feat: added 51 templates

main
Muhammad Daffa 2023-03-05 23:52:21 +07:00
parent c0d0cfab82
commit 597ea580a7
52 changed files with 1495 additions and 2 deletions

View File

@ -1,7 +1,7 @@
# Nuclei Malware # Nuclei Malware
Template to detect some malware using nuclei Template to detect some malware using nuclei
## Status ## Status Malware
I took the reference from [yara rules repository](https://github.com/Yara-Rules/rules/blob/master/malware/) and in this section is about the status of each rule whether it can be made into a nuclei template or not I took the reference from [yara rules repository](https://github.com/Yara-Rules/rules/blob/master/malware/) and in this section is about the status of each rule whether it can be made into a nuclei template or not
| Malware Yara Rules | Status | | Malware Yara Rules | Status |
@ -174,4 +174,78 @@ I took the reference from [yara rules repository](https://github.com/Yara-Rules/
| MALW_shifu_shiz | 🟨 Still possible but requires a lot of effort | | MALW_shifu_shiz | 🟨 Still possible but requires a lot of effort |
| MALW_sitrof_fortis_scar | 🟨 Still possible but requires a lot of effort | | MALW_sitrof_fortis_scar | 🟨 Still possible but requires a lot of effort |
| MALW_viotto_keylogger | 🟥 Impossible | | MALW_viotto_keylogger | 🟥 Impossible |
| MALW_xDedic_marketplace | 🟥 Impossible | | MALW_xDedic_marketplace | 🟥 Impossible |
| RANSOM_.CRYPTXXX.yar | 🟩 Possible |
| RANSOM_777.yar | 🟩 Possible |
| RANSOM_Alpha.yar | 🟩 Possible |
| RANSOM_BadRabbit.yar | 🟥 Impossible |
| RANSOM_Cerber.yar | 🟥 Impossible |
| RANSOM_Comodosec.yar | 🟨 Still possible but requires a lot of effort |
| RANSOM_Crypren.yar | 🟥 Impossible |
| RANSOM_CryptoNar.yar | 🟥 Impossible |
| RANSOM_Cryptolocker.yar | 🟨 Still possible but requires a lot of effort |
| RANSOM_DMALocker.yar | 🟩 Possible |
| RANSOM_DoublePulsar_Petya.yar | 🟩 Possible |
| RANSOM_Erebus.yar | 🟩 Possible |
| RANSOM_GPGQwerty.yar | 🟩 Possible |
| RANSOM_GoldenEye.yar | 🟥 Impossible |
| RANSOM_Locky.yar | 🟩 Possible |
| RANSOM_MS17-010_Wannacrypt.yar | 🟥 Impossible |
| RANSOM_Maze.yar | 🟥 Impossible |
| RANSOM_PetrWrap.yar | 🟥 Impossible |
| RANSOM_Petya.yar | 🟥 Impossible |
| RANSOM_Petya_MS17_010.yar | 🟥 Impossible |
| RANSOM_Pico.yar | 🟥 Impossible |
| RANSOM_Revix.yar | 🟥 Impossible |
| RANSOM_SamSam.yar | 🟥 Impossible |
| RANSOM_Satana.yar | 🟩 Possible |
| RANSOM_Shiva.yar | 🟥 Impossible |
| RANSOM_Sigma.yar | 🟩 Possible |
| RANSOM_Snake.yar | 🟩 Possible |
| RANSOM_Stampado.yar | 🟥 Impossible |
| RANSOM_TeslaCrypt.yar | 🟩 Possible |
| RANSOM_Tox.yar | 🟩 Possible |
| RANSOM_acroware.yar | 🟥 Impossible |
| RANSOM_jeff_dev.yar | 🟥 Impossible |
| RANSOM_locdoor.yar | 🟥 Impossible |
| RANSOM_screenlocker_5h311_1nj3c706.yar | 🟥 Impossible |
| RANSOM_shrug2.yar | 🟥 Impossible |
| RANSOM_termite.yar | 🟥 Impossible |
| RAT_Adwind.yar | 🟥 Impossible |
| RAT_Adzok.yar | 🟩 Possible |
| RAT_Asyncrat.yar | 🟥 Impossible |
| RAT_BlackShades.yar | 🟥 Impossible |
| RAT_Bolonyokte.yar | 🟥 Impossible |
| RAT_Bozok.yar | 🟩 Possible |
| RAT_Cerberus.yar | 🟩 Possible |
| RAT_Crimson.yar | 🟩 Possible |
| RAT_CrossRAT.yar | 🟥 Impossible |
| RAT_CyberGate.yar | 🟩 Possible |
| RAT_DarkComet.yar | 🟥 Impossible |
| RAT_FlyingKitten.yar | 🟥 Impossible |
| RAT_Gh0st.yar | 🟥 Impossible |
| RAT_Gholee.yar | 🟩 Possible |
| RAT_Glass.yar | 🟩 Possible |
| RAT_Havex.yar | 🟥 Impossible |
| RAT_Hizor.yar | 🟥 Impossible |
| RAT_Indetectables.yar | 🟥 Impossible |
| RAT_Inocnation.yar | 🟥 Impossible |
| RAT_Meterpreter_Reverse_Tcp.yar | 🟥 Impossible |
| RAT_Nanocore.yar | 🟥 Impossible |
| RAT_NetwiredRC.yar | 🟥 Impossible |
| RAT_Njrat.yar | 🟥 Impossible |
| RAT_Orcus.yar | 🟥 Impossible |
| RAT_PlugX.yar | 🟥 Impossible |
| RAT_PoetRATDoc.yar | 🟩 Possible |
| RAT_PoetRATPython.yar | 🟥 Impossible |
| RAT_PoisonIvy.yar | 🟥 Impossible |
| RAT_Ratdecoders.yar | 🟩 Possible |
| RAT_Sakula.yar | 🟥 Impossible |
| RAT_ShadowTech.yar | 🟩 Possible |
| RAT_Shim.yar | 🟩 Possible |
| RAT_Terminator.yar | 🟩 Possible |
| RAT_Xtreme.yar | 🟥 Impossible |
| RAT_ZoxPNG.yar | 🟩 Possible |
| RAT_jRAT.yar | 🟩 Possible |
| RAT_xRAT.yar | 🟩 Possible |
| RAT_xRAT20.yar | 🟥 Impossible |

25
malware_aar.yaml Normal file
View File

@ -0,0 +1,25 @@
id: malware_aar
info:
name: AAR Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "Hashtable"
- "get_IsDisposed"
- "TripleDES"
- "testmemory.FRMMain.resources"
- "$this.Icon"
- "{11111-22222-20001-00001}"
- "@@@@@"
condition: and

102
malware_adzok.yaml Normal file
View File

@ -0,0 +1,102 @@
id: malware_adzok
info:
name: Adzok Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Adzok.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- "key.classPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
words:
- "config.xmlPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
words:
- "config.xmlPK"
- "key.classPK"
- "svd$1.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
words:
- "config.xmlPK"
- "key.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
words:
- "config.xmlPK"
- "key.classPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
words:
- "config.xmlPK"
- "key.classPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
words:
- "config.xmlPK"
- "key.classPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
condition: and
- type: word
words:
- "config.xmlPK"
- "key.classPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "resources/icono.pngPK"
condition: and

20
malware_alfa.yaml Normal file
View File

@ -0,0 +1,20 @@
id: malware_alfa
info:
name: Alfa Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- "8B0C9781E1FFFF000081F919040000740F81F9"
- "220400007407423BD07CE2EB02"
condition: and

25
malware_alienspy.yaml Normal file
View File

@ -0,0 +1,25 @@
id: malware_alienspy
info:
name: AlienSpy Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "META-INF/MANIFEST.MF"
- "ePK"
- "kPK"
- "config.ini"
- "password.ini"
- "stub/stub.dll"
- "c.dat"
condition: and

17
malware_alpha.yaml Normal file
View File

@ -0,0 +1,17 @@
id: malware_alpha
info:
name: Alpha Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "520065006100640020004D0065002000280048006F00770020004400650063"

24
malware_ap0calypse.yaml Normal file
View File

@ -0,0 +1,24 @@
id: malware_ap0calypse
info:
name: Ap0calypse Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "Ap0calypse"
- "Sifre"
- "MsgGoster"
- "Baslik"
- "Dosyalars"
- "Injecsiyon"
condition: and

27
malware_arcom.yaml Normal file
View File

@ -0,0 +1,27 @@
id: malware_arcom
info:
name: Arcom Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "CVu3388fnek3W(3ij3fkp0930di"
- "ZINGAWI2"
- "clWebLightGoldenrodYellow"
- "Ancestor for '%s' not found"
- "Control-C hit"
condition: and
- type: binary
binary:
- "A3242521"

28
malware_bandook.yaml Normal file
View File

@ -0,0 +1,28 @@
id: malware_bandook
info:
name: Bandook Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "aaaaaa1|"
- "aaaaaa2|"
- "aaaaaa3|"
- "aaaaaa4|"
- "aaaaaa5|"
- "%s%d.exe"
- "astalavista"
- "givemecache"
- "%s\\system32\\drivers\\blogs\\*"
- "bndk13me"
condition: and

23
malware_blacknix.yaml Normal file
View File

@ -0,0 +1,23 @@
id: malware_blacknix
info:
name: BlackNix Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "SETTINGS"
- "Mark Adler"
- "Random-Number-Here"
- "RemoteShell"
- "SystemInfo"
condition: and

24
malware_bluebanana.yaml Normal file
View File

@ -0,0 +1,24 @@
id: malware_bluebanana
info:
name: BlueBanana Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "META-INF"
- "config.txt"
- "a/a/a/a/f.class"
- "a/a/a/a/l.class"
- "a/a/a/b/q.class"
- "a/a/a/b/v.class"
condition: and

24
malware_bozok.yaml Normal file
View File

@ -0,0 +1,24 @@
id: malware_bozok
info:
name: Bozok Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Bozok.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "getVer"
- "StartVNC"
- "SendCamList"
- "untPlugin"
- "gethostbyname"
condition: and
case-insensitive: true

26
malware_cerberus.yaml Normal file
View File

@ -0,0 +1,26 @@
id: malware_cerberus
info:
name: Cerberus Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Cerberus.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- "Ypmw1Syv023QZD"
- "wZ2pla"
- "wBmpf3Pb7RJe"
condition: or
- type: word
words:
- "cerberus"
case-insensitive: true

28
malware_clientmesh.yaml Normal file
View File

@ -0,0 +1,28 @@
id: malware_clientmesh
info:
name: ClientMesh Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "machinedetails"
- "MySettings"
- "sendftppasswords"
- "sendbrowserpasswords"
- "arma2keyMass"
- "keylogger"
condition: and
- type: binary
binary:
- "0000000000000000007E"

23
malware_crimson.yaml Normal file
View File

@ -0,0 +1,23 @@
id: malware_crimson
info:
name: Crimson Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Crimson.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "com/crimson/PK"
- "com/crimson/bootstrapJar/PK"
- "com/crimson/permaJarMulti/PermaJarReporter$1.classPK"
- "com/crimson/universal/containers/KeyloggerLog.classPK"
- "com/crimson/universal/UploadTransfer.classPK"
condition: and

43
malware_cryptxxx.yaml Normal file
View File

@ -0,0 +1,43 @@
id: malware_cryptxxx
info:
name: CryptXXX Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- "525947404A41595D52000000FFFFFFFF"
- "0600000052594740405A0000FFFFFFFF"
- "0A000000525C4B4D574D424B5C520000"
- "FFFFFFFF0A000000525D575D5A4B4370"
- "3F520000FFFFFFFF06000000524C4141"
- "5A520000FFFFFFFF0A000000525C4B4D"
- "41584B5C57520000FFFFFFFF0E000000"
- "522A5C4B4D574D424B204C4740520000"
- "FFFFFFFF0A000000525E4B5C48424149"
- "5D520000FFFFFFFF05000000524B4847"
- "52000000FFFFFFFF0C000000524D4140"
- "48474920435D475200000000FFFFFFFF"
- "0A000000525E5C41495C4F703F520000"
- "FFFFFFFF0A000000525E5C41495C4F70"
- "3C520000FFFFFFFF0800000052494141"
- "49424B5200000000FFFFFFFF06000000"
- "525A4B435E520000FFFFFFFF08000000"
- "52483A4C4D703F5200000000FFFFFFFF"
- "0A000000524F42425B5D4B703F520000"
- "FFFFFFFF0A000000525E5C41495C4F70"
- "3F520000FFFFFFFF0A000000525E5C41"
- "495C4F703C520000FFFFFFFF09000000"
- "524F5E5E4A4F5A4F52000000FFFFFFFF"
- "0A000000525E5C41495C4F703D520000"
- "FFFFFFFF08000000525E5B4C42474D52"
condition: and

View File

@ -0,0 +1,20 @@
id: malware_cryptxxx_dropper
info:
name: CryptXXX Dropper Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary #Dropper
binary:
- "50653157584346765962486F35"
- "43003A005C0042004900450052005C0051006D006B004E0052004C00460000"
condition: and

25
malware_darkrat.yaml Normal file
View File

@ -0,0 +1,25 @@
id: malware_darkrat
info:
name: DarkRAT Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "@1906dark1996coder@"
- "SHEmptyRecycleBinA"
- "mciSendStringA"
- "add_Shutdown"
- "get_SaveMySettingsOnExit"
- "get_SpecialDirectories"
- "Client.My"
condition: and

21
malware_dmalocker.yaml Normal file
View File

@ -0,0 +1,21 @@
id: malware_dmalocker
info:
name: DMA Locker Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DMALocker.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "41424358595a3131"
- "21444d414c4f434b"
- "21444d414c4f434b332e30"
- "3F520000FFFFFFFF06000000524C4141"
- "21444d414c4f434b342e30" #v4

18
malware_doublepulsar.yaml Normal file
View File

@ -0,0 +1,18 @@
id: malware_doublepulsar
info:
name: DoublePulsar Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DoublePulsar_Petya.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "FD0C8C5CB8C424C5CCCCCC0EE8CC246BCCCCCC0F24CDCCCCCC275C9775BACDCCCCC3FE" #xor
- "45208D938D928D918D90929391970F9F9E9D99844529844D20CCCDCCCC9B844503844514844549CC3333332477CCCCCC844549C43333332484CDCCCC844549DC333333844749CC333333844741" #dll

20
malware_erebus.yaml Normal file
View File

@ -0,0 +1,20 @@
id: malware_erebus
info:
name: Erebus Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Erebus.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "/{5f58d6f0-bb9c-46e2-a4da-8ebc746f24a5}//log.log"
- "EREBUS IS BEST."
condition: and

22
malware_glass.yaml Normal file
View File

@ -0,0 +1,22 @@
id: malware_glass
info:
name: Glass Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Glass.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "PostQuitMessage"
- "pwlfnn10,gzg"
- "update.dll"
- "_winver"
condition: and

22
malware_gpgqwerty.yaml Normal file
View File

@ -0,0 +1,22 @@
id: malware_gpgqwerty
info:
name: GPGQwerty Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_GPGQwerty.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "gpg.exe recipient qwerty -o"
- "%s%s.%d.qwerty"
- "del /Q /F /S %s$recycle.bin"
- "cryz1@protonmail.com"
condition: and

30
malware_greame.yaml Normal file
View File

@ -0,0 +1,30 @@
id: malware_greame
info:
name: Greame Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "EditSvr"
- "TLoader"
- "Stroks"
- "Avenger by NhT"
- "####@####"
- "GREAME"
condition: and
- type: binary
binary:
- "232323234023232323E8EEE9F9232323234023232323"
- "232323234023232323FAFDF0EFF9232323234023232323"
condition: and

27
malware_hawkeye.yaml Normal file
View File

@ -0,0 +1,27 @@
id: malware_hawkeye
info:
name: HawkEye Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "HawkEyeKeylogger"
- "099u787978786"
- "HawkEye_Keylogger"
- "holdermail.txt"
- "wallet.dat"
- "Keylog Records"
- "<!-- do not script -->"
- "\\pidloc.txt"
- "BSPLIT"
condition: and

35
malware_imminent.yaml Normal file
View File

@ -0,0 +1,35 @@
id: malware_imminent
info:
name: Imminent Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- "DecodeProductKey"
- "StartHTTPFlood"
- "CodeKey"
- "MESSAGEBOX"
- "GetFilezillaPasswords"
- "DataIn"
- "UDPzSockets"
condition: and
- type: word
words:
- "<URL>k__BackingField"
- "<RunHidden>k__BackingField"
- "DownloadAndExecute"
- "england.png"
- "-CHECK & PING -n 2 127.0.0.1 & EXIT"
- "Showed Messagebox"
condition: and

26
malware_infinity.yaml Normal file
View File

@ -0,0 +1,26 @@
id: malware_infinity
info:
name: Infinity Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "CRYPTPROTECT_PROMPTSTRUCT"
- "discomouse"
- "GetDeepInfo"
- "AES_Encrypt"
- "StartUDPFlood"
- "BATScripting"
- "FBqINhRdpgnqATxJ.html"
- "magic_key"
condition: and

31
malware_locky.yaml Normal file
View File

@ -0,0 +1,31 @@
id: malware_locky
info:
name: Locky Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Locky.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: binary
binary:
- "45b899f7f90faf45b88945b8"
- "2b0a0faf4df8894df8c745"
condition: and
- type: binary
binary:
- "2E006C006F0063006B00790000"
- "005F004C006F0063006B007900"
- "5F007200650063006F00760065"
- "0072005F0069006E0073007400"
- "720075006300740069006F006E"
- "0073002E0074007800740000"
- "536F6674776172655C4C6F636B7900"
condition: and

31
malware_lostdoor.yaml Normal file
View File

@ -0,0 +1,31 @@
id: malware_lostdoor
info:
name: LostDoor Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "*mlt* = %"
- "*ip* = %"
- "*victimo* = %"
- "*name* = %"
- "[START]"
- "[DATA]"
- "We Control Your Digital World"
- "RC4Initialize"
- "RC4Decrypt"
condition: and
- type: binary
binary:
- "0D0A2A454449545F5345525645522A0D0A"

View File

@ -0,0 +1,29 @@
id: malware_luminositylink
info:
name: LuminosityLink Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "SMARTLOGS"
- "RUNPE"
- "b.Resources"
- "CLIENTINFO*"
- "Invalid Webcam Driver Download URL, or Failed to Download File!"
- "Proactive Anti-Malware has been manually activated!"
- "REMOVEGUARD"
- "C0n1f8"
- "Luminosity"
- "LuminosityCryptoMiner"
- "MANAGER*CLIENTDETAILS*"
condition: and

24
malware_luxnet.yaml Normal file
View File

@ -0,0 +1,24 @@
id: malware_luxnet
info:
name: LuxNet Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "GetHashCode"
- "Activator"
- "WebClient"
- "op_Equality"
- "dickcursor.cur"
- "{0}|{1}|{2}"
condition: and

25
malware_paradox.yaml Normal file
View File

@ -0,0 +1,25 @@
id: malware_paradox
info:
name: Paradox Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "ParadoxRAT"
- "Form1"
- "StartRMCam"
- "Flooders"
- "SlowLaris"
- "SHITEMID"
- "set_Remote_Chat"
condition: and

27
malware_plasma.yaml Normal file
View File

@ -0,0 +1,27 @@
id: malware_plasma
info:
name: Plasma Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "Miner: Failed to Inject."
- "Started GPU Mining on:"
- "BK: Hard Bot Killer Ran Successfully!"
- "Uploaded Keylogs Successfully!"
- "No Slowloris Attack is Running!"
- "An ARME Attack is Already Running on"
- "Proactive Bot Killer Enabled!"
- "PlasmaRAT"
- "AntiEverything"
condition: and

33
malware_poetrat.yaml Normal file
View File

@ -0,0 +1,33 @@
id: malware_poetrat
info:
name: PoetRat Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_PoetRATDoc.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "launcher.py"
- "smile.zip"
- "smile_funs.py"
- "frown.py"
- "backer.py"
- "smile.py"
- "affine.py"
- "cmd"
- ".exe"
condition: and
- type: regex
regex:
- '(\.py$|\.pyc$|\.pyd$|Python)'
- '\.dll'
condition: and

29
malware_punisher.yaml Normal file
View File

@ -0,0 +1,29 @@
id: malware_punisher
info:
name: Punisher Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "abccba"
- "SpyTheSpy"
- "wireshark"
- "apateDNS"
- "abccbaDanabccb"
condition: and
- type: binary
binary:
- "5C006800660068002E007600620073"
- "5C00730063002E007600620073"
condition: and

26
malware_pythorat.yaml Normal file
View File

@ -0,0 +1,26 @@
id: malware_pythorat
info:
name: PythoRAT Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "TKeylogger"
- "uFileTransfer"
- "TTDownload"
- "SETTINGS"
- "Unknown"
- "#@#@#"
- "PluginData"
- "OnPluginMessage"
condition: and

46
malware_qrat.yaml Normal file
View File

@ -0,0 +1,46 @@
id: malware_qrat
info:
name: QRat Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- "quaverse/crypter"
- "Qrypt.class"
- "Jarizer.class"
- "URLConnection.class"
condition: and
- type: word
words:
- "e-data"
- "Qrypt.class"
- "Jarizer.class"
- "URLConnection.class"
condition: and
- type: word
words:
- "e-data"
- "quaverse/crypter"
- "Jarizer.class"
- "URLConnection.class"
condition: and
- type: word
words:
- "e-data"
- "quaverse/crypter"
- "Qrypt.class"
- "URLConnection.class"
condition: and

28
malware_satana.yaml Normal file
View File

@ -0,0 +1,28 @@
id: malware_satana
info:
name: Satana Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- "210073006100740061006E00610021002E0074007800740000"
- "456E756D4C6F63616C526573"
- "574E65744F70656E456E756D5700"
- "21534154414E4121"
condition: and
- type: binary
binary:
- "7467777975677771"
- "537776776E6775"
condition: or

View File

@ -0,0 +1,21 @@
id: malware_satana_dropper
info:
name: Satana Dropper Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Satana.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary #Dropper
binary:
- "25732D547279457863657074"
- "643A5C6C626574776D77795C75696A657571706C667775622E706462"
- "71666E7476746862"
condition: and

39
malware_shimrat.yaml Normal file
View File

@ -0,0 +1,39 @@
id: malware_shimrat
info:
name: ShimRat Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Shim.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- ".dll"
- ".dat"
- "QWERTYUIOPLKJHG"
- "MNBVCXZLKJHGFDS"
condition: and
- type: word
words:
- "Data$$00"
- "Data$$01%c%sData"
condition: and
- type: word
words:
- "ping localhost -n 9 /c %s > nul"
- "Demo"
- "Win32App"
- "COMSPEC"
- "ShimMain"
- "NotifyShims"
- "GetHookAPIs"
condition: and

View File

@ -0,0 +1,30 @@
id: malware_shimratreporter
info:
name: ShimRatReporter Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Shim.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "IP-INFO"
- "Network-INFO"
- "OS-INFO"
- "Process-INFO"
- "Browser-INFO"
- "QueryUser-INFO"
- "Users-INFO"
- "Software-INFO"
- "%02X-%02X-%02X-%02X-%02X-%02X"
- "(from environment) = %s"
- "NetUserEnum"
- "GetNetworkParams"
condition: and

27
malware_sigma.yaml Normal file
View File

@ -0,0 +1,27 @@
id: malware_sigma
info:
name: Sigma Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Sigma.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- ".php?"
- "uid="
- "&uname="
- "&os="
- "&pcname="
- "&total="
- "&country="
- "&network="
- "&subid="
condition: and

28
malware_smallnet.yaml Normal file
View File

@ -0,0 +1,28 @@
id: malware_smallnet
info:
name: SmallNet Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "!!<3SAFIA<3!!"
- "!!ElMattadorDz!!"
condition: or
- type: word
words:
- "stub_2.Properties"
- "stub.exe"
- "get_CurrentDomain"
condition: and

24
malware_snake.yaml Normal file
View File

@ -0,0 +1,24 @@
id: malware_snake
info:
name: Snake Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Snake.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "Go build ID: \"X6lNEpDhc_qgQl56x4du/fgVJOqLlPCCIekQhFnHL/rkxe6tXCg56Ez88otHrz/Y-lXW-OhiIbzg3-ioGRz\""
- type: binary
binary:
- "89C8BB00CA9A3B89D1F7E381E1FFFFFF3F89C301C889C60500001A3D89042469ED00CA9A3B01EA89CDC1F91F01EB11CA81C600001A3D81D2EB03B2A189542404E81062F6FF"
- "648B0D140000008B89000000003B61080F863801000083EC3CE8321AF3FF8D7C242889E6E825EAF0FF8B44242C8B4C242889C2C1E81FC1E01F85C00F84FC000000D1E289CBC1E91F09D189DAD1E3C1EB1F89CDD1E109D989CB81C1807FB1D7C1ED1F81C3807FB1D783D50D89C8BB00CA9A3B89D1F7E381E1FFFFFF3F89C301C889C60500001A3D89042469ED00CA9A3B01EA89CDC1F91F01EB11CA81C600001A3D81D2EB03B2A189542404E81062F6FF31C0EB79894424208B4C24408D14C18B1A895C24248B52048954241CC7042405000000E848FEFFFF8B4424088B4C2404C70424000000008B542424895424048B5C241C895C2408894C240C89442410E8ECDDEFFF8B4424188B4C2414894C24088944240C8B4424248904248B44241C89442404E868BBF3FF8B44242040"
condition: and

31
malware_sub7nation.yaml Normal file
View File

@ -0,0 +1,31 @@
id: malware_sub7nation
info:
name: Sub7Nation Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "EnableLUA /t REG_DWORD /d 0 /f"
- "*A01*"
- "*A02*"
- "*A03*"
- "*A04*"
- "*A05*"
- "*A06*"
- "#@#@#"
- "HostSettings"
- "sevane.tmp"
- "cmd_.bat"
- "a2b7c3d7e4"
- "cmd.dll"
condition: and

20
malware_terminator.yaml Normal file
View File

@ -0,0 +1,20 @@
id: malware_terminator
info:
name: Terminator Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Terminator.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "Accelorator"
- "<html><title>12356</title><body>"
condition: and

17
malware_teslacrypt.yaml Normal file
View File

@ -0,0 +1,17 @@
id: malware_teslacrypt
info:
name: TeslaCrypt Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_TeslaCrypt.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "4E6F7720697427732025493A254D25702E00000076616C2069732025640A0000"

32
malware_tox.yaml Normal file
View File

@ -0,0 +1,32 @@
id: malware_tox
info:
name: Tox Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Tox.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- "n:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t;<<t;<<t;<<t;<<t;<<t;<<t;<<t;<<t<<<t;<<t;<<t;<<"
- "t;<<t;<<t<<<t<<"
condition: and
- type: word
words:
- "t;<<t;<<t<<<t<<"
- ">>><<<"
condition: and
- type: word
words:
- "n:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t;<<t;<<t;<<t;<<t;<<t;<<t;<<t;<<t<<<t;<<t;<<t;<<"
- ">>><<<"
condition: and

23
malware_unrecom.yaml Normal file
View File

@ -0,0 +1,23 @@
id: malware_unrecom
info:
name: Unrecom Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "META-INF"
- "load/ID"
- "load/JarMain.class"
- "load/MANIFEST.MF"
- "plugins/UnrecomServer.class"
condition: and

26
malware_vertex.yaml Normal file
View File

@ -0,0 +1,26 @@
id: malware_vertex
info:
name: Vertex Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "DEFPATH"
- "HKNAME"
- "HPORT"
- "INSTALL"
- "IPATH"
- "MUTEX"
- "PANELPATH"
- "ROOTURL"
condition: and

30
malware_virusrat.yaml Normal file
View File

@ -0,0 +1,30 @@
id: malware_virusrat
info:
name: VirusRat Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "virustotal"
- "virusscan"
- "abccba"
- "pronoip"
- "streamWebcam"
- "DOMAIN_PASSWORD"
- "Stub.Form1.resources"
- "ftp://{0}@{1}"
- "SELECT * FROM moz_logins"
- "SELECT * FROM moz_disabledHosts"
- "DynDNS\\Updater\\config.dyndns"
- "|BawaneH|"
condition: and

17
malware_zoxpng.yaml Normal file
View File

@ -0,0 +1,17 @@
id: malware_zoxpng
info:
name: ZoxPNG Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_ZoxPNG.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
words:
- "png&w=800&h=600&ei=CnJcUcSBL4rFkQX444HYCw&zoom=1&ved=1t:3588,r:1,s:0,i:92&iact=rc&dur=368&page=1&tbnh=184&tbnw=259&start=0&ndsp=20&tx=114&ty=58"