 ff ff 77 a1 f4 77 }
$o6 = { 59 eb 05 fd 98 eb f4 50 e8 d5 f5 ff ff 3b b9 00 }
$o7 = "bYkoDA7G" fullword ascii
condition: (uint16(0) == 0x5a4d and all of ($o*)) or (all of ($s*))
}
rule MALWARE_Win_DLInjector02 {
meta:
author = "ditekSHen"
description = "Detects downloader injector"
strings:
$x1 = "In$J$ct0r" fullword wide
$x2 = "%InJ%ector%" fullword wide
$a1 = "WriteProcessMemory" fullword wide
$a2 = "URLDownloadToFileA" fullword ascii
$a3 = "Wow64SetThreadContext" fullword wide
$a4 = "VirtualAllocEx" fullword wide
$s1 = "RunPE" fullword wide
$s2 = "SETTINGS" fullword wide
$s3 = "net.pipe" fullword wide
$s4 = "vsmacros" fullword wide
condition: uint16(0) == 0x5a4d and (1 of ($x*) or (all of ($a*) and 3 of ($s*)))
}
rule MALWARE_Win_Nermer {
meta:
author = "ditekSHen"
description = "Detects Nermer ransomware"
strings:
$x1 = "gPROTECT_INFO.TXT" fullword wide
$x2 = ".nermer" fullword wide
$s1 = "db_journal" fullword wide
$s2 = "quicken2015backup" fullword wide
$s3 = "mysql" fullword wide
$s4 = "sas7bdat" fullword wide
$s5 = "httpd.exe" fullword wide
$s6 = "Intuit.QuickBooks.FCS" fullword wide
$s7 = "convimage" fullword wide
$s8 = ".?AV?$_Binder@U_Unforced@std@@P8shares_t@" ascii
$s9 = "BgIAAACkAABSU0ExAAgAAAEAAQCt" ascii
$m1 = "YOUR FILES WERE ENCRYPTED" ascii
$m2 = "MARKED BY EXTENSION .nermer" ascii
$m3 = "send us your id: >> {id} <<" ascii
$m4 = "email us: >> {email} <<" ascii
$c1 = "/repeater.php" ascii
$c2 = "HTTPClient/0.1" fullword ascii
$c3 = "94.156.35.227" ascii
$c4 = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" fullword ascii
condition: uint16(0) == 0x5a4d and (all of ($m*) or all of ($c*) or all of ($s*) or (4 of ($s*) and (1 of ($x*) or 1 of ($m*) or 2 of ($c*))) or 14 of them)
}
rule MALWARE_Win_Beastdoor {
meta:
author = "ditekSHen"
description = "Detects Beastdoor backdoor"
strings:
$s1 = "shellx.pif" fullword ascii nocase
$s2 = "Beasty" fullword ascii
$s3 = "* Boot:[" ascii
$s4 = "^ Shut Down:[" ascii
$s5 = "set cdaudio door" ascii
$s6 = "This \"Portable Network Graphics\" image is not valid" wide
$n1 = ".aol.com" ascii
$n2 = "web.icq.com" ascii
$n3 = "&fromemail=" fullword ascii
$n4 = "&subject=" fullword ascii
$n5 = "&Send=" fullword ascii
$n6 = "POST /scripts/WWPMsg.dll HTTP/1.0" fullword ascii
$n7 = "mirabilis.com" ascii
condition: uint16(0) == 0x5a4d and (all of ($s*) or 5 of ($n*) or (3 of ($s*) and 3 of ($n*)))
}
rule MALWARE_Win_GravityRAT {
meta:
author = "ditekSHen"
description = "Detects GravityRAT"
strings:
$s1 = "/GX/GX-Server.php?VALUE=2&Type=" wide
$s2 = "&SIGNATUREHASH=" wide
$s3 = "Error => CommonFunctionClass => Upload()" wide
$s4 = "/GetActiveDomains.php" wide
$s5 = "DetectVM" ascii wide
$s6 = "/c {0} > {1}" wide
$s7 = "DRIVEUPLOADCOMPLETED => TOTALFILES={0}, FILESUPLOADED={1}" wide
$s8 = "Program => RunAFile()" wide
$s9 = "DoViaCmd" ascii
$s10 = ".msoftupdates.com:" wide
$f1 = "<RootJob>b__" ascii
$f2 = "<GetFiles>b__" ascii
$f3 = "<UpdateServer>b__" ascii
$f4 = "<EthernetId>b__" ascii
$f5 = "<MatchMacAdd>b__" ascii
condition: uint16(0) == 0x5a4d and (5 of ($s*) or (all of ($f*) and 1 of ($s*)))
}
rule MALWARE_Win_FatalRAT {
meta:
author = "ditekSHen"
description = "Detects FatalRAT"
strings:
$x1 = "XXAcQbcXXfRSScR" fullword ascii
$s1 = "CHROME_NO_DATA" fullword ascii
$s2 = "CHROME_UNKNOW" fullword ascii
$s3 = "-Thread running..." ascii
$s4 = "InetCpl.cpl,ClearMyTracksByProcess" ascii nocase
$s5 = "MSAcpi_ThermalZoneTemperature" ascii nocase
$s6 = "taskkill /f /im rundll32.exe" fullword ascii nocase
$s7 = "del /s /f %appdata%\\Mozilla\\Firefox" ascii nocase
$s8 = "\\\\%s\\C$\\" ascii
$s9 = "fnGetChromeUserInfo" fullword ascii
$s10 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost" fullword ascii
condition: uint16(0) == 0x5a4d and ((1 of ($x*) and 3 of ($s*)) or 5 of ($s*))
}
rule MALWARE_Win_WinGo {
meta:
author = "ditekSHen"
description = "Detects malicious Golang executables"
strings:
$s1 = "Go build ID:" ascii
$s2 = /main\.[a-z]{9}Delete/ fullword ascii
$s3 = /main\.[a-z]{9}Update/ fullword ascii
$s4 = /main\.[a-z]{9}rundll/ fullword ascii
condition: uint16(0) == 0x5a4d and (all of them and #s2 > 2 and #s3 > 2 and #s4 > 2)
}
rule MALWARE_Win_GENERIC03 {
meta:
author = "ditekSHen"
description = "Detects unknown malicious executables"
strings:
$s1 = "lbroscfg.dll" wide
$s2 = "cmd /c ping 127.0.0.1 & del /f /q \"" fullword wide
$s3 = "E:\\Data\\Sysceo\\AD\\" fullword ascii
$s4 = "C++\\Browser_noime\\" ascii
condition: uint16(0) == 0x5a4d and 3 of them
}
rule MALWARE_Win_PandaStealer {
meta:
author = "ditekSHen"
description = "Detects Panda Stealer"
strings:
$s1 = "\\tokens.txt" fullword ascii
$s2 = "user.config" fullword ascii
$s3 = "Discord\\" ascii
$s4 = "%s\\etilqs_" fullword ascii
$s5 = "buildSettingGrabber" ascii
$s6 = "buildSettingSteam" ascii
$s7 = ".?AV?$_Ref_count_obj2@U_Recursive_dir_enum_impl@filesystem@std@@@" ascii
$s8 = "UPDATE %Q.%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr" ascii
$s9 = "|| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (" ascii
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_Gelsemine {
meta:
author = "ditekSHen"
description = "Detects Gelsemine"
strings:
$s1 = "If any of these steps fails.only pick one of the targets for configuration\"If you want to just get on with it*which also use [ " wide
$s2 = "A make implementation+with core modules (please read NOTES.PER_L)2The per_l Text::Template (please read NOTES.PER_L)" wide
$s3 = "NOTES.VMS (OpenVMS)!NOTES.WIN (any supported Windows)%NOTES.DJGPP (DOS platform with DJGPP)'NOTES.ANDROID (obviously Android [ND" wide
$s4 = "A simple example would be this)which is to be understood as one of these" fullword wide
$s5 = "bala bala bala" fullword wide
$s6 = "echo FOO" fullword wide
$s7 = "?_Tidy@?$basic_string@DU?$char_traits@D@std@@V" ascii
$o1 = { eb 08 c7 44 24 34 fd ff ff ff 8b 44 24 54 8b 4c }
$o2 = { eb 08 c7 44 24 34 fd ff ff ff 8b 44 24 54 8b 4c }
$o3 = { 8b 76 08 2b f0 a1 34 ff 40 00 03 f0 89 35 38 ff }
$o4 = { 83 c4 34 c3 8b 4e 20 6a 05 e8 73 10 00 00 8b 76 }
$o5 = { 8b 44 24 44 2b d1 03 d0 8b f2 e9 14 ff ff ff 8d }
$o6 = { 68 00 06 00 00 6a 00 e8 d3 ff ff ff a2 48 00 41 }
condition: uint16(0) == 0x5a4d and (6 of ($s*) or (all of ($o*) and 2 of ($s*)))
}
rule MALWARE_Win_Gelsenicine {
meta:
author = "ditekSHen"
description = "Detects Gelsenicine"
strings:
$s1 = "System/" fullword wide
$s2 = "Windows/" fullword wide
$s3 = "CommonAppData/" fullword wide
$s5 = ".?AUEmbeddedResource@@" fullword ascii
$ms1 = "pulse" fullword wide
$ms2 = "mainpath" fullword wide
$ms3 = "mainpath64" fullword wide
$ms4 = "pluginkey" fullword wide
$o1 = { 48 8d 54 24 68 48 8b 4c 39 10 e8 4d ff ff ff 44 }
$o2 = { 48 8d 54 24 30 48 8b cb e8 34 f2 ff ff 84 c0 74 }
$o3 = { 48 c7 44 24 ?? fe ff ff ff 49 8b f0 48 8b d9 ?? }
$o4 = { 89 44 24 30 89 44 24 34 48 8b 53 08 48 85 d2 48 }
$o5 = { ff ff ff ff 49 f7 d1 4c 23 f8 8b 43 10 48 8b e9 }
$o6 = { 83 c4 24 85 c0 74 3c 8b 0b 8b 41 34 8b 4d 34 2b }
$o7 = { 8b 45 34 8b 53 fc 50 8b cf 6a 04 68 00 10 00 00 }
$o8 = { 80 74 1f 8b 4e 34 8b 54 24 18 25 ff ff 00 00 51 }
$o9 = { eb 47 8b 4c 24 14 8b 56 34 52 8d 3c 08 8b 44 24 }
$o10 = { 8b 44 24 0c 5d 5e 5b 83 c4 10 c3 8b 4e 34 51 57 }
$o11 = { 6a 03 53 53 56 68 34 00 e4 74 ff 15 80 d0 e3 74 }
condition: uint16(0) == 0x5a4d and ((all of ($s*) and (3 of ($ms*) or 4 of ($o*))) or (all of ($ms*) and 2 of ($s*) and 3 of ($o*)))
}
rule MALWARE_Win_Gelsevirine {
meta:
author = "ditekSHen"
description = "Detects Gelsevirine"
strings:
$s1 = /64loadpath(xp|sv|7)/ fullword wide
$s2 = "{\"Actions\":[]}" fullword wide
$s3 = "PlatformsChunk" fullword wide
$s4 = "CurrentPluginCategory" fullword wide
$s5 = "CurrentOperationPlatform" fullword wide
$s6 = "PersistencePlugins" fullword wide
$s7 = "memory_library_file" fullword wide
$s8 = "LoadPluginBP" fullword ascii
$s9 = "GetOperationBasicInformation" fullword ascii
$s10 = "commonappdata/Intel/Runtime" wide
$s11 = "cfsst x64" fullword wide
$s12 = "ForkOperation" fullword ascii
$c1 = "domain.dns04.com:8080;domain.dns04.com:443;acro.ns1.name:80;acro.ns1.name:1863;" wide
$c2 = "<base64 content=\"" fullword ascii
$c3 = "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" fullword ascii
$m1 = "6BDA7FEF-232F-4EA6-8FC8-24F58CD7B366" ascii wide
$m2 = "46EBBDC3-EEDC-42D4-BA1D-D454DFCE8E42" ascii wide
$m3 = "135054C6-8036-42C7-A97C-31F37D7728BD" ascii wide
$m4 = "DC7FDDF7-B2F1-4B99-BE6A-AA683FF11CE6" ascii wide
$m5 = "131C8113-E083-4C7F-BEAF-82D73B01F2C5" ascii wide
$m6 = "4CCF506D-2F61-4C3A-B9C6-9FA47D43A3FC" ascii wide
$m7 = "B2DC745A-66AE-4A19-B11C-AD74D46B7EE0" ascii wide
$m8 = "6BDA7FEF-232F-4EA6-8FC8-24F58CD7B366" ascii wide
condition: uint16(0) == 0x5a4d and (6 of ($s*) or (2 of ($c*) and 4 of ($s*)) or (5 of ($m*) and (1 of ($c*) or 3 of ($s*))))
}
rule MALWARE_Win_IPsecHelper {
meta:
author = "ditekSHen"
description = "Detects IPsecHelper backdoor"
strings:
$s1 = "rundll32.exe advapi32.dll,ProcessIdleTasks" wide
$s2 = "CommandExecute" fullword ascii
$s3 = "DownloadExecuteUrl" fullword ascii
$s4 = "DownloadExecuteFile" fullword ascii
$s5 = "CmdExecute" fullword ascii
$s6 = "ExecuteProcessWithResult" fullword ascii
$s7 = "IsFirstInstance ==> checked" fullword wide
$s8 = "del \"%PROG%%SERVICENAME%\".*" fullword wide
$s9 = ".CreateConfig" wide
$s10 = ".SelfDelete" wide
$c1 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; EmbeddedWB 14.52 from: http://www.google.com/ EmbeddedWB 14.52;" wide
$c2 = "boot.php" wide
$c3 = "lastupdate.php" wide
$c4 = "main.php" wide
$c5 = "InternetNeeded" wide
$c6 = "DeviceIdSalt" wide
condition: uint16(0) == 0x5a4d and (6 of ($s*) or 4 of ($c*) or 8 of them)
}
rule MALWARE_Win_Apostle {
meta:
author = "ditekSHen"
description = "Detects Apsotle"
strings:
$s1 = "bytesToBeEncrypted" fullword ascii
$s2 = "SelfDelete" fullword ascii
$s3 = "ReadMeFileName" ascii
$s4 = "DesktopFileName" ascii
$s5 = "SetWallpaper" fullword ascii
$s6 = "get_EncryptionKey" fullword ascii
$s7 = "disall" fullword ascii
condition: uint16(0) == 0x5a4d and 6 of them
}
rule MALWARE_Win_DEADWOOD {
meta:
author = "ditekSHen"
description = "Detects DEADWOOD"
strings:
$s1 = "Service Start Work !!!!" fullword ascii
$s2 = "Error GetTokenInformation : " fullword ascii
$s3 = "\\Windows\\System32\\net.exe" fullword wide
$s4 = "App Start Work !!!!" fullword ascii
$s5 = "vmmouse" fullword wide
$s6 = "CDPUserSvc_" wide
$s7 = "WpnUserService_" wide
$s8 = "User is :" wide
$s9 = "\\params" fullword ascii
condition: uint16(0) == 0x5a4d and 6 of them
}
rule MALWARE_Win_Turian {
meta:
author = "ditekSHen"
description = "Hunt for Turian / Qurian"
hash1 = "d1218ab9d608ee0212e880204e4d7d75f29f03b77248bca7648d111d67405759"
cnc_domain = "windowsupdate[.]dyndns[.]info"
cnc_ip = "58[.]158[.]177[.]102"
strings:
$s1 = "%s a -m5 -hp1qaz@WSX3edc -r %s %s\\*.*" ascii wide
$s2 = "%s a -m5 -hpMyHost-1 -r %s %s\\*.*" ascii wide
$s3 = "%s a -m5 -hp1qaz@WSX3edc -ta%04d%02d%02d000000 -r %s c:" ascii wide
$s4 = "%s a -m5 -hpMyHost-1 -ta%04d%02d%02d000000 -r %s c:"
$s5 = "cmd /c dir /s /O:D %s>>\"%s\"" ascii wide
$s6 = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v %s /t REG_SZ /d \"%s\" /f" fullword ascii
$s7 = "Not Connect!" fullword ascii
$p1 = "RECYCLER\\S-1-3-33-854245398-2067806209-0000980848-2003\\" ascii wide
$p2 = "%sRECYCLER.{S-1-3-33-854245398-2067806209-0000980848-2003}\\" ascii wide
$p3 = "\\RECYCLER.{S-1-3-33-854245398-2067806209-0000980848-2003}\\" ascii wide
$p4 = "\\RECYCLER.{645ff040-5081-101b-9f08-00aa002f954e}\\" ascii wide
$p5 = "%sRECYCLER.{645ff040-5081-101b-9f08-00aa002f954e}\\" ascii wide
$c1 = "CONNECT %s:%u HTTP/1." ascii wide
$c2 = "User-Agent: Mozilla/4.0" ascii wide
$m1 = "winsupdatetw" fullword ascii wide
$m2 = "clientsix" fullword ascii wide
$m3 = "updatethres" fullword ascii wide
$m4 = "uwatchdaemon" fullword ascii wide
condition: uint16(0) == 0x5a4d and (3 of ($s*) or (all of ($c*) and (2 of ($s*) or 1 of ($m*) or 1 of ($p*))) or (1 of ($m*) and 1 of ($s*) and (1 of ($c*) or 1 of ($p*))))
}
/*
Too many FPs
rule MALWARE_Win_DLAgent13 {
meta:
author = "ditekSHen"
description = "Detects downloader agent. Observed to drop AceRAT"
strings:
$x1 = "Dropper" fullword ascii
$x2 = "/C chcp 65001 && ping 127.0.0.1 && DEL" wide
$x3 = "&& ping 127.0.0.1 && DEL /F /S /Q /A \"" wide
$s1 = "WebClient" fullword ascii
$s2 = "DownloadFile" fullword ascii
$s3 = "ProcessStartInfo" fullword ascii
$s4 = "set_FileName" fullword ascii
$s5 = "GetTempPath" fullword ascii
condition: uint16(0) == 0x5a4d and (all of ($s*) or all of($x*) or (2 of ($x*) and 3 of ($s*)))
}
*/
rule MALWARE_Win_DLAgent14 {
meta:
author = "ditekSHen"
description = "Detects downloader injector"
strings:
$s1 = "%ProgramData%\\AVG" fullword wide
$s2 = "%ProgramData%\\AVAST Software" fullword wide
$s3 = "%wS\\%wS.vbs" fullword wide
$s4 = "%wS\\%wS.exe" fullword wide
$s5 = "CL,FR,US,CY,FI,HR,HU,RO,PL,IT,PT,ES,CA,DK,AT,NL,AU,AR,NP,SE,BE,NZ,SK,GR,BG,NO,GE" ascii
$s6 = "= CreateObject(\"Microsoft.XMLHTTP\")" ascii
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_MarkiRAT {
meta:
author = "ditekSHen"
description = "Detects MarkiRAT"
strings:
$pdb = "\\mfcmklg.pdb" ascii
$s1 = "runinhome Completed" wide
$s2 = "ERROR find next file<br>" wide
$s3 = "<br><mark>Hello: %s</mark>" wide
$s4 = "<br><mark>CLIPBOARD[" wide
$s5 = "@userhome@" wide
$s6 = "Global\\{2194ABA1-BFFA-4e6b-8C26-D1BB20190312}" wide
$s7 = "taskkill /im svehost.exe /t /f" fullword ascii
$s8 = "taskkill /im keepass.exe /t /f" fullword ascii
$ba = /bitsadmin \/(addfile|cancel|SetPriority|resume)/ ascii wide
$c1 = "/ech/client.php?u=" wide
$c2 = "/up/uploadx.php?u=" wide
$c3 = "/ech/echo.php?req=rr&u=" wide
$c4 = "/ech/rite.php" wide
$c5 = "http://microsoft.com-view.space/i.php?u=" wide
$c6 = "Content-Disposition: form-data; name=\"uploadedfile\"; filename=\"" ascii
condition: uint16(0) == 0x5a4d and (($pdb and any of them) or (5 of ($s*)) or (3 of ($c*)) or ((#ba > 3 and 4 of them)))
}
rule MALWARE_Win_KlingonRAT {
meta:
author = "ditekSHen"
description = "Detects KlingonRAT"
strings:
$go = "Go build ID:" ascii
$s1 = "/UCRelease/src/client/uac/once/"
$s2 = "%T\\AppData\\Local\\Windows Update\\"
$s3 = "%TSoftware\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
$s4 = "wmic /namespace:'\\\\root\\subscription' PATH"
$s5 = "C:\\Windows\\System32\\fodhelper.exeCaption,ParentProcessId,ProcessId"
$s6 = "ldpro.exelsass.exeluall.exeluspt.exe"
$s7 = "scangui.exedeps/lsass.exeetrustcipe.exefile"
$s8 = "alogserv.exeaplica32.exeapvxdwin.exeatro55en.exeautodown.exeavconsol.exeavgserv9.exeavkwctl9.exeavltmain.exeavpdos32.exeavsynmgr.exeavwupd32.exeavwupsrv.exe"
$c1 = "%s/keyLogger?machineId=%s" ascii
$c2 = "%s/stealer?machineId=%s" ascii
$c3 = "%s/lsass?machineId=%s" ascii
$c4 = "%s/logger?machineId=%s" ascii
$c5 = "%s/machineInfo?machineId=%s" ascii
$c6 = "failurehttps://%s:%d/botif-modified-sinceillegal" ascii
condition: uint16(0) == 0x5a4d and ($go) and (3 of ($c*) or 5 of ($s*) or (3 of ($s*) and 1 of ($c*)))
}
rule MALWARE_Win_XFiles {
meta:
author = "ditekSHen"
description = "Detects X-Files infostealer (formerly BotSh1zoid)"
strings:
$x1 = "\\BotSh1zoid\\" ascii
$x2 = "\\BuildPacker.pdb" ascii
$x3 = "\\Svc_host.pdb" ascii nocase
$s1 = "WDefender" fullword ascii
$s2 = "CheckDefender" fullword ascii
$s3 = "RunPS" fullword ascii
$s4 = "DownloadFile" fullword ascii
$v1_1 = "<Pass encoding=\"base64\">(.*)</Pass>" wide
$v1_2 = "Grabber\\" wide
$v1_3 = "/log.php" wide
$v1_4 = /Browsers\\(Logins|Cards|Cookies)/ wide
$v1_5 = "<StealSteam>b__" ascii
$v1_6 = "record_header_field" fullword ascii
$v1_7 = "JavaScreenshotiptReader" fullword ascii
$v1_8 = "HTTPDebuggerPro" wide
$v1_9 = "IEInspector" wide
$v1_10 = "Fiddler" wide
$v2_1 = /get_(Cookie|Logins|Cards)Path/ fullword ascii
$v2_2 = "get_AllScreens" fullword ascii
$v2_3 = "{0}_{1}_{2}.zip" fullword wide
$v2_4 = "\\Stealer" fullword wide
$g1 = "$983a3552-4ec3-4936-bd4a-8e6fd67b4c67" fullword ascii
$g2 = "$a5d9ca4d-400f-4e07-8c09-a916b548f2e3" fullword ascii
$g3 = "$ebc25cf6-9120-4283-b972-0e5520d0000C" fullword ascii
condition: uint16(0) == 0x5a4d and ((1 of ($x*) and (3 of ($s*) or 3 of ($v1*) or 3 of ($v2*))) or 7 of ($v1*) or 3 of ($v2*) or (2 of ($g*) and 3 of them))
}
rule MALWARE_Win_AllaKore {
meta:
author = "ditekSHen"
description = "Detects AllaKore"
strings:
$x1 = "AllaKore Remote - Chat" fullword wide
$x2 = "AllaKore Remote - Share Files" fullword wide
$x3 = "CYRUS - Chat" fullword wide
$x4 = "CYRUS - Share Files" fullword wide
$x5 = "<|REDIRECT|><|GETFOLDERS|>" fullword wide
$x6 = "<|REDIRECT|><|DOWNLOADFILE|>" fullword wide
$x7 = "<|REDIRECT|><|WHEELMOUSE|>" fullword wide
$x8 = "<|REDIRECT|><|SETMOUSE" wide
$x9 = "<|CHECKIDPASSWORD|>" fullword wide
$x10 = "<|KEYBOARDSOCKET|>" fullword wide
$x11 = "<|REDIRECT|><|CLIPBOARD|>" fullword wide
$x12 = "<|IDEXISTS!REQUESTPASSWORD|>" fullword wide
$x13 = "<|GETFULLSCREENSHOT|>" fullword wide
$x14 = "<|MAINSOCKET|>" fullword ascii
$s1 = "You can not connect with yourself!" wide
$s2 = "Waiting for authentication..." wide
$s3 = "Connected support!" wide
$s4 = "ID does nor exists." wide
$s5 = "Finding the ID..." wide
$s6 = "PC is Busy!" wide
$s7 = "Upload & Execute" fullword ascii
$s8 = "Download file selected" fullword ascii
$s9 = "CaptureKeys_TimerTimer" fullword ascii
$s10 = "Remote File Manager" fullword ascii
condition: uint16(0) == 0x5a4d and (4 of ($x*) or 4 of ($s*) or (3 of ($s*) and 2 of ($x*)))
}
rule MALWARE_Win_ReverseRAT {
meta:
author = "ditekSHen"
description = "Detects ReverseRAT"
strings:
$pdb1 = "\\ReverseRat.pdb" ascii nocase
$pdb2 = "\\ReverseRat\\obj\\" ascii nocase
$s1 = "processCmd" fullword ascii
$s2 = "CmdOutputDataHandler" fullword ascii
$s3 = "sendingProcess" fullword ascii
$s4 = "SetStartup" fullword ascii
$s5 = "RunServer" fullword ascii
$s6 = "_OutputDataReceived" ascii
$s7 = { 63 00 6d 00 64 00 2e 00 65 00 78 00 65 00
00 03 0a 00 00 13 74 00 65 00 72 00 6d 00
69 00 6e 00 61 00 74 00 65 00 00 09 65 00
78 00 69 00 74 00 }
condition: uint16(0) == 0x5a4d and ((1 of ($pdb*) and 2 of ($s*)) or 5 of ($s*))
}
rule MALWARE_Win_SmokeLoader {
meta:
author = "ditekSHen"
description = "Detects SmokeLoader variants"
strings:
$x1 = "G2A/CLP/05/RYS" fullword wide // mutex
$x2 = "0N1Y/53R10U5/BU51N355" fullword wide // mutex
$x3 = "CH4PG3PB-6HT2VI9C-O2NL2NO5-QP1BW0EG" fullword wide // mutex
$s1 = "Azure-Update-Task" fullword wide
$s2 = "C:\\Windows\\System32\\schtasks.exe" fullword wide
$s3 = "/C /create /F /sc minute /mo 1 /tn \"" fullword wide
$s4 = "\\Microsoft\\Network" fullword wide
$s5 = "\\Microsoft\\TelemetryServices" fullword wide
$s6 = "\" /tr \"" fullword wide
$e1 = "\\sqlcmd.exe" fullword wide
$e2 = "\\sihost.exe" fullword wide
$e3 = "\\fodhelper.exe" fullword wide
//$o1 = { 6a 34 59 66 39 0e 75 7c 0f b7 46 02 6a 30 5a 83 }
//$o2 = { 5e c9 c3 56 8d 85 f8 fd ff ff 50 8d 85 f0 fb ff }
//$o3 = { 8b d9 eb 03 8b 5d ec 0f b7 c2 89 45 ec 0f b7 c2 }
//$o4 = { 8b 5d fc 66 89 04 77 46 eb 2a 8b 5d fc 85 db 74 }
condition: uint16(0) == 0x5a4d and ((1 of ($x*) and 4 of ($s*)) or (5 of ($s*) and 1 of ($e*)))
}
rule MALWARE_Win_DLInjector03 {
meta:
author = "ditekSHen"
description = "Detects unknown loader / injector"
strings:
$x1 = "LOADER ERROR" fullword ascii
$s1 = "_ZN6curlpp10OptionBaseC2E10CURLoption" fullword ascii
$s2 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_CoinMiner02 {
meta:
author = "ditekSHen"
description = "Detects coinmining malware"
strings:
$s1 = "%s/%s (Windows NT %lu.%lu" fullword ascii
$s2 = "\\Microsoft\\Libs\\WR64.sys" wide
$s3 = "\\\\.\\WinRing0_" wide
$s4 = "pool_wallet" ascii
$s5 = "cryptonight" ascii
$s6 = "mining.submit" ascii
$c1 = "stratum+ssl://" ascii
$c2 = "daemon+http://" ascii
$c3 = "stratum+tcp://" ascii
$c4 = "socks5://" ascii
$c5 = "losedaemon+https://" ascii
condition: uint16(0) == 0x5a4d and (3 of ($s*) and 1 of ($c*))
}
rule MALWARE_Win_Mercurial {
meta:
author = "ditekSHen"
description = "Detects Mercurial infostealer"
strings:
$x1 = "mercurial grabber" wide nocase
$x2 = "\"text\":\"Mercurial Grabber |" wide
$x3 = "/nightfallgt/mercurial-grabber" wide
$s1 = "/LimerBoy/Adamantium-Thief/" ascii
$s2 = "Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/42.0" fullword wide
$s3 = "StealCookies" fullword ascii
$s4 = "StealPasswords" fullword ascii
$s5 = "DetectDebug" fullword ascii
$s6 = "CaptureScreen" fullword ascii
$s7 = "WebhookContent" fullword ascii
$s8 = /Grab(Token|Product|IP|Hardware)/ fullword ascii
$p1 = "[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{27}" fullword ascii wide
$p2 = "mfa\\.[\\w-]{84}" fullword ascii wide
condition: uint16(0) == 0x5a4d and (1 of ($x*) or 5 of ($s*) or (all of ($p*) and 3 of ($s*)))
}
rule MALWARE_Win_Phonzy {
meta:
author = "ditekSHen"
description = "Detects specific downloader agent"
strings:
$ua1 = "User-Agent: Mozilla/5.0 (X11; Linux" wide
$s1 = "<meta name=\"keywords\" content=\"([\\w\\d ]*)\">" fullword wide
$s2 = "WebClient" fullword ascii
$s3 = "WriteAllText" fullword ascii
$s4 = "DownloadString" fullword ascii
$s5 = "WriteByte" fullword ascii
condition: uint16(0) == 0x5a4d and (all of ($s*) or (1 of ($ua*) and ($s1) and 2 of ($s*)))
}
rule MALWARE_Win_Hive {
meta:
author = "ditekSHen"
description = "Detects Hive ransomware"
strings:
$url1 = "http://hivecust" ascii
$url2 = "http://hiveleakdb" ascii
$s1 = "encrypt_files.go" ascii
$s2 = "erase_key.go" ascii
$s3 = "kill_processes.go" ascii
$s4 = "remove_shadow_copies.go" ascii
$s5 = "stop_services_windows.go" ascii
$s6 = "remove_itself_windows.go" ascii
$x1 = "/encryptor/" ascii
$x2 = "HOW_TO_DECRYPT.txt" ascii
$x3 = "FilesEncrypted" fullword ascii
$x4 = "EncryptionStarted" fullword ascii
$x5 = "encryptFilesGroup" fullword ascii
$x6 = "Your data will be undecryptable" ascii
$x7 = "- Do not fool yourself. Encryption has perfect secrecy" ascii
$v1_1 = ".EncryptFiles." ascii
$v1_2 = ".EncryptFilename." ascii
$v1_3 = ")*struct { F uintptr; .autotmp_14 string }" ascii
$v1_4 = "D*struct { F uintptr; data *[]uint8; seed *uint8; fnc *main.decFunc }" ascii
$v1_5 = "golang.org/x/sys/windows.getSystemWindowsDirectory" ascii
$v1_6 = "path/filepath.WalkDir" ascii
$v2_1 = "taskkill /f /im" ascii
$v2_2 = "schtasks /delete /tn" ascii
$v2_3 = "encfile.txt" ascii
$v2_4 = "README.html" ascii
$v2_5 = "total encrypt %v/%v" ascii
$v2_6 = "<b>ITSSHOWKEY</b>" ascii
$v2_7 = "Recovery your files." ascii
$v2_8 = "yaml:\"send_host\"" ascii // send_host: "45.76.99.222:80"
$v2_9 = "yaml:\"ignore_dir\"" ascii
condition: uint16(0) == 0x5a4d and (all of ($url*) or all of ($s*) or 4 of ($x*) or 5 of ($v1*) or 5 of ($v2*) or (4 of ($v2*) and #v2_1 > 10))
}
rule MALWARE_Win_Spyro {
meta:
author = "ditekSHen"
description = "Detects Spyro / VoidCrypt / Limbozar ransomware"
strings:
$s1 = "Decrypt-info.txt" ascii wide
$s2 = "AbolHidden" ascii wide
$s3 = "C:\\ProgramData\\prvkey" ascii wide
$s4 = ".?AV?$TF_CryptoSystemBase@VPK_Encryptor@CryptoPP" ascii
$s5 = "C:\\Users\\LEGION\\" ascii
$s6 = "C:\\ProgramData\\pkey.txt" fullword ascii
$s7 = ".Spyro" fullword ascii
$m1 = "Go to C:\\ProgramData\\ or in Your other Drives" wide
$m2 = "saving prvkey.txt.key file will cause" wide
$m3 = "in Case of no Answer:" wide
$m4 = "send us prvkey*.txt.key" wide
$m5 = "Somerhing went wrong while writing payload on disk" ascii
$m6 = "this country is forbidden.\"}" ascii
$c1 = "Voidcrypt/1.0" ascii
$c2 = "h1dd3n.cc" ascii
$c3 = "/voidcrypt/index.php" ascii
$c4 = "&user=" ascii
$c5 = "&disk-size=" ascii
$c6 = "unique-id=" ascii
condition: uint16(0) == 0x5a4d and (5 of ($s*) or 4 of ($c*) or 3 of ($m*) or 8 of them)
}
rule MALWARE_Win_DarkVNC {
meta:
author = "ditekSHen"
description = "Detects DarkVNC"
strings:
$s1 = "USR-%s(%s)_%S-%S%u%u" fullword wide
$s2 = "BOT-%s(%s)_%S-%S%u%u" fullword wide
$s3 = "USR-UnicodeErr(Err)_%s-%s%u%u" fullword ascii
$s4 = "BOT-UnicodeErr(Err)_%s-%s%u%u" fullword ascii
$s5 = "PRM_STRG" fullword wide
$s6 = "bot_shell >" ascii
$s7 = "monitor_off / monitor_on" ascii
$s8 = "kbd_off / kbd_on" ascii
$s9 = "ActiveDll: Dll inject thread for process 0x%x terminated with status: %u" ascii
$s10 = "PsSup: File %s successfully started with parameter \"%s\"" ascii
$s11 = "PsSup: ShellExecute failed. File: %s, error %u" ascii
$s12 = "#hvnc" fullword ascii
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_RSJON {
meta:
author = "ditekSHen"
description = "Detects RSJON / Ryzerlo / HiddenTear ransomware"
strings:
$pdb1 = "C:\\Users\\brknc\\source\\repos\\" ascii
$pdb2 = "\\rs-jon\\obj\\Debug\\rs-jon.pdb" ascii
$pdb3 = "\\rs-jon\\obj\\Release\\rs-jon.pdb" ascii
$x1 = "READ_ME_PLZ.txt" wide
$x2 = "Files has been encrypted with rs-jon" wide
$x3 = ".rsjon" wide
$x4 = "bitcoins or kebab" wide
$x5 = /rs[-_]jon/ fullword ascii wide
$s1 = "SPIF_UPDATEINIFILE" fullword ascii
$s2 = "SPI_SETDESKWALLPAPER" fullword ascii
$s3 = "bytesToBeEncrypted" fullword ascii // Same as Apsotle
$s4 = "SendPassword" fullword ascii
$s5 = "EncryptFile" ascii
$s6 = "fWinIni" fullword ascii
$s7 = "BTCAdress" fullword ascii
$s8 = "self_destruck" fullword ascii // Simialr to Apsotle (SelfDelete)
$c1 = "?computer_name=" wide
$c2 = "&serialnumber=" wide
$c3 = "&password=" wide
$c4 = "&allow=ransom" wide
$c5 = "://darkjon.tk/" wide
$c6 = "/rnsm/write.php" wide
condition: uint16(0) == 0x5a4d and (3 of ($x*) or 6 of ($s*) or 4 of ($c*) or (2 of ($c*) and 4 of ($s*)) or (1 of ($pdb*) and 1 of them))
}
rule MALWARE_Win_BoxCaon {
meta:
author = "ditekSHen"
description = "Detects IndigoZebra BoxCaon"
strings:
$s1 = "<RetCMD null>" fullword wide
$s2 = "<txt null>" fullword wide
$s3 = "C:\\Users\\Public\\%d\\" fullword wide
$s4 = "api.dropboxapi.com" fullword wide
$s5 = "/2/files/upload" fullword wide
$ts1 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" ascii wide
$ts2 = "%s /A /C \"%s\" > %s" ascii wide
$ts3 = "ersInfo" ascii wide
$ts4 = "%svmpid%d.log" ascii wide
$ts5 = "%scscode%d.log" ascii wide
condition: (uint16(0) == 0x5a4d and all of ($s*)) or all of ($ts*)
}
rule MALWARE_Win_AvosLocker {
meta:
author = "ditekSHen"
description = "Hunt for AvosLocker ransomware"
strings:
$s1 = "GET_YOUR_FILES_BACK.txt" ascii wide
$s2 = ".avos" fullword ascii wide
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_Diavol {
meta:
author = "ditekSHen"
description = "Detects Diavol ransomware"
strings:
$s1 = "README_FOR_DECRYPT.txt" ascii wide nocase
$s2 = ".lock64" fullword ascii wide
$s3 = "LockMainDIB" ascii wide
$s4 = "locker.divided" ascii wide
$s5 = "%tob_dic%/" wide
$s6 = "%cid_bot%" wide
$m1 = "GENBOTID" ascii wide
$m2 = "SHAPELISTS" ascii wide
$m3 = "REGISTER" ascii wide
$m4 = "FROMNET" ascii wide
$m5 = "SERVPROC" ascii wide
$m6 = "SMBFAST" ascii wide
$c1 = "/Bnyar8RsK04ug/" fullword ascii
$c2 = "/landing" fullword ascii
$c3 = "/wipe" fullword ascii
$c4 = "&ip_local1=111.111.111.111&ip_local2=222.222.222.222&ip_external=2.16.7.12" fullword ascii
$c5 = "&group=" fullword ascii
$c6 = "/BnpOnspQwtjCA/register" fullword ascii
condition: uint16(0) == 0x5a4d and (4 of ($s*) or 5 of ($m*) or 4 of ($c*) or 7 of them)
}
rule MALWARE_Win_MargulasRAT {
meta:
author = "ditekSHen"
description = "Detects MargulasRAT"
strings:
$pdb1 = "G:\\VP-S-Fin\\memory\\" ascii
$pdb2 = "G:\\VP-S-Fin\\Margulas\\" ascii
$pdb3 = "G:\\VP-S-Fin\\remote" ascii
$pdb4 = "G:\\VP-S-Fin\\" ascii
$s1 = "/C choice /C Y /N /D Y /T 1 & Del " fullword wide
$s2 = "strToHash" fullword ascii
$s3 = "\\socking" fullword wide
$s4 = "\\wininets" fullword wide
$s5 = "ClientSocket" fullword ascii
$s6 = "new Stream()" fullword wide
$s7 = "CipherText" fullword ascii
$s8 = "WriteAllBytes" fullword ascii
$s9 = { 00 50 72 6f 63 65 73 73 00 45 78 69 73 74 73 00}
$s10 = "pxR/THCwdLuruMmw8wB8xAUvbno1yPGBTOV9IoOkAp/n7+paQm74pkzlfSKDpAKfTOV9IoOkAp9M5X0ig6QCn0zlfSKDpAKfTOV9IoOkAp" wide
$c1 = "149.248.52.61" wide
$c2 = "://vpn.nic.in" wide
$c3 = "://www.mod.gov.in/dod/sites/default/files/" wide
condition: uint16(0) == 0x5a4d and ((1 of ($pdb*) and (1 of ($c*) or 3 of ($s*))) or (1 of ($c*) and 3 of ($s*)) or (6 of ($s*)))
}
rule MALWARE_Win_LilithRAT {
meta:
author = "ditekSHen"
description = "Detects LilithRAT"
hash1 = "132870a1ae6a0bdecaa52c03cfe97a47df8786f148fa8ca113ac2a8d59e3624a"
hash2 = "ab7b6e0b28995bdeea44f20c0aba47f95e1d6ba281af3541cd2c04dc6c2a3ad9" // actor testing?
hash3 = "b2eeb487046ba1d341fb964069b7e83027b60003334e04e41b467e35c3d2460f"
hash4 = "cebcda044c60b709ba4ee0fa9e1e7011a6ffc17285bcc0948d27f866ec8d8f20"
strings:
$pdb1 = "c:\\Users\\Groovi\\Documents\\Visual Studio 2008\\Projects\\TestDll\\" ascii
$pdb2 = "C:\\Users\\iceberg\\Downloads\\RAT-Server-master\\RAT-Server-master\\RAT\\Debug\\RAT.pdb" ascii
$pdb3 = "C:\\Users\\Samy\\Downloads\\Compressed\\Lilith-master\\Debug\\Lilith.pdb" ascii
$s1 = "log.txt" fullword ascii
$s2 = "keylog.txt" fullword ascii
$s3 = "File Listing Completed Successfully." fullword ascii
$s4 = "Download Execute" fullword ascii
$s5 = "File Downloaded and Executed Successfully." fullword ascii
$s6 = "C:\\WINDOWS\\system32\\cmd.exe" fullword ascii
$s7 = "CMD session closed" ascii
$s8 = "Restart requested: Restarting self" fullword ascii
$s9 = "Termination requested: Killing self" fullword ascii
$s10 = "Couldn't write to CMD: CMD not open" fullword ascii
$s11 = "keydump" fullword ascii
$s12 = "remoteControl" fullword ascii
$s13 = "packettype" fullword ascii
condition: uint16(0) == 0x5a4d and (1 of ($pdb*) or 6 of ($s*) or (1 of ($pdb*) and 4 of ($s*)))
}
rule MALWARE_Win_EpicenterRAT {
meta:
author = "ditekSHen"
description = "Detects EpicenterRAT"
strings:
$pdb1 = "c:\\Users\\Zombie\\Desktop\\MutantNinja\\" ascii
$pdb2 = "\\Epicenter Client\\" ascii
$s1 = "PROCESS_LIST<%SEP%>" fullword wide
$s2 = "GETREADY_RECV_FILE<%SEP%>" fullword wide
$s3 = "DISPLAY<%SEP%>" wide
$s4 = "GETSCREEN<%SEP%>" fullword wide
$s5 = "dumpImageName" fullword ascii
$s6 = "dumpLoc" fullword ascii
$s7 = "EXPECT<%SEP%>filelist<%SEP%>" fullword wide
$s8 = "<%FSEP%>FOLDER<%FSEP%>-<%SEP%>" fullword wide
$s9 = "KILLPROC<%SEP%>" fullword wide
$s10 = "LAUNCHPROC<%SEP%>" fullword wide
$s11 = "cmd.exe /c start /b " fullword wide
$s12 = "savservice" fullword wide
$s13 = "getvrs" fullword ascii
condition: uint16(0) == 0x5a4d and (1 of ($pdb*) or 5 of ($s*))
}
rule MALWARE_Win_LastConn {
meta:
author = "ditekSHen"
description = "Detects LastConn"
strings:
$s1 = "System.Net.Http.SysSR" fullword wide
$s2 = "System.Net.Http.WrSR" fullword wide
$s3 = "yyyy'-'MM'-'dd'T'HH':'mm':'ss.FFFFFFFK" fullword wide
$s4 = { 63 00 6f 00 6e 00 74 00 65 00 6e 00 74 00 0c 6e
00 6f 00 74 00 69 00 66 00 79 00 04 06 12 80 e8
05 00 00 12 80 e8 08 75 00 73 00 65 00 72 00 08
74 00 65 00 61 00 6d 00 06 61 00 70 00 70 00 0c
6e 00 6f 00 61 00 75 00 74 00 68 00 }
$s5 = { 68 00 69 00 64 00 64 00 65 00 6e 00 10 64 00 69
00 73 00 61 00 6c 00 6c 00 6f 00 77 00 0e 65 00
78 00 74 00 65 00 6e 00 64 00 73 00 04 69 00 64
00 16 75 00 6e 00 69 00 71 00 75 00 65 00 49 00
74 00 65 00 6d 00 73 }
$s6 = "<RunFileOnes>d__" ascii
$s7 = "<UploadFile>d__" ascii
$s8 = "<ChunkUpload>d__" ascii
$s9 = "<StartFolder>d__" ascii
$s10 = "<ReadFileAlw>d__" ascii
$s12 = "<WriteFileToD>d__" ascii
$s13 = "<ReadFile>d__" ascii
$s14 = "<GetUpload>d__" ascii
$s15 = "CDropbox.Api.DropboxRequestHandler+<RequestJsonStringWithRetry>d__" ascii
condition: uint16(0) == 0x5a4d and 12 of them
}
rule MALWARE_Win_CrimsonRAT {
meta:
author = "ditekSHen"
description = "Detects CrimsonRAT"
strings:
$s1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|" fullword wide
$s2 = "system volume information|" fullword wide
$s3 = "program files (x86)|" fullword wide
$s4 = "program files|" fullword wide
$s5 = "<SAVE_AUTO<|" fullword wide
$s6 = "add_up_files" fullword ascii
$s7 = "see_folders" ascii
$s8 = "see_files" ascii
$s9 = "see_scren" ascii
$s10 = "see_recording" ascii
$s11 = "see_responce" ascii
$s12 = "pull_data" ascii
$s13 = "do_process" ascii
$s14 = "do_updated" ascii
$s15 = "IPSConfig" fullword ascii
$s16 = "#Runing|ver#" wide
$s17 = "|fileslog=" wide
condition: uint16(0) == 0x5a4d and 6 of them
}
rule MALWARE_Win_ActionRAT {
meta:
author = "ditekSHen"
description = "Detects ActionRAT, CSharp and Delfi variants"
strings:
$x1 = /<action>(connect|command|drives|getfiles|upload|execute|download)<action>/ fullword wide
$x2 = "aHR0cDovLzE0NC45MS42NS4xMDAv" wide
$x3 = "aHR0cDovL21mYWhvc3QuZGRucy5uZXQv" wide
$f1 = "<updateCommand>b__" ascii
$f2 = "<getDrives>b__" ascii
$f3 = "<getStatus>b__" ascii
$f4 = "<getDirectories>b__" ascii
$f5 = "<updateUpload>b__" ascii
$f6 = "<infinity>b__" ascii
$f7 = "<uploadFile>b__" ascii
$s1 = "beaconURL" ascii
$s2 = "PingReply" ascii
$s3 = "updateUpload" ascii
$s4 = "updateCommand" ascii
$s5 = "runCommand" ascii
$s6 = "uploadFile" ascii
$s7 = "SELECT * FROM MSFT_NetAdapter WHERE ConnectorPresent = True AND DeviceID = '{0}'" fullword wide
$s8 = "SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
$s9 = "Mozilla/3.0" fullword wide
$s10 = "|directory|N/A|" fullword wide
$s11 = "cmd.exe /c" fullword wide
$c1 = /Content-Disposition: form-data; name=(hostname|hid|id|action|secondary)/ fullword wide
$c2 = /(classification|updatecs|update|beacon)\.php/ wide
$c3 = "Content-Disposition: form-data;name=\"{0}\";filename=\"{1}\"filepath=\"{2}\"" fullword wide
$pdb1 = "D:\\Projects\\C#\\HTTP-Simple\\WindowsMediaPlayer - HTTP - " ascii
$pdb2 = "\\WindowsMediaPlayer10\\obj\\x86\\Release\\winow4.pdb" ascii
condition: uint16(0) == 0x5a4d and (#x1 > 5 or (all of ($f*) and (1 of ($s*) or 2 of ($c*))) or 7 of ($s*) or all of ($c*) or (all of ($pdb*) and 4 of them) or ( 2 of ($x*) and 5 of them))
}
rule MALWARE_Win_Nodachi {
meta:
author = "ditekSHen"
description = "Detects Nodachi infostealer"
strings:
$x1 = "//AppData//Roaming//kavachdb//kavach.db" ascii
$s1 = "/upload/drive/v3/files/{fileId}" ascii
$s2 = "main.getTokenFromWeb" ascii
$s3 = "main.tokenFromFile" ascii
$s4 = "/goLazagne/" ascii
$s5 = "/extractor/withoutdrive/main.go" ascii
$s6 = "struct { Hostname string \"json:\\\"hostname\\\"\"; EncryptedUsername string \"json:\\\"encryptedUsername\\\"\"; EncryptedPassword string \"json:\\\"encryptedPassword\\\"\" }" ascii
$s7 = "C://Users//public//cred.json" ascii
condition: uint16(0) == 0x5a4d and ((1 of ($x*) and 3 of ($s*)) or (4 of ($s*)))
}
rule MALWARE_Win_IAmTheKingQueenOfHearts {
meta:
author = "ditekSHen"
description = "IAmTheKing Queen Of Hearts payload"
strings:
$s1 = "{'session':[{'name':'" ascii
$s2 = "begin mainthread ok" wide
$s3 = "getcommand error" wide
$s4 = "querycode error" wide
$s5 = "Code = %d" wide
$s6 = "cookie size :%d" wide
$s7 = "send request error:%d" wide
$s8 = "PmMytex%d" wide
$s9 = "%s_%c%c%c%c_%d" wide
$s10 = "?what@exception@std@@UBEPBDXZ" ascii
condition: uint16(0) == 0x5a4d and 6 of them
}
rule MALWARE_Win_IAmTheKingQueenOfClubs {
meta:
author = "ditekSHen"
description = "IAmTheKing Queen Of Clubs payload"
strings:
$s1 = "Not Support!" fullword wide
$s2 = "%s|%s|%s|%s" fullword wide
$s3 = "cmd.exe" fullword wide
$s4 = "for(;;){$S=Get-Content \"%s\";IF($S){\"\" > \"%s\";$t=iex $S 2>\"%s\";$t=$t+' ';echo $t >>\"%s\";}sleep -m " wide
$s5 = "PowerShell.exe -nop -c %s" fullword wide
$s6 = "%s \"%s\" Df" fullword wide
$s7 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)" fullword ascii
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_IAmTheKing {
meta:
author = "ditekSHen"
description = "IAmTheKing payload"
strings:
$s1 = "DeleteFile \"%s\" Failed,Err=%d" wide
$s2 = "DeleteFile \"%s\" Success" wide
$s3 = "ExcuteFile \"%s\" Failed,Err=%d" wide
$s4 = "ExcuteFile \"%s\" Success" wide
$s5 = "CreateDownLoadFile \"%s\" Failed,Error=%d" wide
$s6 = "uploadFile \"%s\" Failed,errorcode=%d" wide
$s7 = "CreateUpLoadFile \"%s\" Success" wide
$s8 = "im the king" ascii
$s9 = "dont disturb me" fullword ascii
$s10 = "kill me or love me" fullword ascii
$s11 = "please leave me alone" fullword ascii
$s12 = "calculate the NO." fullword ascii
$s13 = "\\1-driver-vmsrvc" fullword ascii
condition: uint16(0) == 0x5a4d and 7 of them
}
rule MALWARE_Win_GoBrut {
meta:
author = "ditekSHen"
description = "Detects unknown Go multi-bruteforcer bot (StealthWorker / GoBrut) against multiple systems: QNAP, MagOcart, WordPress, Opencart, Bitrix, Postgers, MySQL, Drupal, Joomla, SSH, FTP, Magneto, CPanel"
strings:
$x1 = "/src/StealthWorker/Worker" ascii
$x2 = "/go/src/Cloud_Checker/" ascii
$x3 = "brutXmlRpc" ascii
$s1 = "main.WPBrut" ascii
$s2 = "main.WPChecker" ascii
$s3 = "main.WooChecker" ascii
$s4 = "main.StandartBrut" ascii
$s5 = "main.StandartBackup" ascii
$s6 = "main.WpMagOcartType" ascii
$s7 = "main.StandartAdminFinder" ascii
$w1 = "/WorkerQnap_brut/main.go" ascii
$w2 = "/WorkerHtpasswd_brut/main.go" ascii
$w3 = "/WorkerOpencart_brut/main.go" ascii
$w4 = "/WorkerBitrix_brut/main.go" ascii
$w5 = "/WorkerPostgres_brut/main.go" ascii
$w6 = "/WorkerMysql_brut/main.go" ascii
$w7 = "/WorkerFTP_brut/main.go" ascii
$w8 = "/WorkerSSH_brut/main.go" ascii
$w9 = "/WorkerDrupal_brut/main.go" ascii
$w10 = "/WorkerJoomla_brut/main.go" ascii
$w11 = "/WorkerMagento_brut/main.go" ascii
$w12 = "/WorkerWHM_brut/main.go" ascii
$w13 = "/WorkerCpanel_brut/main.go" ascii
$w14 = "/WorkerPMA_brut/main.go" ascii
$w15 = "/WorkerWP_brut/main.go" ascii
$p1 = "%s/project/saveGood?host=%s&login=%s&password=%s&service=cpanel" ascii
$p2 = "%s/project/saveGood?host=%s&login=%s&password=%s&service=ftpBrut" ascii
$p3 = "%s/project/saveGood?host=%s&login=%s&password=%s&service=mysql_b" ascii
$p4 = "%s/project/saveGood?host=%s&login=%s&password=%s&service=qnapBrt" ascii
$p5 = "%s/project/saveGood?host=%s&login=%s&password=%s&service=OCartBrt" ascii
$p6 = "%s/project/saveGood?host=%s&login=%s&password=%s&service=phpadmin" ascii
$p7 = "%s/project/saveGood?host=%s&login=%s&password=%s&service=bitrixBrt" ascii
$p8 = "%s/project/saveGood?host=%s&login=%s&password=%s&service=drupalBrt" ascii
$p9 = "%s/project/saveGood?host=%s&login=%s&password=%s&service=joomlaBrt" ascii
$p10 = "%s/project/saveGood?host=%s&login=%s&password=%s&service=htpasswdBrt" ascii
$p11 = "%s/project/saveGood?host=%s&login=%s&password=%s&service=magentoBrt" ascii
$p12 = "%s/project/saveGood?host=%s&login=%s&password=%s&service=postgres_b" ascii
$p13 = "AUTH_FORM=Y&TYPE=AUTH&USER_LOGIN=%s&USER_PASSWORD=%s&Login=&captcha_sid=&captcha_word=" ascii
$p14 = "%qlog=%s&pwd=%s&wp-submit=Log In&redirect_to=%s/wp-admin/&testcookie=1" ascii
$p15 = "name=%s&pass=%s&form_build_id=%s&form_id=user_login_form&op=Log" ascii
$p16 = "username=%s&passwd=%s&option=com_login&task=login&return=%s&%s=1" ascii
$v1_1 = "brutC" fullword ascii
$v1_2 = "XmlRpc" fullword ascii
$v1_3 = "shouldRetry$" ascii
$v1_4 = "HttpC|%" ascii
$v1_5 = "ftpH%_" ascii
$v1_6 = "ssh%po" ascii
$v1_7 = "?sevlyar/4-da" ascii
condition: (uint16(0) == 0x5a4d or uint16(0) == 0x457f) and ((2 of ($x*) and 3 of ($s*)) or all of ($s*) or 6 of ($w*) or 6 of ($p*) or 6 of ($v1*) or 12 of them)
}
rule MALWARE_Win_BioPass_Dropper {
meta:
author = "ditekSHen"
description = "Detects Go BioPass dropper"
strings:
$go = "Go build ID:" ascii
$s1 = "main.NetWorkStatus" ascii
$s2 = "main.NoErrorRunFunction" ascii
$s3 = "main.FileExist" ascii
$s4 = "main.execute" ascii
$s5 = "main.PsGenerator" ascii
$s6 = "main.downFile" ascii
$s7 = "main.Unzip" ascii
$url1 = "https://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/" ascii
$x1 = "SCHTASKS /Run /TN SYSTEM_CDAEMON" ascii
$x2 = "SCHTASKS /Run /TN SYSTEM_SETTINGS" ascii
$x3 = "SCHTASKS /Run /TN SYSTEM_TEST && SCHTASKS /DELETE /F /TN SYSTEM_TEST" ascii
$x4 = ".exe /install /quiet /norestart" ascii
$x5 = "exec(''import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\\''http" ascii
$x6 = "powershell.exe -Command $" ascii
$x7 = ".Path ='-----BEGIN RSA TESTING KEY-----" ascii
condition: uint16(0) == 0x5a4d and (all of ($s*) or 5 of ($x*) or (1 of ($url*) and ($go)) or 9 of them)
}
rule MALWARE_Win_A310Logger {
meta:
author = "ditekSHen"
description = "Detects A310Logger"
snort_sid = "920204-920207"
strings:
$s1 = "Temporary Directory * for" fullword wide
$s2 = "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*RD_" wide
$s3 = "@ENTIFIER=" wide
$s4 = "ExecQuery" fullword wide
$s5 = "MSXML2.ServerXMLHTTP.6.0" fullword wide
$s6 = "Content-Disposition: form-data; name=\"document\"; filename=\"" wide
$s7 = "CopyHere" fullword wide
$s8 = "] Error in" fullword wide
$s9 = "shell.application" fullword wide nocase
$s10 = "SetRequestHeader" fullword wide
$s11 = "\\Ethereum\\keystore" fullword wide
$s12 = "@TITLE Removing" fullword wide
$s13 = "@RD /S /Q \"" fullword wide
$en1 = "Unsupported encryption" fullword wide
$en2 = "BCryptOpenAlgorithmProvider(SHA1)" fullword wide
$en3 = "BCryptGetProperty(ObjectLength)" fullword wide
$en4 = "BCryptGetProperty(HashDigestLength)" fullword wide
// varaint 1
$v1_1 = "PW\\FILES\\SC::" wide
$v1_2 = "AddAttachment" fullword wide
$v1_3 = "Started:" fullword wide
$v1_4 = "Ended:" fullword wide
$v1_5 = "sharedSecret" fullword wide
$v1_6 = "\":\"([^\"]+)\"" fullword wide
$v1_7 = "\\credentials.txt" fullword wide
$v1_8 = "WritePasswords" fullword ascii
$v1_9 = "sGeckoBrowserPaths" fullword ascii
$v1_10 = "get_sPassword" fullword ascii
condition: uint16(0) == 0x5a4d and (7 of ($s*) or (3 of ($en*) and 4 of ($s*)) or (5 of ($s*) and 1 of ($en*)) or 5 of ($v1*) or (4 of ($v1*) and 2 of ($s*) and 2 of ($en*)))
}
rule MALWARE_Win_CryLock {
meta:
author = "ditekSHen"
description = "Detects CryLock ransomware"
strings:
$s1 = "Encrypted by BlackRabbit. (BR-" ascii
$s2 = "{ENCRYPTENDED}" ascii
$s3 = "{ENCRYPTSTART}" ascii
$s4 = "<%UNDECRYPT_DATETIME%>" ascii
$s5 = "<%RESERVE_CONTACT%>" ascii
$s6 = "how_to_decrypt.hta" ascii wide
$s7 = "END ENCRYPT ONLY EXTENATIONS" ascii
$s8 = "END UNENCRYPT EXTENATIONS" ascii
$s9 = "END COMMANDS LIST" ascii
$s10 = "END PROCESSES KILL LIST" ascii
$s11 = "END SERVICES STOP LIST" ascii
$s12 = "END PROCESSES WHITE LIST" ascii
$s13 = "END UNENCRYPT FILES LIST" ascii
$s14 = "END UNENCRYPT FOLDERS LIST" ascii
$s15 = "Encrypted files:" ascii
$s16 = { 65 78 74 65 6e 61 74 69 6f 6e 73 00 ff ff ff ff
06 00 00 00 63 6f 6e 66 69 67 00 00 ff ff ff ff
(0a|0d 0a) 00 00 00 63 6f 6e 66 69 67 2e 74 78
74 00 00 ff ff ff ff 03 00 00 00 68 74 61 }
$p1 = "-exclude" fullword
$p2 = "-makeff" fullword
$p3 = "-full" fullword
$p4 = "-nolocal" fullword
$p5 = "-nolan" fullword
$p6 = "\" -id \"" fullword
$p7 = "\" -wid \"" fullword
$p8 = "\"runas\"" fullword
$p9 = " -f -s -t 00" fullword ascii
condition: uint16(0) == 0x5a4d and (3 of ($s*) or 6 of ($p*))
}
rule MALWARE_Win_DeepRats {
meta:
author = "ditekSHen"
description = "Detects DeepRats ("
hash1 = "1f8b7e1b14869d119c5de1f05330094899bd997fca4c322d852db85cbd9271e6"
strings:
$s1 = "https://freegeoip.live/json/https://myexternalip.com/rawin" ascii
$s2 = "github.com/cretz/bine" ascii
$s3 = "github.com/kbinani/screenshot" ascii
$s4 = "socks5://%s:%d" ascii
$s5 = "socks5://%s:%s@%s:%d" ascii
$s6 = "http://%s:%d" ascii
$s7 = "http://%s@%s:%d" ascii
$s8 = "%SystemRoot%\\system32\\--CookieAuthentication" ascii
$s9 = "tor_addr_" ascii
$f1 = ".GetVnc" ascii
$f2 = ".GetCommand" ascii
$f3 = ".GetPayload" ascii
$f4 = ".ListenCommands" ascii
$f5 = ".ReceiveFile" ascii
$f6 = ".RegisterImplant" ascii
$f7 = ".Screenshot" ascii
$f8 = ".SendFile" ascii
$f9 = ".StartShell" ascii
$f10 = ".UnregisterImplant" ascii
$f11 = ".VncInstalled" ascii
$f12 = ".PingPong" ascii
$f13 = ".ListenCMD" ascii
condition: uint16(0) == 0x5a4d and (7 of ($s*) or 8 of ($f*))
}
rule MALWARE_Win_Gasket {
meta:
author = "ditekSHen"
description = "Detects Gasket"
strings:
$s1 = "main.checkGasket" ascii
$s2 = "main.connectGasket" ascii
$s3 = "/cert/trust/dev/stderr/dev/stdout/index.html" ascii
$f1 = ".SetPingHandler." ascii
$f2 = ".SetPongHandler." ascii
$f3 = ".computeMergeInfo." ascii
$f4 = ".computeDiscardInfo." ascii
$f5 = ".readPlatformMachineID." ascii
$f6 = ".(*Session).establishStream." ascii
$f7 = ".(*Session).handleGoAway." ascii
$f8 = ".(*Stream).processFlags." ascii
$f9 = ".(*Session).handlePing." ascii
$f10 = ".(*windowsService).Install." ascii
$f11 = ".(*windowsService).Uninstall." ascii
$f12 = ".(*windowsService).Status." ascii
$f13 = ".getStopTimeout." ascii
$f14 = ".DialContext." ascii
$f15 = ".WriteControl." ascii
$f16 = ".(*Server).authenticate." ascii
$f17 = ".(*Server).ServeConn." ascii
$f18 = ".(*TCPProxy).listen." ascii
$f19 = ".UserPassAuthenticator.Authenticate." ascii
$f20 = ".(*InfoPacket).XXX_" ascii
condition: uint16(0) == 0x5a4d and (all of ($s*) or 16 of ($f*))
}
rule MALWARE_Win_SilentMoon {
meta:
author = "ditekSHen"
description = "Detects SilentMoon"
strings:
$s1 = "\\\\.\\Global\\PIPE\\" fullword wide
$s2 = "REMOTE_NS:ERROR:%d" fullword ascii
$s3 = "REMOTE:ERROR:%d" fullword ascii
$s4 = "COMNAP,COMNODE,SQLQUERY,SPOOLSS,LLSRPC,browser" fullword wide
$s5 = "Mem alloc err" fullword ascii
$s6 = "block %d: crc = 0x%08x, combined CRC = 0x%08x, size = %d" ascii
$x1 = "ACTION:UNSUPPORTED" fullword ascii
$x2 = "?ServiceMain@@YAXKPAPA_W@Z" fullword ascii
$x3 = "?ServiceCtrlHandler@@YGKKKPAX0@Z" fullword ascii
$x4 = "%d socks, %d sorted, %d scanned" ascii
$x5 = "GoldenSky" fullword wide
$x6 = "SilentMoon" fullword wide
$x7 = "internalstoragerpc" fullword wide
condition: uint16(0) == 0x5a4d and (all of ($s*) or 3 of ($x*))
}
rule MALWARE_Win_Lu0Bot {
meta:
author = "ditekSHen"
description = "Detects Lu0Bot"
strings:
$s1 = "WinExec" fullword ascii
$s2 = "AlignRects" fullword ascii
$o1 = { be 00 20 40 00 89 f7 89 f0 81 c7 a? 01 00 00 81 }
$o2 = { 53 50 e8 b0 01 00 00 e9 99 01 00 00 e8 ae 01 00 }
condition: uint16(0) == 0x5a4d and filesize < 4KB and 1 of ($s*) and all of ($o*)
}
rule MALWARE_Win_ShellcodeDLEI {
meta:
author = "ditekSHen"
description = "Detects shellcode downloader, executer, injector"
strings:
$s1 = "PPidSpoof" fullword ascii
$s2 = "ProcHollowing" fullword ascii
$s3 = "CreateProcess" fullword ascii
$s4 = "DynamicCodeInject" fullword ascii
$s5 = "PPIDDynCodeInject" fullword ascii
$s6 = "MapAndStart" fullword ascii
$s7 = "PPIDAPCInject" fullword ascii
$s8 = "PPIDDLLInject" fullword ascii
$s9 = "CopyShellcode" fullword ascii
$s10 = "GetEntryFromBuffer" fullword ascii
condition: uint16(0) == 0x5a4d and filesize < 100KB and 5 of ($s*)
}
rule MALWARE_Win_BlueBot {
meta:
author = "ditekSHen"
description = "Detects BlueBot"
strings:
$x1 = "Blue_Botnet" wide
$x2 = "5-START-http" ascii
$x3 = "*300-END-" ascii
$x4 = "botlogger.php" wide
$s1 = "//TARGET//" wide
$s2 = "//BLOG//" wide
$s3 = "MCBOTALPHA" wide
$s4 = "//IPLIST//" wide
$s5 = "Host: //BLOG//" wide
$s6 = "User-Agent: //USERAGENT//" wide
$s7 = "<string>//TARGET//</string>" wide
$s8 = "POST //URL// HTTP/1.1/r/n" wide
$v1 = "<attack>b__" ascii
$v2 = "PressData" fullword ascii
$v3 = "POSTPiece" fullword ascii
$v4 = /(load|tcp|udp)Stuff/ fullword ascii
$v5 = "isAttacking" fullword ascii
$v6 = "DoSAttack" fullword ascii
$v7 = "prv_attack" fullword ascii
$v8 = "blogList"fullword ascii
condition: uint16(0) == 0x5a4d and (2 of ($x*) or 5 of ($s*) or 5 of ($v*) or 9 of them)
}
rule MALWARE_Win_UNKCobaltStrike {
meta:
author = "ditekSHen"
description = "Detects unknown malware, potentially CobaltStrike related"
strings:
$s1 = "https://%hu.%hu.%hu.%hu:%u" ascii wide
$s2 = "https://microsoft.com/telemetry/update.exe" ascii wide
$s3 = "\\System32\\rundll32.exe" ascii wide
$s4 = "api.opennicproject.org" ascii wide
$s5 = "%s %s,%s %u" ascii wide
$s6 = "User32.d?" ascii wide
$s7 = "StrDupA" fullword ascii wide
$s8 = "{6d4feed8-18fd-43eb-b5c4-696ad06fac1e}" ascii wide
$s9 = "{ac41592a-3d21-46b7-8f21-24de30531656}" ascii wide
$s10 = "bd526:3b.4e32.57c8.9g32.35ef41642767~" ascii wide
$s11 = { 4b d3 91 49 a1 80 91 42 83 b6 33 28 36 6b 90 97 } // BITS
$s12 = { 0d 4c e3 5c c9 0d 1f 4c 89 7c da a1 b7 8c ee 7c } // BITS
condition: uint16(0) == 0x5a4d and 6 of them
}
rule MALWARE_Win_EXEPWSHDL {
meta:
author = "ditekSHen"
description = "Detects executable downloaders using PowerShell"
strings:
$x1 = "[Ref].Assembly.GetType(" ascii wide
$x2 = ".SetValue($null,$true)" ascii wide
$s1 = "replace" ascii wide
$s2 = "=@(" ascii wide
$s3 = "[System.Text.Encoding]::" ascii wide
$s4 = ".substring" ascii wide
$s5 = "FromBase64String" ascii wide
$d1 = "New-Object" ascii wide
$d2 = "Microsoft.XMLHTTP" ascii wide
$d3 = ".open(" ascii wide
$d4 = ".send(" ascii wide
condition: uint16(0) == 0x5a4d and filesize < 100KB and all of ($x*) and (3 of ($s*) or all of ($d*))
}
rule MALWARE_Win_MB150 {
meta:
author = "ditekSHen"
description = "Detects MB150? Go ransomware"
strings:
$x1 = /main\.evade_(clicks_count|cpu_count|disk_size|foreground_window|hostname|mac|printer|screen_size|system_memory|time_acceleration|tmp|utc)/ fullword ascii
$x2 = /main\.sandbox_(hostname|mac_addresses)/ fullword ascii
$x3 = "main.drop_ransom_note" fullword ascii
$x4 = "main.ransom_amount" fullword ascii
$x5 = "main.create_encryption_key" fullword ascii
$x6 = "main.encrypt" fullword ascii
$x7 = "main.encrypt_encryption_key" fullword ascii
$x8 = "main.encrypt_file" fullword ascii
$x9 = "main.ext_blacklist" fullword ascii
$mac1 = "00:03:FF00:05:6900:0C:2900:16:3E00:1C:1400:1C:4200:50:56" ascii nocase
$mac2 = "00-03-FF00-05-6900-0C-2900-16-3E00-1C-1400-1C-4200-50-56" ascii nocase
$mac3 = "0003FF000569000C2900163E001C14001C42005056" ascii nocase
$go = "Go build ID:" ascii
$s1 = "main.MB150" ascii
$s2 = "http://1.1.1.1" ascii
$s3 = "your personnal ID" ascii
$s4 = "ransom amount" ascii
$s5 = "binance.com" ascii
$s6 = "getmonero.org" ascii
condition: uint16(0) == 0x5a4d and (4 of ($x*) or ($go and 4 of ($s*)) or (1 of ($mac*) and (2 of ($x*) or 3 of ($s*))))
}
rule MALWARE_Win_Chaos {
meta:
author = "ditekSHen"
description = "Detects Chaos ransomware"
strings:
$s1 = "<EncyptedKey>" fullword wide
$s2 = "<EncryptedKey>" fullword wide
$s3 = "C:\\Users\\" fullword wide
$s4 = "read_it.txt" fullword wide
$s5 = "#base64Image" fullword wide
$s6 = "(?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})" fullword wide
$s7 = /check(Spread|Sleep|AdminPrivilage|deleteShadowCopies|disableRecoveryMode|deleteBackupCatalog)/ fullword ascii nocase
$s8 = /(delete|disable)(ShadowCopies|RecoveryMode|BackupCatalog)/ fullword ascii nocase
$s9 = "spreadName" fullword ascii
$s10 = "processName" fullword ascii
$s11 = "sleepOutOfTempFolder" fullword ascii
$s12 = "AlreadyRunning" fullword ascii
$s13 = "random_bytes" fullword ascii
$s14 = "encryptDirectory" fullword ascii nocase
$s15 = "EncryptFile" fullword ascii nocase
$s16 = "intpreclp" fullword ascii
$s17 = "bytesToBeEncrypted" fullword ascii
$s18 = "textToEncrypt" fullword ascii
$m1 = "Chaos is" wide
$m2 = "Payment informationAmount:" wide
$m3 = "Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com" wide
$m4 = "where do I get Bitcoin" wide
condition: uint16(0) == 0x5a4d and 6 of ($s*) or all of ($m*) or (2 of ($m*) and 4 of ($s*))
}
rule MALWARE_Win_HorusEyesRAT {
meta:
author = "ditekSHen"
description = "Detects HorusEyesRAT"
strings:
$x1 = "\\HorusEyesRat-" ascii
$x2 = "\\HorusEyesRat.pdb" ascii
$x3 = "get_horus_eye" ascii
$s1 = "get_Type_Packet" fullword ascii
$s2 = "PacketLib" fullword ascii nocase
$s3 = "System.Net.Sockets" fullword ascii
$s4 = "PROCESS_MODE_BACKGROUND_BEGIN" fullword ascii
$s5 = "EXECUTION_STATE" fullword ascii
$s6 = /Plugins\\[A-Z]{2}.dll/ fullword wide
condition: uint16(0) == 0x5a4d and (2 of ($x*) or (1 of ($x*) and 3 of ($s*)) or (4 of ($s*) and #s6 > 4))
}
rule MALWARE_Win_BreakWin {
meta:
author = "ditekSHen"
description = "Detects BreakWin Wiper"
strings:
$s1 = "Started wiping file %s with %s." fullword wide
$s2 = "C:\\Program Files\\Lock My PC" wide
$s3 = "Stardust is still alive." fullword wide
$s4 = "Failed to terminate the locker process." fullword wide
$s5 = "C:\\Windows\\System32\\cmd.exe" fullword wide
$s6 = "Process created successfully. Executed command: %s." fullword wide
$s7 = "locker_background_image_path" fullword ascii
$s8 = "takeown.exe /F \"C:\\Windows\\Web\\Screen\" /R /A /D Y" fullword ascii
$s9 = "icacls.exe \"C:\\Windows\\Web\\Screen\" /reset /T" fullword ascii
$s10 = "takeown.exe /F \"C:\\ProgramData\\Microsoft\\Windows\\SystemData\" /R /A /D Y" fullword ascii
$s11 = ".?AVProcessSnapshotCreationFailedException@@" fullword ascii
condition: uint16(0) == 0x5a4d and 4 of them
}
/*
rule MALWARE_Win_zgRAT {
meta:
author = "ditekSHen"
description = "Detects zgRAT"
strings:
$s1 = "file:///" fullword wide
$s2 = "{11111-22222-10009-11112}" fullword wide
$s3 = "{11111-22222-50001-00000}" fullword wide
$s4 = "get_Module" fullword ascii
$s5 = "Reverse" fullword ascii
$s6 = "BlockCopy" fullword ascii
$s7 = "ReadByte" fullword ascii
$s8 = { 4c 00 6f 00 63 00 61 00 74 00 69 00 6f 00 6e 00
00 0b 46 00 69 00 6e 00 64 00 20 00 00 13 52 00
65 00 73 00 6f 00 75 00 72 00 63 00 65 00 41 00
00 11 56 00 69 00 72 00 74 00 75 00 61 00 6c 00
20 00 00 0b 41 00 6c 00 6c 00 6f 00 63 00 00 0d
57 00 72 00 69 00 74 00 65 00 20 00 00 11 50 00
72 00 6f 00 63 00 65 00 73 00 73 00 20 00 00 0d
4d 00 65 00 6d 00 6f 00 72 00 79 00 00 0f 50 00
72 00 6f 00 74 00 65 00 63 00 74 00 00 0b 4f 00
70 00 65 00 6e 00 20 00 00 0f 50 00 72 00 6f 00
63 00 65 00 73 00 73 00 00 0d 43 00 6c 00 6f 00
73 00 65 00 20 00 00 0d 48 00 61 00 6e 00 64 00
6c 00 65 00 00 0f 6b 00 65 00 72 00 6e 00 65 00
6c 00 20 00 00 0d 33 00 32 00 2e 00 64 00 6c 00
6c }
condition: uint16(0) == 0x5a4d and all of them
}
*/
rule MALWARE_Win_CoinMiner03 {
meta:
author = "ditekSHen"
description = "Detects coinmining malware"
strings:
$s1 = "UnVzc2lhbiBTdGFuZGFyZCBUaW1l" wide
$s2 = "/xmrig" wide
$s3 = "/gminer" wide
$s4 = "-o {0} -u {1} -p {2} -k --cpu-priority 0 --threads={3}" wide
$s5 = "--algo ethash --server" wide
$s6 = "--algo kawpow --server" wide
$cnc1 = "/delonl.php?hwid=" fullword wide
$cnc2 = "/gateonl.php?hwid=" fullword wide
$cnc3 = "&cpuname=" fullword wide
$cnc4 = "&gpuname=" fullword wide
$cnc5 = "{0}/gate.php?hwid={1}&os={2}&cpu={3}&gpu={4}&dateinstall={5}&gpumem={6}" fullword wide
$cnc6 = "/del.php?hwid=" fullword wide
$f1 = "<StartGpuethGminer>b__" ascii
$f2 = "<StartGpuetcGminer>b__" ascii
$f3 = "<StartGpurvnGminer>b__" ascii
condition: uint16(0) == 0x5a4d and (3 of ($cnc*) or (2 of ($f*) and (1 of ($s*) or 1 of ($f*))) or all of ($f*) or 5 of ($s*))
}
rule MALWARE_Win_Zeppelin {
meta:
author = "ditekSHen"
description = "Detects Zeppelin (Delphi) ransomware"
strings:
$s1 = "TUnlockAndEncrypt" ascii
$s2 = "TExcludeFiles" ascii
$s3 = "TExcludeFolders" ascii
$s4 = "TDrivesAndShares" ascii
$s5 = "TTaskKiller" ascii
$x1 = "!!! D !!!" ascii
$x2 = "!!! LOCALPUBKEY !!!" ascii
$x3 = "!!! ENCLOCALPRIVKEY !!!" ascii
condition: uint16(0) == 0x5a4d and (all of ($s*) or all of ($x*) or (2 of ($x*) and 2 of ($s*)))
}
rule MALWARE_Win_SlackBot {
meta:
author = "ditekSHen"
description = "Detects SlackBot"
strings:
$x1 = "lp0o4bot v" ascii
$x2 = "slackbot " ascii
$s1 = "cpu: %lumhz %s, uptime: %u+%.2u:%.2u, os: %s" fullword ascii
$s2 = "%s, running for %u+%.2u:%.2u" fullword ascii
$s3 = "PONG :%s" fullword ascii
$s4 = "PRIVMSG %s :%s" fullword ascii
$s5 = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" fullword ascii
$m1 = "saving %s to %s" ascii
$m2 = "visit number %u failed" ascii
$m3 = "sending %s packets of %s bytes to %s with a delay of %s" ascii
$m4 = "file executed" ascii
$m5 = "packets sent" ascii
$m6 = "upgrading to %s" ascii
$m7 = "rebooting..." ascii
$c1 = "!@remove" fullword ascii
$c2 = "!@restart" fullword ascii
$c3 = "!@reboot" fullword ascii
$c4 = "!@rndnick" fullword ascii
$c5 = "!@exit" fullword ascii
$c6 = "!@sysinfo" fullword ascii
$c7 = "!@upgrade" fullword ascii
$c8 = "!@login" fullword ascii
$c9 = "!@run" fullword ascii
$c10 = "!@webdl" fullword ascii
$c11 = "!@cycle" fullword ascii
$c12 = "!@clone" fullword ascii
$c13 = "!@visit" fullword ascii
$c14 = "!@udp" fullword ascii
$c15 = "!@nick" fullword ascii
$c16 = "!@say" fullword ascii
$c17 = "!@quit" fullword ascii
$c18 = "!@part" fullword ascii
$c19 = "!@join" fullword ascii
$c20 = "!@raw" fullword ascii
condition: uint16(0) == 0x5a4d and (all of ($x*) or all of ($s*) or all of ($m*) or (10 of ($c*) and (1 of ($x*) or 3 of ($s*) or 2 of ($m*))))
}
rule MALWARE_Win_SweetyStealer {
meta:
author = "ditekSHen"
description = "Detects SweetyStealer"
strings:
$s1 = "SWEETY STEALER" wide
$s2 = "\\SWEETYLOG.zip" fullword wide
$s3 = "\\SWEETY STEALER\\SWEETY\\" ascii
$s4 = "\\Sweety" fullword wide
$s5 = "SWEETYSTEALER." ascii
$s6 = "in Virtual Environment, so we prevented stealing" wide
$s7 = ":purple_square:" wide
$f1 = "<GetDomainDetect>b__" ascii
$f2 = "<GetAllProfiles>b__" ascii
$f3 = "<ProcessExtraFieldZip64>b__" ascii
$f4 = "<PostExtractCommandLine>k__" ascii
condition: uint16(0) == 0x5a4d and 3 of ($s*) or (3 of ($f*) and 1 of ($s*))
}
rule MALWARE_Win_GENIRCBot {
meta:
author = "ditekSHen"
description = "Detects generic IRCBots"
strings:
$s1 = "@login" ascii nocase
$s2 = "PRIVMSG" fullword ascii
$s3 = "JOIN" fullword ascii
$s4 = "PING :" fullword ascii
$s5 = "NICK" fullword ascii
$s6 = "USER" fullword ascii
$x1 = "irc.danger.net" fullword ascii nocase
$x2 = "evilBot" fullword ascii nocase
$x3 = "#evilChannel" fullword ascii nocase
condition: uint16(0) == 0x5a4d and (all of ($s*) or 2 of ($x*))
}
rule MALWARE_Win_Nitro {
meta:
author = "ditekSHen"
description = "Detects Nitro Ransomware"
strings:
$x1 = ".givemenitro" wide
$x2 = "Nitro Ransomware" ascii wide
$x3 = "\\NitroRansomware.pdb" ascii
$x4 = "NitroRansomware" ascii wide nocase
$s1 = "Valid nitro code was received" wide
$s2 = "discord nitro" ascii wide nocase
$s3 = "Starting file encryption" wide
$s4 = "NR_decrypt.txt" wide
$s5 = "open it unless you have the decryption key." ascii
$s6 = "<EncryptAll>b__" ascii
$s7 = "<DecryptAll>b__" ascii
$s8 = "DECRYPT_PASSWORD" fullword ascii
$s9 = "IsEncrypted" fullword ascii
$s10 = "CmdProcess_OutputDataReceived" fullword ascii
$s11 = "encryptedFileLog" fullword ascii
$s12 = "Encrypting:" fullword wide
$s13 = "decryption key. If you do so, your files may get corrupted" ascii
condition: uint16(0) == 0x5a4d and (3 of ($x*) or (3 of ($s*) and 1 of ($x*)) or (7 of ($s*)))
}
rule MALWARE_Win_NanoCore {
meta:
author = "ditekSHen"
description = "Detects NanoCore"
strings:
$x1 = "NanoCore Client" fullword ascii
$x2 = "NanoCore.ClientPlugin" fullword ascii
$x3 = "NanoCore.ClientPluginHost" fullword ascii
$i1 = "IClientApp" fullword ascii
$i2 = "IClientData" fullword ascii
$i3 = "IClientNetwork" fullword ascii
$i4 = "IClientAppHost" fullword ascii
$i5 = "IClientDataHost" fullword ascii
$i6 = "IClientLoggingHost" fullword ascii
$i7 = "IClientNetworkHost" fullword ascii
$i8 = "IClientUIHost" fullword ascii
$i9 = "IClientNameObjectCollection" fullword ascii
$i10 = "IClientReadOnlyNameObjectCollection" fullword ascii
$s1 = "ClientPlugin" fullword ascii
$s2 = "EndPoint" fullword ascii
$s3 = "IPAddress" fullword ascii
$s4 = "IPEndPoint" fullword ascii
$s5 = "IPHostEntr" fullword ascii
$s6 = "get_ClientSettings" fullword ascii
$s7 = "get_Connected" fullword ascii
condition: uint16(0) == 0x5a4d and (2 of ($x*) or 8 of ($i*) or all of ($s*) or (1 of ($x*) and (3 of ($i*) or 2 of ($s*))))
}
rule MALWARE_Win_Satan {
meta:
author = "ditekSHen"
description = "Detects Satan ransomware"
strings:
$s1 = "S:(ML;;NRNWNX;;;LW)" fullword wide
$s2 = "recycle.bin" fullword wide
$s3 = "tmp_" fullword wide
$s4 = "%s%08x.%s" fullword wide
$s5 = "\"%s\" %s" fullword wide
$s6 = "/c \"%s\"" fullword wide
$s7 = "Global\\" fullword wide
$s8 = "rd /S /Q \"%s\"" fullword ascii
$s9 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)" fullword ascii
$e1 = "*pdf*" fullword wide
$e2 = "*rtf*" fullword wide
$e3 = "*doc*" fullword wide
$e4 = "*docx*" fullword wide
$e5 = "*xlsx*" fullword wide
$e6 = "*pptx*" fullword wide
$e7 = "*moneywell*" fullword wide
$o1 = { 56 8d 54 24 34 b9 9e f0 ea be e8 c1 f9 ff ff 8d }
$o2 = { b9 34 f6 40 00 e8 ea 0b 00 00 85 c0 0f 84 91 }
$o3 = { 53 8d 84 24 34 01 00 00 b9 01 00 00 80 50 a1 64 }
condition: uint16(0) == 0x5a4d and ((8 of ($s*) and 4 of ($e*)) or all of ($s*) or (all of ($e*) and 5 of ($s*)) or (all of ($o*) and 8 of them))
}
rule MALWARE_Win_Neshta {
meta:
author = "ditekSHen"
description = "Detects Neshta"
strings:
$s1 = "Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus." fullword ascii
$s2 = "! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]" fullword ascii
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Linux_HelloKitty {
meta:
author = "ditekSHen"
description = "Detects Linux version of HelloKitty ransomware"
strings:
$s1 = "exec_pipe:%s" ascii
$s2 = "Error InitAPI !!!" fullword ascii
$s3 = "No Files Found !!!" fullword ascii
$s4 = "Error open log File:%s" fullword ascii
$s5 = "%ld - Files Found " fullword ascii
$s6 = "Total VM run on host:" fullword ascii
$s7 = "error:%d open:%s" fullword ascii
$s8 = "work.log" fullword ascii
$s9 = "esxcli vm process kill" ascii
$s10 = "readdir64" fullword ascii
$s11 = "%s_%d.block" fullword ascii
$s12 = "EVP_EncryptFinal_ex" fullword ascii
$s13 = ".README_TO_RESTORE" fullword ascii
$m1 = "COMPROMISED AND YOUR SENSITIVE PRIVATE INFORMATION WAS STOLEN" ascii nocase
$m2 = "damage them without special software" ascii nocase
$m3 = "leaking or being sold" ascii nocase
$m4 = "Data will be Published and/or Sold" ascii nocase
condition: uint16(0) == 0x457f and (6 of ($s*) or (2 of ($m*) and 2 of ($s*)) or 8 of them)
}
rule MALWARE_Win_BlackMatter {
meta:
author = "ditekSHen"
description = "Detects BlackMatter ransomware"
strings:
$s1 = "C:\\Windows\\System32\\*.drv" fullword wide
$s2 = "NYbr-Vk@" fullword ascii
$s3 = ":7:=:H:Q:W:\\:b:&;O;^;v;" fullword ascii
$o1 = { b0 34 aa fe c0 e2 fb b9 03 }
$o2 = { fe 00 ff 75 08 ff 75 0c ff b5 d8 fe ff ff ff b5 }
$o3 = { 6a 00 ff 75 0c ff b5 d8 fe ff ff ff b5 dc fe ff }
$o4 = { ff 75 08 ff 75 0c ff b5 d8 fe ff ff ff b5 dc fe }
$o5 = { 53 56 57 8d 85 70 ff ff ff 83 c0 0f 83 e0 f0 89 }
$o6 = { c7 85 68 ff ff ff 00 04 00 00 8b 85 6c ff ff ff }
//SOFTWARE\Microsoft\Crypt
//Volume{
//*recycle*
condition: uint16(0) == 0x5a4d and (all of ($s*) and all of ($o*))
}
rule MALWARE_Win_DLInjector04 {
meta:
author = "ditekSHen"
description = "Detects downloader / injector"
strings:
$s1 = "Runner" fullword ascii
$s2 = "DownloadPayload" fullword ascii
$s3 = "RunOnStartup" fullword ascii
$a1 = "Antis" fullword ascii
$a2 = "antiVM" fullword ascii
$a3 = "antiSandbox" fullword ascii
$a4 = "antiDebug" fullword ascii
$a5 = "antiEmulator" fullword ascii
$a6 = "enablePersistence" fullword ascii
$a7 = "enableFakeError" fullword ascii
$a8 = "DetectVirtualMachine" fullword ascii
$a9 = "DetectSandboxie" fullword ascii
$a10 = "DetectDebugger" fullword ascii
$a11 = "CheckEmulator" fullword ascii
condition: uint16(0) == 0x5a4d and ((all of ($s*) and 5 of ($a*)) or 10 of ($a*))
}
rule MALWARE_Win_DarkComet {
meta:
author = "ditekSHen"
description = "Detects DarkComet"
strings:
$s1 = "%s, ClassID: %s" ascii
$s2 = "%s, ProgID: \"%s\"" ascii
$s3 = "#KCMDDC51#" ascii
$s4 = "#BOT#VisitUrl" ascii
$s5 = "#BOT#OpenUrl" ascii
$s6 = "#BOT#Ping" ascii
$s7 = "#BOT#RunPrompt" ascii
$s8 = "#BOT#CloseServer" ascii
$s9 = "#BOT#SvrUninstall" ascii
$s10 = "#BOT#URLUpdate" ascii
$s11 = "#BOT#URLDownload" ascii
$s12 = /BTRESULT(Close|Download|HTTP|Mass|Open|Ping\|Respond|Run|Syn|UDP|Uninstall\|uninstall|Update|Visit)/ ascii
$s13 = "dclogs\\" fullword ascii
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Win_Macoute {
meta:
author = "ditekSHen"
description = "Detects Macoute"
strings:
$s1 = "scp%s%s%s%s" ascii
$s2 = "putfile %s %s" ascii
$s3 = "pscp|%s|%s:%s" ascii
$s4 = "connect %host %port\\n" ascii
$s5 = "/ecoute/spool/%s-%lu" ascii
$s6 = "<f n=\"%s\" s=\"%lu\" d=\"%d-%d-%d\"/>" ascii
$s7 = "CMPT;%s;%s;%s;%s;%s" ascii
$s8 = "%s\\apoScreen%lu.dll" ascii
$s9 = "/cap/%s%lu.jpg" ascii
$s10 = "INFO;%u;%u;%u;%d;%d;%d;%d;%d;%d;%d;%s" ascii
$s11 = "SUBJECT: %s is comming!" ascii
$s12 = "Content-type: multipart/mixed; boundary=\"#BOUNDARY#\"" ascii
$s13 = "FROM: %s@yahoo.com" ascii
$s14 = "<html><script language=\"JavaScript\">window.open(\"readme.eml\", null,\"resizable=no,top=6000,left=6000\")</script></html>" ascii
$s15 = "<html><HEAD></HEAD><body bgColor=3D#ffffff><iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe></body></html>" ascii
condition: uint16(0) == 0x5a4d and 10 of them
}
rule MALWARE_Win_CoinMiner04 {
meta:
author = "ditekSHen"
description = "Detects coinmining malware"
strings:
$s1 = "createDll" fullword ascii
$s2 = "getTasks" fullword ascii
$s3 = "SetStartup" fullword ascii
$s4 = "loadUrl" fullword ascii
$s5 = "Processer" fullword ascii
$s6 = "checkProcess" fullword ascii
$s7 = "runProcess" fullword ascii
$s8 = "createDir" fullword ascii
$cnc1 = "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0" fullword wide
$cnc2 = "?hwid=" fullword wide
$cnc3 = "?timeout=1" fullword wide
$cnc4 = "&completed=" fullword wide
$cnc5 = "/cmd.php" wide
condition: uint16(0) == 0x5a4d and (5 of ($s*) and 1 of ($cnc*))
}
rule MALWARE_Win_SideWalk {
meta:
author = "ditekSHen"
description = "Detects SideWalk"
strings:
$s1 = "Decommit" fullword ascii
$s2 = "Shellc0deRunner" fullword ascii
$s3 = "shellc0de" fullword ascii
$s4 = "C:\\Windows\\System32\\msdt.exe" fullword wide
$s5 = "StartProcessWOPid" fullword ascii
$s6 = "StartProcessWithParent" fullword ascii
$m1 = "alloctype" fullword ascii
$m2 = "ThreadIoPriority" fullword ascii
$m3 = "PebAddress" fullword ascii
$m4 = "dotnet.4.x64.dll" fullword wide
$m5 = "LogonNetCredentialsOnly" fullword ascii
$m6 = "ThreadIdealProcessor" fullword ascii
$m7 = "LogonWithProfile" fullword ascii
condition: uint16(0) == 0x5a4d and (5 of ($s*) or all of ($m*) or (11 of them))
}
rule MALWARE_Win_VanillaRAT {
meta:
author = "ditekSHen"
description = "Detects VanillaRAT"
strings:
$stub = "VanillaStub." ascii wide
$s1 = "Client.Send: " wide
$s2 = "Connected to chat" fullword wide
$s3 = "GetStoredPasswords" fullword wide
$s4 = "Started screen locker." fullword wide
$s5 = "[<\\MOUSE>]" fullword wide
$s6 = "YOUR SCREEN HAS BEEN LOCKED!" fullword wide
$s7 = "record recsound" fullword wide
$f1 = "<StartRemoteDestkop>d__" ascii
$f2 = "<ConnectLoop>d__" ascii
$f3 = "<Scan0>k__" ascii
$f4 = "<RemoteShellActive>k__" ascii
$f5 = "KillClient" fullword ascii
condition: uint16(0) == 0x5a4d and (($stub and (2 of ($s*) or 2 of ($f*))) or 6 of ($s*) or all of ($f*))
}
rule MALWARE_Win_SectopRAT {
meta:
author = "ditekSHen"
description = "Detects SectopRAT"
strings:
$s1 = "\\\\.\\root\\cimv2:Win32_Process" wide
$s2 = "\\\\.\\root\\cimv2:CIM_DataFile.Name=" wide
$s3 = "^.*(?=Windows)" fullword wide
$s4 = "C:\\Windows\\System32\\cmd.exe" wide
$s5 = "C:\\Windows\\explorer.exe" wide
$s6 = "Disabling IE protection" wide
$s7 = "stream started succces" wide
$b1 = "/C start Firefox" wide
$b2 = "/C start chrome" wide
$b3 = "/C start iexplore" wide
$m1 = "DefWindowProc" fullword ascii
$m2 = "AuthStream" fullword ascii
$m3 = "KillBrowsers" fullword ascii
$m4 = "GetAllNetworkInterfaces" fullword ascii
$m5 = "EnumDisplayDevices" fullword ascii
$m6 = "RemoteClient.Packets" fullword ascii
$m7 = "IServerPacket" fullword ascii
$m8 = "keybd_event" fullword ascii
condition: uint16(0) == 0x5a4d and ((5 of ($s*) and 2 of ($b*)) or all of ($s*) or (all of ($b*) and (4 of ($s*) or 5 of ($m*))))
}
rule MALWARE_Win_Neptune {
meta:
author = "ditekSHen"
description = "Detects Neptune keylogger / infostealer"
strings:
$x1 = "your keylogger has been freshly installed on" wide
$x2 = "Attached is a screenshot of the victim" wide
$x3 = "color: rgb(2, 84, 138);'>Project Neptune</span><br>" wide
$x4 = ">{Monitor Everything}</span><br><br>" wide
$x5 = "[First Run] Neptune" wide
$x6 = "Neptune - " wide
$s1 = "Melt" fullword wide
$s2 = "Hide" fullword wide
$s3 = "SDDate+" fullword wide
$s4 = "DelOff+" fullword wide
$s5 = "MsgFalse+" fullword wide
$s6 = "Clipboard:" fullword wide
$s7 = "information is valid and working!" wide
$s8 = ".exe /k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f" wide
$s9 = "http://www.exampleserver.com/directfile.exe" fullword wide
condition: uint16(0) == 0x5a4d and (2 of ($x*) or 7 of ($s*) or (1 of ($x*) and 5 of ($s*)))
}
rule MALWARE_Win_Tomiris {
meta:
author = "ditekSHen"
description = "Detects Tomiris"
strings:
$f1 = "main.workPath" ascii
$f2 = "main.selfName" ascii
$f3 = "main.infoServerAddr" ascii
$f4 = "main.configFileName" ascii
$s1 = "C:/Projects/go/src/Tomiris/main.go" ascii
$s2 = "C:/GO/go1.16.2/src/os/user/lookup_windows.go" ascii
$s3 = "C:\\GO\\go1.16.2" ascii
$s4 = ".html.jpeg.json.wasm.webp/p/gf/p/kk1562515" ascii
$s5 = "\" /ST 10:00alarm clockassistQueueavx512vbmi2avx512vnniwbad" ascii
$s6 = "write /TR \" Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p=" ascii
$t1 = "SCHTASKS /DELETE /F /TN \"%s\"" ascii
$t2 = "SCHTASKS /CREATE /SC DAILY /TN" ascii
$t3 = "SCHTASKS /CREATE /SC ONCE /TN \"%s\" /TR \"%s\" /ST %s" ascii
$t4 = "SCHTASKS /CREATE /SC ONCE /TN \"%s\" /TR \"'%s' %s\" /ST %s" ascii
$r1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones" ascii
$r2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" ascii
condition: uint16(0) == 0x5a4d and ((all of ($f*) and 3 of ($s*) and 2 of ($t*) and 1 of ($r*)) or (4 of ($s*) and 2 of ($t*) and 1 of ($r*)) or 12 of them)
}
rule MALWARE_Win_JennLog {
meta:
author = "ditekSHen"
description = "Detects JennLog loader"
strings:
$x1 = "%windir%\\system32\\rundll32.exe advapi32.dll,ProcessIdleTasks" fullword wide
$x2 = "https://fkpageintheworld342.com" fullword wide
$s1 = "ExecuteInstalledNodeAndDelete" fullword ascii
$s2 = "ProcessExsist" fullword ascii
$s3 = "helloworld.Certificate.txt" fullword wide
$s4 = "ASCII85 encoded data should begin with '" fullword wide
$s5 = "] WinRE config file path: C:\\" ascii
$s6 = "] Parameters: configWinDir: NULL" ascii
$s7 = "] Update enhanced config info is enabled." ascii
condition: uint16(0) == 0x5a4d and ((1 of ($x*) and 3 of ($s*)) or 5 of ($s*) or (all of ($x*) and 2 of ($s*)))
}
rule MALWARE_Win_LockFile {
meta:
author = "ditekSHen"
description = "Detects LockFile ransomware"
strings:
$x1 = "LOCKFILE" fullword ascii
$x2 = "25a01bb859125507013a2fe9737d3c33" fullword ascii
$s1 = "</key>" fullword ascii
$s2 = "<computername>%s</computername>" fullword ascii
$s3 = "<blocknum>%d</blocknum>" fullword ascii
$s4 = "%s\\%s-%s-%d%s" fullword ascii
$s5 = ">RAC=OQD:S>P@:AO?R:EEOS:ARDD=N?EENSB" ascii wide
$m1 = "<title>LOCKFILE</title>" ascii wide nocase
$m2 = "<hta:application id=LOCKFILE applicationName=LOCKFILE" ascii wide nocase
condition: uint16(0) == 0x5a4d and (all of ($x*) or all of ($s*) or (1 of ($x*) and (2 of ($s*) or 1 of ($m*))) or (1 of ($m*) and (1 of ($x*) or 2 of ($s*))))
}
rule MALWARE_Win_HUNT_FoggyWeb {
meta:
author = "ditekSHen"
description = "Attempt on hunting FoggyWeb"
strings:
$u1 = "/adfs/portal/images/theme/light01/" ascii wide
$u2 = "/adfs/services/trust/2005/samlmixed/upload" ascii wide
$s1 = "ProcessGetRequest" ascii wide
$s2 = "ProcessPostRequest" ascii wide
$s3 = "UrlGetFileNames" ascii wide
$s4 = "GetWebpImage" ascii wide
$s5 = "GetWebpHeader" ascii wide
$s6 = "ExecuteAssemblyRoutine" ascii wide
$s7 = "ExecuteBinary" ascii wide
condition: uint16(0) == 0x5a4d and 6 of them
}
rule MALWARE_Win_HUNT_Apostle {
meta:
author = "ditekSHen"
description = "Attempt on hunting new variants of Apostle"
strings:
$x1 = "://t.me/x4ran" ascii wide nocase
$x2 = "43JuFUyzfcKQwTzCTHpQoA8uLGtbwFBLyeeXoYEEU5dZLhLT1cZJDk4cytjcgQT7kdjSerJqpEp2gUcH91bjLcoq2bqik3j" ascii wide
condition: any of them
}
rule MALWARE_Win_HUNT_GhostEmperor_RemoteControlPayload {
meta:
author = "ditekSHen"
description = "Attempt on hunting GhostEmperor Stage 4 Remote Control Payload"
reference = "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf"
condition: uint16(0) == 0x5a4d and pe.is_dll() and pe.number_of_exports == 2 and pe.exports("1") and pe.exports("__acrt_iob_func")
}
rule MALWARE_Win_Alkhal {
meta:
author = "ditekSHen"
description = "Detects Alkhal ransomware"
strings:
$s1 = "ReadMe.txt" fullword wide
$s2 = "Recovery.bmp" fullword wide
$d1 = "\\$RECYCLE.BIN\\" fullword wide
$d2 = "\\BOOT\\" fullword wide
$d3 = "\\RECOVERY\\" fullword wide
$d4 = "\\MICROS~1\\" fullword wide
$d5 = "\\CODECA~1\\js\\" fullword wide
$a1 = "takeown.exe" fullword wide
$a2 = "AppLaunch.exe" fullword wide
$a3 = "MpCmdRun.exe" fullword wide
$a4 = "wordpad.exe" fullword wide
$a5 = "winload.exe" fullword wide
$a6 = "prevhost.exe" fullword wide
$a7 = "credwiz.exe" fullword wide
condition: uint16(0) == 0x5a4d and (all of ($s*) and 4 of ($d*) and 3 of ($a*))
}
rule MALWARE_Win_Unicorn {
meta:
author = "ditekSHen"
description = "Detects Unicorn infostealer"
strings:
$x1 = "WinHTTP Downloader/1.0" fullword wide
$x2 = "[CTRL + %c]" fullword wide
$x3 = "\\UnicornLog.txt" fullword wide
$x4 = "/*INITIALIZED*/" fullword wide
$s1 = { 2f 00 63 00 20 00 22 00 43 00 4f 00 50 00 59 00
20 00 2f 00 59 00 20 00 2f 00 42 00 20 00 22 00
25 00 73 00 22 00 20 00 22 00 25 00 73 00 22 00
22 00 00 00 63 00 6d 00 64 00 2e 00 65 00 78 00
65 }
$s2 = { 72 00 75 00 6e 00 64 00 6c 00 6c 00 33 00 32 00
2e 00 65 00 78 00 65 00 00 00 00 00 25 00 73 00
20 00 22 00 25 00 73 00 22 00 2c 00 25 00 68 00
73 }
$s3 = "%*[^]]%c%n" fullword ascii
$s4 = "file://%s%s%s" fullword ascii
$s5 = "%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s" fullword ascii
$s6 = "regex_start_injects" fullword ascii
$s7 = "DLEXEC" fullword ascii
$s8 = "^((((3|1)[A-Za-z0-9]{33}))(\\s|$)|(bc1q)[A-Za-z0-9]{38}(\\s|$))" fullword ascii
$s9 = "^(0x)?[A-Za-z0-9]{40}(\\s|$)" fullword ascii
$s10 = "clipRegex" fullword ascii
$s11 = "%s?k=%s&src=clip&id=%s" fullword ascii
$s12 = "http://izuw6rclbgl2lwsh.onion/o.php" fullword ascii
condition: uint16(0) == 0x5a4d and (all of ($x*) or 8 of ($s*) or (3 of ($x*) and 5 of ($s*)))
}
rule MALWARE_Win_Spectre {
meta:
author = "ditekSHen"
description = "Detects Spectre infostealer"
snort_sid = "920233-920234"
strings:
$s1 = "\\../../../json.h" wide
$s2 = "static_cast<std::size_t>(index) < kCachedPowers.size()" fullword wide
$s3 = " cmd.exe" fullword wide
$s4 = "m_it.object_iterator != m_object->m_value.object->end()" fullword wide
$h1 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" fullword wide
$h2 = "----974767299852498929531610575" ascii wide
$h3 = "Content-Disposition: form-data; name=\"file\"; filename=\"" fullword ascii
condition: (uint16(0) == 0x5a4d and ((all of ($s*) and 1 of ($h*)) or (all of ($h*) and 2 of ($s*)))) or (6 of them)
}
rule MALWARE_Win_HUNT_BlackByte {
meta:
author = "ditekSHen"
description = "Attempt on hunting BlackByte ransomware"
strings:
$s1 = "WalkDirAndEncrypt" ascii wide nocase
$s2 = "FileEncrypt" ascii wide nocase
$s3 = "BlackByte." ascii wide nocase
$s4 = "EnumerateDirAndEncrypt" ascii wide nocase
$s5 = "Dismount-DiskImage" ascii wide nocase
$s6 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" ascii wide nocase
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Win_DLInjector05 {
meta:
author = "ditekSHen"
description = "Detects downloader / injector (NiceProcess)"
strings:
$s1 = "pidhtmpfile.tmp" fullword ascii
$s2 = "pidhtmpdata.tmp" fullword ascii
$s3 = "pidHTSIG" fullword ascii
$s4 = "Taskmgr.exe" fullword ascii
$s5 = "[HP][" ascii
$s6 = "[PP][" ascii
$s7 = { 70 69 64 68 74 6d 70 66 69 6c 65 2e 74 6d 70 00
2e 64 6c 6c 00 00 00 00 70 69 64 48 54 53 49 47
00 00 00 00 ?? ?? 00 00 54 61 73 6b 6d 67 72 2e
65 78 65 }
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Win_Kutaki {
meta:
author = "ditekSHen"
description = "Detects Kutaki"
strings:
$x1 = "AASEaHR0cDovL29qb3JvYmlhLmNsdWIvbGFwdG9wL2xhcHRvcC5waHA" ascii
$x2 = "aHR0cDovL3RlcmViaW5uYWhpY2MuY2x1Yi9zZWMva29vbC50eHQ" ascii
$s1 = "wewqeuuiwe[XXXXXXX]" ascii
$s2 = "alt|aHR0cD" ascii
$s3 = "<rdf:Description about='uuid:fb761dc9-9daf-11d9-9a32-fcf1da45dca2'" ascii
$s4 = "<rdf:Description about='uuid:0ab54f47-96d6-11d9-a59c-cbc93330e07e'" ascii
condition: uint16(0) == 0x5a4d and ((1 of ($x*) and 1 of ($s*)) or (all of ($s*)))
}
rule MALWARE_Win_DLInjector06 {
meta:
author = "ditekSHen"
description = "Detects downloader / injector"
strings:
$s1 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" ascii wide
$s2 = "Content-Type: application/x-www-form-urlencoded" wide
$s3 = "https://ipinfo.io/" wide
$s4 = "https://db-ip.com/" wide
$s5 = "https://www.maxmind.com/en/locate-my-ip-address" wide
$s6 = "https://ipgeolocation.io/" wide
$s7 = "POST" fullword wide
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_Crown {
meta:
author = "ditekSHen"
description = "Detects Crown Tech Support Scam"
snort_sid = "920251-920261"
strings:
$d1 = "//prodownload.live" ascii
$c1 = "&uid=" ascii
$c2 = "&ver=" ascii
$c3 = "&mcid=" ascii
$c4 = ".php?uid=" ascii
$c5 = ".php?ip=" ascii
$s1 = "Operating System Support ID:" ascii
$s2 = "taskkill /IM explorer.exe -f" ascii nocase
$s3 = "/C taskkill /IM Taskmgr.exe -f" ascii nocase
$s4 = "FastSuport" fullword ascii
$s5 = "Support Override!" fullword wide
$s6 = "Support Assistance Override Activated!" fullword wide
condition: uint16(0) == 0x5a4d and (all of ($c*) or 4 of ($s*) or (1 of ($d*) and (3 of ($c*) or 2 of ($s*))))
}
rule MALWARE_Win_FloodFix {
meta:
author = "ditekSHen"
description = "Detects FloodFix"
condition: uint16(0) == 0x5a4d and pe.is_dll() and (pe.exports("FloodFix") or pe.exports("FloodFix2")) and pe.exports("crc32")
}
rule MALWARE_Win_UNK_InfoStealer {
meta:
author = "ditekSHen"
description = "Detects unknown information stealer"
snort_sid = "920263"
hash1 = "b7a2cb34d3bc42d6d4c9d9af7dd406e2a5caef8ea46e5d09773feeb9920a6b21"
hash2 = "dd95377842932d77e225b126749e1e6e8ecd6f5c6540d084a551a80a54d02d7d"
hash3 = "12f790d9a0775b5e62effc6ea9e55bbef345fffbfb2f671f85098c4f7661dd0f"
hash4 = "0a4cea763dffde451c75a434143fc5d014c32c6d1f8f34920ea5f2854e62118f"
strings:
$s1 = "%s\\%s\\%s-Qt" fullword wide
$s2 = "%s\\%s.json" fullword wide
$s3 = "*.mmd*" fullword wide
$s4 = "%s\\%s.vdf" fullword wide
$s5 = "%-50s %s" fullword wide
$s6 = "dISCORD|lOCAL" fullword ascii nocase
$s7 = "sTORAGE|LEVELDB" fullword ascii nocase
$s8 = ".coin" fullword ascii
$s9 = ".emc" fullword ascii
$s10 = ".lib" fullword ascii
$s11 = ".bazar" fullword ascii
$s12 = "id=%d" fullword ascii
$s13 = "2:?/v /v /v /^Y" fullword ascii
condition: uint16(0) == 0x5a4d and 8 of them
}
rule MALWARE_Win_DECAF {
meta:
author = "ditekSHen"
description = "Detects DECAF ransomware"
strings:
$s1 = "main.EncWorker" fullword ascii
$s2 = "Paths2Encrypt" fullword ascii
$s3 = "/cmd/encryptor/main.go" ascii
$s4 = "*win.FileUtils; .autotmp_41 *lib.Encryptor; .autotmp_" ascii
$s5 = "\"Microsoft Window" fullword wide
$s6 = "Legal_Policy_Statement" fullword wide
$s7 = ").Encrypt." ascii
$s8 = "*struct { F uintptr; pw *os.File; c *" ascii
$s9 = ".ListFilesToEnc." ascii
$m1 = "WINNER WINNER CHICKEN DINNER" ascii
$m2 = "All your servers and computers are encrypted" ascii
$m3 = "We guarantee to decrypt one image file for free." ascii
$m4 = "We WILL NOT be able to RESTORE them." ascii
condition: uint16(0) == 0x5a4d and (4 of ($s*) or 3 of ($m*) or (1 of ($m*) and 2 of ($s*)))
}
rule MALWARE_Win_WinDealer {
meta:
author = "ditekSHen"
description = "Detects WinDealer"
snort_sid = "920264"
strings:
$d1 = "downfile" fullword ascii
$d2 = "getmypath" fullword ascii
$d3 = "content-type: monitor" fullword ascii
$d4 = "content-type: UsedType" fullword ascii
$d5 = "write command error" fullword ascii
$d6 = "C:\\WINDOWS\\system32\\kernel32.dll" fullword ascii
$l1 = "currentconfig" fullword ascii
$l2 = "remotedomain" fullword ascii
$l3 = "reserveip" fullword ascii
$l4 = "otherinfo" fullword ascii
$l5 = "filelen" fullword ascii
$l6 = "%s%s.bak" fullword wide
$l7 = "localmachine" fullword ascii
$l8 = "remoteip" fullword ascii
$l9 = "datastate" fullword ascii
$l10 = "SYSTEM\\CurrentControlSet\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\%s\\Connection" fullword ascii
$s1 = "%s\\%s\\V5_History.dat" fullword wide
$s2 = "%s\\%s\\history2.dat" fullword wide
$s3 = "%s\\%s\\history.imw" fullword wide
$s4 = "%s\\%s\\main.imw" fullword wide
$s5 = "%s%d.%d.%d.%dWindows/%u" fullword ascii
$s6 = "%s\\%c_%s_tmp" fullword wide
$s7 = "%s\\%s\\main.db" fullword wide
condition: uint16(0) == 0x5a4d and ((4 of ($d*) and 1 of ($s*)) or (5 of ($s*) and 1 of ($d*)) or 6 of ($l*) or (pe.exports("DealC") and pe.exports("DealR") and pe.exports("DealS") and 1 of them))
}
rule MALWARE_Win_ExMatter {
meta:
author = "ditekSHen"
description = "Detects BlackMatter data exfiltration tool"
hash1 = "4a0e10e1e9fea0906379f99fa350b91c2af37f0fd2cc55491643cc71a9887d30"
hash2 = "a5e050f1278473d41c3a3d6f98f3fd82932f51a937bc57d8f5605815f0efb0f8"
strings:
$s1 = "Renci.SshNet." ascii
$s2 = "DirNotEmpty" fullword ascii
$s3 = "MkDir" fullword ascii
$s4 = "RmDir" fullword ascii
$s5 = "get_MainWindowHandle" fullword ascii
$s6 = "GetCurrentProcess" fullword ascii
$s7 = "]]>]]>" fullword wide
$s8 = "1.3.132.0.35" fullword wide
$s9 = "1.3.132.0.34" fullword wide
$s10 = "1.2.840.10045.3.1.7" fullword wide
$x1 = "sender2.pdb" fullword ascii
$x2 = { 64 00 61 00 74 00 61 00 ?? 72 00 6f 00 6f 00 74 }
$x3 = "157.230.28.192" fullword wide
condition: uint16(0) == 0x5a4d and (all of ($s*) or (1 of ($x*) and 7 of ($s*)))
}
rule MALWARE_Win_BrbBot {
meta:
author = "ditekSHen"
description = "Detects BrbBot"
snort_sid = "920265"
strings:
$x1 = "brbconfig.tmp" fullword ascii
$x2 = "brbbot" fullword ascii
$s1 = "%s?i=%s&c=%s&p=%s" fullword ascii
$s2 = "exec" fullword ascii
$s3 = "CONFIG" fullword ascii wide
$s4 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" fullword ascii
$s5 = { 43 4f 4e 46 49 47 00 00 65 6e 63 6f 64 65 00 00
73 6c 65 65 70 00 00 00 65 78 69 74 00 00 00 00
63 6f 6e 66 00 00 00 00 66 69 6c 65 00 00 00 00
65 78 65 63 }
condition: uint16(0) == 0x5a4d and ((all of ($x*) and 1 of ($s*)) or (1 of ($x*) and 4 of ($s*)) or all of ($s*))
}
rule MALWARE_Win_BabylonRAT {
meta:
author = "ditekSHen"
description = "Detects BabylonRAT / CollectorStealer / ParadoxRAT"
strings:
$x1 = "Babylon RAT Client" wide nocase
$x2 = "ParadoxRAT_Client" fullword ascii
$s1 = "@ConfigsEx" fullword wide
$s2 = "ClipBoard.txt" fullword wide
$s3 = "[%02d/%02d/%d %02d:%02d:%02d] [%s] (%s):" fullword wide
$s4 = "\\%Y %m %d - %I %M %p" fullword wide
$s5 = "[%02d/%02d/%d %02d:%02d:%02d] (%s)" fullword wide
$s6 = " c:\\Windows\\system32\\cmd.exe" fullword wide
$s7 = "Update Failed [OpenProcess]" wide
$s8 = "DoS Already Active..." fullword wide
$s9 = "File Downloaded and Execut" wide
$s10 = "LgDError33x98dGetProcAddress" fullword wide
$s11 = "@SPYNET" fullword wide
$s12 = "Recovery.Recovery" fullword wide
$s13 = "GetChrome" fullword wide
$s14 = "\\drivers\\etc\\HOSTS" fullword ascii
$s15 = "plugin-container.exe" fullword ascii
$s16 = "bss_server.usrRelay" fullword ascii
$s17 = "sckRelay" fullword ascii
condition: uint16(0) == 0x5a4d and (all of ($x*) or (1 of ($x*) and 3 of ($s*)) or 8 of ($s*))
}
rule MALWARE_Win_NetSupport {
meta:
author = "ditekSHen"
description = "Detects NetSupport client"
snort_sid = "920266-920267"
strings:
$s1 = ":\\nsmsrc\\nsm\\" fullword ascii
$s2 = "name=\"NetSupport Client Configurator\"" fullword ascii
$s3 = "<description>NetSupport Manager Remote Control.</description>" fullword ascii
condition: uint16(0) == 0x5a4d and 2 of them
}
rule MALWARE_Win_GoBrutLoader {
meta:
author = "ditekSHen"
description = "Detects GoBrut StealthWorker laoder"
condition: uint16(0) == 0x5a4d and pe.exports("@SetFirstEverVice@8")
}
rule MALWARE_Win_Milan {
meta:
author = "ditekSHen"
description = "Detects Milan Lyceum backdoor"
hash1 = "21ab4357262993a042c28c1cdb52b2dab7195a6c30fa8be723631604dd330b29"
hash2 = "a2754d7995426b58317e437f8ed6770cd7bb7b18d971e23b2b300b75e34fa086"
hash3 = "b46949feeda8726c0fb86d3cd32d3f3f53f6d2e6e3fcd6f893a76b8b2632b249"
hash4 = "b54a67062bdcd32dfa9f3d7b69780d2e6e4925777290bc34e8f979a1b4b72ea2"
hash5 = "b766522dd4189fef7775d663e5649ba9d8be8e03022039d20848fcbc3643e5f2"
hash6 = "d3606e2e36db0a0cb1b8168423188ee66332cae24fe59d63f93f5f53ab7c3029"
hash7 = "857e2f63a1078d49adc59a03482f7b362563f16fb251f174bdaa7759ed47922a"
hash8 = "4f1b8c9209fa2684aa3777353222ad1c7716910dbb615d96ffc7882eb81dd248"
strings:
$ua1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)" fullword wide
$ua2 = "Mozilla/5.0 (Android; Mobile; rv:28.0) Gecko/28.0 Firefox/28.0" fullword wide
$ua3 = "Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 520)" fullword wide
$ua4 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; XBLWP7; ZuneWP7)" fullword wide
$ua5 = "Mozilla/5.0 (IE 11.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C; rv:11.0) like Gecko" fullword wide
$ua6 = "Mozilla/5.0 (iPad; U; CPU OS 5_1_1 like Mac OS X; en-us) AppleWebKit/534.46.0 (KHTML, like Gecko) CriOS/19.0.1084.60 Mobile/9B206 Safari/7534.48.3" fullword wide
$ua7 = "Mozilla/5.0 (Linux; Android 4.1; Galaxy Nexus Build/JRN84D) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Mobile Safari/535.19" fullword wide
$ua8 = "Mozilla/5.0 (Linux; Android 7.1.1; ASUS_X017DA Build/NGI77B; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/1.5.1(11790) Chrome/74.0.3729.157 Mobile Safari/537.36" fullword wide
$ua9 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0" fullword wide
$ua10 = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36" fullword wide
$ua11 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36" fullword wide
$ua12 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0" fullword wide
$n1 = "charset={[A-Za-z0-9\\-_]+}" fullword wide
$n2 = "Content-Length: {[0-9]+}" fullword wide
$n3 = "Location: {[0-9]+}" fullword wide
$n4 = "Set-Cookie:\\b*{.+?}\\n" fullword wide
$n5 = "{<html>}" fullword wide
$n6 = "&formid=" fullword ascii
$n7 = "/?id=" fullword ascii
$p1 = "\\milan\\Debug\\Milan.pdb" ascii
$p2 = "\\milan\\Release\\Milan.pdb" ascii
$p3 = "\\BackDor Last\\" ascii
$p4 = "\\BackDorLast\\" ascii
$s1 = "/q \"%s\" & waitfor" wide
$s2 = "/q \"%s\" & schtasks /delete" wide
$s3 = "*BOT@;" fullword ascii
$s4 = "mofcomp \"" fullword ascii
$s5 = "\"WQL\";};instance of " ascii
$s6 = "</svalue>" fullword wide
$s7 = "cmd.exe /C " wide nocase
$d1 = "akastatus.com" ascii
$d2 = "centosupdatecdn.com" ascii
$d3 = "checkinternet.org" ascii
$d4 = "cybersecnet.co.za" ascii
$d5 = "cybersecnet.org" ascii
$d6 = "defenderlive.com" ascii
$d7 = "defenderstatus.com" ascii
$d8 = "digitalmarketingagency.net" ascii
$d9 = "dnsanalizer.com" ascii
$d10 = "dnscatalog.net" ascii
$d11 = "dnscdn.org" ascii
$d12 = "dnsstatus.org" ascii
$d13 = "excsrvcdn.com" ascii
$d14 = "hpesystem.com" ascii
$d15 = "livednscdn.com" ascii
$d16 = "micrsoftonline.net" ascii
$d17 = "ndianmombais.com" ascii
$d18 = "online-analytic.com" ascii
$d19 = "securednsservice.net" ascii
$d20 = "sysadminnews.info" ascii
$d21 = "uctpostgraduate.com" ascii
$d22 = "updatecdn.net" ascii
$d23 = "web-traffic.info" ascii
$d24 = "windowsupdatecdn.com" ascii
$d25 = "wsuslink.com" ascii
$d26 = "zonestatistic.com" ascii
condition: uint16(0) == 0x5a4d and ((1 of ($p*) and (2 of ($s*) or 2 of ($ua*))) or (5 of ($n*) and (2 of ($ua*) or 1 of ($p*) or 1 of ($s*))) or (3 of ($s*) and (2 of ($ua*) or 5 of ($n*))) or (2 of ($d*) and 6 of them))
}
rule MALWARE_Win_UNK05 {
meta:
author = "ditekSHen"
description = "Detects potential BazarLoader"
strings:
$s1 = "/api/get" ascii wide
$s2 = "PARENTCMDLINE" fullword ascii
$s3 = "https://microsoft.com/telemetry/update.exe" ascii wide
$s4 = "api.opennicproject.org" fullword ascii wide
$s5 = "https://%hu.%hu.%hu.%hu:%u" fullword ascii wide
$s6 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31" ascii wide
$s7 = "PARENTJOBID" fullword ascii wide
$s8 = "\\System32\\rundll32.exe" fullword ascii wide
$s9 = "{ccc38b40-5b04-4fb1-a684-07c7e448d4df}" fullword ascii wide // mutex
$s10 = "{065f6686-990b-46fc-829c-a53ec188a723}" fullword ascii wide // mutex
condition: uint16(0) == 0x5a4d and 6 of them
}
rule MALWARE_Win_ClipBanker01 {
meta:
author = "ditekSHen"
description = "Detects ClipBanker infostealer"
strings:
$s1 = "Clipper" fullword wide
$s2 = "Ushell" fullword wide
$s3 = "Banker" fullword wide
$s4 = "ClipPurse" fullword wide nocase
$s5 = "SelfClip" fullword wide
$s6 = "Cliper" fullword wide
$s7 = "FHQD4313-33DE-489D-9721-6AFF69841DEA" fullword wide
$s8 = "Remove.bat" fullword wide
$s9 = "\\w{1}\\d{12}" fullword wide
$s10 = "SELECT * FROM Win32_ComputerSystem" fullword wide
$s11 = "red hat" fullword wide
$s12 = { 73 00 63 00 68 00 74 00 61 00 73 00 6b 00 73 00
2e 00 65 00 78 00 65 00 00 ?? 2f 00 63 00 72 00
65 00 61 00 74 00 65 00 20 00 2f 00 73 00 63 00
20 00 00 ?? 20 00 2f 00 6d 00 6f 00 20 00 00 ??
20 00 2f 00 72 00 6c 00 20 00 00 ?? 20 00 2f 00
74 00 6e 00 20 00 00 ?? 20 00 2f 00 74 00 72 00
20 00 00 ?? 20 00 ?? 00 ?? 00 00 ?? 2f 00 64 00
65 00 6c 00 65 00 74 00 65 00 20 00 2f 00 74 00
6e }
$s13 = "ClipChanger" fullword ascii
$s14 = "CheckVirtual" fullword ascii
$s15 = "InjReg" fullword ascii
$s16 = "SuicideFile" fullword ascii
$s17 = "HideFile" fullword ascii
$s18 = "AntiVm" fullword ascii
condition: uint16(0) == 0x5a4d and 7 of them
}
rule MALWARE_Win_ZombieBoy {
meta:
author = "ditekSHen"
description = "Detects ZombieBoy Downloader"
strings:
$s1 = ":\\Users\\ZombieBoy\\" ascii wide
$s2 = "RookIE/1.0" fullword ascii wide
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_PCRat {
meta:
author = "ditekSHen"
description = "Detects PCRat / Gh0st"
strings:
$s1 = "ClearEventLogA" fullword ascii
$s2 = "NetUserAdd" fullword ascii
$s3 = "<H1>403 Forbidden</H1>" fullword ascii
$s4 = ":]%d-%d-%d %d:%d:%d" fullword ascii
$s5 = "Mozilla/4.0 (compatible)" fullword ascii
$s6 = "<Enter>" fullword ascii
$s7 = "\\cmd.exe" fullword ascii
$s8 = "Program Files\\Internet Explorer\\IEXPLORE.EXE" fullword ascii
$s9 = "Collegesoft ScenicPlayer" fullword wide
$a1 = "360tray.exe" fullword ascii
$a2 = "avp.exe" fullword ascii
$a3 = "RavMonD.exe" fullword ascii
$a4 = "360sd.exe" fullword ascii
$a5 = "Mcshield.exe" fullword ascii
$a6 = "egui.exe" fullword ascii
$a7 = "kxetray.exe" fullword ascii
$a8 = "knsdtray.exe" fullword ascii
$a9 = "TMBMSRV.exe" fullword ascii
$a10 = "avcenter.exe" fullword ascii
$a11 = "ashDisp.exe" fullword ascii
condition: uint16(0) == 0x5a4d and 5 of ($s*) and 6 of ($a*)
}
rule MALWARE_Win_Rapid {
meta:
author = "ditekSHen"
description = "Detects Rapid ransomware"
strings:
$s1 = "encblklen" fullword ascii
$s2 = ".rapid" fullword ascii
$s3 = "BgIAAACkAABSU0E" ascii
$s4 = "IFdlIHNlbmQ" ascii
$s5 = "Software\\EncryptKeys" fullword ascii
$s6 = "local_enc_private_key" fullword ascii
$s7 = "local_public_key" fullword ascii
$s8 = "How Recovery Files.txt" ascii
$s9 = "recovery.txt" ascii
$s10 = "thr %i run %s" fullword ascii
$s11 = " /TN Encrypter" ascii
$s12 = /Encrypter_\d+/ fullword ascii
$s13 = "BleepingComputer_rapid" ascii wide
$m1 = "tell us your unique ID - ID-" ascii
$m2 = "really want to restore your files?" ascii
condition: uint16(0) == 0x5a4d and (6 of ($s*) or (1 of ($m*) and 4 of ($s*)))
}
rule MALWARE_Win_Satana {
meta:
author = "ditekSHen"
description = "Detects Satana ransomware"
snort_sid = "920269-920270"
strings:
$bf1 = "Try Decrypt: uc_size = %d, c_size = %d" ascii
$bf2 = "dwMailSelector = %d dwBtcSelector = %d" ascii
$bf3 = "%s: Error DecB: 0x%X" ascii
$bf4 = "MBR written to Disk# %d" ascii
$bf5 = "!SATANA!" ascii wide nocase
$bf6 = "1 -th start" fullword ascii
$bf7 = "id=%d&code=%d&sdata=%d.%d.%d %d %d %s %s %d&name=%s&md5=%s&dlen=%s" ascii
$bf8 = "threadAdminFlood: %s %s %s" wide
$bf9 = "%s: NET RES FOUND: %s" wide
condition: (uint16(0) == 0x5a4d and 4 of ($bf*)) or (5 of ($bf*))
}
rule MALWARE_Win_VirLock {
meta:
author = "ditekSHen"
description = "Detects VirLock ransomware"
strings:
$x1 = "BThere are two ways to pay a fine:" fullword wide
$x2 = "^Es gibt zwei M" fullword wide
$x3 = "glichkeiten, eine Strafe zahlen." fullword wide
$x4 = /usertile\d+\.bmp/ fullword wide
$s1 = "WinSock 2.0" fullword ascii
$s2 = "Running" fullword ascii
$s3 = "echo WScript.Sleep(50)>%TEMP%/file.vbs" fullword ascii
$s4 = "cscript %TEMP%/file.vbs" fullword ascii
$s5 = "del /F /Q file.js" fullword ascii
$s6 = "del /F /Q %1" fullword ascii
$s7 = "del /F /Q %0" fullword ascii
condition: (uint16(0) == 0x5a4d and ((2 of ($x*) and 2 of ($s*)) or (5 of ($s*) and 1 of ($x*)))) or (8 of them)
}
rule MALWARE_Win_PirateStealer {
meta:
author = "ditekSHen"
description = "Detects PirateStealer"
strings:
$s1 = "PirateStealerBTW" wide
$s2 = "/PirateStealer/main/src/" wide
$s3 = "%WEBHOOK_LINK%" fullword wide
$s4 = "your_webhook_here" fullword wide
$s5 = "PirateMonsterInjector" ascii wide
$s6 = "DiscordProcesses" fullword ascii
$s7 = "GetDiscords" fullword ascii
$s8 = { 44 6f 77 6e 6c 6f 61 64 53 74 72 69 6e 67 00 47
65 74 46 6f 6c 64 65 72 50 61 74 68 00 57 65 62
68 6f 6f 6b 00 4b 69 6c 6c 00 50 72 6f 67 72 61
6d 00 53 79 73 74 65 6d 00 4d 61 69 6e 00 }
condition: uint16(0) == 0x5a4d and 3 of them
}
rule MALWARE_Win_NGLite {
meta:
author = "ditekSHen"
description = "Detects NGLite"
strings:
$x1 = "/lprey/main.go" ascii
$x2 = "/NGLiteV1.01/lprey/" ascii
$x3 = "/ng.com/lprey/" ascii
$x4 = "/mnt/hgfs/CrossC2-2.2/src/" ascii
$x5 = "WHATswrongwithUu" ascii
$s1 = "main.Preylistener" fullword ascii
$s2 = "main.Runcommand" fullword ascii
$s3 = "main.RandomPass" fullword ascii
$s4 = "main.AesEncode" fullword ascii
$s5 = "main.RsaEncode" fullword ascii
$s6 = "main.AesDecode" fullword ascii
$s7 = "main.initonce" fullword ascii
$s8 = "main.SendOnce" fullword ascii
$s9 = "main.clientConf" fullword ascii
$s10 = "main.Sender" fullword ascii
condition: (uint16(0) == 0x5a4d or uint16(0) == 0x457f or uint16(0) == 0xfacf) and ((1 of ($x*) and 2 of ($s*)) or (6 of ($s*)))
}
rule MALWARE_Win_KdcSponge {
meta:
author = "ditekSHen"
description = "Detects KdcSponge"
hash1 = "e391c2d3e8e4860e061f69b894cf2b1ba578a3e91de610410e7e9fa87c07304c"
strings:
$x1 = "\\share\\kdcdll\\user641.pdb" ascii
$x2 = "5ADSelf@tech*7890" fullword wide
$kdc1 = "KdcVerifyEncryptedTimeStamp" ascii wide nocase
$kdc2 = "KerbHashPasswordEx3" ascii wide nocase
$kdc3 = "KerbFreeKey" ascii wide nocase
$r1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii
$r2 = "KDC Service" fullword ascii
$s1 = "download//symbols//%S//%S//%S" fullword wide
$s2 = "c:\\windows\\system32\\kdcsvc.dll" fullword wide nocase
$s3 = /WinHttp(Send|Receive)(Request|Response) failed (0x%.8X)/ fullword wide
condition: uint16(0) == 0x5a4d and (
(1 of ($x*) and 2 of them) or (all of ($kdc*) and (1 of ($x*) or all of ($r*) or 2 of ($s*))) or (8 of them) or
(
pe.exports("MainFun") and
pe.exports("NetApiBufferFree") and
pe.exports("BeaEngineRevision") and
pe.exports("BeaEngineVersion") and
pe.exports("Disasm") and
pe.exports("DllRegisterServer") and
pe.exports("DsGetDcName") and
2 of them
)
)
}
rule MALWARE_Win_Chinotto {
meta:
author = "ditekSHen"
description = "Detects Chinotto"
strings:
$x1 = "xxxchinotto" ascii wide
$x2 = "\\Chinotto.pdb" ascii wide
$x3 = { 50 4f 53 54 20 25 73 20 48 54 54 50 2f 31 2e 31
0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e
67 3a 20 67 7a 69 70 2c 20 64 65 66 6c 61 74 65
0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f
7a 69 6c 6c 61 2f 34 2e 30 28 63 6f 6d 70 61 74
69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20
57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20
53 56 31 29 0d 0a 41 63 63 65 70 74 3a 20 69 6d
61 67 65 2f 67 69 66 2c 20 69 6d 61 67 65 2f 78
2d 78 62 69 74 6d 61 70 2c 20 69 6d 61 67 65 2f
6a 70 65 67 2c 20 69 6d 61 67 65 2f 70 6a 70 65
67 2c 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78
2d 73 68 6f 63 6b 77 61 76 65 2d 66 6c 61 73 68
2c 20 2a 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67
75 61 67 65 3a 20 65 6e 2d 75 73 0d 0a 43 6f 6e
74 65 6e 74 2d 54 79 70 65 3a 20 6d 75 6c 74 69
70 61 72 74 2f 66 6f 72 6d 2d 64 61 74 61 3b 62
6f 75 6e 64 61 72 79 3d 25 73 0d 0a 48 6f 73 74
3a 20 25 73 3a 25 64 0d 0a 43 6f 6e 74 65 6e 74
2d 4c 65 6e 67 74 68 3a 20 25 64 0d 0a 43 6f 6e
6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c
69 76 65 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72
6f 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a
00 00 00 00 48 54 54 50 2f 31 2e 31 20 32 30 30
20 4f 4b 00 0d 0a 0d 0a 00 00 00 00 65 72 72 6f
72 3c 2f 62 3e }
$s1 = "Run /v xxxzexs /t REG_SZ /d %s /f" ascii wide
$s2 = "ShellExecute Error, ret" ascii wide
$s3 = "Run app succeed" ascii
$s4 = "cleartemp:" fullword ascii
$s5 = "wakeup:" fullword ascii
$s6 = "updir:" fullword ascii
$s7 = "regstart:" fullword ascii
$s8 = "chdec:" fullword ascii
$s9 = "cmd:" fullword ascii
$s10 = "error</b>" fullword ascii
$c1 = "Host: %s:%d" ascii wide
$c2 = "Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1; SV1)" ascii wide
$c3 = "Mozilla/5.0(Windows NT 10.0; Win64; x64)AppleWebKit/537.36(KHTML, like Gecko)Chrome/78.0.3904.108 Safari/537.36" ascii wide
$c4 = "id=%s&type=hello&direction=send" ascii wide
$c5 = "id=%s&type=command&direction=receive" ascii wide
$c6 = "id=%s&type=file&direction=" ascii wide
$c7 = "id=%s&type=result&direction=" ascii wide
condition: uint16(0) == 0x5a4d and (2 of ($x*) or (1 of ($x*) and (2 of ($s*) or 2 of ($c*))) or 4 of ($c*) or 5 of ($s*))
}
rule MALWARE_Win_Tardigrade {
meta:
author = "ditekSHen"
description = "Detects Tardigrade"
hash1 = "c0976a1fbc3dd938f1d2996a888d0b3a516b432a2c38d788831553d81e2f5858"
hash2 = "966b2c7c72a28310acd58bb23af4d3c893b2afca264b2d9c0ec42db815c77487"
hash3 = "88be5da274df704dc7fd9882c661a0afdd35f1ce0a7145e30f51c292abd2a86b"
hash4 = "cf88926b7d5a5ebbd563d0241aaf83718b77cec56da66bdf234295cc5a91c5fe"
hash5 = "4afd9f0dde092daeac3f3e6ffb0aee06682b3dba6005d2bd1a914eefd5cc6a30"
strings:
$x1 = "cmd.exe /c echo kOJAdtQoDcMuogIZIl>\"%s\"&exit" fullword ascii
$x2 = "cmd.exe /c echo HBnBcZPeUevCDQmKGzXxYJHqpzRAbRCQCihOxiLi>\"%s\"&exit" fullword ascii
$x3 = "cmd.exe /c set kpUUCjoLWLZvJFc=3167 & reg add HKCU\\SOFTWARE\\EQwIobTRgsJ /v PDMXPmqSYnUx /t REG_DWORD /d 10080 & exit" fullword ascii
//$x4 = "DEMOBLABLA" fullword ascii
$s1 = "ReplaceFileA" ascii
$s2 = "FlushFileBuffers" ascii
$s3 = "WaitNamedPipeA" ascii
$s4 = "ImpersonateNamedPipeClient" ascii
$s5 = "RegFlushKey" ascii
$s6 = /cmd\.exe \/c (echo|set)/ ascii
$s7 = ">\"%s\"&exit" ascii
condition: uint16(0) == 0x5a4d and pe.is_dll() and (1 of ($x*) or 6 of ($s*)) and
(
pe.exports("DllGetClassObject") and
pe.exports("DllMain") and
pe.exports("DllRegisterServer") and
pe.exports("DllUnregisterServer") and
pe.exports("InitHelperDll") and
pe.exports("StartW")
)
}
rule MALWARE_Win_ClipBanker02 {
meta:
author = "ditekSHen"
description = "Detects ClipBanker infostealer"
strings:
$x1 = "\\Allcome\\Source code\\Clipper\\" ascii nocase
$x2 = "\\cleaper\\Release\\cleaper.pdb" ascii nocase
$v1_1 = "&username=" fullword ascii
$v1_2 = "/card.php?data=" fullword ascii
$v1_3 = "/Create /tn MicrosoftDriver /sc MINUTE /tr" fullword ascii
$v1_4 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0" fullword ascii
$v1_5 = "/API/Clipper/ykesqk0o.php?cf6zrlhn=" fullword ascii
$v1_6 = "&di7ztth6=" fullword ascii
$v1_7 = "/API/Clipper/hr627gzk.php?v6etwxo5=" fullword ascii
$v2_1 = "bitcoincash:" fullword ascii
$v2_2 = "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" ascii
$re1 = "^[0-9]{16}$" fullword ascii
$re2 = "^[0-9]{4}\\s[0-9]{4}\\s[0-9]{4}\\s[0-9]{4}" fullword ascii
$re3 = "^\\d{2}\\D\\d{2}" fullword ascii
$re4 = "^[0-9]{3}" fullword ascii
$re5 = "([\\W]?[0-9]{4}[\\W]?[0-9]{4}[\\W]?[0-9]{4}[\\W]?[0-9]{4}[\\W]?)" fullword ascii
$re6 = "(\\d{2}\\D\\d{2})" fullword ascii
$re7 = "(\\d{3})" fullword ascii
condition: uint16(0) == 0x5a4d and ((1 of ($x*) and (5 of ($v1*) or all of ($v2*))) or (3 of ($re*) and (2 of ($v1*) or 2 of ($v2*))))
}
rule MALWARE_Win_BadJoke {
meta:
author = "ditekSHen"
description = "Detects BadJoke / Witch"
strings:
$s1 = "msdownld.tmp" fullword ascii
$s2 = "UPDFILE%lu" fullword ascii
$s3 = "Command.com /c %s" fullword ascii
$s4 = "launch.cmd" fullword ascii
$s5 = "virus.vbs" fullword ascii
$s6 = "virus.py" fullword ascii
$m1 = "Message from Google Virus" ascii
$m2 = "you cannot get rid of this virus" ascii
condition: uint16(0) == 0x5a4d and (all of ($m*) or all of ($s*) or (1 of ($m*) and 2 of ($s*)))
}
rule MALWARE_Win_Heracles {
meta:
author = "ditekSHen"
description = "Detects Heracles infostealer"
strings:
$x1 = "aHR0cHM6Ly9uYWNrZXIudG9hbnNlY3UuY29tL3VwbG9hZHM/a2V5PX" wide
$b1 = "XEdvb2dsZVxDaHJvbWVc" wide
$b2 = "XEJyYXZlU29mdHdhcmVcQnJhdmUtQnJvd3Nlcl" wide
$b3 = "XENvY0NvY1xCcm93c2VyX" wide
$b4 = "VXNlciBEYXRh" wide
$b5 = "RGVmYXVsdA" wide
$b6 = "UHJvZmlsZQ" wide
$b7 = "Q29va2llcw" wide
$b8 = "TG9naW4gRGF0YQ" wide
$b9 = "TG9jYWwgU3RhdGU" wide
$b10 = "bG9jYWxzdGF0ZQ" wide
$b11 = "bG9naW5kYXRh" wide
$s1 = "encrypted_key" fullword wide
$s2 = "<GetIpInfoAsync>d__" ascii
$s3 = "<reqHTML>5__" ascii
$s4 = "<idHardware>5__" ascii
$s5 = "<profilePaths>5__" ascii
$s6 = "<cookieFile>5__" ascii
$s7 = "<loginDataFile>5__" ascii
$s8 = "<localStateFile>5__" ascii
$s9 = "<postData>5__" ascii
condition: uint16(0) == 0x5a4d and (1 of ($x*) or 8 of ($s*) or (4 of ($b*) and 4 of ($s*)))
}
rule MALWARE_Win_OnlyLogger {
meta:
author = "ditekSHen"
description = "Detects OnlyLogger loader variants"
strings:
$s1 = { 45 6c 65 76 61 74 65 64 00 00 00 00 4e 4f 54 20 65 6c 65 76 61 74 65 64 }
$s2 = "\" /f & erase \"" ascii
$s3 = "/c taskkill /im \"" ascii
$s4 = "KILLME" fullword ascii
$s5 = "C:\\Windows\\System32\\cmd.exe" fullword ascii
$gn = ".php?pub=" ascii
$ip = /\/1[a-z0-9A-Z]{4,5}/ fullword ascii
$h1 = "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1" fullword ascii
$h2 = "Accept-Language: ru-RU,ru;q=0.9,en;q=0.8" fullword ascii
$h3 = "Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1" fullword ascii
$h4 = "Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0" fullword ascii
$h5 = "Content-Type: application/x-www-form-urlencoded" fullword wide
condition: uint16(0) == 0x5a4d and (all of ($s*) or (#ip > 5 and ($gn or 3 of ($s*) or all of ($h*))) or (all of ($h*) and 3 of ($s*)))
}
rule MALWARE_Win_BlackByteGo {
meta:
author = "ditekSHen"
description = "Detects BlackByte ransomware Go variants"
strings:
$x1 = "BlackByteGO/_cgo_gotypes.go" fullword ascii
//$x2 = "_cgo_dummy_export" fullword ascii
$x3 = "BlackByteGO/" ascii nocase
$s1 = ".Disconnect" ascii
$s2 = ".OpenService" ascii
$s3 = ".ListServices" ascii
$s4 = ".Start" ascii
$s5 = ".Encrypt" ascii
$s6 = ".Decrypt" ascii
$s7 = ".MustFindProc" ascii
$s8 = ".QuoRem" ascii
$s9 = "C:\\Windows\\regedit.exe" fullword wide
condition: uint16(0) == 0x5a4d and (1 of ($x*) or all of ($s*))
//uint16(0) == 0x5a4d and (1 of ($x*) or all of ($s*) or (1 of ($x*) and 5 of ($s*)))
}
rule MALWARE_Win_Vulturi {
meta:
author = "ditekSHen"
description = "Detects Vulturi infostealer"
strings:
$x1 = "Vulturi_" ascii wide
$x2 = "VulturiProject" fullword ascii
$s1 = { 5b 00 2d 00 5d 00 20 00 53 00 65 00 72 00 76 00
65 00 72 00 20 00 ?? ?? 20 00 69 00 73 00 20 00
6f 00 66 00 66 00 6c 00 69 00 6e 00 65 00 2e 00
2e 00 2e 00 00 ?? 5b 00 2b 00 5d 00 20 00 53 00
65 00 72 00 76 00 65 00 72 00 20 00 00 ?? ?? 00
69 00 73 00 20 00 6f 00 6e 00 6c 00 69 00 6e 00
65 00 }
$s2 = "Writing is not alowed" wide
$s3 = "System\\ProcessList.txt" fullword wide
$s4 = "[X] GetSSL ::" fullword wide
$s5 = "Failed to steal " wide
$s6 = "StealerStub" fullword ascii
$s7 = "/C chcp 65001 && netsh" wide
$n1 = "fetch_options" fullword wide
$n2 = "send_report" fullword wide
$n3 = "?username=" fullword wide
condition: uint16(0) == 0x5a4d and ((1 of ($x*) and any of them) or all of ($n*) or 5 of ($s*) or (1 of ($n*) and 3 of ($s*)))
}
rule MALWARE_Win_Tofsee {
meta:
author = "ditekSHen"
description = "Detects Tofsee"
strings:
$s1 = "n%systemroot%\\system32\\cmd.exe" fullword wide
$s2 = "loader_id" fullword ascii
$s3 = "start_srv" fullword ascii
$s4 = "lid_file_upd" fullword ascii
$s5 = "localcfg" fullword ascii
$s6 = "Incorrect respons" fullword ascii
$s7 = "mx connect error" fullword ascii
$s8 = "Error sending command (sent = %d/%d)" fullword ascii
$s9 = "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u" fullword ascii
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_Khonsari {
meta:
author = "ditekSHen"
description = "Detects Khonsari ransomware"
strings:
$x1 = ".khonsari" fullword wide nocase
$s1 = "Encrypt" fullword ascii
$s2 = "CreateEncryptor" fullword ascii
$s3 = "GenerateKey" fullword ascii
$s4 = "277e5e6a-4da6-4138-97fa-3fecbdad0176" ascii
condition: uint16(0) == 0x5a4d and ((1 of ($x*) and 2 of ($s*)) or (all of ($s*)))
}
rule MALWARE_Win_Quantum {
meta:
author = "ditekSHen"
description = "Detects Quantum locker / ransomware"
strings:
$x1 = "\\t<title>Quantum</title>" ascii wide
$x2 = "Quantum Locker.<br><br>" ascii wide
$s1 = "ERROR" fullword wide
$s2 = ".log" fullword wide
$s3 = "SLOW" fullword wide
$s4 = "Create" fullword wide
$s5 = "Integrity" fullword wide
$s6 = "Disabled" fullword wide
$s7 = "Deny" fullword wide
$s8 = "FAST" fullword wide
$s9 = "Mandatory" fullword wide
$s10 = "plugin.dll" fullword ascii
$s11 = "NetGetDCName" fullword ascii
$s12 = "NetShareEnum" fullword ascii
$s13 = "NetGetJoinInformation" fullword ascii
condition: (uint16(0) == 0x5a4d and (all of ($x*) or 9 of ($s*) or (pe.number_of_exports == 2 and pe.exports("RunW") and pe.exports("runW") and 5 of ($s*)))) or all of ($x*)
}
rule MALWARE_Win_Owowa {
meta:
author = "ditekSHen"
description = "Detects Owowa"
strings:
$u1 = "jFuLIXpzRdateYHoVwMlfc" fullword ascii wide
$u2 = "Fb8v91c6tHiKsWzrulCeqO" fullword ascii wide
$u3 = "dEUM3jZXaDiob8BrqSy2PQO1" fullword ascii wide
$s1 = "powershell.exe" fullword wide
$s2 = "<RSAKeyValue><Modulus>" wide
$s3 = "HealthMailbox" fullword wide
$s4 = "6801b573-4cdb-4307-8d4a-3d1e2842f09f" ascii
$s5 = "<PreSend_RequestContent>b__" ascii
$s6 = "ClearHeaders" fullword ascii
$s7 = "get_UserHostAddress" fullword ascii
$s8 = "ExtenderControlDesigner" fullword ascii
condition: uint16(0) == 0x5a4d and (all of ($u*) or (2 of ($u*) and 3 of ($s*)) or 6 of ($s*))
}
rule MALWARE_Win_Chebka {
meta:
author = "ditekSHen"
description = "Detects Chebka"
strings:
$s1 = "-k netsvcs" wide
$s2 = "%ssvchost.exe -k SystemNetworkService" wide
$s3 = "Mozilla/4.0 (compatible)" wide
$s4 = "_kasssperskdy" wide
$s5 = "winssyslog" wide
$s6 = "LoaderDll%d" wide
$s7 = "cmd.exe /c rundll32.exe shell32.dll," wide
$s8 = /cmd.exe \/c start (chrome|msedge|firefox|iexplorer)\.exe/ wide
$f1 = ".?AVCHVncManager@@" fullword ascii
$f2 = ".?AVCNetstatManager@@" fullword ascii
$f3 = ".?AVCTcpAgentListener@@" fullword ascii
$f4 = ".?AVIUdpClientListener@@" fullword ascii
$f5 = ".?AVCShellManager@@" fullword ascii
$f6 = ".?AVCScreenSpy@@" fullword ascii
condition: uint16(0) == 0x5a4d and (5 of ($s*) or all of ($f*) or (3 of ($f*) and 3 of ($s*)) or (#s8 > 2 and 5 of them))
}
rule MALWARE_Win_Flagpro {
meta:
author = "ditekSHen"
description = "Detects Flagpro"
strings:
$s1 = "download...." fullword ascii
$s2 = "~MYTEMP" fullword wide
$s3 = ".?AVCV20_LoaderApp@@" fullword ascii
$s4 = ".?AVCV20_LoaderDlg@@" fullword ascii
$s5 = "ExecYes" fullword ascii
$s6 = /<BODY ID=CV\d+_LoaderDlg BGCOLOR=/ ascii
$n1 = "://139.162.87.180" wide
$n2 = "://172.104.109.217" wide
$n3 = "://org.misecure.com/index.html" wide
$b1 = /(get all|click|close|maybe|get_outerHTML|download\d) (finished|pass|ok|windows|failed)!/ fullword ascii
condition: uint16(0) == 0x5a4d and 4 of ($s*) or (1 of ($n*) and (2 of ($s*) or 1 of ($b*))) or (2 of ($s*) and 1 of ($b*))
}
rule MALWARE_Win_NPlusMiner {
meta:
author = "ditekSHen"
description = "Detects PowerShell based NPlusMiner"
snort_sid = "920284"
strings:
$s1 = "$Core | Add-Member @{IsReadOnly = $((Get-ItemProperty -Path \".\\Includes\\Core.ps1\").IsReadOnly)} -Force" fullword ascii
$s2 = "$Core | Add-Member @{MinerCustomConfig = $((Get-Content \".\\Config\\MinerCustomConfig.json\" -Raw))} -Force" fullword ascii
$s3 = "If ($Variables.CheatGuy -and $Core.corehash -in $Hashes -and $Core.ScriptStartDate -le (Get-Date)" ascii
$s4 = "Try{(Get-ItemProperty -Path \".\\Includes\\Core.ps1\").IsReadOnly = $false} catch {}" fullword ascii
$s5 = " NPlusMiner/" ascii
condition: 3 of them
}
rule MALWARE_Win_PWSH_PoshCookieStealer {
meta:
author = "ditekSHen"
description = "Detects PowerShell PoshCookieStealer"
strings:
$s1 = "\\User Data\\default\\Network\\Cookies" ascii nocase
$s2 = "Send-ToEmail" ascii
$s3 = "[Security.Cryptography.ProtectedData]::Unprotect($" ascii
$s4 = "$($env:LOCALAPPDATA)\\" ascii
$s5 = "$($env:HOMEPATH)\\" ascii
$s6 = "|ForEach-Object ToString X2) -join ''" ascii
$s7 = ".Attachments.Add($" ascii
condition: 5 of them
}
rule MALWARE_Win_GarrantDecrypt {
meta:
author = "ditekSHen"
description = "Detects GarrantDecrypt ransomware"
strings:
$x1 = "%appdata%\\_uninstalling_.png" fullword wide
$x2 = "C:\\Windows\\sysnative\\vssadmin.exe" fullword wide
$x3 = /(ICQ|Skype) (@nuncatarde|@supersuso|@Whitehorsedecryption|@likeahorse|@Konwarszawski|@zipzipulya|Whitehorsedecryption|LIKEAHORSE DECRYPTION|Zip Zipulya)/ ascii
$s1 = "your unique ID" ascii
$s2 = "Google market ICQ" ascii
$s3 = "If you want to restore them, install ICQ" ascii
$s4 = "Write to our ICQ @" ascii
condition: uint16(0) == 0x5a4d and ((2 of ($x*) and 1 of ($s*)) or all of ($s*))
}
rule MALWARE_Win_Locked {
meta:
author = "ditekSHen"
description = "Detects Locked ransomware"
strings:
$x1 = "http://xxxx.onion/xxxx-xxxx-xxxx-xxxx" ascii
$x2 = "http://pigetrzlperjreyr3fbytm27bljaq4eungv3gdq2tohnoyfrqu4bx5qd.onion" ascii
$x3 = "dHA6Ly94eHh4Lm9uaW9uL3h4eHgteHh4eC14eHh4LXh4eHg" ascii
$s1 = "choice /t 1 /d y /n >nul" ascii
$s2 = ".locked" fullword ascii
$s3 = "c:\\system volume information" fullword ascii
$s4 = "__$$RECOVERY_README$$__.html" fullword ascii
$s5 = "Trunc..." fullword ascii
$s6 = /C:\\windows\\temp\\[a-z0-9A-Z]{6}\.tmp/ fullword ascii
condition: uint16(0) == 0x5a4d and (all of ($x*) or all of ($s*) or (1 of ($x*) and 4 of ($s*)) or (#s6 > 1 and 4 of them))
}
rule MALWARE_Win_Maze {
meta:
author = "ditekSHen"
description = "Detects Maze ransomware"
strings:
$x1 = "Uc32nbspacec97c98c99c100c101c102c103c104c105c106c107c108c109c110c" ascii
$s1 = "\"%s\" shadowcopy delete" wide
$s2 = "[%windir%\\system32\\wbem\\wmic" wide
$s3 = "process call create \"cmd /c start %s\"" wide
$s4 = "DECRYPT-FILES.html" fullword wide
$s5 = "Dear %s, your files" wide
$s6 = "%s! Alert! %s! Alert!" wide
$s7 = "%BASE64_PLACEHOLDER%" fullword ascii
$s8 = "-orDGorX0or" fullword ascii
$s9 = { 47 45 54 20 2f 25 73 20 48 54 54 50 2f 31 2e 31
0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 25 73
0d 0a 48 6f 73 74 3a 20 25 73 0d 0a 43 6f 6e 6e
65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69
76 65 0d 0a 0d 0a 00 50 4f 53 54 20 2f 25 73 20
48 54 54 50 2f 31 2e 31 0d 0a 55 73 65 72 2d 41
67 65 6e 74 3a 20 25 73 0d 0a 48 6f 73 74 3a 20
25 73 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65
3a 20 25 73 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65
6e 67 74 68 3a 20 25 64 0d 0a 43 6f 6e 6e 65 63
74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65
0d 0a 0d 0a 00 0d 0a 0d 0a 00 43 6f 6e 74 65 6e
74 2d 4c 65 6e 67 74 68 3a 20 00 }
condition: uint16(0) == 0x5a4d and ((1 of ($x*) and 3 of ($s*)) or 6 of ($s*))
}
rule MALWARE_Win_TeslaRevenge {
meta:
author = "ditekSHen"
description = "Detects TeslaRevenge ransomware"
strings:
$s1 = "autospreadifnoav=" ascii wide
$s2 = "autospread=" ascii wide
$s3 = "noencryptext=" ascii wide
$s4 = "teslarvng" wide
$s5 = "finished encrypting" wide nocase
$s6 = "net scan" wide nocase
$s7 = "for /f %%x in ('wevtutil el') do wevtutil cl" ascii
$s8 = "tasklist | find /i \"SDELETE.exe\"" ascii
$e1 = "mshta.exe" ascii wide nocase
$e2 = "sc.exe" ascii wide nocase
$e3 = "vssadmin.exe" ascii wide nocase
$e4 = "wbadmin.exe" ascii wide nocase
$e5 = "cmd.exe" ascii wide nocase
condition: uint16(0) == 0x5a4d and (4 of ($s*) or (all of ($e*) and 2 of ($s*)))
}
rule MALWARE_Win_LokiLocker {
meta:
author = "ditekSHen"
description = "Detects LokiLocker ransomware"
strings:
$x1 = "SOFTWARE\\Loki" fullword wide
$x2 = "Cpriv.Loki" fullword wide
$x3 = "Loki/" wide
$x4 = /loki(\s)?locker/ fullword wide nocase
$s1 = "Restore-My-Files.txt" wide
$s2 = "loading encryption keys" wide
$s3 = "Kill switch -> enabled" wide
$s4 = "ScanSMBShares" fullword ascii
$s5 = "RewriteMBR" fullword ascii
$s6 = /Encrypt(Drives|File|WinVolume|OsDrive)/ fullword ascii
$n1 = "unique-id=" ascii wide
$n2 = "&disk-size=" ascii wide
$n3 = "&user=Darwin&cpu-name=" ascii wide
$n4 = "&ram-size=" ascii wide
$n5 = "&os-name=" ascii wide
$n6 = "&chat-id=" ascii wide
$n7 = "&msg-id=" ascii wide
$n8 = "&elapsed-time=" ascii wide
condition: uint16(0) == 0x5a4d and (2 of ($x*) or 4 of ($s*) or 6 of ($n*) or (3 of ($s*) and 3 of ($n*)) or (1 of ($x*) and (2 of ($s*) or 2 of ($n*))))
}
rule MALWARE_Osx_DazzleSpy {
meta:
author = "ditekSHen"
description = "Attemp at hunting for DazzleSpy"
strings:
$x1 = "/osxrk_commandline/" ascii wide nocase
$x2 = "/Users/wangping/pangu/" ascii wide nocase
$s1 = "heartbeat" ascii wide
$s2 = "scanFiles" ascii wide
$s3 = "restartCMD" ascii wide
$s4 = "downloadFile" ascii wide
$s5 = "RDPInfo" ascii wide
condition: uint16(0) == 0xfacf and (all of ($x*) or all of ($s*) or (1 of ($x*) and 3 of ($s*)))
}
rule MALWARE_Win_BHunt {
meta:
author = "ditekSHen"
description = "Detects BHunt infostealer"
strings:
$x1 = "BHUNT.Resources.resources" fullword ascii
$x2 = "//minecraftsquid.hopto.org/" wide
$s1 = "chaos_crew" ascii wide
$s2 = "golden7" ascii wide
$s3 = "mrpropper" ascii wide
$s4 = "/ifo.php?" ascii wide
$s5 = "bonanza=:=" ascii wide
$s6 = "blackjack=:=" ascii wide
$s7 = "SendPostData" fullword ascii
$c1 = "cmd /c REG ADD" wide
$c2 = "taskkill /F /IM" wide
$c3 = "cmd.exe /c wmic" wide
$g1 = "$ca9a291d-266c-41dc-9f1c-93cfe0dcac16" fullword ascii
$g2 = "$6d0feb35-213d-4b9f-afc7-06d168cfcb5e" fullword ascii
condition: uint16(0) == 0x5a4d and (all of ($x*) or (1 of ($x*) and (5 of ($s*) or 2 of ($c*))) or (6 of ($s*) and 2 of ($c*)) or (all of ($g*) and 2 of them))
}
rule MALWARE_Win_Lorenz {
meta:
author = "ditekSHen"
description = "Detects Lorenz ransomware"
strings:
$x1 = "143.198.117.43" fullword ascii
$x2 = "157.90.147.28" fullword ascii
$x3 = "//kpb3ss3vwvfejd4g3gvpvqo6ad7nnmvcqoik4mxt2376yu2adlg5fwyd.onion" ascii
$x4 = "http://lorenz" ascii
$x5 = "\\lora\\Release\\lora.pdb" ascii
$x6 = "--MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ" ascii
$x7 = "/USER:'HOMEOFFICE.COM\\" ascii
$x8 = "/USER:'Sentinel.com\\" ascii
$s1 = "to->_What == nullptr && to->_DoFree == false" fullword wide
$s2 = "*it == '\\0'" fullword wide
$s3 = "process call create 'cmd.exe /c" ascii
$s4 = "\\Control Panel\\Desktop\" /V Wallpaper /T REG_SZ /F /D" ascii
$s5 = "HELP_SECURITY_EVENT.html" ascii
$s6 = "<br>[+] Whats Happen?" ascii
$s7 = /\.Lorenz\.sz\d+$/ fullword ascii
$s8 = "TW9Vc29Db3JlV29ya2VyLmV4ZQ==" fullword ascii
$s9 = ".Speak(\"You've been hack" ascii nocase
$s10 = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAo" ascii
$n1 = "ame_serv=" ascii
$n2 = "&ip=" ascii
$n3 = "&winver=Windows" ascii
$n4 = "&list_drive=" ascii
$n5 = "&file=" ascii
condition: uint16(0) == 0x5a4d and (2 of ($x*) or 8 of ($s*) or (4 of ($n*) and 2 of them) or (1 of ($x*) and 6 of them))
}
rule MALWARE_Win_BlackCat {
meta:
author = "ditekSHen"
description = "Detects BlackCat ransomware"
strings:
$x1 = "{\"config_id\":\"\",\"public_key\":\"MIIBIjANBgkqhkiG9w0BAQEFAAO" ascii
$x2 = "C:\\Users\\Public\\All Usersdeploy_note_and_image_for_all_users=" fullword ascii
$s1 = "encrypt_app::windows" ascii
$s2 = /locker::core::os::windows::(desktop_note|self_propagation|privilege_escalation|psexec|shadow_copy)/ ascii
$s3 = "uac_bypass::shell_exec=" ascii
$s4 = "-u-p-s-d-f-cpropagate::attempt=" ascii
$s5 = "masquerade_peb" ascii
$s6 = "RECOVER-${EXTENSION}-FILES.txt" ascii
$s7 = ".onion/?access-key=${ACCESS_KEY}" ascii
$s8 = "-vm-killno-vm-snapshot-killno-vm-kill-" ascii
$s9 = "esxi_vm_killenable_esxi_vm_snapshot_killstrict_" ascii
$s10 = /enum_(shares|servers)_sync::ok/ fullword ascii
$s11 = "hidden_partitions::mount_all::mounting=" ascii
//bcdedit /set {default}bcdedit /set {default} recoveryenabled No
//kill_all::found=
condition: (uint16(0) == 0x5a4d or uint16(0) == 0x457f) and (all of ($x*) or 5 of ($s*) or (1 of ($x*) and 3 of ($s*)))
}
rule MALWARE_Win_Koxic {
meta:
author = "ditekSHen"
description = "Detects Koxic ransomware"
strings:
$c1 = " INFO: >> %TEMP%\\" ascii wide
$c2 = "cmd /c \"wmic" ascii wide
$c3 = "cmd /c \"echo" ascii wide
$c4 = "cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q \"%s\"" fullword wide
$c5 = /sc config.{1,30}start=disabled/ fullword ascii wide
$s1 = "Container: %s" fullword wide
$s2 = "Shotcut dir : %s" fullword wide
$s3 = "\\Microsoft\\Windows\\Network Shortcuts\\" fullword wide
$s4 = "Thread %d started." fullword ascii
$s5 = "ADD our TOXID:" wide
$s6 = "[Recommended] Using an email" wide
condition: uint16(0) == 0x5a4d and ((4 of ($s*) and 1 of ($c*)) or (2 of ($s*) and (#c1 > 5 or #c2 > 5 or #c3 > 5 or #c5 > 5)))
}
rule MALWARE_Win_TimeTime {
meta:
author = "ditekSHen"
description = "Detects TimeTime ransomware"
strings:
$s1 = "@_DECRYPTOR_@" ascii wide
$s2 = "@__RECOVER_YOUR_FILES__@" wide
$s3 = "\\TimeTime.pdb" ascii
$s4 = "runCommand" fullword ascii
$s5 = "decryptor_file_name" fullword ascii
$s6 = "encryption_hiding_process" fullword ascii
$s7 = "admin_hiding_process" fullword ascii
$s8 = "security_vaccine" fullword ascii
$s9 = "EncrFiles_Load" fullword ascii
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Win_StrifeWater {
meta:
author = "ditekSHen"
description = "Detects StrifeWater RAT"
strings:
$s1 = "example/1.0" fullword wide
$s2 = "coname:" fullword ascii
$s3 = "*elev:" fullword ascii
$s4 = "*uname:" fullword ascii
$s5 = "--BoundrySign" ascii
$s6 = "000000c:\\users\\public\\libraries\\tmp.bi" ascii
$s7 = "9c4arSBr32g6IOni" fullword ascii
$pdb = "\\win8\\Desktop\\ishdar_win8\\" ascii
$xn1 = "techzenspace.com" fullword wide
$xn2 = "87.120.8.210" wide
$xn3 = "192.168.40.27" wide
$n1 = /RVP\/index\d+\.php/ fullword wide
$n2 = "tid=%d&code=%s&fname=%s&apiData=%s" fullword ascii
$n3 = "code=%s&tid=%d&fname=%s&apiData=%s" fullword ascii
$n4 = "Content-Disposition: form-data; name=\"token\"" fullword ascii
$n5 = "Content-Disposition: form-data; name=\"apiData\"" fullword ascii
$n6 = "Content-Disposition: form-data; name=\"data\"; filename=\"" fullword ascii
$n7 = "Content-Disposition: form-data; name=\"tid\"" fullword ascii
condition: uint16(0) == 0x5a4d and (2 of ($xn*) or 6 of ($s*) or 6 of ($n*) or (1 of ($xn*) and 4 of them) or ($pdb and 4 of them) or (3 of ($s*) and 3 of ($n*)))
}
rule MALWARE_Win_Surtr {
meta:
author = "ditekSHen"
description = "Detects Surtr ransomware. Ransom note is similar to LockFile"
strings:
$s1 = "<title>SurtrRansomware</title>" ascii
$s2 = "<HTA:APPLICATION ID=\"SurtrRansomware\"" ascii
$s3 = "APPLICATIONNAME=\"SurtrRansomware\"" ascii
$s4 = "src=\"data:image/jpeg; base64,/9j/4AAQSkZJRgABAQEAYABgAAD/2wCEAAgICAgJCAkKCgkNDgwODRMREBARExwUFhQWFBwrGx8bGx8bKyYuJSMlLiZENS8v" ascii
$s5 = "4rbgxisigb4pxnloxzc265rmzaj7fslrhyouegtrph2a7xhh55r6xaid.onion" ascii
$s6 = "schtasks /CREATE /SC ONLOGON /TN svchos" wide
$s7 = "reg add HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ /v \"svchos" ascii
$s8 = "reg add HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\ /v \"svchos" ascii
$s9 = "SURTR_README.txt" wide
$s10 = "surtr-decrypt.top" ascii
$s11 = /(Public|Private|ID)_DATA\.surt/ wide
// Dropper
//$d1 = "AES SMALL decryption - %s failed: 0x%08x"
//$d2 = "Payload successfully decrypted"
//$d3 = "\\Dev\\source\\repos\\Dropper\\x64\\Release\\Dropper.pdb"
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Win_UDPRat {
meta:
author = "ditekSHen"
description = "Detects UDPRat"
strings:
$s1 = "\\code\\UDP\\Client\\" ascii
$s2 = "ssdp:discover" ascii
$s3 = ": Device:" ascii
$s4 = "for the SNMP U encountered" ascii
$s5 = "privat:InternetGatewayelink" fullword ascii
$s6 = "schemas A jet error was" ascii
$s7 = "msidentity" fullword ascii
$s8 = "microsoftonliser-based Securi" ascii
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_JesterStealer {
meta:
author = "ditekSHen"
description = "Detects JesterStealer"
strings:
$s1 = /\[(Credman|Networks|Screenshot|Vault)\]\s\{0\}/ fullword wide
$s3 = "encoding=\"base64\"" fullword wide
$s4 = "/json/list" fullword wide
$s5 = "/L1ghtM4n/TorProxy/" ascii wide
$s6 = "<EnumerateCredentials>" ascii
$s7 = "<EnumerateBrowsers>" ascii
$s8 = "<PerformSelfDestruct>" ascii
$s9 = "<get_GrabberCount>" ascii
$s10 = "AnalyzeData" fullword ascii
$s11 = "CheckCard" fullword ascii
$s12 = "CreateGrabberZipPath" fullword ascii
$s13 = "Jester" fullword ascii
$s14 = /Stealer\.(Recovery|Grabber|Investigation)\./ ascii
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_SoranoStealer {
meta:
author = "ditekSHen"
description = "Detects SoranoStealer / HogGrabber. Available on Github: /Alexuiop1337/SoranoStealer"
strings:
$x1 = "OiCuntJollyGoodDayYeHavin_" ascii
$x2 = { 00 56 4d 50 72 6f 74 65 63 74 00 52 65 61 63 74
6f 72 00 64 65 34 66 75 63 6b 79 6f 75 00 42 61
62 65 6c 4f 62 66 75 73 63 61 74 6f 72 41 74 74
72 69 62 75 74 65 00 43 72 79 74 70 6f 4f 62 66
75 73 63 61 74 6f 72 00 }
$x3 = { 00 4f 62 66 75 73 63 61 74 65 64 42 79 47 6f 6c
69 61 74 68 00 42 65 64 73 2d 50 72 6f 74 6f 72 00 }
$s1 = ".Binaries.whysosad" ascii
$s2 = "Adminstrator permissons are required" wide
$s3 = "12:03:33:4A:04:AF" fullword wide
$s4 = "RemoveEXE" fullword ascii
$s5 = "$340becfa-1688-4c32-aa49-30fdb4005e4b" fullword ascii
$s6 = "$99cffbcc-6ad7-4d32-bd1f-450967cf4a6b" fullword ascii
$s7 = "\"cam\": " ascii
$s8 = " - 801858595527371999762718088" fullword ascii
$s9 = " - 96188142294460126639341306" fullword ascii
condition: uint16(0) == 0x5a4d and (all of ($x*) or (2 of ($x*) and 3 of ($s*)) or 5 of ($s*))
}
rule MALWARE_Win_GloomaneStealer {
meta:
author = "ditekSHen"
description = "Detects GloomaneStealer"
strings:
$x1 = "=GLOOMANE STEALER=" wide
$x2 = "Maded by GLOOMANE" wide
$s1 = "\\44CALIBER" ascii
$s2 = "Ethernet()" fullword wide
$s3 = ":spy: NEW LOG FROM" wide
$s4 = ":eye: IP:" wide
$s5 = ":file_folder: Grabbed Files" wide
$s6 = "$ebc25cf6-9120-4283-b972-0e5520d0000C" fullword ascii
$s7 = "$3b0e2d3d-3d66-42bb-8f9c-d6e188f359ae" fullword ascii
condition: uint16(0) == 0x5a4d and (all of ($x*) or (1 of ($x*) and 3 of ($s*)) or 5 of ($s*))
}
rule MALWARE_Win_LockDown {
meta:
author = "ditekSHen"
description = "Detects Lockdown / cantopen ransomware"
strings:
$s1 = "BgIAAACkAABSU0E" wide
$s2 = ".cantopen" fullword wide
$s3 = "\\HELP_DECRYPT_YOUR_FILES.txt" wide
$s4 = "SALT" fullword wide
$s5 = "$4e677664-9a63-458e-a365-deb792509557" fullword ascii
$s6 = "CreateEncryptor" fullword ascii
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Win_UnamedStealer {
meta:
author = "ditekSHen"
description = "Detects unknown infostealer. Observed as 2nd stage and injects into .NET AppLaunch.exe"
strings:
$s1 = "HideMelt" fullword ascii
$s2 = ".Implant" ascii
$s3 = "SetUseragent" fullword ascii
$s4 = "SendReport" fullword ascii
$s5 = "cookiesList" fullword ascii
$s6 = "WriteAppsList" fullword ascii
$s7 = "Timeout /T 2 /Nobreak" fullword wide
$s8 = "Directory not exists" wide
$s9 = "### {0} ### ({1})" wide
condition: uint16(0) == 0x5a4d and 6 of them
}
rule MALWARE_Win_ZXShell_Loader {
meta:
author = "ditekSHen"
description = "Detects ZXShell kernel driver loader"
hash1 = "a6020794bd6749e0765966cd65ca6d5511581f47cc2b38e41cb1e7fddaa0b221"
strings:
$s1 = "KillAvpProcess" ascii wide nocase
$s2 = "ProtectDllFile" ascii wide nocase
$s3 = "LoadSys"ascii wide nocase
$s4 = "CallDriver" ascii wide nocase
$s5 = "DoRVA" fullword ascii wide
$s6 = "TdiProxy" ascii // "\\\\.\\TdiProxy0" fullword ascii
$s7 = "res.ini" fullword ascii
$s8 = "res.dat" fullword ascii
$s9 = "google64.p" fullword ascii
$s10 = "google32.p" fullword ascii
$s11 = "OneSelfKey" fullword ascii
$x1 = "antiscan" ascii
$x2 = "removeprocessnotify" ascii
$x3 = "setprocessnotify" ascii
$x4 = "antiantigp" ascii
$x5 = "hideproc" ascii
$x6 = "hidekey" ascii
$x7 = "hidefile" ascii
$x8 = "sc create %s binpath= \"%%SystemRoot%%\\System32\\svchost.exe -k %s\" type= share start= auto" fullword ascii
$m1 = "St4rtServ1ce" ascii
$m2 = "ch3ck dr1ver failed" ascii
$m3 = "L0ad dr1ver failed" ascii
$m4 = "Write Dr1ver Failed" ascii
$m5 = "over writed succ3ssfully" ascii
$m6 = "can k1ll the pr0cessId" ascii
condition: uint16(0) == 0x5a4d and (
3 of ($m*) or
5 of ($s*) or
5 of ($x*) or
(3 of ($s*) and 3 of ($x*)) or
(2 of ($s*) and 1 of ($x*) and 1 of ($m*)) or
(pe.exports("KillAvpProcess") and pe.exports("ProtectDllFile") and pe.exports("LoadSys")) or (
3 of them and (
pe.exports("KillAvpProcess") or
pe.exports("ProtectDllFile") or
pe.exports("LoadSys") or
pe.exports("CallDriver") or
pe.exports("DoRVA")
)
)
)
}
rule MALWARE_Win_Bandit {
meta:
author = "ditekSHen"
description = "Detects Bandit Infostealer"
strings:
$x1 = "@Banditshopbot" ascii
$x2 = "BANDIT STEALER" ascii
$x3 = "Banditstealer" ascii
$n1 = "bandit/browsers." ascii
$n2 = "bandit/crypto." ascii
$n3 = "bandit/decrypt." ascii
$n4 = "bandit/messenger." ascii
$n5 = "bandit/userdata." ascii
$n6 = "bandit/utils." ascii
$f1 = "main.sendZipToTelegram" fullword ascii
$f2 = "main.killProcessHoldingFileHandle" fullword ascii
$f3 = "main.killProcessByName" fullword ascii
$f4 = "main.killProcessesHoldingFile" fullword ascii
$f5 = "main.deleteDir" fullword ascii
$f6 = "main.deleteUserDataDirs" fullword ascii
$path = /bandit\/(browsers|common|crypto|messenger|userdata|utils)\/(browsers|common|crypto|messenger|userdata|utils)\.go/ ascii
$m1 = "banditbot" ascii wide nocase
$m2 = "blackListedIPS = [" ascii wide nocase
$m3 = "blackListedPCNames = [" ascii wide nocase
$m4 = "blackListedMacs = [" ascii wide nocase
$m5 = "blacklisted_hwids = [" ascii wide nocase
$m6 = "blacklisted_users = [" ascii wide nocase
$m7 = "blacklisted_processes = [" ascii wide nocase
$s1 = "User-AgentVirtualBox" ascii
$s2 = "%s%sBinanceChainWallet" ascii
$s3 = "coinbaseWalletcontent-lengthdata" ascii
$s4 = "coinbaseWalletExtensioncommand" ascii
$s5 = "\\s+pid:\\s+(\\d+)\\s+" ascii
$s6 = "/user:Administrator" ascii
condition:
uint16(0) == 0x5a4d and (2 of ($x*) or 4 of ($n*) or 5 of ($f*) or ($path and (1 of ($n*) or 1 of ($f*))) or (1 of ($x*) and (1 of ($n*) or 1 of ($f2*))) or 6 of ($m*) or (all of ($s*)))
}
rule MALWARE_Win_LapLas {
meta:
author = "ditekSHen"
description = "Detects LapLas Infostealer"
clamav_sig1 = "MALWARE.Win.LapLas-DotNET"
clamav_sig2 = "MALWARE.Win.LapLas-GoLang"
strings:
// Go variant
$c1 = "/bot/" ascii
$c2 = "key=" ascii
$f1 = "main.isRunning" fullword ascii
$f2 = "main.writePid" fullword ascii
$f3 = "main.isStartupEnabled" fullword ascii
$f4 = "main.enableStartup" fullword ascii
$f5 = "main.waitOpenClipboard" fullword ascii
$f6 = "main.clipboardWrite" fullword ascii
$f7 = "main.setOnline" fullword ascii
$f8 = "main.getRegex" fullword ascii
// .NET variant
$v2_1 = "{0}/bot/{1}?{2}" wide
$v2_2 = /\{0\}\\\{1\}\.(exe|pid)/ wide
$v2_3 = "schtasks /create /tn" wide
$v2_4 = "SetOnline" fullword ascii
$v2_5 = "IsAutoRunInstance" fullword ascii
$v2_6 = "GetNewAddress" fullword ascii
$v2_7 = "RefreshRegex" fullword ascii
condition: uint16(0) == 0x5a4d and ((all of ($c*) and 5 of ($f*)) or (1 of ($c*) and 7 of ($f*)) or (6 of ($v2*)))
}
rule MALWARE_Win_Mystic {
meta:
author = "ditekSHen"
description = "Hunt for Mystic Infostealer"
strings:
$s1 = "LaStFiLe:)" ascii wide
$s2 = "LaStPrOcEsS:)" ascii wide
$s3 = "credit_cards" ascii wide
$s4 = "number_of_processors" ascii wide
$s5 = "computername" ascii wide
$p1 = "G:\\Projects\\Python\\morpher\\" ascii wide
$p2 = /G:\\Projects\\stealer\\.{15}\\Release\\.{5,25}\.pdb/ ascii wide
condition: (uint16(0) == 0x5a4d and (4 of ($s*) or (1 of ($p*) and 3 of ($s*)))) or (all of ($s*))
}
rule MALWARE_Linux_Buhti {
meta:
author = "ditekSHen"
description = "Detects Buhti Ransomware"
strings:
$x1 = "buhtiRansom" ascii
$x2 = "://satoshidisk.com/pay/" ascii
$s1 = "main.encrypt_file" fullword ascii
$s2 = "/path/to/be/encrypted" ascii
$s3 = "Restore-My-Files.txt" ascii
$s4 = ".buhti390625" ascii
condition: uint16(0) == 0x457f and (all of ($x*) or (1 of ($x*) and 3 of ($s*)) or 5 of them)
}
rule MALWARE_Win_CommonMagic {
meta:
author = "ditekSHen"
description = "Detects CommonMagic and Modules"
strings:
$p1 = "\\\\.\\pipe\\PipeMd" wide
$p2 = "\\\\.\\pipe\\PipeCrDtMd" wide
$p3 = "\\\\.\\pipe\\PipeDtMd" wide
$s1 = "graph.microsoft.com" fullword wide
$s2 = "CreateNamedPipe" ascii
$s3 = "\\CommonCommand\\" wide
$ua1 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36" wide
$ua2 = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10136" wide
condition: uint16(0) == 0x5a4d and (2 of ($p*) and 1 of ($s*)) or (1 of ($ua*) and 1 of ($s*) and 1 of ($p*))
}
rule MALWARE_Win_GreetingGhoul {
meta:
author = "ditekSHen"
description = "Detects GreetingGhoul Cryptocurrency Infostealer"
strings:
$s1 = "peer_list" fullword ascii
$s2 = "seed_hash" fullword ascii
$s3 = "pool_id" fullword ascii
$s4 = "%smutex=%s:%lu" ascii
$s5 = "miner.cfg" fullword ascii
$s6 = "{\"method\": \"%s\"%s}" ascii
$s7 = "/app/manager/%s" ascii
$s8 = "X-VNC-STATUS" fullword ascii
$s9 = "%s\\%lu.zip" fullword ascii
$s10 = "\\??\\%programdata%\\" wide
condition: uint16(0) == 0x5a4d and 6 of them
}
rule MALWARE_Win_Multi_Family_InfoStealer {
meta:
author = "ditekSHen"
description = "Detects Prynt, WorldWind, DarkEye, Stealerium and ToxicEye / TelegramRAT infostealers"
strings:
$n1 = /Prynt|WorldWind|DarkEye(\s)?Stealer/ ascii wide
$n2 = "Stealerium" ascii wide
$x1 = "@FlatLineStealer" ascii wide
$x2 = "@CashOutGangTalk" ascii wide
$x3 = /\.Target\.(Passwords|Messengers|Browsers|VPN|Gaming)\./ ascii
$x4 = /\.Modules\.(Keylogger|Implant|Passwords|Messengers|Browsers|VPN|Gaming|Clipper)\./ ascii
$s1 = "Timeout /T 2 /Nobreak" fullword wide
$s2 = /---\s(AntiAnalysis|WebcamScreenshot|Keylogger|Clipper)/ wide
$s3 = "Downloading file: \"{file}\"" wide
$s4 = "/bot{0}/getUpdates?offset={1}" wide
$s5 = "send command to bot!" wide
$s6 = " *Keylogger " fullword wide
$s7 = "*Stealer" wide
$s8 = "Bot connected" wide
$s9 = "### {0} ### ({1})" wide
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Win_WorldWind {
meta:
author = "ditekSHen"
description = "Detects WorldWind infostealer"
strings:
$c1 = /WorldWind(\s)?Stealer/ ascii wide
$x2 = "@FlatLineStealer" ascii wide
$x3 = "@CashOutGangTalk" ascii wide
$m1 = ".Passwords.Targets." ascii
$m2 = ".Modules.Keylogger" ascii
$m3 = ".Modules.Clipper" ascii
$m4 = ".Modules.Implant" ascii
$s1 = "--- Clipper" wide
$s2 = "Downloading file: \"{file}\"" wide
$s3 = "/bot{0}/getUpdates?offset={1}" wide
$s4 = "send command to bot!" wide
$s5 = " *Keylogger " fullword wide
$s6 = "*Stealer" wide
$s7 = "Bot connected" wide
condition: uint16(0) == 0x5a4d and 1 of ($c*) and (1 of ($x*) or 2 of ($m*) or 3 of ($s*))
}
rule MALWARE_Win_Prynt {
meta:
author = "ditekSHen"
description = "Detects Prynt infostealer"
strings:
$c1 = /Prynt(\s)?Stealer/ ascii wide
$x2 = "@FlatLineStealer" ascii wide
$x3 = "@CashOutGangTalk" ascii wide
$m1 = ".Passwords.Targets." ascii
$m2 = ".Modules.Keylogger" ascii
$m3 = ".Modules.Clipper" ascii
$m4 = ".Modules.Implant" ascii
$s1 = "--- Clipper" wide
$s2 = "Downloading file: \"{file}\"" wide
$s3 = "/bot{0}/getUpdates?offset={1}" wide
$s4 = "send command to bot!" wide
$s5 = " *Keylogger " fullword wide
$s6 = "*Stealer" wide
$s7 = "Bot connected" wide
condition: uint16(0) == 0x5a4d and 1 of ($c*) and (1 of ($x*) or 2 of ($m*) or 3 of ($s*))
}
rule MALWARE_Win_DarkEye {
meta:
author = "ditekSHen"
description = "Detects DarkEye infostealer"
strings:
$c1 = /Prynt(\s)?Stealer/ ascii wide
$c2 = /WorldWind(\s)?Stealer/ ascii wide
$c3 = "ToxicEye" ascii wide
$x2 = "@FlatLineStealer" ascii wide
$x3 = "@CashOutGangTalk" ascii wide
$s1 = "--- Clipper" wide
$s2 = "Downloading file: \"{file}\"" wide
$s3 = "/bot{0}/getUpdates?offset={1}" wide
$s4 = "send command to bot!" wide
$s5 = " *Keylogger " fullword wide
$s6 = "*Stealer" wide
$s7 = "Bot connected" wide
condition: uint16(0) == 0x5a4d and not any of ($c*) and ((1 of ($x*) and 2 of ($s*)) or (4 of ($s*)))
}
rule MALWARE_Win_InvalidPrinter {
meta:
author= "ditekSHen"
description = "Invalid Printer (in2al5d p3in4er) Loader"
clamav_sig = "MALWARE.Win.InvalidPrinter"
strings:
$s1 = "in2al5d p3in4er" fullword ascii
$s2 = "CreateDXGIFactory" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 15000KB and all of them
}
rule MALWARE_Win_RaccoonV2 {
meta:
author = "ditekSHen"
description = "Detects Raccoon Stealer 2.0, also referred to as RecordBreaker"
strings:
$f1 = "sgnl_" fullword ascii
$f2 = "tlgrm_" fullword ascii
$f3 = "ews_" fullword ascii
$f4 = "grbr_" fullword ascii
$f5 = "dscrd_" fullword ascii
$f6 = "wlts_" fullword ascii
$f7 = "scrnsht_" fullword ascii
$f8 = "sstmnfo_" fullword ascii
$s1 = "machineId=" fullword ascii
$s2 = "&configId=" fullword ascii
$s3 = "URL:%s" fullword ascii
$s4 = "USR:%s" fullword ascii
$s5 = "PASS:%s" fullword ascii
$s6 = "Content-Type: application/x-object" fullword ascii
condition: ((uint16(0) == 0x5a4d and (4 of ($f*) or all of ($s*) or 7 of them)) or 10 of them)
}
rule MALWARE_Win_TrueBot {
meta:
author = "ditekSHen"
description = "Detects TrueBot"
strings:
$s1 = "%s\\rundll32.exe" fullword wide
$s2 = "ChkdskExs" fullword wide
$s3 = "n=%s&o=%s&a=%d&u=%s&p=%s&d=%s" ascii
$s4 = "KLLS" fullword ascii
$s5 = "%s\\%08x-%08x.ps1" fullword ascii
$s6 = ".JSONIP" ascii
$s7 = "CreateProcessAsUserW res %d err %d" fullword ascii
$s8 = "ldr_sys64.dll" fullword ascii
$s9 = "SVCHOST" fullword ascii
$s10 = "WINLOGON" fullword ascii
$s11 = { 67 6f 6f 67 6c 65 2e 63 6f 6d 00 00 00 00 00 00
2f 00 63 00 20 00 64 00 65 00 6c 00 20 00 00 00
20 00 3e 00 3e 00 20 00 4e 00 55 00 4c 00 }
condition: uint16(0) == 0x5a4d and 6 of them
}
rule MALWARE_Win_LummaStealer {
meta:
author = "ditekSHen"
description = "Detects Lumma Stealer"
snort1 = "2023813001"
snort2 = "2023813002"
clamav1 = "MALWARE.Win.Trojan.LummaStealer"
strings:
$x1 = /Lum[0-9]{3}xedmaC2,\sBuild/ ascii
$x2 = /LID\(Lu[0-9]{3}xedmma\sID\):/ ascii
$s1 = /os_c[0-9]{3}xedrypt\.encry[0-9]{3}xedpted_key/ fullword ascii
$s2 = "c2sock" wide
$s3 = "c2conf" wide
$s4 = "TeslaBrowser/" wide
$s5 = "Software.txt" fullword wide
$s6 = "SysmonDrv" fullword
$s7 = "*.eml" fullword wide nocase
$s8 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" wide
$s9 = "- Screen Resoluton:" ascii
$s10 = "lid=%s" ascii
$s11 = "&ver=" ascii
$s12 = "769cb9aa22f4ccc412f9cbc81feedd" fullword wide
$s13 = "gapi-node.io" fullword ascii
condition: uint16(0) == 0x5a4d and (all of ($x*) or (1 of ($x*) and 2 of ($s*)) or 5 of ($s*) or 7 of them)
}
rule MALWARE_Win_XWorm {
meta:
author = "ditekSHen"
description = "Detects XWorm"
clamav_sig = "MALWARE.Win.XWorm"
strings:
$x1 = "XWorm " wide nocase
$x2 = /XWorm\s(V|v)\d+\.\d+/ fullword wide
$s1 = "RunBotKiller" fullword wide
$s2 = "XKlog.txt" fullword wide
$s3 = /(shell|reg)fuc/ fullword wide
$s4 = "closeshell" fullword ascii
$s5 = { 62 00 79 00 70 00 73 00 73 00 00 ?? 63 00 61 00 6c 00 6c 00 75 00 61 00 63 00 00 ?? 73 00 63 00 }
$s6 = { 44 00 44 00 6f 00 73 00 54 00 00 ?? 43 00 69 00 6c 00 70 00 70 00 65 00 72 00 00 ?? 50 00 45 00 }
$s7 = { 69 00 6e 00 6a 00 52 00 75 00 6e 00 00 ?? 73 00 74 00 61 00 72 00 74 00 75 00 73 00 62 }
$s8 = { 48 6f 73 74 00 50 6f 72 74 00 75 70 6c 6f 61 64 65 72 00 6e 61 6d 65 65 65 00 4b 45 59 00 53 50 4c 00 4d 75 74 65 78 78 00 }
$v2_1 = "PING!" fullword wide
$v2_2 = "Urlhide" fullword wide
$v2_3 = /PC(Restart|Shutdown)/ fullword wide
$v2_4 = /(Start|Stop)(DDos|Report)/ fullword wide
$v2_5 = /Offline(Get|Keylogger)/ wide
$v2_6 = "injRun" fullword wide
$v2_7 = "Xchat" fullword wide
$v2_8 = "UACFunc" fullword ascii wide
condition: uint16(0) == 0x5a4d and ((1 of ($x*) and (3 of ($s*) or 3 of ($v2*))) or 6 of them)
}
rule MALWARE_Win_ClipBanker03 {
meta:
author = "ditekSHen"
description = "Detects ClipBanker"
strings:
$s1 = "UNIC_KEY" fullword wide
$s2 = "[StartUp]" fullword wide
$s3 = "[Kill]" fullword wide
$s4 = "[antivm]" fullword wide
$s5 = "AntiVM" fullword ascii
$s6 = "AntiKill" fullword ascii
$s7 = "hWndRemove" fullword ascii
$s8 = "/Clip(watch|Chang|Mon)/" fullword ascii
$w1 = "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0" fullword wide
$w2 = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" fullword wide
$w3 = "/create /sc MINUTE /mo 1 /tn \"Windows Service\" /tr \"" fullword wide
$w4 = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" fullword wide
$w5 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" fullword wide
condition: uint16(0) == 0x5a4d and (5 of ($s*) or all of ($w*) or 6 of them)
}
rule MALWARE_Win_dotRunpeX {
meta:
author = "ditekSHen"
description = "Detects dotRunpeX injector"
strings:
$s1 = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\TaskKill" fullword wide
$s2 = "KoiVM" ascii
$s3 = "RunpeX.Stub.Framework" wide
$s4 = "ExceptionServices.ExceptionDispatchInfo" wide
$s5 = "Kernel32.Dll" wide
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_CyberStealer {
meta:
author = "ditekSHen"
description = "Detects CyberStealer infostealer"
strings:
$x1 = "\\Cyber Stealer\\" ascii
$s1 = "[Virtualization]" fullword wide
$s2 = "\"encryptedPassword\":\"([^\"]+)\"" fullword wide
$s3 = "CreditCard" fullword ascii
$s4 = "DecryptPassword" fullword ascii
$s5 = "_modTime" fullword ascii
$s6 = "_pathname" fullword ascii
$s7 = "_pathnameInZip" fullword ascii
$s8 = "GetBookmarksDBPath" fullword ascii
$s9 = "GrabberImages" fullword ascii
$r1 = "^1[a-km-zA-HJ-NP-Z1-9]{25,34}$" wide // Crypto Wallet Address
$r2 = "^3[a-km-zA-HJ-NP-Z1-9]{25,34}$" wide // Crypto Wallet Address
$r3 = "^([a-zA-Z0-9_\\-\\.]+)@([a-zA-Z0-9_\\-\\.]+)\\.([a-zA-Z]{2,5})$" wide
$r4 = "^(?!:\\/\\/)([a-zA-Z0-9-_]+\\.)*[a-zA-Z0-9][a-zA-Z0-9-_]+\\.[a-zA-Z]{2,11}?$" wide
condition: uint16(0) == 0x5a4d and ((1 of ($x*) and (2 of ($s*) or 2 of ($r*))) or 7 of ($s*) or (5 of ($s*) and 2 of ($r*)) or (all of ($r*) and 4 of ($s*)))
}
rule MALWARE_Win_ArrowRAT {
meta:
author = "ditekSHen"
description = "Detects ArrowRAT"
strings:
$s1 = "29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb" wide
$s2 = "Software\\Classes\\ms-settings\\shell\\open\\command" wide
$s3 = "DelegateExecute" fullword wide
$s4 = "powershell" wide
$s5 = "DESKTOP_HOOKCONTROL" fullword ascii
$s6 = "PROCESS_INFORMATION" fullword ascii
$s7 = "STARTUP_INFORMATION" fullword ascii
$s8 = /(Venom|Pandora)\shVNC/ fullword wide
$s9 = "cmd.exe /k START" fullword wide
$s10 = "ExclusionWD" fullword ascii
$s11 = "WinExec" fullword ascii
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_DuckTail {
meta:
author = "ditekSHen"
description = "Detects DuckTail"
strings:
$s1 = "&global_scope_id=" wide
$s2 = "#ResolveMyIpAll" wide
$s3 = "#ApproveInvitesHandler" wide
$s4 = "#ProcessShareCok" wide
$s5 = "#InviteEmpHandler" wide
$s6 = "__activeScenarioIDs=%" wide
$s7 = "&__a=1&fb_dtsg=" wide
$s8 = "adAccountLimit\":(.*?)}" wide
$s9 = "|PUSH|" fullword wide
$s10 = "|SCREEN|" fullword wide
$s11 = "|SCREEC|" fullword wide
$s12 = "_ad_accounts>k__" ascii
$s13 = "get_Pwds" fullword ascii
$s14 = "Telegram.Bot" ascii
$s15 = { 2f 00 7b 00 43 00 59 00 52 00 7d 00 2e 00 74 00
78 00 74 00 00 15 2f 00 7b 00 4c 00 4f 00 47 00
7d 00 2e 00 74 00 78 00 74 00 00 15 2f 00 7b 00
43 00 46 00 47 00 7d 00 2e 00 74 00 78 00 74 00
00 15 2f 00 7b 00 50 00 52 00 53 00 7d 00 2e 00
74 00 78 00 74 00 00 15 2f 00 7b 00 53 00 43 00
52 00 7d 00 2e 00 6a 00 70 00 67 }
condition: uint16(0) == 0x5a4d and 13 of them
}
rule MALWARE_Win_Grum {
meta:
author = "ditekSHen"
description = "Detect Grum spam bot"
strings:
$s1 = "loader_id" fullword ascii
$s2 = "start_srv" fullword ascii
$s3 = "lid_file_upd" fullword ascii
$s4 = "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX" fullword ascii
$s5 = "rcpt to:<%s>" fullword ascii
$s6 = "ehlo %s" fullword ascii
$s7 = "%OUTLOOK_BND_" fullword ascii
condition: (uint16(0) == 0x5a4d and 5 of them) or (all of them)
}
rule MALWARE_Win_DLInjector07 {
meta:
author = "ditekSHen"
description = "Detects downloader injector"
strings:
$x1 = "23lenrek[||]lldtn[||]daerhTemuseR[||]txetnoCdaerhTteS46woW[||]txetnoCdaerhTteS[||]txetnoCdaerhTteG46woW[||]txetnoCdaerhTteG[||]xEcollAlautriV[||]yromeMssecorPetirW[||]yromeMssecorPdaeR[||]noitceSfOweiVpamnUwZ[||]AssecorPetaerC" wide
$l1 = "[||]" wide
$r1 = "yromeMssecorPetirW" wide
$r2 = "xEcollAlautriV" wide
$r3 = "daerhTemuseR" ascii wide
$r4 = "noitceSfOweiVpamnUwZ" wide
$s1 = "Debugger Detected" fullword wide
$s2 = "payload" fullword ascii
$s3 = "_ENABLE_PROFILING" fullword wide // Confuser Anti-Debug
condition: uint16(0) == 0x5a4d and (1 of ($x*) or (1 of ($l*) and 2 of ($r*)) or 6 of them)
}
rule MALWARE_Win_Stealerium {
meta:
author = "ditekSHen"
description = "Detects Stealerium infostealer"
strings:
$x1 = "Stealerium" ascii wide
$x2 = /\.Target\.(Passwords|Messengers|Browsers|VPN|Gaming)\./ ascii
$x3 = /\.Modules\.(Keylogger|Implant|Passwords|Messengers|Browsers|VPN|Gaming|Clipper)\./ ascii
$s1 = "Timeout /T 2 /Nobreak" fullword wide
$s2 = "Directory not exists" wide
$s3 = "### {0} ### ({1})" wide
$s4 = /---\s(AntiAnalysis|WebcamScreenshot|Keylogger|Clipper)/ wide
$s5 = " *Keylogger " fullword wide
condition: uint16(0) == 0x5a4d and (all of ($x*) or (2 of ($x*) and all of ($s*)))
}
rule MALWARE_Linux_GobRAT {
meta:
author = "ditekSHen"
description = "Detects GobRAT"
strings:
$x1 = "BotList" ascii
$x2 = "BotCount" ascii
$x3 = "/etc/services/zone/bot.log" ascii
$x4 = "aaa.com/bbb/me" ascii
$s1 = "encoding/gob." ascii
$s2 = ".GetMacAddress" ascii
$s3 = ".IpString2Uint32" ascii
$s4 = ".RegisterLogFile" ascii
$s5 = ".UniqueAppendString" ascii
$s6 = ".NewDaemon" ascii
$s7 = ".SimpleCommand" ascii
condition: uint16(0) == 0x457f and (3 of ($x*) or (2 of ($x*) and 3 of ($s*)) or (1 of ($x*) and 5 of ($s*)) or all of ($s*))
}
rule MALWARE_Win_HakunaMatata {
meta:
author = "ditekSHen"
description = "Detects HakunaMatata ransomware"
strings:
$s1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" wide
$s2 = "(?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})" wide
$s3 = "<RSAKeyValue><Modulus>" wide
$s4 = "HAKUNA MATATA" ascii wide
$s5 = "EXCEPTIONAL_FILE" ascii
$s6 = "TRIPLE_ENCRYPT" ascii
$s7 = "FULL_ENCRYPT" ascii
$s8 = "TARGETED_EXTENSIONS" ascii
$s9 = "CHANGE_PROCESS_NAME" ascii
$s10 = "KILL_APPS_ENCRYPT_AGAIN" ascii
$s11 = "<ALL_DRIVES>b__" ascii
$s12 = "dataToEncrypt" ascii
$s13 = "<RECURSIVE_DIRECTORY_LOOK>" ascii
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_HakunaMatata_Builder {
meta:
author = "ditekSHen"
description = "Detects HakunaMatata ransomware builder"
strings:
$s1 = "ENCRYPT FILES IN PROCESS" wide
$s2 = "#TARGET_FILES" ascii wide
$s3 = "HAKUNA MATATA" ascii wide nocase
$s4 = "#PRIVATE_KEY" ascii wide
$s5 = "/target:winexe /platform:anycpu /optimize+" wide
$s6 = "/win32icon:" fullword wide
$s7 = "SkippedFolders" ascii
$s8 = "RECURSIVE_DIRECTORY_LOOK(" ascii
$s9 = "DRAW_WALLPAPER(" ascii
$s10 = "startupKey.SetValue(MESSAGE_FILE.Split('.')[0], executablePath);" ascii
$s11 = /\\obj\\(Debug|Release)\\Hakuna\sMatata\.pdb/ ascii
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_TWarBot {
meta:
author = "ditekSHen"
description = "Detect TWarBot IRC Bot"
strings:
$x1 = "TWarBot" fullword ascii
$s1 = "PRIVMSG #" ascii
$s2 = "C:\\marijuana.txt" fullword ascii
$s3 = "C:\\rar.bat" fullword ascii
$s4 = "C:\\zip.bat" fullword ascii
$s5 = "software\\microsoft\\windows\\currentversion\\app paths\\winzip32.exe" ascii
$s6 = "software\\microsoft\\windows\\currentversion\\app paths\\WinRAR.exe" ascii
$s7 = "a -idp -inul -c- -m5" ascii
condition: uint16(0) == 0x5a4d and ((1 of ($x*) and 3 of ($s*)) or 5 of ($s*))
}
rule MALWARE_Win_G0Crypt {
meta:
author = "ditekSHen"
description = "Detects G0Crypt / BRG0SNet / NovaGP ransomware"
strings:
$x1 = "G0Crypt/go/" ascii
$x2 = "BRG0SNet" ascii
$x3 = "/NovaGroup" ascii
$x4 = "novagroup@onionmail.org" ascii nocase
$x5 = "# Nova Group" ascii
$f1 = "main.HaveRun" ascii
$f2 = "main.FindFile" ascii
$f3 = "main.deriveKey" ascii
$f4 = "main.Pwd" fullword ascii
$f5 = "/ClearBashFile" ascii
$f6 = "/ClearUserTempFiles" ascii
$f7 = "/KillProccess" ascii
$f8 = "/Encryptor" ascii
$f9 = "/NoDirEncrypt" ascii
$f10 = "/RunCmdEexecutable" ascii
$f11 = "/StopImportantServices" ascii
$f12 = "/GetPwd" ascii
$s1 = "\\$Recycle.Bin"
$s2 = ".README.txt"
$s3 = "\\BRSPATH.exe"
$s4 = "taskkill /F /IM sql*"
$s5 = "C:\\inetpub\\logs\\"
$s6 = "shutdown /r"
$s7 = ":\\Program Files\\VMware\\"
$s8 = "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Message /t REG_SZ /d"
$s9 = "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v DelLogSoft /t REG_SZ /d"
condition: uint16(0) == 0x5a4d and (2 of ($x*) or 7 of ($f*) or (1 of ($x*) and (5 of ($f*) or 5 of ($s*))) or (6 of ($f*) and 4 of ($s*)) or 12 of them)
}
rule MALWARE_Win_SNAKE {
meta:
author = "ditekSHen"
description = "Detects Snake implant"
strings:
$c1 = { 25 73 23 31 }
$c2 = { 25 73 23 32 }
$c3 = { 25 73 23 33 }
$c4 = { 25 73 23 34 }
$c5 = { 2e 74 6d 70 }
$c6 = { 2e 73 61 76 }
$c7 = { 2e 75 70 64 }
$s1 = "tapisetschema.dll" fullword wide
$s2 = "\\\\.\\%s\\\\" fullword ascii wide
$s3 = "\\BaseNamedObjects\\%S" fullword wide
$s4 = "{CACE3174-CF88-4906-921A-A16A7DC8CF4B}.{B6066E99-37D7-4668-9B06-301CE2C1D367}.crmlog" ascii
$s5 = "-crash-" fullword ascii
$s6 = "rcv_buf=%d%c" fullword ascii
$s7 = "write_peer_nfo=%s:%d%cfrag_no_scrambling=Y%c" fullword ascii
condition: (uint16(0) == 0x5a4d and (all of ($s*) or (all of ($c*) and 1 of ($s*)))) or (all of ($c*) and 1 of ($s*))
}
rule MALWARE_Win_ModiLoader {
meta:
author = "ditekSHen"
description = "Detects ModiLoader"
strings:
$x1 = "*()%@5YT!@#G__T@#$%^&*()__#@$#57$#!@" fullword wide
$x2 = "dntdll" fullword wide
$x3 = "USERPROFILE" fullword wide
$s1 = "%s, ProgID: \"%s\"" ascii
$s2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ascii
$s3 = "responsetext" ascii
$s4 = "C:\\Users\\Public\\" ascii
$s5 = "[InternetShortcut]" fullword ascii
$c1 = "start /min powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command \"Add-MpPreference -ExclusionPath 'C:\\Users'\" & exit" ascii nocase
$c2 = "mkdir \"\\\\?\\C:\\Windows \"" ascii nocase
$c3 = "mkdir \"\\\\?\\C:\\Windows \\System32\"" ascii nocase
$c4 = "ECHO F|xcopy \"" ascii nocase
$c5 = "\"C:\\Windows \\System32\" /K /D /H /Y" ascii nocase
$c6 = "ping 127.0.0.1 -n 6 > nul" ascii nocase
$c7 = "del /q \"C:\\Windows \\System32\\*\"" ascii nocase
$c8 = "rmdir \"C:\\Windows \\System32\"" ascii nocase
$c9 = "rmdir \"C:\\Windows \"" ascii nocase
$g1 = "powershell" ascii nocase
$g2 = "mkdir \"\\\\?\\C:\\" ascii nocase
$g3 = "\" /K /D /H /Y" ascii nocase
$g4 = "ping 127.0.0.1 -n" ascii nocase
$g5 = "del /q \"" ascii nocase
$g6 = "rmdir \"" ascii nocase
condition: uint16(0) == 0x5a4d and
(
(2 of ($x*) and (all of ($g*) or (2 of ($s*) and 2 of ($c*)))) or
(all of ($s*) and (2 of ($c*) or all of ($g*))) or
(4 of ($c*) and (1 of ($x*) or 2 of ($s*))) or
(all of ($g*) and 4 of ($c*)) or
13 of them
)
}
rule MALWARE_Win_Akira {
meta:
author = "ditekSHen"
description = "Detects Akira Ransomware Windows"
strings:
$x1 = "https://akira" ascii
$x2 = ":\\akira\\" ascii
$x3 = ".akira" ascii
$x4= "akira_readme.txt" ascii
$x5 = "\\akira\\asio\\include\\asio\\impl\\co_spawn.hpp" ascii
$s1 = "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject" ascii
$s2 = "Win32_ProcessStartup" fullword wide
$s3 = /Failed\sto\smake\s(part|full|spot)\sencrypt/ ascii wide
$s4 = "--encryption_" ascii
$s5 = "--share_file" ascii
$s6 = { 24 00 52 00 45 00 43 00 59 00 43 00 4C 00 45 00 2E 00 42 00 49 00 4E 00 00 00 00 00 6? 6? 6? 00 (24|57) 00 (52|69) 00 }
$s7 = " PUBLIC KEY-----" ascii
$s8 = ".onion" ascii
$s9 = "/Esxi_Build_Esxi6/./" ascii nocase
$s10 = "No path to encrypt" ascii
$s11 = "-fork" fullword ascii
condition: uint16(0) == 0x5a4d and (3 of ($x*) or (1 of ($x*) and 4 of ($s*)) or 6 of ($s*))
}
rule MALWARE_Linux_Akira {
meta:
author = "ditekSHen"
description = "Detects Akira Ransomware Linux"
strings:
$x1 = "https://akira" ascii
$x2 = ":\\akira\\" ascii
$x3 = ".akira" ascii
$x4= "akira_readme.txt" ascii
$s1 = "--encryption_" ascii
$s2 = "--share_file" ascii
$s3 = { 00 24 52 65 63 79 63 6c 65 2e 42 69 6e 00 24 52 45 43 59 43 4c 45 2e 42 49 4e 00 }
$s4 = " PUBLIC KEY-----" ascii
$s5 = ".onion" ascii
$s6 = "/Esxi_Build_Esxi6/./" ascii nocase
$s7 = "No path to encrypt" ascii
$s8 = "-fork" fullword ascii
condition: uint16(0) == 0x457f and (3 of ($x*) or (1 of ($x*) and 4 of ($s*)) or 6 of ($s*))
}
rule MALWARE_Win_Underground {
meta:
author = "ditekSHen"
description = "Detects Underground ransomware"
strings:
$x1 = "Underground team" ascii
$ip1 = "172.16.10." ascii
$ip2 = "10.10.10." ascii
$s1 = "temp.cmd" ascii wide
$s2 = "%s\\!!readme!!!.txt" wide
$s3 = "VIPinfo.txt" wide
$s4 = "File opening error is:%d" wide
$s5 = "\\\\?\\%s" fullword wide
$s6 = "http://undgr" ascii
$s7 = "password:" ascii
$s8 = "login:" ascii
$s9 = ".onion" ascii
$b1 = "\\microsoft\\" fullword wide
$b2 = "\\google\\chrome" fullword wide
$b3 = "\\mozilla\\firefox" fullword wide
$b4 = "\\opera\\" fullword wide
condition: uint16(0) == 0x5a4d and ((1 of ($x*) and ((all of ($ip*) and 2 of ($s*)) or 4 of ($s*) or (2 of ($b*) and 2 of ($s*)))) or 7 of ($s*) or (3 of ($b*) and 4 of ($s*)) or (1 of ($ip*) and 2 of ($b*) and 2 of ($s*)))
}
rule MALWARE_Win_RomCom_Loader {
meta:
author = "ditekShen"
description = "Hunt for RomCom loader"
//strings:
//$s1 = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes" wide nocase
//$s2 = "\\REGISTRY\\USER" wide nocase
//$s3 = "CreateToolhelp32Snapshot" fullword ascii
condition: uint16(0) == 0x5a4d and pe.is_dll() and (
pe.exports("DllCanUnloadNow") and pe.exports("DllGetClassObject")
and pe.exports("DllRegisterServer") and pe.exports("DllUnregisterServer")
and pe.exports("GetProxyDllInfo")
) and for any fn in pe.export_details: (
fn.forward_name contains "Dll"
)
}
rule MALWARE_Win_RomCom_Worker {
meta:
author = "ditekShen"
description = "Hunt for RomCom worker"
strings:
$s1 = "UpdateProcThreadAttribute" fullword ascii
$s2 = "WriteFile" fullword ascii
$s3 = "GetAdaptersAddresses" fullword ascii nocase
$s4 = /inflate\s\d+\.\d+\.\d+\sCopyright/ ascii
$s5 = "SetHandleInformation" fullword ascii
$s6 = "PeekNamedPipe" fullword ascii
condition: uint16(0) == 0x5a4d and pe.is_dll() and pe.number_of_exports == 1 and pe.exports("Main") and all of them
}
rule MALWARE_Win_RomCom_Dropper {
meta:
author = "ditekShen"
description = "Hunt for RomCom worker"
strings:
$s1 = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes" wide nocase
$s2 = "\\REGISTRY\\USER" wide nocase
$s3 = "BINARY" fullword wide
$s4 = "POST" fullword wide
condition: uint16(0) == 0x5a4d and pe.is_dll() and pe.number_of_exports == 1 and pe.exports("Main") and 3 of them
}
rule MALWARE_Win_STEALDEAL {
meta:
author = "ditekShen"
description = "Hunt for STEALDEAL stealer"
strings:
$x1 = "stealDll.dll" fullword ascii
$s1 = "SqlExec" fullword ascii
$s2 = "etilqs_" fullword ascii
$s3 = "SUBQUERY %u" fullword ascii
condition: uint16(0) == 0x5a4d and pe.is_dll() and pe.exports("stub") and (1 of ($x*) or all of ($s*))
}
rule MALWARE_Win_DarkCloud {
meta:
author = "ditekSHen"
description = "Detects DarkCloud infostealer"
strings:
$x1 = "=DARKCLOUD=" wide
$x2 = "#DARKCLOUD#" wide
$x3 = "DARKCLOUD" wide
$s1 = "DC-Creds" fullword wide
$s2 = "shell.application" fullword wide
$s3 = "VBSQLite3.dll" ascii wide nocase
$s4 = "getbinaryvalue" fullword wide
$s5 = "sqlite_exec" fullword ascii
$i1 = "RegWrite" fullword wide
$i2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" wide
$i3 = "\\Templates\\Stub\\Project" wide
$i4 = "\\Credentials" wide
$i5 = "SELECT " wide
$i6 = "\\163MailContacts.txt" fullword wide
condition: uint16(0) == 0x5a4d and ((1 of ($x*) and (3 of ($s*) or 3 of ($i*))) or (all of ($s*) and 1 of ($i*)) or (4 of ($s*) and 4 of ($i*)))
}
rule MALWARE_Win_ARCrypt {
meta:
author = "ditekSHen"
description = "Detects ARCrypt / ChileLocker ransomware"
strings:
$c1 = "readme_for_unlock.txt" wide
$c2 = "vssadmin.exe delete shadows /all /quiet" wide
$c3 = "START /b \"\" cmd /c wmic /node:" wide
$c4 = "START /b \"\" cmd /c DEL \"" wide
$c5 = "process call create cmd /c START" wide
$c6 = "net config server /autodisconnect:" wide
$c7 = "/NOBREAK>NUL) ELSE (START /b \"\" cmd /c DEL \"%~f" ascii
$c8 = ":\\_ARC\\_WorkSolution\\cryptopp" ascii // or just \\cryptopp
$e1 = /\.crYpt([A-F]{0,1}(\d+)?)?/ fullword wide
$e2 = ".dnt___.crYpt" wide nocase
$s1 = "create_directory" fullword ascii
$s2 = "create_directories" fullword ascii
$s3 = "NoClose" fullword ascii
$s4 = "StartMenuLogOff" fullword ascii
$s5 = "NoLogOff" fullword ascii
$s6 = "DisableTaskMgr" fullword ascii
$s7 = "DisableChangePassword" fullword ascii
$s8 = "HideFastUserSwitching" fullword ascii
$s9 = "RemotePath" fullword ascii
condition: uint16(0) == 0x5a4d and (5 of ($c*) or 7 of ($s*) or (3 of ($c*) and 4 of ($s*)) or (1 of ($e*) and (1 of ($c*) and 1 of ($s*))) or (all of ($e*) and (1 of ($c*) or 1 of ($s*))))
}
rule MALWARE_Win_RootTeamStealer {
meta:
author = "ditekSHen"
description = "Detects RootTeam infostealer"
strings:
$x1 = "RootTeamStl" ascii
$x2 = "Bot: https://t.me/rootteam_bot" ascii
$x3 = "rootteam_bot" ascii
$x4 = "Root Team" ascii
$s1 = "-ldflags=\"-s -w -H windowsgui -X" ascii
$s2 = "'RootTeamStl/vars." ascii
$s3 = "{ Hostname string \"json:\\\"hostname\\\"\"; EncryptedUsername string \"json:\\\"encryptedUsername\\\"\"; EncryptedPassword string \"json:\\\"encryptedPassword\\\"\" }" ascii
$s4 = "\\Program Files (x86)\\Steam\\config\\loginusers.vdf" ascii
$s5 = /RootTeamStl\/managers\/(browser|coldwallets|discord|filegrabber|steam|userinformation)?/ ascii
condition: uint16(0) == 0x5a4d and (3 of ($x*) or (1 of ($x*) and 3 of ($s*)) or 4 of ($s*) or 5 of them)
}
rule MALWARE_Win_StrelaStealer {
meta:
author = "ditekSHen"
description = "Detects StrelaStealer"
clamav_sig = "MALWARE.Win.StrelaStealer"
strings:
$x1 = "strela" fullword ascii
$s1 = "/server.php" fullword ascii
$s2 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" ascii
$s3 = "SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\" ascii
$s4 = "%s%s\\logins.json" fullword ascii
$s5 = "%s%s\\key4.db" fullword ascii
$s6 = /IMAP\s(Server|User|Password)/ fullword ascii
$s7 = "\\Thunderbird\\Profiles\\" fullword ascii
$s8 = "%s,%s,%s" fullword ascii
condition: uint16(0) == 0x5a4d and ((1 of ($x*) and 1 of ($s*)) or (7 of ($s*)))
}
rule MALWARE_Win_EspioLoader {
meta:
author = "ditekSHen"
description = "Detects Espio loader and obfuscator"
clamav_sig = "MALWARE.Win.EspioLoader"
strings:
$pdb = /\\loader\\x64\\(Release|Debug)\\Espio\.pdb/ ascii
$s1 = "obfuscatedPayload" fullword wide
$s2 = "OBFUSCATEDPAYLOAD" fullword wide
$s3 = "\\??\\C:\\Windows\\System32\\werfault.exe" fullword wide
$s4 = "C:\\windows\\system32\\ntdll.dll" fullword ascii
condition: uint16(0) == 0x5a4d and ($pdb or 3 of ($s*))
}
rule MALWARE_Win_CelestyBinderLoader {
meta:
author = "ditekSHen"
description = "Detects Celesty Binder loader"
strings:
$s1 = "\\DarkCoderSc\\Desktop\\Celesty Binder\\Stub\\STATIC\\Stub.pdb" ascii
$s2 = "DROPIN" fullword ascii wide
$s3 = "EXEC" fullword ascii wide
$s4 = "RBIND" fullword ascii wide
$s5 = "%LAPPDATA%" fullword ascii wide
$s6 = "%USERDIR%" fullword ascii wide
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_BlitzGrabber {
meta:
author = "ditekSHen"
description = "Detects BlitzGrabber infostealer"
strings:
$x1 = "**BLITZED GRABBER V" wide
$x2 = "\\BlitzedGrabberV" ascii
$x3 = "Kyanite" ascii wide nocase
$s1 = /;\/\/(SCREENSHOT|PASSWORDS|FORKBOMB|MELTSTUB)\/\// ascii wide
$s2 = "KryptedWare" wide
$s3 = "chckcopyTemp" wide
$s4 = "chckscreenShot" wide
$s5 = "Plugin.Banking." ascii
$s6 = "sChromiumPswPaths" ascii
$s7 = ".CreateDownloadLink(" ascii
$s8 = "CaptureScreen()" ascii
$s9 = ".UploadFile(\"https://api.anonfiles.com/upload\"" ascii
condition: uint16(0) == 0x5a4d and (1 of ($x*) and 3 of ($s*)) or (7 of ($s*))
}
rule MALWARE_Win_Bagle {
meta:
author = "ditekSHen"
description = "Detect Bagle / Beagle email worm"
strings:
$s1 = "SOFTWARE\\DateTime" fullword ascii
$s2 = "%s?p=%lu" fullword ascii
$s3 = "-upd" ascii
$s4 = "[%RAND%]" fullword ascii
$s5 = "MAIL FROM:<%s>" fullword ascii
$s6 = "RCPT TO:<%s>" fullword ascii
$s7 = "Message-ID: <%s%s>" fullword ascii
$s8 = "Content-Disposition: attachment; filename=\"%s%s\"" fullword ascii
$s9 = "http://www.%s" fullword ascii
condition: uint16(0) == 0x5a4d and 8 of them
}
rule MALWARE_Win_RageStealer {
meta:
author = "ditekShen"
description = "Detect Rage / Priv8 infostealer"
strings:
$x1 = "\\RageStealer\\obj\\" ascii
$x2 = "Priv8 Stealer" wide
$s1 = "\\Screen.png" wide
$s2 = "Content-Disposition: form-data; name=\"document\"; filename=\"{1}\"" wide
$s3 = "NEW LOG FROM" wide
$s4 = "GRABBED SOFTWARE" wide
$s5 = "DOMAINS DETECTED" wide
$s6 = "snder" ascii
condition: uint16(0) == 0x5a4d and (1 of ($x*) and 4 of ($s*))
}
rule MALWARE_Win_AbubasbanditBot {
meta:
author = "ditekSHen"
description = "Detects Abubasbandit Bot. Observed to drop cryptocurrency miner detected by MALWARE_Win_CoinMiner02"
strings:
$x1 = "magickeycmd" ascii
$x2 = "chat_id" ascii
$x3 = "GetTempPathW" ascii
$x4 = "Add-MpPreference" ascii
$x5 = "-Command" ascii
$s1 = "application/x-www-form-urlencoded" ascii
$s2 = "gzip, deflate/index.html" ascii
$s3 = "powershellAdd-MpPreference -ExclusionPath" ascii
$s4 = "tar-xf-C" ascii
$s5 = "temp_file.bin" ascii
condition: uint16(0) == 0x5a4d and (all of ($x*) or (4 of ($x*) and 2 of ($s*)) or ((all of ($s*) and 3 of ($x*))) or (8 of them))
}
rule MALWARE_Win_OracRAT {
meta:
author = "ditekSHen"
description = "Detects OracRAT / Comfoo / Babar"
strings:
$s1 = "\\\\.\\DevCtrlKrnl" fullword ascii
$s2 = "SOFTWARE\\Microsoft\\IE4\\Setup" fullword ascii
$s3 = "\\PLUGINS" fullword ascii
$s4 = "\\config\\sam" fullword ascii
$s5 = "\\iexplore.exe\" about:blank" fullword ascii
$s6 = "usbak.sys" fullword ascii
$s7 = "userctfm" fullword ascii
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_PhemedroneStealer {
meta:
author = "ditekSHen"
description = "Detects Phemedrone Stealer infostealer"
strings:
$p1 = /\{ file = \{(0|file)\}, data = \{(1|data)\} \}/ ascii wide
$p2 = "{ <>h__TransparentIdentifier0 = {0}, match = {1} }" wide
$p3 = "{ <>h__TransparentIdentifier1 = {0}, encrypted = {1} }" wide
$p4 = "{<>h__TransparentIdentifier0}, match = {match} }" ascii
$p5 = "{<>h__TransparentIdentifier1}, encrypted = {encrypted} }" ascii
$s1 = "<KillDebuggers>b__" ascii
$s2 = "<ParseExtensions>b__" ascii
$s3 = "<ParseDiscordTokens>b__" ascii
$s4 = "<IsVM>b__" ascii
$s5 = "<Key3Database>b__" ascii
$s6 = "masterPass" ascii
$s7 = "rootLocation" ascii
$s8 = "rgsServiceNames" ascii
$s9 = "rgsFilenames" ascii
condition: uint16(0) == 0x5a4d and ((all of ($p*) and 3 of ($s*)) or (3 of ($p*) and 4 of ($s*)) or (7 of ($s*)))
}
rule MALWARE_Win_WSHRAT {
meta:
author = "ditekSHen"
description = "Detects WASHRAT"
strings:
$x1 = "WSH Rat v" wide
$x2 = "SOFTWARE\\WSHRat" wide
$x3 = "WSH Remote" wide nocase
$x4 = "WSHRAT" wide nocase
$s1 = "shellobj.regwrite \"HKEY_" ascii nocase
$s2 = "shellobj.run(\"%comspec% /c" ascii nocase
$s3 = "objhttpdownload.setrequestheader \"user-agent:\"," ascii nocase
$s4 = "WScript.CreateObject(\"Shell.Application\").ShellExecute" ascii nocase
$s5 = "objwmiservice.ExecQuery(\"select" ascii nocase
$s6 = "httpobj.open(\"post\",\"http" ascii nocase
$s7 = /(rdp|keylogger|get-pass|uvnc)\|http/ wide
condition: uint16(0) == 0x5a4d and (2 of ($x*) or (1 of ($x*) and 1 of ($s*)) or (6 of ($s*)))
}
rule MALWARE_Win_RustyStealer {
meta:
author = "ditekSHen"
description = "Detect Rusty / Luca stealer"
strings:
$s1 = "EdgeMicrosoftedgechromiumChromium7star7StaramigoAmigobraveBrave" ascii
$s2 = "BrowserchromeChromekometaKometaorbitumOrbitumsputnikSputniktorchTorchucozmediaUranuCozMediavivaldiVivaldiatom" ascii
$s3 = ".kdbx.pdf.doc.docx.xls.xlsx.ppt.pptx.odt.odp\\logscx\\sensfiles.zip" ascii
$s4 = "dumper.rs" ascii
$s5 = "decryption_core.rs" ascii
$s6 = "anti_emulation.rs" ascii
$s7 = "discord.rs" ascii
$s8 = /\\logscx\\(passwords_|cookies_|creditcards_)/ ascii
$s9 = "VirtualBoxVBoxVMWareVMCountry" ascii
$s10 = "New Log From ( / )" ascii
$s11 = "BrowserChromeKometaOrbitumSputnikTorchUranuCozMediaVivaldiAtomMail" ascii
$s12 = "BrowserBraveSoftwareCentBrowserChedotChrome" ascii
$s13 = "ChromeKometaOrbitumSputnikTorchUranuCozMediaVivaldi" ascii
$s14 = "hostnameencryptedUsernameencryptedPasswordstruct" ascii
$s15 = "encryptedPassword" fullword ascii
$s16 = "AutoFill@~" fullword ascii
condition: uint16(0) == 0x5a4d and 6 of them
}
rule MALWARE_Win_SimplePacker {
meta:
author = "ditekSHen"
description = "Detects Hydrochasma packer / dropper"
strings:
$p1 = "\\cloud-compiler-" ascii
$p2 = "\\deps\\simplepacker.pdb" ascii
$s1 = "uespemosarenegylmodnarodsetybdetqueue" ascii
$s2 = "None{\"" ascii
condition: uint16(0) == 0x5a4d and (all of ($p*) or (1 of ($p*) and all of ($s*)))
}
/*
rule MALWARE_Win_Fabookie_01 {
meta:
author = "ditekSHen"
description = "Detects Fabookie. Camouflages as Windows native 'cttune.exe'"
strings:
$s1 = "SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services" fullword ascii wide
$s2 = "Elevation:Administrator!new:%s" fullword ascii wide
$s3 = "Software\\Microsoft\\Avalon.Graphics" fullword ascii wide
$s4 = "SELECT * FROM" fullword ascii wide
$s5 = /win:(Start|Stop|Informational)/ fullword wide
$s6 = "CTWIZWINCLASS" wide
condition: uint16(0) == 0x5a4d and 5 of them
}
*/
rule MALWARE_Win_Fabookie_02 {
meta:
author = "ditekSHen"
description = "Detects Fabookie / NAPAgent"
strings:
$s1 = "\"%1\\control.exe\" ncpa.cpl%2" wide
$s2 = "Elevation:Administrator!new:%s" wide
$s3 = "quar_qclintfy_mtx" wide
$s4 = "Software\\Microsoft\\NetworkAccessProtection\\UI\\Branding\\%" wide
$s5 = "napagent" fullword wide
$s6 = "napstat.pdb" fullword ascii
/*
$fk1 = "GetKeyState" fullword ascii // keystrokes capture
$fs1 = "CreateCompatibleDC" // screen capture
$fs2 = "CreateCompatibleBitmap" // screen capture
$fs3 = "GetSystemMetrics" // screen capture
*/
condition: uint16(0) == 0x5a4d and 4 of ($s*)
//uint16(0) == 0x5a4d and 4 of ($s*) or (2 of ($s*) and 1 of ($fk1) and 2 of ($fs2))
}
rule MALWARE_Multi_GolangBypassAV {
meta:
author = "ditekSHen"
description = "Detect Go executables using GolangBypassAV"
clamav1 = "MALWARE.Win.Trojan.GolangBypassAV"
clamav2 = "MALWARE.Linux.Trojan.GolangBypassAV"
strings:
$s1 = "/GolangBypassAV/gen/" ascii
condition: (uint16(0) == 0x5a4d or uint16(0) == 0x457f) and 1 of them
}
rule MALWARE_Win_BlankStealer {
meta:
author = "ditekSHen"
description = "Detects BlankStealer / BlankGrabber / Blank-c Stealer"
snort = "923829001"
strings:
$s1 = "Blank-c" ascii
$s2 = "Stealer License" ascii
$s3 = "UID=" ascii
$h1 = { 42 6c 61 6e 6b 2d 63 0a 53 74 65 61 6c 65 72 20 4c 69 63 65 6e 73 65 0a 55 49 44 3d }
condition: (uint16(0) == 0x4152 and 2 of them) or (all of ($s*) or 1 of ($h*))
}
rule MALWARE_Linux_GetShell {
meta:
author = "ditekSHen"
description = "Detect GetShell Linux backdoor"
clamav1 = "MALWARE.Linux.Trojan.GetShell"
strings:
$x1 = "cat <(echo '@reboot echo socks5_backconnect" ascii
$x2 = "(cd && )') <(sed '/socks5_backconnect" ascii
$s1 = "cat <(echo '@" ascii
$s2 = "(cd && )') <(sed '" ascii
$s3 = "PORT1:" ascii
$s4 = "HOST1:" ascii
$s5 = "queryheader" ascii
$s6 = "qsectionpost" ascii
$s7 = "packedip" ascii
$s8 = "copydata" ascii
$s9 = "synsend" ascii
$s10 = "bc_connect" ascii
condition: uint16(0) == 0x457f and ((all of ($x*) and 1 of ($s*)) or 5 of ($s*))
}
rule MALWARE_Win_SolarMarker {
meta:
author = "ditekSHen"
description = "Detects SolarMarker"
strings:
$x1 = "token_type" fullword ascii
$x2 = "request_data" fullword ascii
$x3 = "request_timeout" fullword ascii
$x4 = { 74 6f 6b 65 6e 73 00 66 72 6f 6d 00 74 6f 00 73 5f (66|72) }
$s1 = "set_UseShellExecute" fullword ascii
$s2 = "<Select>b__0" fullword ascii
$s3 = "<get>b__e" fullword ascii
$s4 = "<get>b__10" fullword ascii
$s5 = "<get>b__f" fullword ascii
$s6 = "<set>b__0" fullword ascii
$s7 = "<set>b__1" fullword ascii
condition: uint16(0) == 0x5a4d and (all of ($x*) and 4 of ($s*))
}
rule MALWRE_Win_DarkGate {
meta:
author = "ditekSHen"
description = "Detects DarkGate infostealer and coinminer"
strings:
$x1 = "SYSTEM Elevation: Completed, new DarkGate connection with SYSTEM privileges" ascii
$x2 = "-u 0xDark" ascii
$x3 = "DarkGate" ascii
$x4 = "/c cmdkey /generic:\"127.0.0.2\" /user:\"SafeMode\" /pass:\"darkgatepassword0\"" ascii
$s1 = "c:\\temp\\crash.txt" ascii
$s2 = "/cookiesfile \"" ascii
$s3 = "/c rmdir /s /q \"" ascii
$s4 = "/c xcopy /E /I /Y \"%s\" \"%s\" && exit" ascii
$s5 = "U_MemScan" ascii
$s6 = "U_Google_AD" ascii
$s7 = "untBotUtils" ascii
$s8 = "____padoru____" ascii
$s9 = "u_SysHook" ascii
$s10 = "zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+=" ascii
$s11 = "C:\\Windows\\System32\\ntdll.dll" fullword ascii
$s12 = /(SYSTEM )?Elevation: (Cannot|I already|AT RAW|FAILURE)/ ascii
$s13 = /Stub: (WARNING:|Configuration updated:|Global Ping Invoked)/ ascii
condition: (uint16(0) == 0x5a4d and ((3 of ($x*)) or (2 of ($x*) and 3 of ($s*)) or (1 of ($x*) and 5 of ($s*)) or (6 of ($s*)))) or (10 of them)
}
rule MALWARE_Win_RookIE_Downloader {
meta:
author = "ditekSHen"
description = "Detect malware downlaoder, variant of ZombieBoy downloader"
clamav1 = "MALWARE.Win.Trojan.RookIE-Downloader"
strings:
$s1 = "shell:::{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}" fullword ascii
$s2 = "taskkill /f /im hh.exe" fullword ascii
$s3 = "RookIE/1.0" fullword ascii
$s4 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0" fullword ascii
$s5 = "#32770" fullword ascii
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Win_Fiber {
meta:
author = "ditekSHen"
description = "Detects Fiber .NET injector"
strings:
$x1 = "Fiber.dll" fullword ascii
$s1 = "-WindowStyle Hidden Copy-Item -Path *.vbs -Destination" wide
$s2 = "-WindowStyle Hidden {0} -WindowStyle Hidden Start-Sleep 5; Start-Process {1}" wide
$s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" wide
$s4 = "WScript.Shell" fullword wide
$s5 = "{0}_{1:N}.lnk" fullword wide
$s6 = "notepad.exe,0" fullword wide
$i1 = "AppLaunch.exe" fullword wide
$i2 = "aspnet_regbrowsers.exe" fullword wide
$i3 = "cvtres.exe" fullword wide
$i4 = "ilasm.exe" fullword wide
$i5 = "jsc.exe" fullword wide
$i6 = "MSBuild.exe" fullword wide
$i7 = "RegAsm.exe" fullword wide
$i8 = "RegSvcs.exe" fullword wide
$v1 = "is tampered" wide
$v2 = "Debugger Detected" wide
$v3 = "RepositoryUrl" ascii
$v4 = { 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00
74 00 75 00 61 00 6c 00 20 00 00 0b 41 00 6c 00
6c 00 6f 00 63 00 00 0d 57 00 72 00 69 00 74 00
65 00 20 00 00 11 50 00 72 00 6f 00 63 00 65 00
73 00 73 00 20 00 00 0d 4d 00 65 00 6d 00 6f 00
72 00 79 00 00 0f 50 00 72 00 6f 00 74 00 65 00
63 00 74 00 00 0b 4f 00 70 00 65 00 6e 00 20 00
00 0f 50 00 72 00 6f 00 63 00 65 00 73 00 73 00
00 0d 43 00 6c 00 6f 00 73 00 65 00 20 00 00 0d
48 00 61 00 6e 00 64 00 6c 00 65 00 00 0f 6b 00
65 00 72 00 6e 00 65 00 6c }
condition: uint16(0) == 0x5a4d and ((1 of ($x*) and 3 of ($s*) and 2 of ($i*)) or (4 of ($s*) and 4 of ($i*)) or (2 of ($s*) and 6 of ($i*)) or (1 of ($x*) and 3 of ($v*)) or (all of ($v*)))
}
rule MALWARE_Win_Unknown_PackedLoader_01 {
meta:
author = "ditekShen"
description = "Detects unknown loader / packer. Observed running LummaStealer"
strings:
$s1 = "Error at hooking API \"%S\"" wide
$s2 = "Dumping first %d bytes:" wide
$s3 = "Error at initialization of bundled DLL: %s" wide
$s4 = "GetMemoryForDLL()" ascii
$s5 = "type=activation&code=" ascii
$s6 = "activation.php?code=" ascii
$s7 = "&hwid=" ascii
$s8 = "&hash=" ascii
$s9 = "type=deactivation&hash=" ascii
$s10 = "deactivation.php?hash=" ascii
$s11 = "BANNED" fullword ascii
$s12 = "GetAdaptersInfo" ascii
condition: uint16(0) == 0x5a4d and 11 of them
}
rule MALWARE_Win_LOLKEK {
meta:
author = "ditekShen"
description = "Detects LOLKEK / GlobeImposter ransowmare"
strings:
$s1 = "$Recycle.bin" fullword wide
$s2 = "\\\\?\\%c:" fullword wide
$s3 = ".MMM" fullword wide
$s4 = "ReadMe.txt" fullword wide
$s5 = "select * from Win32_ShadowCopy" fullword wide
$s6 = "Win32_ShadowCopy.ID='%s'" fullword wide
$s7 = "W3CRYPTO LOCKER" ascii
$s8 = "http://mmcb" ascii
$s9 = "yip.su/2QstD5" ascii
$s10 = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe" ascii
condition: uint16(0) == 0x5a4d and 7 of them
}
rule MALWARE_Win_Spacecolon {
meta:
author = "ditekSHen"
description = "Detects Spacecolon ransomware"
strings:
$s1 = "eraseext" fullword ascii
$s2 = "*.encrypted" fullword ascii
$s3 = "TIMATOMA#" fullword wide
$s4 = ".Encrypted" fullword wide
$s5 = "Already Encrypted" wide
$s6 = "note.txt" fullword wide
$s7 = "HOW TO RECOVERY FILES.TXT" fullword wide
$s8 = "taskkill /f /im \"" wide nocase
$s9 = "\\kill.bat" wide
$s10 = "Search cancelled -" fullword wide
$s11 = "%d folder(s) searched and %d file(s) found - %.3f second(s)" fullword wide
$s12 = "Our TOX ID :" ascii
$s13 = "tufhackteam@gmail.com" ascii
condition: uint16(0) == 0x5a4d and 8 of them
}
rule MALWARE_Win_Rhysida {
meta:
author = "ditekSHen"
description = "Detects Rhysida ransomware"
strings:
$s1 = "cmd.exe /c reg add \"HK" ascii
$s2 = "rundll32.exe user32.dll,UpdatePerUserSystemParameters" fullword ascii
$s3 = "C:/Users/Public/bg.jpg" fullword ascii
$s4 = "CriticalBreachDetected.pdf" fullword ascii
$s5 = "rhysida" ascii
$s6 = "cmd.exe /c reg delete \"HKCU\\Cont" ascii
$s7 = "Rhysida-" ascii
condition: uint16(0) == 0x5a4d and 5 of ($s*) or (3 of ($s*) and #s1 > 5)
}
rule MALWARE_Win_PovertyStealer {
meta:
author = "ditekSHen"
description = "Detects PovertyStealer"
clamav1 = "MALWARE.Win.Trojan.PovertyStealer"
strings:
$x1 = "Poverty is the parent of crime." ascii
$s2 = "OperationSystem: %d:%d:%d" ascii
$s3 = "ScreenSize: {lWidth=%d, lHeight=%d}" ascii
$s4 = "VideoAdapter #%d: %s" ascii
$s5 = "$d.log" fullword wide
condition: ((uint16(0) == 0x5a4d and (1 of ($x*) or all of ($s*))) or all of them)
}
rule MALWARE_Win_JanelaRAT {
meta:
author = "ditekSHen"
description = "Detects JanelaRAT"
strings:
$x1 = "<Janela>k__" ascii
$x2 = "janela" fullword ascii
$x3 = "\\CSHARP\\RAT\\" ascii
$s1 = "<SystemInfos>k__" ascii
$s2 = "<SendKeepAlives>b__" ascii
$s3 = "hookStruct" fullword ascii
$s4 = "[^a-zA-Z]" fullword wide
$s5 = "GetRecycled" fullword ascii
$s6 = "import \"bcl.proto\";" wide
$s7 = "\\KL_FINAL\\" ascii
$s8 = "\\KL_FASEAVAST" ascii
$s9 = "\\kl c++" ascii
$s10 = "VisaoAPP" ascii wide
condition: uint16(0) == 0x5a4d and (all of ($x*) or (2 of ($x*) and 3 of ($s*)) or (1 of ($x*) and 5 of ($s*)) or (6 of ($s*)))
}
rule MALWARE_Win_QwixxRAT {
meta:
author = "ditekSHen"
description = "Detects QwixxRAT. Uses ToxicEye / TelegramRAT as base (MALWARE_Win_TelegramRAT)"
strings:
$s1 = /Qwixx(\s)?Stealer/ ascii wide
$s2 = "discord.gg/UXVFHzTjYe" wide
$s3 = "t.me/QwixxTwixx" wide
$s4 = "Secret Qwixx" wide
$s5 = "\\Qwixx Rat\\" ascii
condition: uint16(0) == 0x5a4d and 2 of them
}
rule MALWARE_Win_ToxicEye {
meta:
author = "ditekSHen"
description = "Detects ToxicEye / TelegramRAT. Observed used as the basis for many infostealers"
strings:
$s1 = "[~] Handling command" wide
$s2 = "[?] Sleeping {0}" wide
$s3 = "GETPASSWORDS" wide
$s4 = "FORKBOMB" wide
$s5 = "SENDKEYPRESS" wide
$s6 = "KEYLOGGER" wide
$s7 = "/ToxicEye/master/TelegramRAT/" wide
$s8 = "desktopScreenshot" ascii
$s9 = "MeltFile" ascii
$s10 = "AutoStealer" ascii
$s11 = /\/LimerBoy\/(ToxicEye|Adamantium-Thief|hackpy)/ wide
condition: uint16(0) == 0x5a4d and 7 of them
}
/*
rule MALWARE_Win_RDPCredsStealer {
meta:
author = "ditekSHen"
description = "Detects RDP Credentials Stealer"
clamav1 = "MALWARE.Win.Trojan.RDPCredsStealer"
strings:
$x1 = "MyCredUnPackAuthenticationBufferW Hooked Function" ascii
$x2 = "\\RDPCredsStealerDLL\\" ascii
$x3 = "\\RDPCreds.txt" ascii
$s1 = "CredUnPackAuthenticationBufferW" ascii
$s2 = "Installing Hooked Function" ascii
$s3 = "SymLoadModule64" fullword ascii
$s4 = "memmove" fullword ascii
condition: uint16(0) == 0x5a4d and (2 of ($x*) or (1 of ($x*) and 2 of ($s*)) or 3 of ($s*))
}
*/
rule MALWARE_Win_RDPCredsStealerInjector {
meta:
author = "ditekSHen"
description = "Detects RDP Credentials Stealer injector"
clamav1 = "MALWARE.Win.Trojan.RDPCredsStealer-Injector"
strings:
$s1 = "\\APIHookInjectorBin\\" ascii
$s2 = "\\RDPCredsStealerDLL.dll" ascii
$s3 = "DLL Injected" ascii
$s4 = "Code Injected" ascii
$s5 = /(OpenProcess|VirtualAllocEx|CreateRemoteThread)\(\) failed:/ fullword ascii
condition: uint16(0) == 0x5a4d and 3 of them
}
rule MALWARE_Win_KrakenStealer {
meta:
author = "ditekSHen"
description = "Detect Kraken infostealer"
snort = "923828002"
strings:
$x1 = /Kraken(_)?(Stub|Keyboard|Clipboard|GeneratorMachine|PostLogs|Screenshot|Keylogs|Password)/ ascii wide
$s1 = /(get|set)_(Clipboard|Keyboard|Screen)Recorder/ fullword ascii
$s2 = /Dumping(FileZilla|360_China|Opera|Epic|CocCoc|Thunderbird|Brave)/ fullword ascii
$s3 = "ScreenPostData" fullword ascii
$s4 = "encrypt_data" fullword ascii
$s5 = "KeyboardProc" fullword ascii
$s6 = "UploadsKeyboard" fullword ascii
$s7 = "ClpUploader" fullword ascii
$s8 = "StartKeylogger" fullword ascii
$s9 = "ClipoDetectedRemover" fullword ascii
$s10 = "Disable_Regis" fullword ascii
$s11 = "RecordedClips" fullword ascii
$s12 = "HoneyPotStatus" fullword ascii
condition: uint16(0) == 0x5a4d and ((1 of ($x*) and 2 of ($s*)) or 9 of ($s*))
}
rule MALWARE_Win_WhiffyRecon {
meta:
author = "ditekSHen"
description = "Detects Whiffy Recon"
strings:
$s1 = "WLANSVC" fullword wide
$s2 = "f02fe1c0-137a-4802-8881-55dd300c5022" fullword wide
$s3 = "\\wlan.lnk" fullword wide
$s4 = "str-12.bin" wide
$s5 = "/geolocation/v1/geolocate?key=" wide
$s6 = "/wlan" fullword wide
$s7 = "/scanned" fullword wide
$s8 = "/bots/" fullword wide
$s9 = "wlan.pdb" fullword ascii
$s10 = "botId" fullword ascii
$s11 = "wifiAccessPoints" fullword ascii
$s12 = "considerIp" fullword ascii
$s13 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36" fullword wide
condition: uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_QuiteRAT {
meta:
author = "ditekSHen"
description = "Detects QuiteRAT"
strings:
$x1 = "< No Pineapple! >" ascii // error message
$x2 = ".?AVPineapple" ascii
$x3 = ".?AVApple@@" ascii
$s1 = "XgsdCwsRFxZF" ascii // http
$s2 = "XggZChkVRQ==" ascii // http
$s3 = "RxUZERQRHEU=" ascii // http
$s4 = "XhkbDBEXFkU" ascii // http
condition: uint16(0) == 0x5a4d and ((all of ($x*) and 1 of ($s*)) or (1 of ($x*) and 3 of ($s*)))
}
rule MALWARE_PWSH_CUMII {
meta:
author = "ditekSHen"
description = "Detects multi-dropper PowerShell"
clamav = "ditekSHen.MALWARE.PWSH.CUMII"
strings:
$s1 = ".('{1}{$}'.replace('$','0')" ascii nocase
$s2 = ",'I').replace('!','ex')" ascii nocase
$s3 = "'.replace('*','0001')" ascii nocase
$s4 = "Remove-Item $" ascii nocase
$s5 = "the File will start cumiing" ascii nocase
$b1 = "011001100111010101101110011*" ascii
$b2 = "0101001000*1110110*010011111" ascii
$b3 = "01001101010110101001*11*0000" ascii
condition:
(3 of ($s*) and 1 of ($b*))
}
rule MALWARE_Win_AgnianeStealer {
meta:
author = "ditekSHen"
description = "Detects Agniane infostealer"
snort = "923828001"
clamav = "ditekSHen.MALWARE.Win.AgnianeStealer"
strings:
$x1 = "Agniane.pdb" ascii
$x2 = "IEnumerable<Agniane.Classes.LogRecord>." ascii
$x3 = "Agniane Stealer" wide
$x4 = "cinoshibot" wide
$x5 = "yqbiguuno2zp5jxsmqbev4rwckvy27bqws5cgm3hiid7xolt65j72kqd.onion" wide
$s1 = "<Pass encoding=\"base64\">" wide
$s2 = "Domain Detect: detected {0}" wide
$s3 = "DOMAINDETECTCOOKIES" ascii
$s4 = /(Opera|Edge|Chrome|Brave|Vivaldi|Blink|Universal|Gecko|OperaGx|Firefox)Grabber/ fullword ascii
$u1 = "/antivm.php?id=" wide
$u2 = "/ferr.php?id=" wide
$u3 = ".php?ownerid=" wide
$u4 = "&buildid=" wide
$u5 = "&username=" wide
$u6 = "&BSSID=" wide
$u7 = "&rndtoken=" wide
$u8 = "&domaindetects=" wide
condition:
uint16(0) == 0x5a4d and (2 of ($x*) or (1 of ($x*) and (2 of ($s*) or 3 of ($u*))) or (all of ($s*) and 3 of ($u*)) or (7 of ($u*)))
}
rule MALWARE_Win_TOITOIN_KritaLoader {
meta:
author = "ditekSHen"
description = "Detects TOITOIN KritaLoader"
clamav = "ditekSHen.MALWARE.Win.Trojan.TOITOIN"
strings:
$p1 = ":\\Trabalho_2023\\OFF_2023\\" ascii
$p2 = "DLL_Start_OK.pdb" ascii
$s1 = "krita_main" fullword ascii
condition:
uint16(0) == 0x5a4d and (1 of ($p*) and 1 of ($s*))
}
rule MALWARE_Win_TOITOIN_InjectorDLL {
meta:
author = "ditekSHen"
description = "Detects TOITOIN InjectorDLL"
clamav = "ditekSHen.MALWARE.Win.Trojan.TOITOIN"
strings:
$p1 = ":\\Trabalho_2023\\OFF_2023\\" ascii
$p2 = "DLL_START_IN.pdb" ascii
$s1 = ".ini" fullword ascii
$s2 = "\\users\\Public\\Documents\\" fullword ascii
condition:
uint16(0) == 0x5a4d and (1 of ($p*) and all of ($s*))
}
rule MALWARE_Win_TOITOIN_Downloader {
meta:
author = "ditekSHen"
description = "Detects TOITOIN Downloader"
clamav = "ditekSHen.MALWARE.Win.Trojan.TOITOIN"
strings:
$p1 = ":\\Trabalho_2023\\OFF_2023\\" ascii
$s1 = { 20 2f 63 20 22 [6-15] 63 00 6d 00 64 00 00 00 6f 00 70 00 65 00 6e }
$o1 = { 48 83 fa 10 72 34 48 8b 8d 10 ?? 00 00 48 ff c2 }
condition:
uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_VenomRAT {
meta:
author = "ditekSHen"
description = "Detects VenomRAT"
strings:
$x1 = "Venom RAT + HVNC" fullword ascii
$x2 = "Venom" fullword ascii
$x3 = "VenomByVenom" fullword wide
$s1 = "/c schtasks /create /f /sc onlogon /rl highest /tn \"" fullword wide
$s2 = "UmVjZWl2ZWQ" wide
$s3 = "Pac_ket" fullword wide
$s4 = "Po_ng" fullword wide
condition:
uint16(0) == 0x5a4d and (1 of ($x*) and 2 of ($s*))
}
rule MALWARE_Win_SapphireStealer {
meta:
author = "ditekSHen"
description = "Detects SapphireStealer"
strings:
$s1 = "Sapphire.Modules." ascii
$s2 = "sapphire\\" wide
$s3 = "by r3vengerx0" wide
$s4 = "Sapphire\\obj\\" ascii
$s5 = "[ERROR_GETSECRETKEY_METHOD]" fullword wide
$s6 = "[ERROR_CANT_GET_PASSWORD]" fullword wide
$s7 = "<h2>------NEW LOGS------</h2>" wide
$s8 = "[ERROR] can't create grab directory" wide
$s9 = "<UploadToTelegram>d__" ascii
$s10 = "UploadToTelegram" ascii
$s11 = ".SendLog+<UploadToTelegram>d__" ascii
condition:
uint16(0) == 0x5a4d and 5 of them
}
rule MALWARE_Win_R77 {
meta:
author = "ditekSHen"
description = "Detects r77 rootkit"
strings:
$s1 = "startup" fullword wide
$s2 = "process_names" fullword wide
$s3 = "paths" fullword wide
$s4 = "service_names" fullword wide
$s5 = "tcp_local" fullword wide
$s6 = "tcp_remote" fullword wide
$s7 = "\\\\.\\pipe\\" wide
$s8 = "SOFTWARE\\" wide
condition: uint16(0) == 0x5a4d and (
all of ($s*) or
(5 of them and pe.exports("ReflectiveDllMain")) or
(5 of them and
for any i in (0 .. pe.number_of_sections) : (
(
pe.sections[i].name == ".detourd"
)
)
)
)
}
rule MALWARE_Win_Disco_NightClub {
meta:
author = "ditekSHen"
description = "Hunts for Disco NightClub"
strings:
$s1 = "\\OfficeBroker\\OfficeBroker.exe" ascii wide nocase
$s2 = "\\EDGEUPDATE\\EDGEAOUT" ascii wide nocase
$s3 = "\\EDGEUPDATE\\update" ascii wide nocase
$s4 = "windows.system.update.com" ascii wide nocase
$s5 = "edgeupdate-security-windows.com" ascii wide nocase
$s6 = "nightclub::" ascii wide nocase
$s7 = "EncryptedPasswordFlt" ascii wide nocase
$s8 = "Microsoft\\def\\Gfr45.cfg" ascii wide nocase
$s9 = "::keylog::" ascii wide nocase
$pdb1 = "\\AbcdMainProject\\Rootsrc\\Projects\\MainS\\Ink\\" ascii wide nocase
$pdb2 = "\\Autogen\\Kh\\AutogenAlg\\" ascii wide nocase
condition:
uint16(0) == 0x5a4d and ((1 of ($pdb*) and 2 of ($s*)) or (4 of ($s*)))
}
rule MALWARE_Win_RisePro {
meta:
author = "ditekShen"
description = "Detects RisePro infostealer"
strings:
$x1 = "t.me/riseprosupport" ascii wide nocase
$s1 = "failed readpacket" fullword wide
$s2 = "faield sendpacket" fullword wide
$s3 = "PersistWal" fullword wide
$s4 = /CRED_ENUMERATE_(ALL|SESSION)_CREDENTIALS/ fullword ascii
$s5 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36" fullword wide
$s6 = { 4c 00 6f 00 67 00 69 00 6e 00 20 00 44 00 61 00
74 00 61 [10] 57 00 65 00 62 00 20 00 44 00 61 00
74 00 61 [2] 48 00 69 00 73 00 74 00 6f 00 72 00
79 [21] 43 00 6f 00 6f 00 6b 00 69 00 65 00 73 }
$s7 = { 61 00 70 00 70 00 6c 00 69 00 63 00 61 00 74 00
69 00 6f 00 6e 00 2f 00 78 00 2d 00 77 00 77 00
77 00 2d 00 66 00 6f 00 72 00 6d 00 2d 00 75 00
72 00 6c 00 65 00 6e 00 63 00 6f 00 64 00 65 00
64 00 3b 00 20 00 63 00 68 00 61 00 72 00 73 00
65 00 74 00 3d 00 75 00 74 00 66 00 2d 00 38 00
42 61 00 70 00 70 00 6c 00 69 00 63 00 61 00 74
00 69 00 6f 00 6e 00 2f 00 6a 00 73 00 6f 00 6e
00 2c 00 20 00 74 00 65 00 78 00 74 00 2f 00 70
00 6c 00 61 00 69 00 6e 00 2c 00 20 00 2a 00 2f
00 2a }
$s8 = /_(SET|GET)_(GRABBER|LOADER)/ wide
$s9 = /catch (save )?(windows cred|screen|pluginscrypto|historyCC|autofill|cookies|passwords|passwords sql|autofills sql|dwnlhistory sql|discordToken|quantum|isDropped)/ fullword wide
condition: uint16(0) == 0x5a4d and (1 of ($x*) or 6 of ($s*))
}
rule MALWARE_Win_GraphicalProton_rsockstun {
meta:
author = "ditekShen"
description = "Detects GraphicalProton custom rsockstun"
strings:
$m1 = "main.connectviaproxy" ascii
$m2 = "main.connectForSocks" ascii
$m3 = "main.listenForClients" ascii
$m4 = "main.listenForSocks" ascii
$s1 = "Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=" ascii
$s2 = "Server: nginx/1.14.1" ascii
$s3 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" ascii
$s4 = "wine_get" ascii
condition: uint16(0) == 0x5a4d and ((all of ($m*) and 2 of ($s*)) or (all of ($s*) and 1 of ($m*)) or 7 of them)
}
rule MALWARE_Win_PWSHDLLDL {
meta:
author = "ditekShen"
description = "Detects downloader"
strings:
$s1 = "powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file " fullword wide nocase
$s2 = "objShell.run \"powershell -WindowStyle hidden -command wscript.exe //b //nologo '" fullword wide nocase
$s3 = "cmd.exe /c schtasks.exe /create /tn \"" fullword wide nocase
$s4 = "-WindowStyle hidden -command wscript.exe //b //nologo '" fullword wide nocase
$s6 = "\" /tr \"wscript.exe //b //nologo '" fullword wide nocase
$s7 = "\" -Value \"Powershell.exe -WindowStyle hidden \"\"& '" fullword wide nocase
$op0 = { 61 01 00 34 53 79 73 74 65 6d 2e 57 65 62 2e 53 }
$op1 = { 4b 04 00 00 34 01 00 00 7f 05 00 00 1a }
condition: uint16(0) == 0x5a4d and pe.is_dll() and 5 of them
}
rule MALWARE_Win_NPPSpy {
meta:
author = "ditekShen"
description = "Detects NPPSpy / Ntospy"
strings:
$s1 = "ntskrnl.dll" fullword ascii
$s2 = "PasswordStealing.dll" fullword ascii
$s3 = "ntoskrnl.dll" fullword ascii
$s4 = "\\programdata\\packag~" ascii
$s5 = "NPPSPY.dll" fullword ascii
$s6 = "MSControll.dll" fullword ascii
$s7 = "\\Windows\\Temp\\" ascii
$s8 = "\\NPPSpy\\" ascii
// hunt
$s9 = "NPGetCaps" fullword ascii
$s10 = "NPLogonNotify" fullword ascii
// C:\Users\GrzegorzTworek\source\repos\NPPSpy\x64\Release\NPPSPY.pdb
$path = "\\GrzegorzTworek\\" ascii
condition:
uint16(0) == 0x5a4d and ((pe.is_dll() and filesize < 110KB and pe.number_of_exports == 2 and ((pe.exports("NPGetCaps") and pe.exports("NPLogonNotify")) or (1 of ($s*) and (pe.exports("NPGetCaps") or pe.exports("NPLogonNotify"))))) or (($path) and any of ($s*)))
}
rule MALWARE_Win_AgentRacoon {
meta:
author = "ditekShen"
description = "Detects AgentRacoon. Not Raccoon"
strings:
$s1 = "UdpClient" fullword ascii
$s2 = "IPEndPoint" fullword ascii
$s3 = "get_Client" fullword ascii
$s4 = "set_ReceiveTimeout" fullword ascii
$s5 = "Command failed:" wide
$s6 = "uploaded" wide
$s7 = "downloaded" wide
$s8 = ".telemetry." wide
$s9 = "xn--" wide
condition:
uint16(0) == 0x5a4d and 7 of them
}
rule MALWARE_Win_Simda {
meta:
author = "ditekShen"
description = "Detects Simda / Shifu infostealer"
strings:
$s1 = "command=auth_loginByPassword&back_command=&back_custom1=&" fullword ascii
$s2 = "iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clma" ascii
$s3 = "debug_%s_%s.log" fullword ascii
$s4 = "Content-Disposition: form-data; name=\"file\"; filename=\"report\"" ascii
$s5 = "name=%s&port=%u" ascii
$s6 = "id=%s&ver=4.0.1&up=%u&os=%03u&rights=%s&ltime=%s%d&token=%d" ascii
$s7 = "{BotVer:" fullword ascii
$s8 = "software\\microsoft\\windows nt\\currentversion\\winlogon" ascii
$s9 = /(!|&|data_)inject(=ok)?/ fullword ascii
condition:
uint16(0) == 0x5a4d and 6 of them
}
rule MALWARE_Win_VBSDownloader {
meta:
author = "ditekShen"
description = "Detects second stage VBS downloader of third stage VBS"
strings:
$s1 = "CreateObject(\"MSXML2.ServerXMLHTTP\")" wide
$s2 = ".Open \"GET\"," wide
$s3 = ".Send" wide
$s4 = ".responseText" wide
$s5 = "ExecuteGlobal" wide
condition:
filesize < 50KB and all of them
}
rule MALWARE_Win_UmbralStealer {
meta:
author = "ditekShen"
description = "Detects Umbral infostealer"
strings:
$x1 = "Umbral Stealer" wide
$x2 = "Umbral.payload." ascii
$s1 = "U2V0LU1wUHJlZmVyZW5jZ" wide
$s2 = "{{ Key = {0}, Value = {1} }}" wide
$s3 = "csproduct get uuid" wide
$s4 = "0.0.0.0 www."
$s5 = /(set|get)_Take(Screen|WebcamSnap)shot/ fullword ascii
$s6 = "still_pin" fullword ascii
$c1 = "kaspersky.com" wide
$c2 = "bitdefender.com" wide
$c3 = "virustotal.com" wide
$c4 = "malwarebytes.com" wide
$c5 = "clamav.net" wide
$c6 = "trendmicro.com" wide
condition:
uint16(0) == 0x5a4d and (1 of ($x*) or 5 of ($s*) or (3 of ($s*) and 4 of ($c*)))
}
rule MALWARE_Win_MetaStealer {
meta:
author = "ditekSHen"
description = "Detects MetaStealer infostealer"
strings:
$s1 = "! #\"'&(&*)>=@?POQOROSOTOUOVOWOXOYOZO[O^]{z|z}z~z" fullword wide
$s2 = "{0}{1}{2}" fullword wide
$s3 = "localhost" fullword wide
$s4 = "\\tdata" fullword wide
$s5 = "DecryptBlob" fullword ascii
$s6 = "GetMac" fullword ascii
$s7 = "GetHdc" fullword ascii
$s8 = "FindProc" fullword ascii
$s9 = "targetPid" fullword ascii
$s10 = "MessageSecurityOverTcp" fullword ascii
$s11 = "ListOfProcesses" fullword ascii
$s12 = "ListOfPrograms" fullword ascii
$s13 = "browserPaths" fullword ascii
$s14 = "configs" fullword ascii
$s15 = "scanners" fullword ascii
$s16 = "FileScannerRule" fullword ascii
condition: uint16(0) == 0x5a4d and 7 of ($s*)
}
rule MALWARE_Win_MediaPI {
meta:
author = "ditekSHen"
description = "Detects MediaPI"
strings:
$s1 = "SomeFunction" ascii
$s2 = "\"stealth" ascii
$s3 = "\"ServAddr" ascii
$s4 = "\"ServPort" ascii
$s5 = "\"ServIp" ascii
$s6 = "\"wsaData" ascii
$s7 = "\"-socket" ascii
condition: uint16(0) == 0x5a4d and pe.is_dll() and ((6 of them) or (3 of them and pe.exports("SomeFunction")))
}
rule MALWARE_Win_BlackHunt {
meta:
author = "ditekSHen"
description = "Detects BlackHunt ransomware"
strings:
$s1 = /#BlackHunt_(Logs|BG|Icon|Public|Private|ID|ReadMe|Update)\.(txt|jpg|ico|key|hta)/ ascii wide
$s2 = /-(biggame|noencrypt|netinfo|nospread)/ fullword wide
$s3 = "/v \"*BlackHunt\" /t REG_SZ /d" wide
$s4 = "/sc onstart /TN \"Windows Critical Update\" /TR \"'%s' %s\" /F" wide
$s5 = "/v \"DisableChangePassword\" /t REG_DWORD /d" wide
$s6 = "<span> %s </span>this ID (<span> %s </span>)" wide
$s7 = "}div.header h1 span#hunter" wide
$s8 = "BLACK_HUNT_MUTEX" fullword ascii
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Win_ScoutElite {
meta:
author = "ditekSHen"
description = "Detects ScoutElite"
reference = "https://github.com/ditekshen/back-in-2017"
strings:
$cmd1 = "command=scote_ping" fullword ascii
$cmd2 = "command=scote_info_ipconfig" fullword ascii
$cmd3 = "command=scote_info_systeminfo" fullword ascii
$cmd4 = "command=scote_connection|hwid=" fullword ascii
$cmd5 = "command=ping" fullword wide
$cmd6 = "command=screen_capture_init" fullword wide
$cmd7 = "command=screen_capture" fullword wide
$cmd8 = "command=silence_screenshot" fullword wide
$cmd9 = "command=silence_keylogger" fullword wide
$cmd10 = "command=silence_password" fullword wide
$cmd11 = "command=screen_thumb" fullword wide
$cmd12 = "command=filemanager_upload_tcp" fullword wide
$cmd13 = "command=filemanager_download" fullword wide
$cmd14 = "command=filemanager_init" fullword wide
$cmd15 = "command=filemanager_root" fullword wide
$cmd16 = "command=filemanager_folder_filemanager_file" fullword wide
$cmd17 = "command=filemanager_thumb" fullword wide
$cmd18 = "command=keylogger_init" fullword wide
$cmd19 = "command=keylogger_file" fullword wide
$cmd20 = "command=password_firefox" fullword wide
$cmd21 = "command=password_opera" fullword wide
$cmd22 = "command=password_chrome" fullword wide
$cmd23 = "command=password_all" fullword wide
$cmd24 = "command=password_init" fullword wide
$cmd25 = "command=misc_init" fullword wide
$cmd26 = "command=misc_process" fullword wide
$cmd27 = "command=misc_cmd" fullword wide
$cmd28 = "command=new_rcs" fullword wide
$cmd29 = "command=microphone_capture" fullword wide
$cmd30 = "command=microphone_capture_init" fullword wide
$cmd31 = "command=rvmedia_capture_init" fullword wide
$cmd32 = "command=rvmedia_list" fullword wide
$cmd33 = "command=rvmedia_resolution" fullword wide
$cmd34 = "command=webcam_capture_init" fullword wide
$cmd35 = "command=webcam_list" fullword wide
$cmd36 = "command=webcam_resolution" fullword wide
$cmd37 = "command=webcam_capture" fullword wide
$gcmd1 = "filemanager_download_ftp" fullword wide
$gcmd2 = "download_file_ftp" fullword wide
$gcmd3 = "filemanager_upload_http" fullword wide
$gcmd4 = "upload_file_http" fullword wide
$gcmd5 = "upload_url" fullword wide
$gcmd6 = "filemanager_delete" fullword wide
$gcmd7 = "filemanager_execute_file" fullword wide
$gcmd8 = /(microphone|webcam|rvmedia|keylogger|password|screen|filemanager)_(host|port|guid)/ nocase
$confs1 = "[nick_name]" fullword ascii
$confe1 = "[/nick_name]" fullword ascii wide
$confs2 = "[install_name]" fullword ascii wide
$confe2 = "[/install_name]" fullword ascii wide
$confs3 = "[install_folder]" fullword ascii wide
$confe3 = "[/install_folder]" fullword ascii wide
$confs4 = "[reg_startup]" fullword ascii wide
$confe4 = "[/reg_startup]" fullword ascii wide
$confs5 = "[folder_startup]" fullword ascii wide
$confe5 = "[/folder_startup]" fullword ascii wide
$confs6 = "[task_startup]" fullword ascii wide
$confe6 = "[/task_startup]" fullword ascii wide
$confs7 = "[injection]" fullword ascii wide
$confe7 = "[/injection]" fullword ascii wide
$confs8 = "[injection_process]" fullword ascii wide
$confe8 = "[/injection_process]" fullword ascii wide
$confs9 = "[connection]" fullword ascii wide
$confe9 = "[/connection]" fullword ascii wide
condition: (uint16(0) == 0x5a4d and (2 of ($cmd*) or 7 of ($gcmd*) or (2 of ($confs*) and 2 of ($confe*)) or (pe.exports("__elite") and 2 of them))) or (15 of them)
}
rule MALWARE_Win_ScoutElitePS {
meta:
author = "ditekshen"
description = "Detects actor PowerShell tool designed to steal browsers session cookie and passwords on-disk and in-memory"
reference = "https://github.com/ditekshen/back-in-2017"
strings:
$cnc1 = "http://beginpassport.com" ascii wide nocase
$cnc2 = "f_dump.php" ascii wide nocase
$cnc3 = "c_dump.php" ascii wide nocase
$cnc4 = "o_dump.php" ascii wide nocase
$db1 = "\\Google\\Chrome\\User Data\\Default\\Cookies" ascii wide nocase
$db2 = "\\Mozilla\\Firefox\\Profiles\\*.default" ascii wide nocase
$db3 = "\\Opera Software\\Opera Stable\\Cookies" ascii wide nocase
$db4 = "$($env:LOCALAPPDATA)\\Google\\Chrome\\User Data\\Default" ascii nocase
$db5 = "$($env:APPDATA)\\Mozilla\\Firefox\\Profiles\\*.default" ascii nocase
$db6 = "$($env:APPDATA)\\Opera Software\\Opera Stable" ascii nocase
$cond1 = "SSID" ascii wide
$cond2 = "MSPAuth" ascii wide
$cond3 = "\"'T'\"" ascii wide
$cond4 = "SNS_AA" ascii wide
$cond5 = "X-APPLE-WEBAUTH-TOKEN" ascii wide
$sql1 = "SELECT * FROM 'cookies' WHERE host_key LIKE $" ascii wide nocase
$sql2 = "SELECT * FROM 'moz_cookies' WHERE host LIKE $" ascii wide nocase
$sql3 = "SELECT origin_url, username_value ,password_value FROM 'logins'" ascii nocase
$def1 = "Add-Type -AssemblyName System.Security" ascii wide nocase
$def2 = "System.Security.SecureString" ascii wide nocase
$def3 = "ConvertFrom-SecureString" ascii wide nocase
$def4 = "[System.Security.Cryptography.ProtectedData]::Unprotect(" ascii wide nocase
$def5 = "[Security.Cryptography.DataProtectionScope]::LocalMachine" ascii wide nocase
$def6 = "[Security.Cryptography.DataProtectionScope]::CurrentUser" ascii wide nocase
$def7 = "System.Data.SQLite.SQLiteConnection" ascii wide nocase
$def8 = "[Environment]::OSVersion.ToString().Replace(\"Microsoft Windows \"," ascii wide nocase
$def9 = "Start-Sleep" ascii wide nocase
condition:
(1 of ($cnc*) and any of ($db*) and any of ($cond*) and any of ($sql*) and 7 of ($def*)) or (all of them)
}
rule MALWARE_Andr_Landroid {
meta:
author = "ditekshen"
description = "Detects Landroid"
reference = "https://github.com/ditekshen/back-in-2017"
strings:
$dex_header = { 64 65 78 }
$cnc1 = "phonebooks.site" fullword ascii /* found in .dex and .apk */
$cnc2 = "/full_data.php" ascii /* found in .dex */
$cnc3 = "/upload.php" ascii /* found in .dex */
$package = "com.androDiv." wide /* found in .apk */
$exfil1 = /ContDB?[A-Z]?/ fullword ascii
$exfil2 = "[X]" fullword ascii
$exfil3 = "/~RIP_" fullword ascii
$exfil4 = /^(.|\/)rip$/ fullword ascii
$http1 = "%s-retry [timeout=%s]" fullword ascii
$http2 = "%s-timeout-giveup [timeout=%s]" fullword ascii
$http3 = "HTTP response for request=<%s> [lifetime=%d], [size=%s], [rc=%d], [retryCount=%s]" fullword ascii
$http4 = "Cache[maxSize=%d,hits=%d,misses=%d,hitRate=%d%%]" fullword ascii
$s1 = "Landroid" fullword ascii
$s2 = "Lorg" fullword ascii
$s3 = "fileToUpload" fullword ascii
$s4 = "xtcp://" fullword ascii
$s5 = "/which su" fullword ascii
$s6 = "/Superuser.apk" fullword ascii
condition: (($dex_header at 0 and (2 of ($cnc*) or (all of ($exfil*) and (all of ($http*)) and (3 of ($s*))))) or (uint16(0) == 0x4b50 and $package and 1 of ($cnc*)))
}
rule MALWARE_Win_HoudiniConfig {
meta:
author = "ditekshen"
description = "Detects Houdini Trojan configurations"
reference = "https://github.com/ditekshen/back-in-2017"
strings:
$s1 = "install_name="
$s2 = "nick_name="
$s3 = "install_folder="
$s4 = "reg_startup="
$s5 = "startup_folder_startup="
$s6 = "task_startup="
$s7 = "injection="
$s8 = "injection_process"
condition: (uint16(0) == 0x5a4d and 5 of them) or (all of them)
}
rule MALWARE_Win_Houdini {
meta:
author = "ditekshen"
description = "Detects the raw binary of the Houdini Trojan Delphi variant"
reference = "https://github.com/ditekshen/back-in-2017"
strings:
$hc = "houdiniclient" ascii wide nocase
// module keylogger
$mk1 = "keylogger_thread" fullword ascii
$mk2 = "keyloger_host" fullword ascii
$mk3 = "keylogger_port" fullword ascii
$mk4 = "keylogger_thread" fullword ascii
$mk5 = "keylogger_init" fullword wide
$mk6 = "keylogger_stop" fullword wide
$mk7 = "keylogger_offline" fullword wide
$mk8 = "silence_keylogger" fullword wide
// module screenshot
$ms1 = "screenshot_thread" fullword ascii
$ms2 = "screen_host" fullword ascii
$ms3 = "screen_port" fullword ascii
$ms4 = "screenshot_init" fullword wide
$ms5 = "screenshot_start" fullword wide
$ms6 = "screenshot_stop" fullword wide
$ms7 = "screen_thumb" fullword wide
$ms8 = "silence_screenshot" fullword wide
// module file
$mf1 = "file_manager_init" fullword wide
$mf2 = "file_manager_root" fullword wide
$mf3 = "file_manager_faf" fullword wide
$mf4 = "file_manager_download" fullword wide
$mf5 = "file_manager_upload" fullword wide
$mf6 = "file_manager_stop" fullword wide
$mf7 = "file_manager_delete_folder" fullword wide
$mf8 = "file_manager_rename_folder" fullword wide
$mf9 = "file_manager_rename_file" fullword wide
$mf10 = "file_manager_delete_file" fullword wide
$mf11 = "file_manager_execute_file" fullword wide
$mf12 = "file_manager_thumb" fullword wide
$mf13 = "file_manager_upload_http" fullword wide
$mf14 = "file_manager_upload_tcp" fullword wide
$mf15 = "upload_file_tcp" fullword wide
$mf16 = "download_file_tcp" fullword wide
$mf17 = "upload_file_http" fullword wide
$mf18 = "filemanager_host" fullword ascii
$mf19 = "filemanager_port" fullword ascii
$mf20 = "filemanager_thread" fullword ascii
// module password
$mp1 = "password_value" fullword wide
$mp2 = "password_init" fullword wide
$mp3 = "password_stop" fullword wide
$mp4 = "password_firefox" fullword wide
$mp5 = "password_chrome" fullword wide
$mp6 = "password_all" fullword wide
$mp7 = "password_host" fullword ascii
$mp8 = "password_port" fullword ascii
$mp9 = "password_thread" fullword ascii
// module miscellaneous
$mm1 = "misc_init" fullword wide
$mm2 = "misc_stop" fullword wide
$mm3 = "misc_process_list" fullword wide
$mm4 = "misc_module_list" fullword wide
$mm5 = "misc_process_terminate" fullword wide
$mm6 = "misc_host" fullword ascii
$mm7 = "misc_port" fullword ascii
$mm8 = "misc_thread" fullword ascii
// plugins
$pl1 = "plugin_file_init" fullword wide
$pl2 = "plugin_url_init" fullword wide
$pl3 = "plugin_stop" fullword wide
condition: uint16(0) == 0x5a4d and 4 of them
}
rule MALWARE_Win_LightHand {
meta:
author = "ditekshen"
description = "Detects LightHand"
strings:
$x1 = "27.102." ascii
$x2 = "109.248.150.179" fullword ascii
$s1 = /Hello (Client|Server)/ fullword ascii
$s2 = "%s|%s|%s|%s|%s|%s|" fullword wide
$s3 = "%s\\cmd.exe" fullword wide
$s4 = "Remote PC" fullword wide
$s5 = { 2e 62 61 74 [3-4] 3a 4c 31 0d 0a 64 65 6c
20 2f 46 20 22 25 73 22 0d 0a 69 66 20 65 78 69
73 74 20 22 25 73 22 20 67 6f 74 6f 20 4c 31 0d
0a 64 65 6c 20 2f 46 20 22 25 73 22 0d 0a 00 00
6f 70 65 6e }
$s6 = { 25 00 2e 00 32 00 66 00 47 00 42 00 00 00 00 00
25 00 73 00 7c 00 25 00 73 00 7c 00 25 00 73 00
0a 00 00 00 00 00 00 00 5c 00 2a 00 2e 00 2a 00
00 00 00 00 0a 00 00 00 2e 00 00 00 2e 00 2e 00
00 00 00 00 00 00 00 00 46 00 6f 00 6c 00 64 00
65 00 72 00 00 00 00 00 25 00 73 00 5c 00 25 00
73 00 00 00 00 00 00 00 25 00 64 00 42 00 00 00
25 00 2e 00 31 00 66 00 4b 00 42 00 00 00 00 00
25 00 2e 00 31 00 66 00 4d 00 42 }
condition: uint16(0) == 0x5a4d and ((5 of ($s*)) or (1 of ($x*) and 3 of ($s*)))
}
rule MALWARE_Win_ValidAlpha {
meta:
author = "ditekshen"
description = "Detects ValidApha / BlackRAT"
strings:
$x1 = "RAT/Black/" ascii
$x2 = "RAT/Black/Client_Go/" ascii
$s1 = "main.RunTask" fullword ascii
$s2 = "main.CmdShell" fullword ascii
$s3 = "main.SelfDelete" fullword ascii
$s4 = "main.RecvPacket" fullword ascii
$s5 = "main.FileDownload" fullword ascii
$s6 = "main.CaptureScreen" fullword ascii
$s7 = "main.PeekNamedPipe" fullword ascii
condition: uint16(0) == 0x5a4d and ((1 of ($x*) and 2 of ($s*)) or (6 of ($s*)))
}
rule MALWARE_Win_TigerRAT {
meta:
author = "ditekshen"
description = "Detects TigerRAT"
strings:
$m0 = ".?AVCryptorRC4@@" fullword ascii
$m1 = ".?AVModuleShell@@" fullword ascii
$m2 = ".?AVModuleKeyLogger@@" fullword ascii
$m3 = ".?AVModuleSocksTunnel@@" fullword ascii
$m4 = ".?AVModuleScreenCapture@@" fullword ascii
$m5 = ".?AVModulePortForwarder@@" fullword ascii
$s1 = "\\x9891-009942-xnopcopie.dat" fullword wide
$s2 = "(%02d : %02d-%02d %02d:%02d:%02d)--- %s[Clipboard]" fullword ascii
$s3 = "[%02d : %02d-%02d %02d:%02d:%02d]--- %s[Title]" fullword ascii
$s4 = "~KPTEMP" fullword wide
$s5 = "del \"%s\"%s \"%s\" goto " ascii
condition: uint16(0) == 0x5a4d and ((all of ($s*)) or (5 of ($m*)) or (3 of ($m*) and 2 of ($s*)) or (5 of them))
}
rule MALWARE_Win_KTLVdoor {
meta:
author = "ditekshen"
description = "Detects KTLVdoor"
strings:
$s1 = "/cmd/acc/agent_acc" ascii
$s2 = "main.DLLWMain" ascii
$s3 = "main.checkSilent" ascii
$h1 = ".handleInteractiveShell" ascii
$h2 = ".handleNetstat" ascii
$h3 = ".handleProcess" ascii
$h4 = ".handleRefreshHostInfo" ascii
$h5 = ".handleTimestomp" ascii
$h6 = ".handleSoInject" ascii
$h7 = ".HandleRegInfo" ascii
$h8 = ".handlePortscan" ascii
$h9 = ".handleReflectDllInject" ascii
$h10 = ".handleFileDownload" ascii
$f1 = ".RdpWithNTLM." ascii
$f2 = ".FingerPrintOs." ascii
$f3 = ".ScanWMI." ascii
$f4 = ".ScanWinRM." ascii
$f5 = ".ScanWeb." ascii
$f6 = ".ScanSmb2." ascii
$f7 = ".ScanRDP." ascii
$f8 = ".ScanPing." ascii
$f9 = ".ScanOxid." ascii
$f10 = ".ScanMssql." ascii
$f11 = ".ScanBanner." ascii
$fr1 = /\.proxy[CS]2[CS](TC|UD)P/ ascii
$fr2 = /\.Scan(WMI|WinRM|Web|Smb2|RDP|Ping|Oxid|Mssql|Banner)\./ ascii
condition: (uint16(0) == 0x5a4d or uint16(0) == 0x457f) and ((6 of ($h*)) or (12 of ($f*)) or (2 of ($h*) and 4 of ($f*)) or (1 of ($s*) and (4 of ($h*) or 4 of ($f*))) or (13 of them))
}
rule MALWARE_Win_FakeCaptcha_Downloader {
meta:
author = "ditekshen"
description = "Detects downloader executables dropped by fake captcha"
strings:
$s1 = "</script>MZ" ascii
$s2 = "window.close();" ascii
$s3 = "eval(" ascii
condition: uint16(0) == 0x5a4d and all of them
}
rule MALWARE_Win_XenoRAT {
meta:
author = "ditekshen"
description = "Detects Blacksuit"
strings:
$x1 = "xeno rat client" wide
$x2 = "xeno_rat_client." ascii
$x3 = "xeno rat client" ascii
$s1 = "+<AddToStartupNonAdmin>" ascii
$s2 = "+<ConnectAndSetupAsync>" ascii
$s3 = "+<SendUpdateInfo>" ascii
$s4 = "+<RecvAllAsync_ddos_" ascii
$s5 = "Plugin.Chromium+<Get" ascii
condition:
uint16(0) == 0x5a4d and ((1 of ($x*) and 2 of ($s*)) or (4 of ($s*)) or (2 of ($x*)))
}
rule MALWARE_Multi_POOLRAT {
meta:
author = "ditekshen"
description = "Detects POOLRAT"
clamav1 = "MALWARE.Osx.Trojan.POOLRAT"
clamav2 = "MALWARE.Linux.Trojan.POOLRAT"
strings:
$s1 = "MSG_CmdP" ascii
$s2 = "MSG_WriteConfigP" ascii
$s3 = "MSG_SecureDelP" ascii
$s4 = "ConnectToProxyP" ascii
$s5 = "MSG_KeepConP" ascii
$s6 = "MSG_SleepP" ascii
$s7 = "MSG_TestP" ascii
$s8 = "MSG_SetPathP" ascii
condition:
(uint16(0) == 0x457f or uint16(0) == 0xfacf or uint16(0) == 0xfeca) and 7 of them
}
rule MALWARE_Multi_PondRAT {
meta:
author = "ditekshen"
description = "Detects PondRAT"
clamav1 = "MALWARE.Osx.Trojan.PondRAT"
clamav2 = "MALWARE.Linux.Trojan.PondRAT"
strings:
$s1 = "MsgDown" ascii
$s2 = "MsgUp" ascii
$s3 = "MsgRun" ascii
$s4 = "MsgCmd" ascii
$s5 = "CryptPayload" ascii
$s6 = "RecvPayload" ascii
$s7 = "csleepi" ascii
$s8 = "FConnectProxy" ascii
condition:
(uint16(0) == 0x457f or uint16(0) == 0xfacf or uint16(0) == 0xfeca) and 7 of them
}
rule MALWARE_Win_Cicada3301 {
meta:
author = "ditekshen"
description = "Detects Cicada3301"
clamav1 = "MALWARE.Win.Ransomware.Cicada3301"
strings:
$s1 = "cmd/Cchcp 65001 >nulnet view \\\\"
$s2 = "create_file_recovery"
$s3 = "ecnrypted_files_full"
$s4 = "get_excluded_directories"
$s5 = "collect_files_except"
$s6 = ".exe4d5a" ascii
$s7 = "-accepteula -s -d \"\" --" ascii
$s8 = "[*.exe*.EXE*.DLL*.ini*.inf*.pol*.cmd*.ps1*.vbs*.bat*.pagefile.sys*.hiberfil.sys*.drv" ascii
$s9 = "memtasveeamsvc$backupsqlvssmsexchangesql$mysqlmysql$sophosMSExchange" ascii
$s10 = "-DATA.txt" ascii
$s11 = /--no_(local|net|impl)/ fullword ascii
$c1 = "fsutil" ascii
$c2 = "iisreset" ascii
$c3 = "vssadmin" ascii
$c4 = "wmic" ascii
$c5 = "bcdedit" ascii
$c6 = "wevtutil" ascii
condition:
uint16(0) == 0x5a4d and (6 of ($s*) or (4 of ($c*) and 4 of ($s*)) or (all of ($c*) and 2 of ($s*)) or 9 of them)
}
rule MALWARE_Win_FPSpy {
meta:
author = "ditekshen"
description = "FPSpy"
clamav1 = "MALWARE.Win.Trojan.FPSpy"
strings:
$f1 = "[Analys_Spy]" wide
$f2 = "[DeletePoorDll]" wide
$f3 = "[DownloadProc]" wide
$f4 = "[DragWarp]" wide
$f5 = "[GetCoolDir]" wide
$f6 = "[JackSleep]" wide
$f7 = "[KillCmdExe]" wide
$f8 = "[PsDownProc]" wide
$f9 = "[PsUpProc]" wide
$f10 = "[ReadFileFromPacket]" wide
$f11 = "[RemoteDropExec]" wide
$f12 = "[RemoteExec]" wide
$f13 = "[RemoteInject]" wide
$f14 = "[SendHttpForUpload]" wide
$s1 = "MazeFunc" fullword ascii
$s2 = /(Exit|Update|Drop)_EVT/ fullword ascii
$s3 = "Key.dat" fullword ascii
$s4 = "%sSysInfo_%02d_%02d_%02d.txt" fullword ascii
$s5 = "cmd /c systeminfo >> %s" fullword ascii
$s6 = "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"" fullword ascii
$s7 = "FPSpy" fullword wide
condition:
uint16(0) == 0x5a4d and ((pe.exports("MazeFunc") and 2 of ($f*) and 1 of ($s*)) or (6 of ($f*) and 1 of ($s*)) or (5 of ($s*) and 1 of ($f*)) or (8 of ($f*)))
}
rule MALWARE_Win_KLogExe {
meta:
author = "ditekshen"
description = "Detects KLogExe"
clamav1 = "MALWARE.Win.Trojan.KLogExe"
strings:
$s1 = "[clip_s]: %s" ascii
$s2 = "------ %d/%d/%d : %d/%d ------" ascii
$s3 = "[RWin+]" ascii
$s4 = "[Too many clip_tail]" ascii
$s5 = "name=\"userfile\"; filename=\"%s\"" ascii
$s6 = "Origin: http://" wide
$s7 = "%s_%d_%d_%d_%d" wide
$s8 = "/wp-content/include.php?_sys_" wide
$s9 = "\\desktops.ini" wide
$s10 = "KLogExe" wide nocase
$s11 = "dynamic_import.cpp [resolve_call] can`nt" wide
condition:
uint16(0) == 0x5a4d and 6 of them
}
rule MALWARE_Win_BabyLockerKZ {
meta:
author = "ditekshen"
description = "Detects BabyLockerKZ"
strings:
$s1 = ":\\locker\\bin\\stub_win_x64_encrypter.pdb" ascii
$s2 = "taskkill /f /im explorer.exe" fullword wide
$s3 = "\\SysWOW64\\cmd.exe /c %windir%\\" wide
$s4 = "[!] Failed to RunNonElevated: %s, error 0x%X" fullword wide
$s5 = "[!] Failed to run sync command: %s, error 0x%X" fullword wide
$s6 = "[-] RunNonElevated: %s" fullword wide
$s7 = "[!][Encrypt] Not" fullword
$s8 = "[-] sALLUSERSPROFILE: %s" fullword wide
$s9 = "[!] WNetGetConnection failed 0x%X" fullword wide
$s10 = "[!][Scan] " wide
$s11 = "[-] Start encrypt" wide
condition:
uint16(0) == 0x5a4d and 4 of them
}
Reference in a new issue View git blame Copy permalink