feat: added BinaryAlert and restructure the repo

main
Muhammad Daffa 2023-08-08 00:32:42 +07:00
parent 597ea580a7
commit fbc13aeb4c
126 changed files with 3481 additions and 3074 deletions


@ -0,0 +1,23 @@
id: basicrat-malware
info:
name: BasicRAT Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/multi/malware_multi_vesche_basicrat.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "HKCU Run registry key applied"
- "HKCU Run registry key failed"
- "Error, platform unsupported."
- "Persistence successful,"
- "Persistence unsuccessful,"
condition: and
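Review bot: None of the new templates carries an `info.description`, so a triager seeing a hit has nothing but the YARA link to tell them what the matched strings indicate; the same gap is in the cerber, crunchrat, hydracrypt, bella, petya, pony, powerware, wannacry and zcrypt templates added in this commit. Add a one-line description under `info:`, e.g. `description: Matches status strings (HKCU Run key / persistence messages) used by BasicRAT, converted from the linked BinaryAlert YARA rule.` Because every template here is `severity: info` with `condition: and` over plain string literals, the description should also make clear that a match is a string-based indicator to be verified, not a confirmed classification.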


@ -0,0 +1,21 @@
id: cerber-malware
info:
name: Cerber Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_cerber_evasion.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "38oDr5.vbs"
- "8ivq.dll"
- "jmsctls_progress32"
condition: and


@ -0,0 +1,28 @@
id: crunchrat-malware
info:
name: CrunchRAT Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/windows/malware_windows_t3ntman_crunchrat.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "<action>command<action>"
- "<action>upload<action>"
- "<action>download<action>"
- "cmd.exe"
- "application/x-www-form-urlencoded"
- "&action="
- "&secondary="
- "<secondary>"
- "<action>"
condition: and
case-insensitive: true
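Review bot: Under `condition: and` the final entry `"<action>"` is already implied by `"<action>command<action>"` at the top of the list, so it is a redundant word; drop it, or if the intent was to keep weaker generic tokens, put them in a separate lower-confidence matcher. `"cmd.exe"` and `"application/x-www-form-urlencoded"` occur in a great many benign Windows binaries, so the discriminating power of this matcher rests on the `<action>…<action>` tag strings, which is worth stating in a description. Note that `case-insensitive: true` applies to every word in the list, including the MIME type; presumably intended, but confirm it matches the original rule's modifiers.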


@ -0,0 +1,23 @@
id: ransomware_windows_hydracrypt
info:
name: Hydracrypt Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_hydracrypt.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "oTraining"
- "Stop Training"
- "Play \"sound.wav\""
- "&Start Recording"
- "7About record"
condition: and
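Review bot: The id `ransomware_windows_hydracrypt` follows the BinaryAlert file name rather than the `<family>-malware` kebab-case scheme every other template in this commit uses (`basicrat-malware`, `cerber-malware`, and the `malware_aar` → `aar-malware` rename further down), so it sorts and filters differently from its siblings. Rename it to `id: hydracrypt-malware`. Template ids are what id-based include/exclude filters key on, so it is cheaper to fix before this batch is consumed anywhere.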


@ -0,0 +1,38 @@
id: macos-bella-malware
info:
name: Bella Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/macos/malware_macos_bella.yara
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "Verified! [2FV Enabled] Account ->"
- "There is no root shell to perform this command. See [rooter] manual entry."
- "Attempt to escalate Bella to root through a variety of attack vectors."
- "BELLA IS NOW RUNNING. CONNECT TO BELLA FROM THE CONTROL CENTER."
condition: or
- type: word
part: raw
words:
- "user_pass_phish"
- "bella_info"
- "get_root"
condition: and
- type: word
part: raw
words:
- "Please specify a bella server."
- "What port should Bella connect on [Default is 4545]:"
condition: and


@ -0,0 +1,24 @@
id: petya-malware-variant-1
info:
name: Petya Malware (Variant 1) - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_petya_variant_1.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "Ooops, your important files are encrypted."
- "Send your Bitcoin wallet ID and personal installation key to e-mail"
- "wowsmith123456@posteo.net. Your personal installation key:"
- "Send $300 worth of Bitcoin to following address:"
- "have been encrypted. Perhaps you are busy looking for a way to recover your"
- "need to do is submit the payment and purchase the decryption key."
condition: or
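Review bot: `condition: or` here means any single one of six ransom-note phrases fires the template, and at least `"have been encrypted. Perhaps you are busy looking for a way to recover your"` is also used in other families' notes (the WannaCry note, for one) and is quoted in incident write-ups, so the `Petya Malware (Variant 1)` name over-claims what a hit proves. Consider requiring the Petya-specific pair (`"Ooops, your important files are encrypted."` together with the `wowsmith123456@posteo.net` line) under `condition: and`, and moving the generic phrases into a second matcher under `matchers-condition: or`, as the bella and wannacry templates already do. The same broad-`or` pattern is in petya-malware-variant-3 (two wevtutil/fsutil command lines that admin scripts and forensic tooling also contain) and in the second wannacry matcher (the kill-switch domain, which appears in DNS blocklists and sinkhole configs); with `severity: info` this is tolerable, but a description should say hits need verification.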


@ -0,0 +1,20 @@
id: petya-malware-variant-3
info:
name: Petya Malware (Variant 3) - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_petya_variant_3.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "wevtutil cl Setup & wevtutil cl System"
- "fsutil usn deletejournal /D %c:"
condition: or


@ -0,0 +1,18 @@
id: petya-malware-variant-bitcoin
info:
name: Petya Malware (Variant Bitcoin) - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_petya_variant_bitcoin.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu6zfhzuts7KafP5UA8/0Hmf5K3/F9Mf9SE68EZjK+cIiFlKeWndP0XfRCYXI9AJYCeaOu7CXF6U0AVNnNjvLeOn42LHFUK4o6JwIDAQAB"


@ -0,0 +1,29 @@
id: pony-stealer-malware
info:
name: Windows Pony Stealer Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/windows/malware_windows_pony_stealer.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "signons.sqlite"
- "signons.txt"
- "signons2.txt"
- "signons3.txt"
- "WininetCacheCredentials"
- "moz_logins"
- "encryptedPassword"
- "FlashFXP"
- "BulletProof"
- "CuteFTP"
condition: and
case-insensitive: true


@ -0,0 +1,21 @@
id: powerware-malware
info:
name: PowerWare Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_powerware_locky.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "ScriptRunner.dll"
- "ScriptRunner.pdb"
- "fixed.ps1"
condition: and


@ -0,0 +1,32 @@
id: wannacry-malware
info:
name: WannaCry Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_wannacry.yara
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "msg/m_chinese"
- ".wnry"
- "attrib +h"
condition: and
- type: word
part: raw
words:
- "WNcry@2ol7"
- "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
- "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn"
- "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw"
- "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94"
condition: or


@ -0,0 +1,34 @@
id: zrypt-malware
info:
name: Zcrypt Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_zcrypt.yara
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "How to Buy Bitcoins"
- "ALL YOUR PERSONAL FILES ARE ENCRYPTED"
- "Click Here to Show Bitcoin Address"
- "MyEncrypter2.pdb"
condition: or
- type: word
part: raw
words:
- ".p7b"
- ".p7c"
- ".pdd"
- ".pef"
- ".pem"
- "How to decrypt files.html"
condition: and
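Review bot: The id `zrypt-malware` is misspelled: the template name is `Zcrypt Malware - Detect` and the referenced rule is `ransomware_windows_zcrypt.yara`, so id-based lookups for `zcrypt` will miss this template. Change it to `id: zcrypt-malware`. The second matcher's `condition: and` over the extension tokens plus `"How to decrypt files.html"` is reasonable, but `.pem`/`.p7b`/`.p7c` alone occur in any certificate-handling binary, so the ransom-note file name is what makes it discriminating; worth recording in a description.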

42
LICENSE

@ -1,21 +1,21 @@
MIT License MIT License
Copyright (c) 2023 Muhammad Daffa Copyright (c) 2023 Muhammad Daffa
Permission is hereby granted, free of charge, to any person obtaining a copy Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions: furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software. copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE. SOFTWARE.

265
README.md

@ -1,251 +1,14 @@
# Nuclei Malware # Nuclei Malware
Template to detect some malware using nuclei Template to detect some malware using nuclei. Creating these nuclei templates based on previously made YARA rules and then converting them into nuclei template format
## Status Malware ### List of Repositories
I took the reference from [yara rules repository](https://github.com/Yara-Rules/rules/blob/master/malware/) and in this section is about the status of each rule whether it can be made into a nuclei template or not * [https://github.com/Yara-Rules/rules](https://github.com/daffainfo/nuclei-malware/tree/master/Yara-Rules)
* [https://github.com/airbnb/binaryalert/tree/master/rules/public](https://github.com/daffainfo/nuclei-malware/tree/master/BinaryAlert)
| Malware Yara Rules | Status |
| --- | --- | ### To-Do
| MALW_ATMPot | 🟥 Impossible | - [ ] Create a GitHub Actions workflow to detect the total number of templates in this repository
| MALW_ATM_HelloWorld | 🟥 Impossible | - [ ] Gives the status of whether the template is already in the nuclei-templates repo or not (In `STATUS.md`)
| MALW_AZORULT | 🟥 Impossible | - [ ] Create more nuclei templates using these repository
| MALW_AgentTesla | 🟨 Still possible but requires a lot of effort | - [x] https://github.com/airbnb/binaryalert/tree/master/rules/public
| MALW_AgentTesla_SMTP | 🟨 Still possible but requires a lot of effort | - [ ] https://github.com/reversinglabs/reversinglabs-yara-rules
| MALW_AlMashreq | 🟨 Still possible but requires a lot of effort | - [ ] etc.
| MALW_Alina | 🟩 Possible |
| MALW_Andromeda | 🟩 Possible |
| MALW_Arkei | 🟩 Possible |
| MALW_Athena | 🟨 Still possible but requires a lot of effort |
| MALW_Atmos | 🟥 Impossible |
| MALW_BackdoorSSH | 🟥 Impossible |
| MALW_Backoff | 🟩 Possible |
| MALW_Bangat | 🟥 Impossible |
| MALW_Batel | 🟥 Impossible |
| MALW_BlackRev | 🟨 Still possible but requires a lot of effort |
| MALW_BlackWorm | 🟩 Possible |
| MALW_Boouset | 🟥 Impossible |
| MALW_Bublik | 🟩 Possible |
| MALW_Buzus_Softpulse | 🟥 Impossible |
| MALW_CAP_HookExKeylogger | 🟨 Still possible but requires a lot of effort |
| MALW_Chicken | 🟨 Still possible but requires a lot of effort |
| MALW_Citadel | 🟥 Impossible |
| MALW_Cloaking | 🟥 Impossible |
| MALW_Cookies | 🟨 Still possible but requires a lot of effort |
| MALW_Corkow | 🟥 Impossible |
| MALW_Cxpid | 🟩 Possible |
| MALW_Cythosia | 🟩 Possible |
| MALW_DDoSTf | 🟩 Possible |
| MALW_Derkziel | 🟩 Possible |
| MALW_Dexter | 🟩 Possible |
| MALW_DiamondFox | 🟩 Possible |
| MALW_DirtJumper | 🟨 Still possible but requires a lot of effort |
| MALW_Eicar | 🟩 Possible |
| MALW_Elex | 🟥 Impossible |
| MALW_Elknot | 🟥 Impossible |
| MALW_Emotet | 🟥 Impossible |
| MALW_Empire | 🟥 Impossible |
| MALW_Enfal | 🟥 Impossible |
| MALW_Exploit_UAC_Elevators | 🟥 Impossible |
| MALW_Ezcob | 🟩 Possible |
| MALW_F0xy | 🟥 Impossible |
| MALW_FALLCHILL | 🟥 Impossible |
| MALW_FUDCrypt | 🟩 Possible |
| MALW_FakeM | 🟥 Impossible |
| MALW_Fareit | 🟥 Impossible |
| MALW_Favorite | 🟥 Impossible |
| MALW_Furtim | 🟥 Impossible |
| MALW_Gafgyt | 🟩 Possible |
| MALW_Genome | 🟩 Possible |
| MALW_Glasses | 🟩 Possible |
| MALW_Gozi | 🟩 Possible |
| MALW_Grozlex | 🟩 Possible |
| MALW_Hajime | 🟥 Impossible |
| MALW_Hsdfihdf_banking | 🟨 Still possible but requires a lot of effort |
| MALW_Httpsd_ELF | 🟥 Impossible |
| MALW_IMuler | 🟥 Impossible |
| MALW_IcedID | 🟥 Impossible |
| MALW_Iexpl0ree | 🟥 Impossible |
| MALW_Install11 | 🟩 Possible |
| MALW_Intel_Virtualization | 🟩 Possible |
| MALW_IotReaper | 🟩 Possible |
| MALW_Jolob_Backdoor | 🟩 Possible |
| MALW_KINS | 🟨 Still possible but requires a lot of effort |
| MALW_Kelihos | 🟩 Possible |
| MALW_KeyBase | 🟥 Impossible |
| MALW_Korlia | 🟥 Impossible |
| MALW_Korplug | 🟥 Impossible |
| MALW_Kovter | 🟩 Possible |
| MALW_Kraken | 🟥 Impossible |
| MALW_Kwampirs | 🟩 Possible |
| MALW_LURK0 | 🟥 Impossible |
| MALW_Lateral_Movement | 🟩 Possible |
| MALW_Lenovo_Superfish | 🟥 Impossible |
| MALW_LinuxBew | 🟩 Possible |
| MALW_LinuxHelios | 🟩 Possible |
| MALW_LinuxMoose | 🟥 Impossible |
| MALW_LostDoor | 🟩 Possible |
| MALW_LuaBot | 🟩 Possible |
| MALW_LuckyCat | 🟥 Impossible |
| MALW_MSILStealer | 🟩 Possible |
| MALW_MacControl | 🟥 Impossible |
| MALW_MacGyver | 🟩 Possible |
| MALW_Madness | 🟩 Possible |
| MALW_Magento_backend | 🟨 Still possible but requires a lot of effort |
| MALW_Magento_frontend | 🟨 Still possible but requires a lot of effort |
| MALW_Magento_suspicious | 🟥 Impossible |
| MALW_Mailers | 🟥 Impossible |
| MALW_MedusaHTTP_2019 | 🟨 Still possible but requires a lot of effort |
| MALW_Miancha | 🟥 Impossible |
| MALW_MiniAsp3_mem | 🟨 Still possible but requires a lot of effort |
| MALW_Mirai | 🟥 Impossible |
| MALW_Mirai_Okiru_ELF | 🟥 Impossible |
| MALW_Mirai_Satori_ELF | 🟥 Impossible |
| MALW_Miscelanea | 🟥 Impossible |
| MALW_Miscelanea_Linux | 🟨 Still possible but requires a lot of effort |
| MALW_Monero_Miner_installer | 🟩 Possible |
| MALW_NSFree | 🟩 Possible |
| MALW_Naikon | 🟨 Still possible but requires a lot of effort |
| MALW_Naspyupdate | 🟨 Still possible but requires a lot of effort |
| MALW_NetTraveler | 🟨 Still possible but requires a lot of effort |
| MALW_NionSpy | 🟥 Impossible |
| MALW_Notepad | 🟩 Possible |
| MALW_OSX_Leverage | 🟩 Possible |
| MALW_Odinaff | 🟥 Impossible |
| MALW_Olyx | 🟩 Possible |
| MALW_PE_sections | 🟥 Impossible |
| MALW_PittyTiger | 🟨 Still possible but requires a lot of effort |
| MALW_PolishBankRat | 🟥 Impossible |
| MALW_Ponmocup | 🟥 Impossible |
| MALW_Pony | 🟩 Possible |
| MALW_Predator | 🟥 Impossible |
| MALW_PubSab | 🟩 Possible |
| MALW_PurpleWave | 🟥 Impossible |
| MALW_PyPI | 🟩 Possible |
| MALW_Pyinstaller | 🟥 Impossible |
| MALW_Pyinstaller_OSX | 🟩 Possible |
| MALW_Quarian | 🟥 Impossible |
| MALW_Rebirth_Vulcan_ELF | 🟥 Impossible |
| MALW_Regsubdat | 🟥 Impossible |
| MALW_Rockloader | 🟥 Impossible |
| MALW_Rooter | 🟥 Impossible |
| MALW_Rovnix | 🟥 Impossible |
| MALW_Safenet | 🟩 Possible |
| MALW_Sakurel | 🟩 Possible |
| MALW_Sayad | 🟩 Possible |
| MALW_Scarhikn | 🟥 Impossible |
| MALW_Sendsafe | 🟨 Still possible but requires a lot of effort |
| MALW_Shamoon | 🟥 Impossible |
| MALW_Shifu | 🟥 Impossible |
| MALW_Skeleton | 🟥 Impossible |
| MALW_Spora | 🟩 Possible |
| MALW_Sqlite | 🟩 Possible |
| MALW_Stealer | 🟩 Possible |
| MALW_Surtr | 🟥 Impossible |
| MALW_T5000 | 🟩 Possible |
| MALW_TRITON_HATMAN | 🟥 Impossible |
| MALW_TRITON_ICS_FRAMEWORK | 🟥 Impossible |
| MALW_Tedroo | 🟩 Possible |
| MALW_Tinba | 🟥 Impossible |
| MALW_TinyShell_Backdoor_gen | 🟥 Impossible |
| MALW_Torte_ELF | 🟥 Impossible |
| MALW_TreasureHunt | 🟩 Possible |
| MALW_TrickBot | 🟩 Possible |
| MALW_Trumpbot | 🟩 Possible |
| MALW_Upatre | 🟥 Impossible |
| MALW_Urausy | 🟩 Possible |
| MALW_Vidgrab | 🟥 Impossible |
| MALW_Virut_FileInfector_UNK_VERSION | 🟥 Impossible |
| MALW_Volgmer | 🟥 Impossible |
| MALW_Wabot | 🟩 Possible |
| MALW_Warp | 🟩 Possible |
| MALW_Wimmie | 🟥 Impossible |
| MALW_XHide | 🟩 Possible |
| MALW_XMRIG_Miner | 🟩 Possible |
| MALW_XOR_DDos | 🟩 Possible |
| MALW_Yayih | 🟩 Possible |
| MALW_Yordanyan_ActiveAgent | 🟨 Still possible but requires a lot of effort |
| MALW_Zegost | 🟩 Possible |
| MALW_Zeus | 🟥 Impossible |
| MALW_adwind_RAT | 🟥 Impossible |
| MALW_hancitor | 🟨 Still possible but requires a lot of effort |
| MALW_kirbi_mimikatz | 🟥 Impossible |
| MALW_kpot | 🟨 Still possible but requires a lot of effort |
| MALW_marap | 🟨 Still possible but requires a lot of effort |
| MALW_shifu_shiz | 🟨 Still possible but requires a lot of effort |
| MALW_sitrof_fortis_scar | 🟨 Still possible but requires a lot of effort |
| MALW_viotto_keylogger | 🟥 Impossible |
| MALW_xDedic_marketplace | 🟥 Impossible |
| RANSOM_.CRYPTXXX.yar | 🟩 Possible |
| RANSOM_777.yar | 🟩 Possible |
| RANSOM_Alpha.yar | 🟩 Possible |
| RANSOM_BadRabbit.yar | 🟥 Impossible |
| RANSOM_Cerber.yar | 🟥 Impossible |
| RANSOM_Comodosec.yar | 🟨 Still possible but requires a lot of effort |
| RANSOM_Crypren.yar | 🟥 Impossible |
| RANSOM_CryptoNar.yar | 🟥 Impossible |
| RANSOM_Cryptolocker.yar | 🟨 Still possible but requires a lot of effort |
| RANSOM_DMALocker.yar | 🟩 Possible |
| RANSOM_DoublePulsar_Petya.yar | 🟩 Possible |
| RANSOM_Erebus.yar | 🟩 Possible |
| RANSOM_GPGQwerty.yar | 🟩 Possible |
| RANSOM_GoldenEye.yar | 🟥 Impossible |
| RANSOM_Locky.yar | 🟩 Possible |
| RANSOM_MS17-010_Wannacrypt.yar | 🟥 Impossible |
| RANSOM_Maze.yar | 🟥 Impossible |
| RANSOM_PetrWrap.yar | 🟥 Impossible |
| RANSOM_Petya.yar | 🟥 Impossible |
| RANSOM_Petya_MS17_010.yar | 🟥 Impossible |
| RANSOM_Pico.yar | 🟥 Impossible |
| RANSOM_Revix.yar | 🟥 Impossible |
| RANSOM_SamSam.yar | 🟥 Impossible |
| RANSOM_Satana.yar | 🟩 Possible |
| RANSOM_Shiva.yar | 🟥 Impossible |
| RANSOM_Sigma.yar | 🟩 Possible |
| RANSOM_Snake.yar | 🟩 Possible |
| RANSOM_Stampado.yar | 🟥 Impossible |
| RANSOM_TeslaCrypt.yar | 🟩 Possible |
| RANSOM_Tox.yar | 🟩 Possible |
| RANSOM_acroware.yar | 🟥 Impossible |
| RANSOM_jeff_dev.yar | 🟥 Impossible |
| RANSOM_locdoor.yar | 🟥 Impossible |
| RANSOM_screenlocker_5h311_1nj3c706.yar | 🟥 Impossible |
| RANSOM_shrug2.yar | 🟥 Impossible |
| RANSOM_termite.yar | 🟥 Impossible |
| RAT_Adwind.yar | 🟥 Impossible |
| RAT_Adzok.yar | 🟩 Possible |
| RAT_Asyncrat.yar | 🟥 Impossible |
| RAT_BlackShades.yar | 🟥 Impossible |
| RAT_Bolonyokte.yar | 🟥 Impossible |
| RAT_Bozok.yar | 🟩 Possible |
| RAT_Cerberus.yar | 🟩 Possible |
| RAT_Crimson.yar | 🟩 Possible |
| RAT_CrossRAT.yar | 🟥 Impossible |
| RAT_CyberGate.yar | 🟩 Possible |
| RAT_DarkComet.yar | 🟥 Impossible |
| RAT_FlyingKitten.yar | 🟥 Impossible |
| RAT_Gh0st.yar | 🟥 Impossible |
| RAT_Gholee.yar | 🟩 Possible |
| RAT_Glass.yar | 🟩 Possible |
| RAT_Havex.yar | 🟥 Impossible |
| RAT_Hizor.yar | 🟥 Impossible |
| RAT_Indetectables.yar | 🟥 Impossible |
| RAT_Inocnation.yar | 🟥 Impossible |
| RAT_Meterpreter_Reverse_Tcp.yar | 🟥 Impossible |
| RAT_Nanocore.yar | 🟥 Impossible |
| RAT_NetwiredRC.yar | 🟥 Impossible |
| RAT_Njrat.yar | 🟥 Impossible |
| RAT_Orcus.yar | 🟥 Impossible |
| RAT_PlugX.yar | 🟥 Impossible |
| RAT_PoetRATDoc.yar | 🟩 Possible |
| RAT_PoetRATPython.yar | 🟥 Impossible |
| RAT_PoisonIvy.yar | 🟥 Impossible |
| RAT_Ratdecoders.yar | 🟩 Possible |
| RAT_Sakula.yar | 🟥 Impossible |
| RAT_ShadowTech.yar | 🟩 Possible |
| RAT_Shim.yar | 🟩 Possible |
| RAT_Terminator.yar | 🟩 Possible |
| RAT_Xtreme.yar | 🟥 Impossible |
| RAT_ZoxPNG.yar | 🟩 Possible |
| RAT_jRAT.yar | 🟩 Possible |
| RAT_xRAT.yar | 🟩 Possible |
| RAT_xRAT20.yar | 🟥 Impossible |

279
STATUS.md Normal file

@ -0,0 +1,279 @@
# List
* [https://github.com/Yara-Rules/rules](https://github.com/daffainfo/nuclei-malware/tree/master/Yara-Rules)
| Yara Rules | Status |
| --- | --- |
| MALW_ATMPot | 🟥 Impossible |
| MALW_ATM_HelloWorld | 🟥 Impossible |
| MALW_AZORULT | 🟥 Impossible |
| MALW_AgentTesla | 🟨 Still possible but requires a lot of effort |
| MALW_AgentTesla_SMTP | 🟨 Still possible but requires a lot of effort |
| MALW_AlMashreq | 🟨 Still possible but requires a lot of effort |
| MALW_Alina | 🟩 Possible |
| MALW_Andromeda | 🟩 Possible |
| MALW_Arkei | 🟩 Possible |
| MALW_Athena | 🟨 Still possible but requires a lot of effort |
| MALW_Atmos | 🟥 Impossible |
| MALW_BackdoorSSH | 🟥 Impossible |
| MALW_Backoff | 🟩 Possible |
| MALW_Bangat | 🟥 Impossible |
| MALW_Batel | 🟥 Impossible |
| MALW_BlackRev | 🟨 Still possible but requires a lot of effort |
| MALW_BlackWorm | 🟩 Possible |
| MALW_Boouset | 🟥 Impossible |
| MALW_Bublik | 🟩 Possible |
| MALW_Buzus_Softpulse | 🟥 Impossible |
| MALW_CAP_HookExKeylogger | 🟨 Still possible but requires a lot of effort |
| MALW_Chicken | 🟨 Still possible but requires a lot of effort |
| MALW_Citadel | 🟥 Impossible |
| MALW_Cloaking | 🟥 Impossible |
| MALW_Cookies | 🟨 Still possible but requires a lot of effort |
| MALW_Corkow | 🟥 Impossible |
| MALW_Cxpid | 🟩 Possible |
| MALW_Cythosia | 🟩 Possible |
| MALW_DDoSTf | 🟩 Possible |
| MALW_Derkziel | 🟩 Possible |
| MALW_Dexter | 🟩 Possible |
| MALW_DiamondFox | 🟩 Possible |
| MALW_DirtJumper | 🟨 Still possible but requires a lot of effort |
| MALW_Eicar | 🟩 Possible |
| MALW_Elex | 🟥 Impossible |
| MALW_Elknot | 🟥 Impossible |
| MALW_Emotet | 🟥 Impossible |
| MALW_Empire | 🟥 Impossible |
| MALW_Enfal | 🟥 Impossible |
| MALW_Exploit_UAC_Elevators | 🟥 Impossible |
| MALW_Ezcob | 🟩 Possible |
| MALW_F0xy | 🟥 Impossible |
| MALW_FALLCHILL | 🟥 Impossible |
| MALW_FUDCrypt | 🟩 Possible |
| MALW_FakeM | 🟥 Impossible |
| MALW_Fareit | 🟥 Impossible |
| MALW_Favorite | 🟥 Impossible |
| MALW_Furtim | 🟥 Impossible |
| MALW_Gafgyt | 🟩 Possible |
| MALW_Genome | 🟩 Possible |
| MALW_Glasses | 🟩 Possible |
| MALW_Gozi | 🟩 Possible |
| MALW_Grozlex | 🟩 Possible |
| MALW_Hajime | 🟥 Impossible |
| MALW_Hsdfihdf_banking | 🟨 Still possible but requires a lot of effort |
| MALW_Httpsd_ELF | 🟥 Impossible |
| MALW_IMuler | 🟥 Impossible |
| MALW_IcedID | 🟥 Impossible |
| MALW_Iexpl0ree | 🟥 Impossible |
| MALW_Install11 | 🟩 Possible |
| MALW_Intel_Virtualization | 🟩 Possible |
| MALW_IotReaper | 🟩 Possible |
| MALW_Jolob_Backdoor | 🟩 Possible |
| MALW_KINS | 🟨 Still possible but requires a lot of effort |
| MALW_Kelihos | 🟩 Possible |
| MALW_KeyBase | 🟥 Impossible |
| MALW_Korlia | 🟥 Impossible |
| MALW_Korplug | 🟥 Impossible |
| MALW_Kovter | 🟩 Possible |
| MALW_Kraken | 🟥 Impossible |
| MALW_Kwampirs | 🟩 Possible |
| MALW_LURK0 | 🟥 Impossible |
| MALW_Lateral_Movement | 🟩 Possible |
| MALW_Lenovo_Superfish | 🟥 Impossible |
| MALW_LinuxBew | 🟩 Possible |
| MALW_LinuxHelios | 🟩 Possible |
| MALW_LinuxMoose | 🟥 Impossible |
| MALW_LostDoor | 🟩 Possible |
| MALW_LuaBot | 🟩 Possible |
| MALW_LuckyCat | 🟥 Impossible |
| MALW_MSILStealer | 🟩 Possible |
| MALW_MacControl | 🟥 Impossible |
| MALW_MacGyver | 🟩 Possible |
| MALW_Madness | 🟩 Possible |
| MALW_Magento_backend | 🟨 Still possible but requires a lot of effort |
| MALW_Magento_frontend | 🟨 Still possible but requires a lot of effort |
| MALW_Magento_suspicious | 🟥 Impossible |
| MALW_Mailers | 🟥 Impossible |
| MALW_MedusaHTTP_2019 | 🟨 Still possible but requires a lot of effort |
| MALW_Miancha | 🟥 Impossible |
| MALW_MiniAsp3_mem | 🟨 Still possible but requires a lot of effort |
| MALW_Mirai | 🟥 Impossible |
| MALW_Mirai_Okiru_ELF | 🟥 Impossible |
| MALW_Mirai_Satori_ELF | 🟥 Impossible |
| MALW_Miscelanea | 🟥 Impossible |
| MALW_Miscelanea_Linux | 🟨 Still possible but requires a lot of effort |
| MALW_Monero_Miner_installer | 🟩 Possible |
| MALW_NSFree | 🟩 Possible |
| MALW_Naikon | 🟨 Still possible but requires a lot of effort |
| MALW_Naspyupdate | 🟨 Still possible but requires a lot of effort |
| MALW_NetTraveler | 🟨 Still possible but requires a lot of effort |
| MALW_NionSpy | 🟥 Impossible |
| MALW_Notepad | 🟩 Possible |
| MALW_OSX_Leverage | 🟩 Possible |
| MALW_Odinaff | 🟥 Impossible |
| MALW_Olyx | 🟩 Possible |
| MALW_PE_sections | 🟥 Impossible |
| MALW_PittyTiger | 🟨 Still possible but requires a lot of effort |
| MALW_PolishBankRat | 🟥 Impossible |
| MALW_Ponmocup | 🟥 Impossible |
| MALW_Pony | 🟩 Possible |
| MALW_Predator | 🟥 Impossible |
| MALW_PubSab | 🟩 Possible |
| MALW_PurpleWave | 🟥 Impossible |
| MALW_PyPI | 🟩 Possible |
| MALW_Pyinstaller | 🟥 Impossible |
| MALW_Pyinstaller_OSX | 🟩 Possible |
| MALW_Quarian | 🟥 Impossible |
| MALW_Rebirth_Vulcan_ELF | 🟥 Impossible |
| MALW_Regsubdat | 🟥 Impossible |
| MALW_Rockloader | 🟥 Impossible |
| MALW_Rooter | 🟥 Impossible |
| MALW_Rovnix | 🟥 Impossible |
| MALW_Safenet | 🟩 Possible |
| MALW_Sakurel | 🟩 Possible |
| MALW_Sayad | 🟩 Possible |
| MALW_Scarhikn | 🟥 Impossible |
| MALW_Sendsafe | 🟨 Still possible but requires a lot of effort |
| MALW_Shamoon | 🟥 Impossible |
| MALW_Shifu | 🟥 Impossible |
| MALW_Skeleton | 🟥 Impossible |
| MALW_Spora | 🟩 Possible |
| MALW_Sqlite | 🟩 Possible |
| MALW_Stealer | 🟩 Possible |
| MALW_Surtr | 🟥 Impossible |
| MALW_T5000 | 🟩 Possible |
| MALW_TRITON_HATMAN | 🟥 Impossible |
| MALW_TRITON_ICS_FRAMEWORK | 🟥 Impossible |
| MALW_Tedroo | 🟩 Possible |
| MALW_Tinba | 🟥 Impossible |
| MALW_TinyShell_Backdoor_gen | 🟥 Impossible |
| MALW_Torte_ELF | 🟥 Impossible |
| MALW_TreasureHunt | 🟩 Possible |
| MALW_TrickBot | 🟩 Possible |
| MALW_Trumpbot | 🟩 Possible |
| MALW_Upatre | 🟥 Impossible |
| MALW_Urausy | 🟩 Possible |
| MALW_Vidgrab | 🟥 Impossible |
| MALW_Virut_FileInfector_UNK_VERSION | 🟥 Impossible |
| MALW_Volgmer | 🟥 Impossible |
| MALW_Wabot | 🟩 Possible |
| MALW_Warp | 🟩 Possible |
| MALW_Wimmie | 🟥 Impossible |
| MALW_XHide | 🟩 Possible |
| MALW_XMRIG_Miner | 🟩 Possible |
| MALW_XOR_DDos | 🟩 Possible |
| MALW_Yayih | 🟩 Possible |
| MALW_Yordanyan_ActiveAgent | 🟨 Still possible but requires a lot of effort |
| MALW_Zegost | 🟩 Possible |
| MALW_Zeus | 🟥 Impossible |
| MALW_adwind_RAT | 🟥 Impossible |
| MALW_hancitor | 🟨 Still possible but requires a lot of effort |
| MALW_kirbi_mimikatz | 🟥 Impossible |
| MALW_kpot | 🟨 Still possible but requires a lot of effort |
| MALW_marap | 🟨 Still possible but requires a lot of effort |
| MALW_shifu_shiz | 🟨 Still possible but requires a lot of effort |
| MALW_sitrof_fortis_scar | 🟨 Still possible but requires a lot of effort |
| MALW_viotto_keylogger | 🟥 Impossible |
| MALW_xDedic_marketplace | 🟥 Impossible |
| RANSOM_.CRYPTXXX.yar | 🟩 Possible |
| RANSOM_777.yar | 🟩 Possible |
| RANSOM_Alpha.yar | 🟩 Possible |
| RANSOM_BadRabbit.yar | 🟥 Impossible |
| RANSOM_Cerber.yar | 🟥 Impossible |
| RANSOM_Comodosec.yar | 🟨 Still possible but requires a lot of effort |
| RANSOM_Crypren.yar | 🟥 Impossible |
| RANSOM_CryptoNar.yar | 🟥 Impossible |
| RANSOM_Cryptolocker.yar | 🟨 Still possible but requires a lot of effort |
| RANSOM_DMALocker.yar | 🟩 Possible |
| RANSOM_DoublePulsar_Petya.yar | 🟩 Possible |
| RANSOM_Erebus.yar | 🟩 Possible |
| RANSOM_GPGQwerty.yar | 🟩 Possible |
| RANSOM_GoldenEye.yar | 🟥 Impossible |
| RANSOM_Locky.yar | 🟩 Possible |
| RANSOM_MS17-010_Wannacrypt.yar | 🟥 Impossible |
| RANSOM_Maze.yar | 🟥 Impossible |
| RANSOM_PetrWrap.yar | 🟥 Impossible |
| RANSOM_Petya.yar | 🟥 Impossible |
| RANSOM_Petya_MS17_010.yar | 🟥 Impossible |
| RANSOM_Pico.yar | 🟥 Impossible |
| RANSOM_Revix.yar | 🟥 Impossible |
| RANSOM_SamSam.yar | 🟥 Impossible |
| RANSOM_Satana.yar | 🟩 Possible |
| RANSOM_Shiva.yar | 🟥 Impossible |
| RANSOM_Sigma.yar | 🟩 Possible |
| RANSOM_Snake.yar | 🟩 Possible |
| RANSOM_Stampado.yar | 🟥 Impossible |
| RANSOM_TeslaCrypt.yar | 🟩 Possible |
| RANSOM_Tox.yar | 🟩 Possible |
| RANSOM_acroware.yar | 🟥 Impossible |
| RANSOM_jeff_dev.yar | 🟥 Impossible |
| RANSOM_locdoor.yar | 🟥 Impossible |
| RANSOM_screenlocker_5h311_1nj3c706.yar | 🟥 Impossible |
| RANSOM_shrug2.yar | 🟥 Impossible |
| RANSOM_termite.yar | 🟥 Impossible |
| RAT_Adwind.yar | 🟥 Impossible |
| RAT_Adzok.yar | 🟩 Possible |
| RAT_Asyncrat.yar | 🟥 Impossible |
| RAT_BlackShades.yar | 🟥 Impossible |
| RAT_Bolonyokte.yar | 🟥 Impossible |
| RAT_Bozok.yar | 🟩 Possible |
| RAT_Cerberus.yar | 🟩 Possible |
| RAT_Crimson.yar | 🟩 Possible |
| RAT_CrossRAT.yar | 🟥 Impossible |
| RAT_CyberGate.yar | 🟩 Possible |
| RAT_DarkComet.yar | 🟥 Impossible |
| RAT_FlyingKitten.yar | 🟥 Impossible |
| RAT_Gh0st.yar | 🟥 Impossible |
| RAT_Gholee.yar | 🟩 Possible |
| RAT_Glass.yar | 🟩 Possible |
| RAT_Havex.yar | 🟥 Impossible |
| RAT_Hizor.yar | 🟥 Impossible |
| RAT_Indetectables.yar | 🟥 Impossible |
| RAT_Inocnation.yar | 🟥 Impossible |
| RAT_Meterpreter_Reverse_Tcp.yar | 🟥 Impossible |
| RAT_Nanocore.yar | 🟥 Impossible |
| RAT_NetwiredRC.yar | 🟥 Impossible |
| RAT_Njrat.yar | 🟥 Impossible |
| RAT_Orcus.yar | 🟥 Impossible |
| RAT_PlugX.yar | 🟥 Impossible |
| RAT_PoetRATDoc.yar | 🟩 Possible |
| RAT_PoetRATPython.yar | 🟥 Impossible |
| RAT_PoisonIvy.yar | 🟥 Impossible |
| RAT_Ratdecoders.yar | 🟩 Possible |
| RAT_Sakula.yar | 🟥 Impossible |
| RAT_ShadowTech.yar | 🟩 Possible |
| RAT_Shim.yar | 🟩 Possible |
| RAT_Terminator.yar | 🟩 Possible |
| RAT_Xtreme.yar | 🟥 Impossible |
| RAT_ZoxPNG.yar | 🟩 Possible |
| RAT_jRAT.yar | 🟩 Possible |
| RAT_xRAT.yar | 🟩 Possible |
| RAT_xRAT20.yar | 🟥 Impossible |
* [https://github.com/airbnb/binaryalert/tree/master/rules/public](https://github.com/daffainfo/nuclei-malware/tree/master/BinaryAlert)
| Yara Rules | Status |
| --- | --- |
| malware_macos_apt_sofacy_xagent.yara | 🟥 Impossible |
| malware_macos_bella.yara | 🟩 Possible |
| malware_macos_macspy.yara | 🟥 Impossible |
| malware_macos_marten4n6_evilosx.yara | 🟨 Still possible but requires a lot of effort |
| malware_macos_neoneggplant_eggshell.yara | 🟨 Still possible but requires a lot of effort |
| malware_macos_proton_rat_generic.yara | 🟥 Impossible |
| malware_multi_pupy_rat.yara | 🟨 Still possible but requires a lot of effort |
| malware_multi_vesche_basicrat.yara | 🟩 Possible |
| malware_windows_apt_red_leaves_generic.yara | 🟨 Still possible but requires a lot of effort |
| malware_windows_pony_stealer.yara | 🟩 Possible |
| malware_windows_remcos_rat.yara | 🟨 Still possible but requires a lot of effort |
| malware_windows_t3ntman_crunchrat.yara | 🟩 Possible |
| malware_windows_xrat_quasarrat.yara | 🟨 Still possible but requires a lot of effort |
| ransomware_windows_HDDCryptorA.yara | 🟨 Still possible but requires a lot of effort |
| ransomware_windows_cerber_evasion.yara | 🟩 Possible |
| ransomware_windows_cryptolocker.yara | 🟨 Still possible but requires a lot of effort |
| ransomware_windows_hydracrypt.yara | 🟩 Possible |
| ransomware_windows_lazarus_wannacry.yara | 🟥 Impossible |
| ransomware_windows_petya_variant_1.yara | 🟩 Possible |
| ransomware_windows_petya_variant_2.yara | 🟨 Still possible but requires a lot of effort |
| ransomware_windows_petya_variant_3.yara | 🟩 Possible |
| ransomware_windows_petya_variant_bitcoin.yara | 🟩 Possible |
| ransomware_windows_powerware_locky.yara | 🟩 Possible |
| ransomware_windows_wannacry.yara | 🟩 Possible |
| ransomware_windows_zcrypt.yara | 🟩 Possible |


@ -1,25 +1,25 @@
id: malware_aar id: aar-malware
info: info:
name: AAR Malware Detector name: AAR Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "Hashtable" - "Hashtable"
- "get_IsDisposed" - "get_IsDisposed"
- "TripleDES" - "TripleDES"
- "testmemory.FRMMain.resources" - "testmemory.FRMMain.resources"
- "$this.Icon" - "$this.Icon"
- "{11111-22222-20001-00001}" - "{11111-22222-20001-00001}"
- "@@@@@" - "@@@@@"
condition: and condition: and


@ -1,102 +1,110 @@
id: malware_adzok id: adzok-malware
info: info:
name: Adzok Malware Detector name: Adzok Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Adzok.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Adzok.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: or matchers-condition: or
matchers: matchers:
- type: word - type: word
words: part: raw
- "key.classPK" words:
- "svd$1.classPK" - "key.classPK"
- "svd$2.classPK" - "svd$1.classPK"
- "Mensaje.classPK" - "svd$2.classPK"
- "inic$ShutdownHook.class" - "Mensaje.classPK"
- "Uninstall.jarPK" - "inic$ShutdownHook.class"
- "resources/icono.pngPK" - "Uninstall.jarPK"
condition: and - "resources/icono.pngPK"
condition: and
- type: word
words: - type: word
- "config.xmlPK" part: raw
- "svd$1.classPK" words:
- "svd$2.classPK" - "config.xmlPK"
- "Mensaje.classPK" - "svd$1.classPK"
- "inic$ShutdownHook.class" - "svd$2.classPK"
- "Uninstall.jarPK" - "Mensaje.classPK"
- "resources/icono.pngPK" - "inic$ShutdownHook.class"
condition: and - "Uninstall.jarPK"
- "resources/icono.pngPK"
- type: word condition: and
words:
- "config.xmlPK" - type: word
- "key.classPK" part: raw
- "svd$1.classPK" words:
- "Mensaje.classPK" - "config.xmlPK"
- "inic$ShutdownHook.class" - "key.classPK"
- "Uninstall.jarPK" - "svd$1.classPK"
- "resources/icono.pngPK" - "Mensaje.classPK"
condition: and - "inic$ShutdownHook.class"
- "Uninstall.jarPK"
- type: word - "resources/icono.pngPK"
words: condition: and
- "config.xmlPK"
- "key.classPK" - type: word
- "svd$2.classPK" part: raw
- "Mensaje.classPK" words:
- "inic$ShutdownHook.class" - "config.xmlPK"
- "Uninstall.jarPK" - "key.classPK"
- "resources/icono.pngPK" - "svd$2.classPK"
condition: and - "Mensaje.classPK"
- "inic$ShutdownHook.class"
- type: word - "Uninstall.jarPK"
words: - "resources/icono.pngPK"
- "config.xmlPK" condition: and
- "key.classPK"
- "svd$1.classPK" - type: word
- "svd$2.classPK" part: raw
- "inic$ShutdownHook.class" words:
- "Uninstall.jarPK" - "config.xmlPK"
- "resources/icono.pngPK" - "key.classPK"
condition: and - "svd$1.classPK"
- "svd$2.classPK"
- type: word - "inic$ShutdownHook.class"
words: - "Uninstall.jarPK"
- "config.xmlPK" - "resources/icono.pngPK"
- "key.classPK" condition: and
- "svd$1.classPK"
- "svd$2.classPK" - type: word
- "Mensaje.classPK" part: raw
- "Uninstall.jarPK" words:
- "resources/icono.pngPK" - "config.xmlPK"
condition: and - "key.classPK"
- "svd$1.classPK"
- type: word - "svd$2.classPK"
words: - "Mensaje.classPK"
- "config.xmlPK" - "Uninstall.jarPK"
- "key.classPK" - "resources/icono.pngPK"
- "svd$1.classPK" condition: and
- "svd$2.classPK"
- "Mensaje.classPK" - type: word
- "inic$ShutdownHook.class" part: raw
- "Uninstall.jarPK" words:
condition: and - "config.xmlPK"
- "key.classPK"
- type: word - "svd$1.classPK"
words: - "svd$2.classPK"
- "config.xmlPK" - "Mensaje.classPK"
- "key.classPK" - "inic$ShutdownHook.class"
- "svd$1.classPK" - "Uninstall.jarPK"
- "svd$2.classPK" condition: and
- "Mensaje.classPK"
- "inic$ShutdownHook.class" - type: word
- "resources/icono.pngPK" part: raw
words:
- "config.xmlPK"
- "key.classPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "resources/icono.pngPK"
condition: and condition: and


@ -1,20 +1,19 @@
id: malware_alfa id: alfa-malware
info: info:
name: Alfa Malware Detector name: Alfa Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: binary
- type: binary binary:
binary: - "8B0C9781E1FFFF000081F919040000740F81F9"
- "8B0C9781E1FFFF000081F919040000740F81F9" - "220400007407423BD07CE2EB02"
- "220400007407423BD07CE2EB02" condition: and
condition: and


@ -1,25 +1,25 @@
id: malware_alienspy id: alienspy-malware
info: info:
name: AlienSpy Malware Detector name: AlienSpy Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "META-INF/MANIFEST.MF" - "META-INF/MANIFEST.MF"
- "ePK" - "ePK"
- "kPK" - "kPK"
- "config.ini" - "config.ini"
- "password.ini" - "password.ini"
- "stub/stub.dll" - "stub/stub.dll"
- "c.dat" - "c.dat"
condition: and condition: and


@ -1,21 +1,21 @@
id: malware_alina id: alina-malware
info: info:
name: Alina Malware Detector name: Alina Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Alina.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Alina.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- 'Alina v1.0' - 'Alina v1.0'
- 'POST' - 'POST'
- '1[0-2])[0-9]' - '1[0-2])[0-9]'
condition: and condition: and


@ -1,17 +1,17 @@
id: malware_alpha id: alpha-malware
info: info:
name: Alpha Malware Detector name: Alpha Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers: matchers:
- type: binary - type: binary
binary: binary:
- "520065006100640020004D0065002000280048006F00770020004400650063" - "520065006100640020004D0065002000280048006F00770020004400650063"


@ -1,22 +1,23 @@
id: malware_andromeda id: andromeda-malware
info: info:
name: Andromeda Malware Detector name: Andromeda Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Andromeda.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Andromeda.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
words: part: raw
- 'hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst' words:
- 'hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst'
- type: binary
binary: - type: binary
binary:
- "1C1C1D03494746" - "1C1C1D03494746"
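Review bot: The single-quoted word `'hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst'` keeps both backslashes, because YAML single quotes do not process escapes, so the matcher searches the file for a doubled-backslash string. If the referenced YARA string is meant to contain single backslashes (YARA text strings use C-style escapes), the literal should be double-quoted so YAML unescapes it, the way the bandook-malware template already does with `"%s\\system32\\drivers\\blogs\\*"`. The same question applies to the single-quoted `'\\files\\'` in arkei-malware, to `'%s\\%s\\%s.exe'` and `'\\Internet Explorer\\iexplore.exe'` in dexter-malware, and to the `\x12` sequences in ezcob-malware, where single quotes leave `\x12` as four literal characters rather than the byte 0x12. Worth confirming against the source rules before changing, since a mismatch here means the word matcher can never fire on the intended content.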


@ -1,24 +1,24 @@
id: malware_ap0calypse id: ap0calypse-malware
info: info:
name: Ap0calypse Malware Detector name: Ap0calypse Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "Ap0calypse" - "Ap0calypse"
- "Sifre" - "Sifre"
- "MsgGoster" - "MsgGoster"
- "Baslik" - "Baslik"
- "Dosyalars" - "Dosyalars"
- "Injecsiyon" - "Injecsiyon"
condition: and condition: and


@ -1,27 +1,28 @@
id: malware_arcom id: arcom-malware
info: info:
name: Arcom Malware Detector name: Arcom Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
words: part: raw
- "CVu3388fnek3W(3ij3fkp0930di" words:
- "ZINGAWI2" - "CVu3388fnek3W(3ij3fkp0930di"
- "clWebLightGoldenrodYellow" - "ZINGAWI2"
- "Ancestor for '%s' not found" - "clWebLightGoldenrodYellow"
- "Control-C hit" - "Ancestor for '%s' not found"
condition: and - "Control-C hit"
condition: and
- type: binary
binary: - type: binary
binary:
- "A3242521" - "A3242521"


@ -1,23 +1,23 @@
id: malware_arkei id: arkei-malware
info: info:
name: Arkei Malware Detector name: Arkei Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Arkei.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Arkei.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- 'Arkei' - 'Arkei'
- '/server/gate' - '/server/gate'
- '/server/grubConfig' - '/server/grubConfig'
- '\\files\\' - '\\files\\'
- 'SQLite' - 'SQLite'
condition: and condition: and


@ -1,21 +1,21 @@
id: malware_backoff id: backoff-malware
info: info:
name: Backoff Malware Detector name: Backoff Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Backoff.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Backoff.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- '&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s' - '&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s'
- '%s @ %s' - '%s @ %s'
- 'Upload KeyLogs' - 'Upload KeyLogs'
condition: and condition: and


@ -1,28 +1,28 @@
id: malware_bandook id: bandook-malware
info: info:
name: Bandook Malware Detector name: Bandook Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "aaaaaa1|" - "aaaaaa1|"
- "aaaaaa2|" - "aaaaaa2|"
- "aaaaaa3|" - "aaaaaa3|"
- "aaaaaa4|" - "aaaaaa4|"
- "aaaaaa5|" - "aaaaaa5|"
- "%s%d.exe" - "%s%d.exe"
- "astalavista" - "astalavista"
- "givemecache" - "givemecache"
- "%s\\system32\\drivers\\blogs\\*" - "%s\\system32\\drivers\\blogs\\*"
- "bndk13me" - "bndk13me"
condition: and condition: and


@ -1,23 +1,23 @@
id: malware_blacknix id: blacknix-malware
info: info:
name: BlackNix Malware Detector name: BlackNix Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "SETTINGS" - "SETTINGS"
- "Mark Adler" - "Mark Adler"
- "Random-Number-Here" - "Random-Number-Here"
- "RemoteShell" - "RemoteShell"
- "SystemInfo" - "SystemInfo"
condition: and condition: and


@ -1,29 +1,29 @@
id: malware_blackworm id: blackworm-malware
info: info:
name: Blackworm Malware Detector name: Blackworm Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_BlackWorm.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_BlackWorm.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- 'm_ComputerObjectProvider' - 'm_ComputerObjectProvider'
- 'MyWebServices' - 'MyWebServices'
- 'get_ExecutablePath' - 'get_ExecutablePath'
- 'get_WebServices' - 'get_WebServices'
- 'My.WebServices' - 'My.WebServices'
- 'My.User' - 'My.User'
- 'm_UserObjectProvider' - 'm_UserObjectProvider'
- 'DelegateCallback' - 'DelegateCallback'
- 'TargetMethod' - 'TargetMethod'
- '000004b0' - '000004b0'
- 'Microsoft Corporation' - 'Microsoft Corporation'
condition: and condition: and


@ -1,24 +1,24 @@
id: malware_bluebanana id: bluebanana-malware
info: info:
name: BlueBanana Malware Detector name: BlueBanana Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "META-INF" - "META-INF"
- "config.txt" - "config.txt"
- "a/a/a/a/f.class" - "a/a/a/a/f.class"
- "a/a/a/a/l.class" - "a/a/a/a/l.class"
- "a/a/a/b/q.class" - "a/a/a/b/q.class"
- "a/a/a/b/v.class" - "a/a/a/b/v.class"
condition: and condition: and


@ -1,24 +1,24 @@
id: malware_bozok id: bozok-malware
info: info:
name: Bozok Malware Detector name: Bozok Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Bozok.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Bozok.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "getVer" - "getVer"
- "StartVNC" - "StartVNC"
- "SendCamList" - "SendCamList"
- "untPlugin" - "untPlugin"
- "gethostbyname" - "gethostbyname"
condition: and condition: and
case-insensitive: true case-insensitive: true


@ -1,20 +1,19 @@
id: malware_bublik id: bublik-malware
info: info:
name: Bublik Malware Detector name: Bublik Malware Detector
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Bublik.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Bublik.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: binary
- type: binary binary:
binary: - '636F6E736F6C6173'
- '636F6E736F6C6173' - '636C556E00696E666F2E696E69'
- '636C556E00696E666F2E696E69'
condition: and condition: and
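Review bot: The `name` field was left as `Bublik Malware Detector` while every other template in this commit is renamed to the `<Family> Malware - Detect` form, so the rename is incomplete here. Suggest `name: Bublik Malware - Detect` to match the new id `bublik-malware` and the rest of the set.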


@ -1,35 +1,38 @@
id: malware_cap_hookexkeylogger id: cap-hookexkeylogger-malware
info: info:
name: CAP HookExKeylogger Malware Detector name: CAP HookExKeylogger Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_CAP_HookExKeylogger.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_CAP_HookExKeylogger.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: or matchers-condition: or
matchers: matchers:
- type: word - type: word
words: part: raw
- "SetWindowsHookEx" words:
- "WH_KEYBOARD_LL" - "SetWindowsHookEx"
condition: and - "WH_KEYBOARD_LL"
case-insensitive: true condition: and
case-insensitive: true
- type: word
words: - type: word
- "SetWindowsHookEx" part: raw
- "WH_KEYBOARD" words:
condition: and - "SetWindowsHookEx"
case-insensitive: true - "WH_KEYBOARD"
condition: and
- type: word case-insensitive: true
words:
- "WH_KEYBOARD" - type: word
- "WH_KEYBOARD_LL" part: raw
condition: and words:
- "WH_KEYBOARD"
- "WH_KEYBOARD_LL"
condition: and
case-insensitive: true case-insensitive: true
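Review bot: The third matcher requires both `WH_KEYBOARD` and `WH_KEYBOARD_LL`, but the word matcher is a substring check and `WH_KEYBOARD` is contained in `WH_KEYBOARD_LL`, so that matcher is satisfied by `WH_KEYBOARD_LL` alone; with `matchers-condition: or` the template therefore flags any file that merely references that constant, which includes legitimate hotkey and accessibility software. The same overlap makes the second matcher a superset of the first. If this is a deliberate mirror of the source rule's "2 of them" logic, a comment saying so would help the next reviewer; otherwise consider requiring `SetWindowsHookEx` in every branch to keep the detection tied to an actual hook installation.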


@ -1,26 +1,28 @@
id: malware_cerberus id: cerberus-malware
info: info:
name: Cerberus Malware Detector name: Cerberus Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Cerberus.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Cerberus.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: or matchers-condition: or
matchers: matchers:
- type: word - type: word
words: part: raw
- "Ypmw1Syv023QZD" words:
- "wZ2pla" - "Ypmw1Syv023QZD"
- "wBmpf3Pb7RJe" - "wZ2pla"
condition: or - "wBmpf3Pb7RJe"
condition: or
- type: word
words: - type: word
- "cerberus" part: raw
case-insensitive: true words:
- "cerberus"
case-insensitive: true
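Review bot: The second matcher is a standalone `or` branch consisting of the single case-insensitive word `cerberus`, so any file containing that word in any casing is reported as this RAT, which is a noisy signal given how common the name is in legitimate software and documentation. If the source rule really treats the bare name as sufficient, a comment documenting that expected false-positive rate would be useful; otherwise consider folding the name into the first matcher so it has to co-occur with one of the opaque strings.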


@ -1,28 +1,29 @@
id: malware_clientmesh id: clientmesh-malware
info: info:
name: ClientMesh Malware Detector name: ClientMesh Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
words: part: raw
- "machinedetails" words:
- "MySettings" - "machinedetails"
- "sendftppasswords" - "MySettings"
- "sendbrowserpasswords" - "sendftppasswords"
- "arma2keyMass" - "sendbrowserpasswords"
- "keylogger" - "arma2keyMass"
condition: and - "keylogger"
condition: and
- type: binary
binary: - type: binary
binary:
- "0000000000000000007E" - "0000000000000000007E"


@ -1,23 +1,23 @@
id: malware_crimson id: crimson-malware
info: info:
name: Crimson Malware Detector name: Crimson Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Crimson.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Crimson.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "com/crimson/PK" - "com/crimson/PK"
- "com/crimson/bootstrapJar/PK" - "com/crimson/bootstrapJar/PK"
- "com/crimson/permaJarMulti/PermaJarReporter$1.classPK" - "com/crimson/permaJarMulti/PermaJarReporter$1.classPK"
- "com/crimson/universal/containers/KeyloggerLog.classPK" - "com/crimson/universal/containers/KeyloggerLog.classPK"
- "com/crimson/universal/UploadTransfer.classPK" - "com/crimson/universal/UploadTransfer.classPK"
condition: and condition: and


@ -1,20 +1,19 @@
id: malware_cryptxxx_dropper id: cryptxxx-dropper-malware
info: info:
name: CryptXXX Dropper Malware Detector name: CryptXXX Dropper Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: binary
- type: binary #Dropper binary:
binary: - "50653157584346765962486F35"
- "50653157584346765962486F35" - "43003A005C0042004900450052005C0051006D006B004E0052004C00460000"
- "43003A005C0042004900450052005C0051006D006B004E0052004C00460000"
condition: and condition: and
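Review bot: The new side drops the inline comments that labelled the opaque byte patterns, here `#Dropper` on the binary matcher, and the same happens in cxpid-malware (`#cxpidStrings`, `#cxpidCode`), ddostf-malware (`#TCP_KEEPINTVL`, `#TCP_KEEPCNT`), dmalocker-malware (`#v4`) and doublepulsar-malware (`#xor`, `#dll`). Those comments were the only documentation of what each hex sequence represents; without them a maintainer has to decode the bytes by hand to review or tune a matcher. Suggest restoring them as trailing comments with two spaces before the hash, e.g. `- 'E8AEBEE7BDAE5443505F4B454550494E54564CE99499E8AFAFEFBC9A00'  # TCP_KEEPINTVL`.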


@ -1,43 +1,42 @@
id: malware_cryptxxx id: cryptxxx-malware
info: info:
name: CryptXXX Malware Detector name: CryptXXX Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: binary
- type: binary binary:
binary: - "525947404A41595D52000000FFFFFFFF"
- "525947404A41595D52000000FFFFFFFF" - "0600000052594740405A0000FFFFFFFF"
- "0600000052594740405A0000FFFFFFFF" - "0A000000525C4B4D574D424B5C520000"
- "0A000000525C4B4D574D424B5C520000" - "FFFFFFFF0A000000525D575D5A4B4370"
- "FFFFFFFF0A000000525D575D5A4B4370" - "3F520000FFFFFFFF06000000524C4141"
- "3F520000FFFFFFFF06000000524C4141" - "5A520000FFFFFFFF0A000000525C4B4D"
- "5A520000FFFFFFFF0A000000525C4B4D" - "41584B5C57520000FFFFFFFF0E000000"
- "41584B5C57520000FFFFFFFF0E000000" - "522A5C4B4D574D424B204C4740520000"
- "522A5C4B4D574D424B204C4740520000" - "FFFFFFFF0A000000525E4B5C48424149"
- "FFFFFFFF0A000000525E4B5C48424149" - "5D520000FFFFFFFF05000000524B4847"
- "5D520000FFFFFFFF05000000524B4847" - "52000000FFFFFFFF0C000000524D4140"
- "52000000FFFFFFFF0C000000524D4140" - "48474920435D475200000000FFFFFFFF"
- "48474920435D475200000000FFFFFFFF" - "0A000000525E5C41495C4F703F520000"
- "0A000000525E5C41495C4F703F520000" - "FFFFFFFF0A000000525E5C41495C4F70"
- "FFFFFFFF0A000000525E5C41495C4F70" - "3C520000FFFFFFFF0800000052494141"
- "3C520000FFFFFFFF0800000052494141" - "49424B5200000000FFFFFFFF06000000"
- "49424B5200000000FFFFFFFF06000000" - "525A4B435E520000FFFFFFFF08000000"
- "525A4B435E520000FFFFFFFF08000000" - "52483A4C4D703F5200000000FFFFFFFF"
- "52483A4C4D703F5200000000FFFFFFFF" - "0A000000524F42425B5D4B703F520000"
- "0A000000524F42425B5D4B703F520000" - "FFFFFFFF0A000000525E5C41495C4F70"
- "FFFFFFFF0A000000525E5C41495C4F70" - "3F520000FFFFFFFF0A000000525E5C41"
- "3F520000FFFFFFFF0A000000525E5C41" - "495C4F703C520000FFFFFFFF09000000"
- "495C4F703C520000FFFFFFFF09000000" - "524F5E5E4A4F5A4F52000000FFFFFFFF"
- "524F5E5E4A4F5A4F52000000FFFFFFFF" - "0A000000525E5C41495C4F703D520000"
- "0A000000525E5C41495C4F703D520000" - "FFFFFFFF08000000525E5B4C42474D52"
- "FFFFFFFF08000000525E5B4C42474D52"
condition: and condition: and


@ -1,26 +1,27 @@
id: malware_cxpid id: cxpid-malware
info: info:
name: Cxpid Malware Detector name: Cxpid Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cxpid.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cxpid.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: or matchers-condition: or
matchers: matchers:
- type: word #cxpidStrings - type: word
words: part: raw
- '/cxpid/submit.php?SessionID=' words:
- '/cxgid/' - '/cxpid/submit.php?SessionID='
- 'E21BC52BEA2FEF26D005CF' - '/cxgid/'
- 'E21BC52BEA39E435C40CD8' - 'E21BC52BEA2FEF26D005CF'
- ' -,L-,O+,Q-,R-,Y-,S-' - 'E21BC52BEA39E435C40CD8'
- ' -,L-,O+,Q-,R-,Y-,S-'
- type: binary #cxpidCode
binary: - type: binary
binary:
- "558BECB9380400006A006A004975F9" - "558BECB9380400006A006A004975F9"


@ -1,18 +1,18 @@
id: malware_cythosia id: cythosia-malware
info: info:
name: Cythosia Malware Detector name: Cythosia Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cythosia.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cythosia.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- 'HarvesterSocksBot.Properties.Resources' - 'HarvesterSocksBot.Properties.Resources'


@ -1,25 +1,25 @@
id: malware_darkrat id: darkrat-malware
info: info:
name: DarkRAT Malware Detector name: DarkRAT Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "@1906dark1996coder@" - "@1906dark1996coder@"
- "SHEmptyRecycleBinA" - "SHEmptyRecycleBinA"
- "mciSendStringA" - "mciSendStringA"
- "add_Shutdown" - "add_Shutdown"
- "get_SaveMySettingsOnExit" - "get_SaveMySettingsOnExit"
- "get_SpecialDirectories" - "get_SpecialDirectories"
- "Client.My" - "Client.My"
condition: and condition: and


@ -1,29 +1,30 @@
id: malware_ddostf id: ddostf-malware
info: info:
name: DDoSTf Malware Detector name: DDoSTf Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: reference:
- http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html - http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DDoSTf.yar - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DDoSTf.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
words: part: raw
- 'ddos.tf' words:
- 'Accept-Language: zh' - 'ddos.tf'
- '%d Kb/bps|%d%%' - 'Accept-Language: zh'
condition: and - '%d Kb/bps|%d%%'
condition: and
- type: binary
binary: - type: binary
- 'E8AEBEE7BDAE5443505F4B454550494E54564CE99499E8AFAFEFBC9A00' #TCP_KEEPINTVL binary:
- 'E8AEBEE7BDAE5443505F4B454550434E54E99499E8AFAFEFBC9A00' #TCP_KEEPCNT - 'E8AEBEE7BDAE5443505F4B454550494E54564CE99499E8AFAFEFBC9A00'
- 'E8AEBEE7BDAE5443505F4B454550434E54E99499E8AFAFEFBC9A00'
condition: and condition: and


@ -1,25 +1,25 @@
id: malware_derkziel id: derkziel-malware
info: info:
name: Derkziel Malware Detector name: Derkziel Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: reference:
- https://bhf.su/threads/137898/ - https://bhf.su/threads/137898/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Derkziel.yar - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Derkziel.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- '{!}DRZ{!}' - '{!}DRZ{!}'
- 'User-Agent: Uploador' - 'User-Agent: Uploador'
- 'SteamAppData.vdf' - 'SteamAppData.vdf'
- 'loginusers.vdf' - 'loginusers.vdf'
- 'config.vdf' - 'config.vdf'
condition: and condition: and


@ -1,24 +1,24 @@
id: malware_dexter id: dexter-malware
info: info:
name: Dexter Malware Detector name: Dexter Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Dexter.yar - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Dexter.yar
- http://goo.gl/oBvy8b - http://goo.gl/oBvy8b
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- 'Java Security Plugin' - 'Java Security Plugin'
- '%s\\%s\\%s.exe' - '%s\\%s\\%s.exe'
- 'Sun Java Security Plugin' - 'Sun Java Security Plugin'
- '\\Internet Explorer\\iexplore.exe' - '\\Internet Explorer\\iexplore.exe'
condition: and condition: and


@ -1,24 +1,24 @@
id: malware_diamondfox id: diamondfox-malware
info: info:
name: DiamondFox Malware Detector name: DiamondFox Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DiamondFox.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DiamondFox.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- 'UPDATE_B' - 'UPDATE_B'
- 'UNISTALL_B' - 'UNISTALL_B'
- 'S_PROTECT' - 'S_PROTECT'
- 'P_WALLET' - 'P_WALLET'
- 'GR_COMMAND' - 'GR_COMMAND'
- 'FTPUPLOAD' - 'FTPUPLOAD'
condition: and condition: and


@ -1,21 +1,22 @@
id: malware_dmalocker id: dmalocker-malware
info: info:
name: DMA Locker Malware Detector name: DMA Locker Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DMALocker.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DMALocker.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers: matchers:
- type: binary - type: binary
binary: binary:
- "41424358595a3131" - "41424358595a3131"
- "21444d414c4f434b" - "21444d414c4f434b"
- "21444d414c4f434b332e30" - "21444d414c4f434b332e30"
- "3F520000FFFFFFFF06000000524C4141" - "3F520000FFFFFFFF06000000524C4141"
- "21444d414c4f434b342e30" #v4 - "21444d414c4f434b342e30"
condition: or
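Review bot: The entry `3F520000FFFFFFFF06000000524C4141` does not appear to belong to this template: it is one of the byte sequences listed in cryptxxx-malware, it is the only upper-case entry in this list, and the other four entries decode to the ASCII markers `ABCXYZ11`, `!DMALOCK`, `!DMALOCK3.0` and `!DMALOCK4.0`. With `condition: or` now explicit, that single pattern is enough for a CryptXXX sample to be reported as DMA Locker, so the hit would be misattributed. Presumably a copy-paste carry-over; confirm against the referenced RANSOM_DMALocker.yar and drop the line if it is not there.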


@ -1,18 +1,19 @@
id: malware_doublepulsar id: doublepulsar-malware
info: info:
name: DoublePulsar Malware Detector name: DoublePulsar Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DoublePulsar_Petya.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DoublePulsar_Petya.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers: matchers:
- type: binary - type: binary
binary: binary:
- "FD0C8C5CB8C424C5CCCCCC0EE8CC246BCCCCCC0F24CDCCCCCC275C9775BACDCCCCC3FE" #xor - "FD0C8C5CB8C424C5CCCCCC0EE8CC246BCCCCCC0F24CDCCCCCC275C9775BACDCCCCC3FE"
- "45208D938D928D918D90929391970F9F9E9D99844529844D20CCCDCCCC9B844503844514844549CC3333332477CCCCCC844549C43333332484CDCCCC844549DC333333844749CC333333844741" #dll - "45208D938D928D918D90929391970F9F9E9D99844529844D20CCCDCCCC9B844503844514844549CC3333332477CCCCCC844549C43333332484CDCCCC844549DC333333844749CC333333844741"
condition: or


@ -1,17 +1,18 @@
id: malware_eicar id: eicar-malware
info: info:
name: Eicar Malware Detector name: Eicar Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Eicar.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Eicar.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers: matchers:
- type: word - type: word
words: part: raw
words:
- "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" - "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@ -1,20 +1,20 @@
id: malware_erebus id: erebus-malware
info: info:
name: Erebus Malware Detector name: Erebus Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Erebus.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Erebus.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "/{5f58d6f0-bb9c-46e2-a4da-8ebc746f24a5}//log.log" - "/{5f58d6f0-bb9c-46e2-a4da-8ebc746f24a5}//log.log"
- "EREBUS IS BEST." - "EREBUS IS BEST."
condition: and condition: and


@ -1,21 +1,23 @@
id: malware_ezcob id: ezcob-malware
info: info:
name: Ezcob Malware Detector name: Ezcob Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Ezcob.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Ezcob.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers: matchers:
- type: word - type: word
words: part: raw
- '\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12' words:
- '\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12' - '\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12'
- 'Ezcob' - '\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12'
- 'l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126' - 'Ezcob'
- '20110113144935' - 'l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126'
- '20110113144935'
condition: or
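Review bot: The four escaped words in this matcher are single-quoted, so YAML keeps `\x12` as the literal characters backslash, x, 1, 2 rather than the 0x12 byte that the escape denotes in the referenced MALW_Ezcob.yar, and the word matcher ends up searching for text that never appears in a sample. Either double-quote them so YAML decodes the escape, e.g. `- "\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12"`, or, more robustly, move these byte patterns into a `type: binary` matcher with hex strings as the other templates in this commit do. The plain words `Ezcob` and `20110113144935` are unaffected.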


@ -1,30 +1,31 @@
id: malware_fudcrypt id: fudcrypt-malware
info: info:
name: FUDCrypt Malware Detector name: FUDCrypt Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: reference:
- https://github.com/gigajew/FudCrypt/ - https://github.com/gigajew/FudCrypt/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_FUDCrypt.yar - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_FUDCrypt.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers: matchers:
- type: word - type: word
words: part: raw
- 'OcYjzPUtJkNbLOABqYvNbvhZf' words:
- 'gwiXxyIDDtoYzgMSRGMckRbJi' - 'OcYjzPUtJkNbLOABqYvNbvhZf'
- 'BclWgISTcaGjnwrzSCIuKruKm' - 'gwiXxyIDDtoYzgMSRGMckRbJi'
- 'CJyUSiUNrIVbgksjxpAMUkAJJ' - 'BclWgISTcaGjnwrzSCIuKruKm'
- 'fAMVdoPUEyHEWdxQIEJPRYbEN' - 'CJyUSiUNrIVbgksjxpAMUkAJJ'
- 'CIGQUctdcUPqUjoucmcoffECY' - 'fAMVdoPUEyHEWdxQIEJPRYbEN'
- 'wcZfHOgetgAExzSoWFJFQdAyO' - 'CIGQUctdcUPqUjoucmcoffECY'
- 'DqYKDnIoLeZDWYlQWoxZnpfPR' - 'wcZfHOgetgAExzSoWFJFQdAyO'
- 'MkhMoOHCbGUMqtnRDJKnBYnOj' - 'DqYKDnIoLeZDWYlQWoxZnpfPR'
- 'sHEqLMGglkBAOIUfcSAgMvZfs' - 'MkhMoOHCbGUMqtnRDJKnBYnOj'
- 'JtZApJhbFAIFxzHLjjyEQvtgd' - 'sHEqLMGglkBAOIUfcSAgMvZfs'
- 'JtZApJhbFAIFxzHLjjyEQvtgd'
- 'IIQrSWZEMmoQIKGuxxwoTwXka' - 'IIQrSWZEMmoQIKGuxxwoTwXka'
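Review bot: This word matcher carries no `condition:` and therefore relies on nuclei's implicit default (or, as far as I recall), whereas ezcob-malware in the same commit spells out `condition: or` for the same situation; linux-tsunami-malware has the same omission. Add `condition: or` after the last word in both so the intended any-of semantics is visible and does not depend on the default.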


@ -1,22 +1,22 @@
id: malware_gafgyt_bash id: gafgyt-bash-malware
info: info:
name: Gafgyt Malware Detector name: Gafgyt Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- 'PONG!' - 'PONG!'
- 'GETLOCALIP' - 'GETLOCALIP'
- 'HTTPFLOOD' - 'HTTPFLOOD'
- 'LUCKYLILDUDE' - 'LUCKYLILDUDE'
condition: and condition: and
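Review bot: `name: Gafgyt Malware - Detect` is identical in this template and in gafgyt-generic, gafgyt-hihi, gafgyt-hoho and gafgyt-jackmy, so a hit cannot be told apart by name, only by id; gafgyt-oh already uses the distinguishing form `Gafgyt Oh Malware - Detect`. Apply the same pattern here, `name: Gafgyt Bash Malware - Detect`, and in the other four (Generic, Hihi, Hoho, Jackmy).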


@ -1,22 +1,22 @@
id: malware_gafgyt_generic id: gafgyt-generic-malware
info: info:
name: Gafgyt Malware Detector name: Gafgyt Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "/bin/busybox;echo -e 'gayfgt'" - "/bin/busybox;echo -e 'gayfgt'"
- '/proc/net/route' - '/proc/net/route'
- 'admin' - 'admin'
- 'root' - 'root'
condition: and condition: and


@ -1,24 +1,24 @@
id: malware_gafgyt_hihi id: gafgyt-hihi-malware
info: info:
name: Gafgyt Malware Detector name: Gafgyt Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- 'PING' - 'PING'
- 'PONG' - 'PONG'
- 'TELNET LOGIN CRACKED - %s:%s:%s' - 'TELNET LOGIN CRACKED - %s:%s:%s'
- 'ADVANCEDBOT' - 'ADVANCEDBOT'
- '46.166.185.92' - '46.166.185.92'
- 'LOLNOGTFO' - 'LOLNOGTFO'
condition: and condition: and


@ -1,22 +1,22 @@
id: malware_gafgyt_hoho id: gafgyt-hoho-malware
info: info:
name: Gafgyt Malware Detector name: Gafgyt Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- 'PING' - 'PING'
- 'PRIVMSG' - 'PRIVMSG'
- 'Remote IRC Bot' - 'Remote IRC Bot'
- '23.95.43.182' - '23.95.43.182'
condition: and condition: and


@ -1,22 +1,22 @@
id: malware_gafgyt_jackmy id: gafgyt-jackmy-malware
info: info:
name: Gafgyt Malware Detector name: Gafgyt Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- 'PING' - 'PING'
- 'PONG' - 'PONG'
- 'jackmy' - 'jackmy'
- '203.134.%d.%d' - '203.134.%d.%d'
condition: and condition: and


@ -1,22 +1,22 @@
id: malware_gafgyt_oh id: gafgyt-oh-malware
info: info:
name: Gafgyt Malware Detector name: Gafgyt Oh Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- 'busyboxterrorist' - 'busyboxterrorist'
- 'BOGOMIPS' - 'BOGOMIPS'
- '124.105.97.%d' - '124.105.97.%d'
- 'fucknet' - 'fucknet'
condition: and condition: and


@ -1,21 +1,21 @@
id: malware_genome id: genome-malware
info: info:
name: Genome Malware Detector name: Genome Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Genome.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Genome.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- 'Attempting to create more than one keyboard::Monitor instance' - 'Attempting to create more than one keyboard::Monitor instance'
- '{Right windows}' - '{Right windows}'
- 'Access violation - no RTTI data!' - 'Access violation - no RTTI data!'
condition: and condition: and


@ -1,22 +1,22 @@
id: malware_glass id: glass-malware
info: info:
name: Glass Malware Detector name: Glass Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Glass.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Glass.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "PostQuitMessage" - "PostQuitMessage"
- "pwlfnn10,gzg" - "pwlfnn10,gzg"
- "update.dll" - "update.dll"
- "_winver" - "_winver"
condition: and condition: and


@ -1,29 +1,30 @@
id: malware_glasses id: glasses-malware
info: info:
name: Glasses Malware Detector name: Glasses Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: reference:
- https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/ - https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Glasses.yar - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Glasses.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word #GlassesStrings - type: word
words: part: raw
- 'thequickbrownfxjmpsvalzydg' words:
- 'Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)' - 'thequickbrownfxjmpsvalzydg'
- '" target="NewRef"></a>' - 'Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)'
condition: and - '" target="NewRef"></a>'
condition: and
- type: binary #GlassesCode
binary: - type: binary
- "B8ABAAAAAAF7E1D1EA8D04522BC8" binary:
- "B856555555F7E98B4C241C8BC2C1E81F03D0493BCA" - "B8ABAAAAAAF7E1D1EA8D04522BC8"
- "B856555555F7E98B4C241C8BC2C1E81F03D0493BCA"
condition: or condition: or
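Review bot: The new side drops the `#GlassesStrings` and `#GlassesCode` comments that tied each matcher to its upstream YARA rule name, and intel-virtualization-malware likewise loses `# Dynamic dll (malicious)` on its second binary matcher; those comments are the quickest way for a maintainer to map a hex blob back to the rule it was transcribed from. Restore them as inline comments, e.g. `- type: word  # GlassesStrings` and `- type: binary  # GlassesCode`.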


@ -1,19 +1,19 @@
id: malware_gozi id: gozi-malware
info: info:
name: Gozi Malware Detector name: Gozi Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: reference:
- https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html - https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gozi.yar - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gozi.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers: matchers:
- type: binary - type: binary
binary: binary:
- "63006F006F006B006900650073002E00730071006C006900740065002D006A006F00750072006E0061006C0000004F504552412E45584500" - "63006F006F006B006900650073002E00730071006C006900740065002D006A006F00750072006E0061006C0000004F504552412E45584500"


@ -1,22 +1,22 @@
id: malware_gpgqwerty id: gpgqwerty-malware
info: info:
name: GPGQwerty Malware Detector name: GPGQwerty Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_GPGQwerty.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_GPGQwerty.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "gpg.exe recipient qwerty -o" - "gpg.exe recipient qwerty -o"
- "%s%s.%d.qwerty" - "%s%s.%d.qwerty"
- "del /Q /F /S %s$recycle.bin" - "del /Q /F /S %s$recycle.bin"
- "cryz1@protonmail.com" - "cryz1@protonmail.com"
condition: and condition: and


@ -1,30 +1,31 @@
id: malware_greame id: greame-malware
info: info:
name: Greame Malware Detector name: Greame Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
words: part: raw
- "EditSvr" words:
- "TLoader" - "EditSvr"
- "Stroks" - "TLoader"
- "Avenger by NhT" - "Stroks"
- "####@####" - "Avenger by NhT"
- "GREAME" - "####@####"
condition: and - "GREAME"
condition: and
- type: binary
binary: - type: binary
- "232323234023232323E8EEE9F9232323234023232323" binary:
- "232323234023232323FAFDF0EFF9232323234023232323" - "232323234023232323E8EEE9F9232323234023232323"
- "232323234023232323FAFDF0EFF9232323234023232323"
condition: and condition: and


@ -1,19 +1,19 @@
id: malware_grozlex id: grozlex-malware
info: info:
name: Grozlex Malware Detector name: Grozlex Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: reference:
- https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html - https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Grozlex.yar - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Grozlex.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers: matchers:
- type: binary - type: binary
binary: binary:
- "4C006F00670073002000610074007400610063006800650064002000620079002000690043006F007A0065006E" - "4C006F00670073002000610074007400610063006800650064002000620079002000690043006F007A0065006E"


@ -1,27 +1,27 @@
id: malware_hawkeye id: hawkeye-malware
info: info:
name: HawkEye Malware Detector name: HawkEye Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "HawkEyeKeylogger" - "HawkEyeKeylogger"
- "099u787978786" - "099u787978786"
- "HawkEye_Keylogger" - "HawkEye_Keylogger"
- "holdermail.txt" - "holdermail.txt"
- "wallet.dat" - "wallet.dat"
- "Keylog Records" - "Keylog Records"
- "<!-- do not script -->" - "<!-- do not script -->"
- "\\pidloc.txt" - "\\pidloc.txt"
- "BSPLIT" - "BSPLIT"
condition: and condition: and


@ -1,35 +1,37 @@
id: malware_imminent id: imminent-malware
info: info:
name: Imminent Malware Detector name: Imminent Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: or matchers-condition: or
matchers: matchers:
- type: word - type: word
words: part: raw
- "DecodeProductKey" words:
- "StartHTTPFlood" - "DecodeProductKey"
- "CodeKey" - "StartHTTPFlood"
- "MESSAGEBOX" - "CodeKey"
- "GetFilezillaPasswords" - "MESSAGEBOX"
- "DataIn" - "GetFilezillaPasswords"
- "UDPzSockets" - "DataIn"
condition: and - "UDPzSockets"
condition: and
- type: word
words: - type: word
- "<URL>k__BackingField" part: raw
- "<RunHidden>k__BackingField" words:
- "DownloadAndExecute" - "<URL>k__BackingField"
- "england.png" - "<RunHidden>k__BackingField"
- "-CHECK & PING -n 2 127.0.0.1 & EXIT" - "DownloadAndExecute"
- "Showed Messagebox" - "england.png"
- "-CHECK & PING -n 2 127.0.0.1 & EXIT"
- "Showed Messagebox"
condition: and condition: and


@ -1,26 +1,26 @@
id: malware_infinity id: infinity-malware
info: info:
name: Infinity Malware Detector name: Infinity Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "CRYPTPROTECT_PROMPTSTRUCT" - "CRYPTPROTECT_PROMPTSTRUCT"
- "discomouse" - "discomouse"
- "GetDeepInfo" - "GetDeepInfo"
- "AES_Encrypt" - "AES_Encrypt"
- "StartUDPFlood" - "StartUDPFlood"
- "BATScripting" - "BATScripting"
- "FBqINhRdpgnqATxJ.html" - "FBqINhRdpgnqATxJ.html"
- "magic_key" - "magic_key"
condition: and condition: and


@ -1,27 +1,28 @@
id: malware_insta11 id: insta11-malware
info: info:
name: Insta11 Malware Detector name: Insta11 Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Install11.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Install11.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: or matchers-condition: or
matchers: matchers:
- type: word - type: word
words: part: raw
- 'XTALKER7' words:
- 'Insta11 Microsoft' - 'XTALKER7'
- 'wudMessage' - 'Insta11 Microsoft'
- 'ECD4FC4D-521C-11D0-B792-00A0C90312E1' - 'wudMessage'
- 'B12AE898-D056-4378-A844-6D393FE37956' - 'ECD4FC4D-521C-11D0-B792-00A0C90312E1'
condition: or - 'B12AE898-D056-4378-A844-6D393FE37956'
condition: or
- type: binary
binary: - type: binary
binary:
- 'E9000000006823040000' - 'E9000000006823040000'


@ -1,29 +1,29 @@
id: malware_intel_virtualization id: intel-virtualization-malware
info: info:
name: Intel Virtualization Malware Detector name: Intel Virtualization Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Intel_Virtualization.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Intel_Virtualization.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: binary - type: binary
binary: binary:
- '4C6F6164535452494E47' - '4C6F6164535452494E47'
- '496E697469616C697A654B6579486F6F6B' - '496E697469616C697A654B6579486F6F6B'
- '46696E645265736F7572636573' - '46696E645265736F7572636573'
- '4C6F6164535452494E4746726F6D484B4355' - '4C6F6164535452494E4746726F6D484B4355'
- '6863637574696C732E444C4C' - '6863637574696C732E444C4C'
condition: and condition: and
- type: binary # Dynamic dll (malicious) - type: binary
binary: binary:
- '483A5C466173745C506C756728686B636D64295C' - '483A5C466173745C506C756728686B636D64295C'
- '646C6C5C52656C656173655C48696A61636B446C6C2E706462' - '646C6C5C52656C656173655C48696A61636B446C6C2E706462'
condition: and condition: and


@ -1,27 +1,28 @@
id: malware_iotreaper id: iotreaper-malware
info: info:
name: IotReaper Malware Detector name: IotReaper Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_IotReaper.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_IotReaper.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: or matchers-condition: or
matchers: matchers:
- type: word - type: word
words: part: raw
- 'XTALKER7' words:
- 'Insta11 Microsoft' - 'XTALKER7'
- 'wudMessage' - 'Insta11 Microsoft'
- 'ECD4FC4D-521C-11D0-B792-00A0C90312E1' - 'wudMessage'
- 'B12AE898-D056-4378-A844-6D393FE37956' - 'ECD4FC4D-521C-11D0-B792-00A0C90312E1'
condition: or - 'B12AE898-D056-4378-A844-6D393FE37956'
condition: or
- type: binary
binary: - type: binary
binary:
- 'E9000000006823040000' - 'E9000000006823040000'
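Review bot: The indicators in this template are byte-for-byte those of insta11-malware (`XTALKER7`, `Insta11 Microsoft`, `wudMessage`, the two GUIDs and the `E9000000006823040000` binary), while the reference points at MALW_IotReaper.yar; this looks like an unfinished copy-paste, and as written it would label Insta11 samples as IotReaper. Replace the words and binary with the strings from the referenced IotReaper rule, or drop the template until that is done.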


@ -1,34 +1,37 @@
id: malware_linux_aesddos id: linux-aesddos-malware
info: info:
name: Linux AESDDOS Malware Detector name: Linux AESDDOS Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483 - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: or matchers-condition: or
matchers: matchers:
- type: word - type: word
words: part: raw
- "3AES" words:
- "Hacker" - "3AES"
condition: and - "Hacker"
condition: and
- type: word
words: - type: word
- "3AES" part: raw
- "VERSONEX" words:
condition: and - "3AES"
- "VERSONEX"
- type: word condition: and
words:
- "VERSONEX" - type: word
- "Hacker" part: raw
condition: and words:
- "VERSONEX"
- "Hacker"
condition: and


@ -1,22 +1,22 @@
id: malware_linux_billgates id: linux-billgates-malware
info: info:
name: Linux BillGates Malware Detector name: Linux BillGates Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429 - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "12CUpdateGates" - "12CUpdateGates"
- "11CUpdateBill" - "11CUpdateBill"
condition: and condition: and


@ -1,22 +1,22 @@
id: malware_linux_elknot id: linux-elknot-malware
info: info:
name: Linux Elknot Malware Detector name: Linux Elknot Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099 - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "ZN8CUtility7DeCryptEPciPKci" - "ZN8CUtility7DeCryptEPciPKci"
- "ZN13CThreadAttack5StartEP11CCmdMessage" - "ZN13CThreadAttack5StartEP11CCmdMessage"
condition: and condition: and


@ -1,22 +1,22 @@
id: malware_linux_mrblack id: linux-mrblack-malware
info: info:
name: Linux MrBlack Malware Detector name: Linux MrBlack Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483 - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "Mr.Black" - "Mr.Black"
- "VERS0NEX:%s|%d|%d|%s" - "VERS0NEX:%s|%d|%d|%s"
condition: and condition: and


@ -1,21 +1,22 @@
id: malware_linux_tsunami id: linux-tsunami-malware
info: info:
name: Linux Tsunami Malware Detector name: Linux Tsunami Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483 - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers: matchers:
- type: word - type: word
words: part: raw
- "PRIVMSG %s :[STD]Hitting %s" words:
- "NOTICE %s :TSUNAMI <target> <secs>" - "PRIVMSG %s :[STD]Hitting %s"
- "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually." - "NOTICE %s :TSUNAMI <target> <secs>"
- "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually."


@ -1,31 +1,31 @@
id: malware_locky id: locky-malware
info: info:
name: Locky Malware Detector name: Locky Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Locky.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Locky.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: or matchers-condition: or
matchers: matchers:
- type: binary - type: binary
binary: binary:
- "45b899f7f90faf45b88945b8" - "45b899f7f90faf45b88945b8"
- "2b0a0faf4df8894df8c745" - "2b0a0faf4df8894df8c745"
condition: and condition: and
- type: binary - type: binary
binary: binary:
- "2E006C006F0063006B00790000" - "2E006C006F0063006B00790000"
- "005F004C006F0063006B007900" - "005F004C006F0063006B007900"
- "5F007200650063006F00760065" - "5F007200650063006F00760065"
- "0072005F0069006E0073007400" - "0072005F0069006E0073007400"
- "720075006300740069006F006E" - "720075006300740069006F006E"
- "0073002E0074007800740000" - "0073002E0074007800740000"
- "536F6674776172655C4C6F636B7900" - "536F6674776172655C4C6F636B7900"
condition: and condition: and
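Review bot: The first binary matcher's hex strings are lowercase (`45b899f7f90faf45b88945b8`, `2b0a0faf4df8894df8c745`) while the second matcher and every other binary matcher in this commit use uppercase; the hex decoder most likely accepts both, but the mixed case is inconsistent and easy to miss when searching. Normalise to `- "45B899F7F90FAF45B88945B8"` and `- "2B0A0FAF4DF8894DF8C745"`.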


@ -1,31 +1,32 @@
id: malware_lostdoor id: lostdoor-malware
info: info:
name: LostDoor Malware Detector name: LostDoor Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
words: part: raw
- "*mlt* = %" words:
- "*ip* = %" - "*mlt* = %"
- "*victimo* = %" - "*ip* = %"
- "*name* = %" - "*victimo* = %"
- "[START]" - "*name* = %"
- "[DATA]" - "[START]"
- "We Control Your Digital World" - "[DATA]"
- "RC4Initialize" - "We Control Your Digital World"
- "RC4Decrypt" - "RC4Initialize"
condition: and - "RC4Decrypt"
condition: and
- type: binary
binary: - type: binary
binary:
- "0D0A2A454449545F5345525645522A0D0A" - "0D0A2A454449545F5345525645522A0D0A"


@ -1,29 +1,29 @@
id: malware_luminositylink id: luminositylink-malware
info: info:
name: LuminosityLink Malware Detector name: LuminosityLink Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "SMARTLOGS" - "SMARTLOGS"
- "RUNPE" - "RUNPE"
- "b.Resources" - "b.Resources"
- "CLIENTINFO*" - "CLIENTINFO*"
- "Invalid Webcam Driver Download URL, or Failed to Download File!" - "Invalid Webcam Driver Download URL, or Failed to Download File!"
- "Proactive Anti-Malware has been manually activated!" - "Proactive Anti-Malware has been manually activated!"
- "REMOVEGUARD" - "REMOVEGUARD"
- "C0n1f8" - "C0n1f8"
- "Luminosity" - "Luminosity"
- "LuminosityCryptoMiner" - "LuminosityCryptoMiner"
- "MANAGER*CLIENTDETAILS*" - "MANAGER*CLIENTDETAILS*"
condition: and condition: and


@ -1,24 +1,24 @@
id: malware_luxnet id: luxnet-malware
info: info:
name: LuxNet Malware Detector name: LuxNet Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "GetHashCode" - "GetHashCode"
- "Activator" - "Activator"
- "WebClient" - "WebClient"
- "op_Equality" - "op_Equality"
- "dickcursor.cur" - "dickcursor.cur"
- "{0}|{1}|{2}" - "{0}|{1}|{2}"
condition: and condition: and


@ -1,24 +1,24 @@
id: malware_macgyver_installer id: macgyver-installer-malware
info: info:
name: MacGyver.cap Installer Malware Detector name: MacGyver.cap Installer Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: reference:
- https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf - https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "delete -AID 315041592e5359532e4444463031" - "delete -AID 315041592e5359532e4444463031"
- "install -file MacGyver.cap -nvDataLimit 1000 -instParam 00 -priv 4" - "install -file MacGyver.cap -nvDataLimit 1000 -instParam 00 -priv 4"
- "-mac_key 404142434445464748494a4b4c4d4e4f" - "-mac_key 404142434445464748494a4b4c4d4e4f"
- "-enc_key 404142434445464748494a4b4c4d4e4f" - "-enc_key 404142434445464748494a4b4c4d4e4f"
condition: and condition: and


@ -1,27 +1,27 @@
id: malware_macgyver id: macgyver-malware
info: info:
name: MacGyver.cap Malware Detector name: MacGyver.cap Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: reference:
- https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf - https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "src/MacGyver/javacard/Header.cap" - "src/MacGyver/javacard/Header.cap"
- "src/MacGyver/javacard/Directory.cap" - "src/MacGyver/javacard/Directory.cap"
- "src/MacGyver/javacard/Applet.cap" - "src/MacGyver/javacard/Applet.cap"
- "src/MacGyver/javacard/Import.cap" - "src/MacGyver/javacard/Import.cap"
- "src/MacGyver/javacard/ConstantPool.cap" - "src/MacGyver/javacard/ConstantPool.cap"
- "src/MacGyver/javacard/Class.cap" - "src/MacGyver/javacard/Class.cap"
- "src/MacGyver/javacard/Method.cap" - "src/MacGyver/javacard/Method.cap"
condition: and condition: and


@ -1,28 +1,28 @@
id: malware_madness id: madness-malware
info: info:
name: Madness DDOS Malware Detector name: Madness DDOS Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: reference:
- https://github.com/arbor/yara/blob/master/madness.yara - https://github.com/arbor/yara/blob/master/madness.yara
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Madness.yar - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Madness.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE" - "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE"
- "TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ==" - "TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ=="
- "document.cookie=" - "document.cookie="
- "[\"cookie\",\"" - "[\"cookie\",\""
- "\"realauth=" - "\"realauth="
- "\"location\"];" - "\"location\"];"
- "d3Rm" - "d3Rm"
- "ZXhl" - "ZXhl"
condition: and condition: and


@ -1,18 +1,19 @@
id: malware_miner id: miner-malware
info: info:
name: Miner Malware Detector name: Miner Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_XMRIG_Miner.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_XMRIG_Miner.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers: matchers:
- type: word - type: word
words: part: raw
- "stratum+tcp" words:
- "stratum+tcp"
- "stratum+udp" - "stratum+udp"


@ -1,54 +1,59 @@
id: malware_miniasp3 id: miniasp3-malware
info: info:
name: MiniASP3 Malware Detector name: MiniASP3 Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MiniAsp3_mem.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MiniAsp3_mem.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: or matchers-condition: or
matchers: matchers:
- type: word - type: word
words: part: raw
- "MiniAsp3\\Release\\MiniAsp.pdb" words:
- "http://%s/about.htm" - "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/result_%s.htm" - "http://%s/about.htm"
- "open internet failed…" - "http://%s/result_%s.htm"
condition: and - "open internet failed…"
condition: and
- type: word
words: - type: word
- "MiniAsp3\\Release\\MiniAsp.pdb" part: raw
- "http://%s/about.htm" words:
- "http://%s/result_%s.htm" - "MiniAsp3\\Release\\MiniAsp.pdb"
- "run error!" - "http://%s/about.htm"
condition: and - "http://%s/result_%s.htm"
- "run error!"
- type: word condition: and
words:
- "MiniAsp3\\Release\\MiniAsp.pdb" - type: word
- "http://%s/about.htm" part: raw
- "http://%s/result_%s.htm" words:
- "run ok!" - "MiniAsp3\\Release\\MiniAsp.pdb"
condition: and - "http://%s/about.htm"
- "http://%s/result_%s.htm"
- type: word - "run ok!"
words: condition: and
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm" - type: word
- "http://%s/result_%s.htm" part: raw
- "time out,change to mode 0" words:
condition: and - "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- type: word - "http://%s/result_%s.htm"
words: - "time out,change to mode 0"
- "MiniAsp3\\Release\\MiniAsp.pdb" condition: and
- "http://%s/about.htm"
- "http://%s/result_%s.htm" - type: word
- "command is null!" part: raw
condition: and words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- "http://%s/result_%s.htm"
- "command is null!"
condition: and
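Review bot: `open internet failed…` in the first matcher ends with a single U+2026 ellipsis character rather than three ASCII periods; if the upstream rule or the binary uses `...`, that matcher can never fire, so verify the byte sequence against MALW_MiniAsp3_mem.yar and record the outcome with a comment such as `# U+2026 ellipsis, not "..." — verified against upstream rule`. Separately, all five matchers repeat the same three strings and differ only in a fourth, and `(A∧B∧C∧D1)∨…∨(A∧B∧C∧D5)` is exactly `A∧B∧C∧(D1∨…∨D5)`, so the block collapses to two matchers under `matchers-condition: and` with identical results and less drift risk when a shared string is edited. The rewritten matcher section would look like the following.
```yaml
  matchers-condition: and
  matchers:
    - type: word
      part: raw
      words:
        - "MiniAsp3\\Release\\MiniAsp.pdb"
        - "http://%s/about.htm"
        - "http://%s/result_%s.htm"
      condition: and

    - type: word
      part: raw
      words:
        - "open internet failed…"
        - "run error!"
        - "run ok!"
        - "time out,change to mode 0"
        - "command is null!"
      condition: or
```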


@ -1,30 +1,31 @@
id: malware_naikon id: naikon-malware
info: info:
name: Naikon Malware Detector name: Naikon Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naikon.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naikon.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: or matchers-condition: or
matchers: matchers:
- type: binary - type: binary
binary: binary:
- "0FAFC1C1E01F" - "0FAFC1C1E01F"
- "355A010000" - "355A010000"
- "81C27F140600" - "81C27F140600"
condition: and condition: and
- type: word - type: word
words: part: raw
- "NOKIAN95/WEB" words:
- "/tag=info&id=15" - "NOKIAN95/WEB"
- "skg(3)=&3.2d_u1" - "/tag=info&id=15"
- "\\Temp\\iExplorer.exe" - "skg(3)=&3.2d_u1"
- "\\Temp\\\"TSG\"" - "\\Temp\\iExplorer.exe"
condition: or - "\\Temp\\\"TSG\""
condition: or


@ -1,26 +1,27 @@
id: malware_naspyupdate id: naspyupdate-malware
info: info:
name: nAspyUpdate Malware Detector name: nAspyUpdate Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naspyupdate.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naspyupdate.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: or matchers-condition: or
matchers: matchers:
- type: binary - type: binary
binary: binary:
- "8A5424148A0132C202C28801414E75F4" - "8A5424148A0132C202C28801414E75F4"
- type: word - type: word
words: part: raw
- "\\httpclient.txt" words:
- "password <=14" - "\\httpclient.txt"
- "/%ldn.txt" - "password <=14"
- "Kill You\x00" - "/%ldn.txt"
condition: or - "Kill You\x00"
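Review bot: `"Kill You\x00"` relies on YAML double-quote escaping to turn `\x00` into a NUL byte, presumably so the string matches up to the C string terminator in the binary; a later reformat to single quotes (the usual yamllint/Prettier advice for literal strings) would silently turn it into the four literal characters `\x00` and the word would stop matching. A comment such as `# keep double quotes: \x00 must decode to a NUL byte` protects it. The word matcher's `condition: or` also means `\httpclient.txt` on its own triggers the template; that follows the upstream rule, but it is the weakest of the three strings and worth a note for triagers.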
condition: or


@ -1,18 +1,19 @@
id: malware_notepad id: notepad-malware
info: info:
name: Notepad v1.1 Malware Detector name: Notepad v1.1 Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Notepad.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Notepad.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers: matchers:
- type: word - type: word
words: part: raw
- "75BAA77C842BE168B0F66C42C7885997" words:
- "75BAA77C842BE168B0F66C42C7885997"
- "B523F63566F407F3834BCC54AAA32524" - "B523F63566F407F3834BCC54AAA32524"


@ -1,25 +1,26 @@
id: malware_olyx id: olyx-malware
info: info:
name: Olyx Malware Detector name: Olyx Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Olyx.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Olyx.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: or matchers-condition: or
matchers: matchers:
- type: word - type: word
words: part: raw
- "/Applications/Automator.app/Contents/MacOS/DockLight" words:
condition: or - "/Applications/Automator.app/Contents/MacOS/DockLight"
condition: or
- type: binary
binary: - type: binary
- "C7400436363636C7400836363636" binary:
- "C740045C5C5C5CC740085C5C5C5C" - "C7400436363636C7400836363636"
condition: or - "C740045C5C5C5CC740085C5C5C5C"
condition: or


@ -1,25 +1,25 @@
id: malware_osx_leverage id: osx-leverage-malware
info: info:
name: OSX Leverage Malware Detector name: OSX Leverage Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_OSX_Leverage.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_OSX_Leverage.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F" - "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
- "+:Users:Shared:UserEvent.app:Contents:MacOS:" - "+:Users:Shared:UserEvent.app:Contents:MacOS:"
- "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'" - "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'"
- "osascript -e 'tell application \"System Events\" to get the hidden of every login item'" - "osascript -e 'tell application \"System Events\" to get the hidden of every login item'"
- "osascript -e 'tell application \"System Events\" to get the name of every login item'" - "osascript -e 'tell application \"System Events\" to get the name of every login item'"
- "osascript -e 'tell application \"System Events\" to get the path of every login item'" - "osascript -e 'tell application \"System Events\" to get the path of every login item'"
- "serverVisible \x00" - "serverVisible \x00"
condition: and condition: and


@ -1,25 +1,25 @@
id: malware_paradox id: paradox-malware
info: info:
name: Paradox Malware Detector name: Paradox Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "ParadoxRAT" - "ParadoxRAT"
- "Form1" - "Form1"
- "StartRMCam" - "StartRMCam"
- "Flooders" - "Flooders"
- "SlowLaris" - "SlowLaris"
- "SHITEMID" - "SHITEMID"
- "set_Remote_Chat" - "set_Remote_Chat"
condition: and condition: and


@ -1,27 +1,27 @@
id: malware_plasma id: plasma-malware
info: info:
name: Plasma Malware Detector name: Plasma Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "Miner: Failed to Inject." - "Miner: Failed to Inject."
- "Started GPU Mining on:" - "Started GPU Mining on:"
- "BK: Hard Bot Killer Ran Successfully!" - "BK: Hard Bot Killer Ran Successfully!"
- "Uploaded Keylogs Successfully!" - "Uploaded Keylogs Successfully!"
- "No Slowloris Attack is Running!" - "No Slowloris Attack is Running!"
- "An ARME Attack is Already Running on" - "An ARME Attack is Already Running on"
- "Proactive Bot Killer Enabled!" - "Proactive Bot Killer Enabled!"
- "PlasmaRAT" - "PlasmaRAT"
- "AntiEverything" - "AntiEverything"
condition: and condition: and


@ -1,33 +1,34 @@
id: malware_poetrat id: poetrat-malware
info: info:
name: PoetRat Malware Detector name: PoetRat Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_PoetRATDoc.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_PoetRATDoc.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
words: part: raw
- "launcher.py" words:
- "smile.zip" - "launcher.py"
- "smile_funs.py" - "smile.zip"
- "frown.py" - "smile_funs.py"
- "backer.py" - "frown.py"
- "smile.py" - "backer.py"
- "affine.py" - "smile.py"
- "cmd" - "affine.py"
- ".exe" - "cmd"
condition: and - ".exe"
condition: and
- type: regex
regex: - type: regex
- '(\.py$|\.pyc$|\.pyd$|Python)' regex:
- '\.dll' - '(\.py$|\.pyc$|\.pyd$|Python)'
- '\.dll'
condition: and condition: and
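Review bot: The regex `(\.py$|\.pyc$|\.pyd$|Python)` uses `$` without multi-line mode, and in Go's regexp package (RE2 syntax, which nuclei uses) `$` then matches only at the very end of the whole file content, so the three extension branches almost never fire and the alternation degrades to a bare `Python` substring search; either drop the anchors or enable multi-line matching with `- '(?m)(\.py$|\.pyc$|\.pyd$|Python)'`. The regex matcher also did not receive the `part: raw` that the word matcher above it got in this commit; add `part: raw` under `- type: regex` so both evaluate the same input. Because `matchers-condition: and` ties it to the strict word list the practical impact is small, but the regex as written does not express what it appears to.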


@ -1,22 +1,22 @@
id: malware_pony id: pony-malware
info: info:
name: Pony Malware Detector name: Pony Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Pony.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Pony.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}" - "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}"
- "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0" - "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0"
- "POST %s HTTP/1.0" - "POST %s HTTP/1.0"
- "Accept-Encoding: identity, *;q=0" - "Accept-Encoding: identity, *;q=0"
condition: and condition: and


@ -1,25 +1,26 @@
id: malware_pubsab id: pubsab-malware
info: info:
name: PubSab Malware Detector name: PubSab Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PubSab.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PubSab.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: or matchers-condition: or
matchers: matchers:
- type: word - type: word
words: part: raw
- "_deamon_init" words:
- "com.apple.PubSabAgent" - "_deamon_init"
- "/tmp/screen.jpeg" - "com.apple.PubSabAgent"
condition: or - "/tmp/screen.jpeg"
condition: or
- type: binary
binary: - type: binary
binary:
- "6B45E43789CA29C28955E4" - "6B45E43789CA29C28955E4"


@ -1,29 +1,30 @@
id: malware_punisher id: punisher-malware
info: info:
name: Punisher Malware Detector name: Punisher Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
words: part: raw
- "abccba" words:
- "SpyTheSpy" - "abccba"
- "wireshark" - "SpyTheSpy"
- "apateDNS" - "wireshark"
- "abccbaDanabccb" - "apateDNS"
condition: and - "abccbaDanabccb"
condition: and
- type: binary
binary: - type: binary
- "5C006800660068002E007600620073" binary:
- "5C00730063002E007600620073" - "5C006800660068002E007600620073"
- "5C00730063002E007600620073"
condition: and condition: and


@ -1,23 +1,23 @@
id: malware_pypi id: pypi-malware
info: info:
name: Fake PyPI Malware Detector name: Fake PyPI Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: reference:
- http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/ - http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PyPI.yar - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PyPI.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "# Welcome Here! :)" - "# Welcome Here! :)"
- "# just toy, no harm :)" - "# just toy, no harm :)"
- "[0x76,0x21,0xfe,0xcc,0xee]" - "[0x76,0x21,0xfe,0xcc,0xee]"
condition: and condition: and


@ -1,26 +1,26 @@
id: malware_pythorat id: pythorat-malware
info: info:
name: PythoRAT Malware Detector name: PythoRAT Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: word
- type: word part: raw
words: words:
- "TKeylogger" - "TKeylogger"
- "uFileTransfer" - "uFileTransfer"
- "TTDownload" - "TTDownload"
- "SETTINGS" - "SETTINGS"
- "Unknown" - "Unknown"
- "#@#@#" - "#@#@#"
- "PluginData" - "PluginData"
- "OnPluginMessage" - "OnPluginMessage"
condition: and condition: and


@ -1,46 +1,49 @@
id: malware_qrat id: qrat-malware
info: info:
name: QRat Malware Detector name: QRat Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: or matchers-condition: or
matchers: matchers:
- type: word - type: word
words: part: raw
- "quaverse/crypter" words:
- "Qrypt.class" - "quaverse/crypter"
- "Jarizer.class" - "Qrypt.class"
- "URLConnection.class" - "Jarizer.class"
condition: and - "URLConnection.class"
condition: and
- type: word
words: - type: word
- "e-data" part: raw
- "Qrypt.class" words:
- "Jarizer.class" - "e-data"
- "URLConnection.class" - "Qrypt.class"
condition: and - "Jarizer.class"
- "URLConnection.class"
- type: word condition: and
words:
- "e-data" - type: word
- "quaverse/crypter" words:
- "Jarizer.class" - "e-data"
- "URLConnection.class" - "quaverse/crypter"
condition: and - "Jarizer.class"
- "URLConnection.class"
- type: word condition: and
words:
- "e-data" - type: word
- "quaverse/crypter" part: raw
- "Qrypt.class" words:
- "URLConnection.class" - "e-data"
condition: and - "quaverse/crypter"
- "Qrypt.class"
- "URLConnection.class"
condition: and
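Review bot: The third word matcher (`e-data`, `quaverse/crypter`, `Jarizer.class`, `URLConnection.class`) is the only one of the four that did not get `part: raw` in this commit — the hunk header's three added lines against four matchers confirms one is missing; add `part: raw` directly under its `- type: word` so all four branches evaluate the same input. If the file engine defaults to raw this is cosmetic, otherwise that branch silently behaves differently from its siblings and the "any three of four" logic no longer holds.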


@ -1,21 +1,20 @@
id: malware_satana_dropper id: satana-dropper-malware
info: info:
name: Satana Dropper Malware Detector name: Satana Dropper Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Satana.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Satana.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers:
matchers: - type: binary
- type: binary #Dropper binary:
binary: - "25732D547279457863657074"
- "25732D547279457863657074" - "643A5C6C626574776D77795C75696A657571706C667775622E706462"
- "643A5C6C626574776D77795C75696A657571706C667775622E706462" - "71666E7476746862"
- "71666E7476746862"
condition: and condition: and


@ -1,28 +1,28 @@
id: malware_satana id: satana-malware
info: info:
name: Satana Malware Detector name: Satana Malware - Detect
author: daffainfo author: daffainfo
severity: critical severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
tags: malware,file tags: malware,file
file: file:
- extensions: - extensions:
- all - all
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: binary - type: binary
binary: binary:
- "210073006100740061006E00610021002E0074007800740000" - "210073006100740061006E00610021002E0074007800740000"
- "456E756D4C6F63616C526573" - "456E756D4C6F63616C526573"
- "574E65744F70656E456E756D5700" - "574E65744F70656E456E756D5700"
- "21534154414E4121" - "21534154414E4121"
condition: and condition: and
- type: binary - type: binary
binary: binary:
- "7467777975677771" - "7467777975677771"
- "537776776E6775" - "537776776E6775"
condition: or condition: or
