feat: add BinaryAlert and restructure the repo

Muhammad Daffa 2023-08-08 00:32:42 +07:00
parent 597ea580a7
commit fbc13aeb4c
126 changed files with 3481 additions and 3074 deletions


@ -0,0 +1,23 @@
id: basicrat-malware
info:
name: BasicRAT Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/multi/malware_multi_vesche_basicrat.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "HKCU Run registry key applied"
- "HKCU Run registry key failed"
- "Error, platform unsupported."
- "Persistence successful,"
- "Persistence unsuccessful,"
condition: and


@ -0,0 +1,21 @@
id: cerber-malware
info:
name: Cerber Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_cerber_evasion.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "38oDr5.vbs"
- "8ivq.dll"
- "jmsctls_progress32"
condition: and


@ -0,0 +1,28 @@
id: crunchrat-malware
info:
name: CrunchRAT Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/windows/malware_windows_t3ntman_crunchrat.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "<action>command<action>"
- "<action>upload<action>"
- "<action>download<action>"
- "cmd.exe"
- "application/x-www-form-urlencoded"
- "&action="
- "&secondary="
- "<secondary>"
- "<action>"
condition: and
case-insensitive: true
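Review bot: The three tag-style entries in `words` use `<action>` as both the opening and the closing marker (`<action>command<action>`), which reads like a transcription of `</action>`; worth checking against the upstream rule at the `reference` URL, because with `condition: and` a single mistyped string keeps the whole matcher from ever firing. If the upstream strings really are written this way, a `# strings copied verbatim from upstream` comment above `words:` would stop the next reader from "fixing" them.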


@ -0,0 +1,23 @@
id: ransomware_windows_hydracrypt
info:
name: Hydracrypt Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_hydracrypt.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "oTraining"
- "Stop Training"
- "Play \"sound.wav\""
- "&Start Recording"
- "7About record"
condition: and
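Review bot: `id: ransomware_windows_hydracrypt` reuses the upstream YARA file name, while every other template added here uses the kebab-case `<family>-malware` form (`cerber-malware`, `wannacry-malware`) and the commit itself renames the older ids to that form. Suggest `id: hydracrypt-malware` so the id sorts and greps with its siblings.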


@ -0,0 +1,38 @@
id: macos-bella-malware
info:
name: Bella Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/macos/malware_macos_bella.yara
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "Verified! [2FV Enabled] Account ->"
- "There is no root shell to perform this command. See [rooter] manual entry."
- "Attempt to escalate Bella to root through a variety of attack vectors."
- "BELLA IS NOW RUNNING. CONNECT TO BELLA FROM THE CONTROL CENTER."
condition: or
- type: word
part: raw
words:
- "user_pass_phish"
- "bella_info"
- "get_root"
condition: and
- type: word
part: raw
words:
- "Please specify a bella server."
- "What port should Bella connect on [Default is 4545]:"
condition: and


@ -0,0 +1,24 @@
id: petya-malware-variant-1
info:
name: Petya Malware (Variant 1) - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_petya_variant_1.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "Ooops, your important files are encrypted."
- "Send your Bitcoin wallet ID and personal installation key to e-mail"
- "wowsmith123456@posteo.net. Your personal installation key:"
- "Send $300 worth of Bitcoin to following address:"
- "have been encrypted. Perhaps you are busy looking for a way to recover your"
- "need to do is submit the payment and purchase the decryption key."
condition: or


@ -0,0 +1,20 @@
id: petya-malware-variant-3
info:
name: Petya Malware (Variant 3) - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_petya_variant_3.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "wevtutil cl Setup & wevtutil cl System"
- "fsutil usn deletejournal /D %c:"
condition: or
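Review bot: With `condition: or` a hit on either string alone is enough, and `wevtutil cl Setup & wevtutil cl System` is the kind of line that also turns up in ordinary cleanup batch scripts and in write-ups about the malware, so those files will be reported as Petya as well. The upstream rule's condition is not visible from here; if it requires both strings, `condition: and` is the faithful translation, otherwise record the trade-off in the `info` block, e.g. `description: Matches on either of two log-clearing command strings; expect hits on admin scripts that use the same commands.`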


@ -0,0 +1,18 @@
id: petya-malware-variant-bitcoin
info:
name: Petya Malware (Variant Bitcoin) - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_petya_variant_bitcoin.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu6zfhzuts7KafP5UA8/0Hmf5K3/F9Mf9SE68EZjK+cIiFlKeWndP0XfRCYXI9AJYCeaOu7CXF6U0AVNnNjvLeOn42LHFUK4o6JwIDAQAB"
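Review bot: As far as the rendered hunk shows, this is the only new template whose matcher has no `condition:` key; with a single entry nuclei's default (`or`) gives the same result, but every sibling in this commit states it explicitly. Suggest adding `condition: or` after the `words` list so the files stay uniform and a later addition to the list does not silently inherit the default.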


@ -0,0 +1,29 @@
id: pony-stealer-malware
info:
name: Windows Pony Stealer Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/windows/malware_windows_pony_stealer.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "signons.sqlite"
- "signons.txt"
- "signons2.txt"
- "signons3.txt"
- "WininetCacheCredentials"
- "moz_logins"
- "encryptedPassword"
- "FlashFXP"
- "BulletProof"
- "CuteFTP"
condition: and
case-insensitive: true


@ -0,0 +1,21 @@
id: powerware-malware
info:
name: PowerWare Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_powerware_locky.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "ScriptRunner.dll"
- "ScriptRunner.pdb"
- "fixed.ps1"
condition: and


@ -0,0 +1,32 @@
id: wannacry-malware
info:
name: WannaCry Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_wannacry.yara
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "msg/m_chinese"
- ".wnry"
- "attrib +h"
condition: and
- type: word
part: raw
words:
- "WNcry@2ol7"
- "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
- "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn"
- "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw"
- "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94"
condition: or


@ -0,0 +1,34 @@
id: zrypt-malware
info:
name: Zcrypt Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_zcrypt.yara
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "How to Buy Bitcoins"
- "ALL YOUR PERSONAL FILES ARE ENCRYPTED"
- "Click Here to Show Bitcoin Address"
- "MyEncrypter2.pdb"
condition: or
- type: word
part: raw
words:
- ".p7b"
- ".p7c"
- ".pdd"
- ".pef"
- ".pem"
- "How to decrypt files.html"
condition: and
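Review bot: `id: zrypt-malware` drops the `c` from the family name used by `name: Zcrypt Malware - Detect` and by the referenced `ransomware_windows_zcrypt.yara`; suggest `id: zcrypt-malware`. Template ids are what selection and the template index key on, so the typo is cheaper to fix now than after something references it.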

259
README.md

@ -1,251 +1,14 @@
# Nuclei Malware
Template to detect some malware using nuclei
Template to detect some malware using nuclei. Creating these nuclei templates based on previously made YARA rules and then converting them into nuclei template format
## Status Malware
I took the reference from [yara rules repository](https://github.com/Yara-Rules/rules/blob/master/malware/) and in this section is about the status of each rule whether it can be made into a nuclei template or not
### List of Repositories
* [https://github.com/Yara-Rules/rules](https://github.com/daffainfo/nuclei-malware/tree/master/Yara-Rules)
* [https://github.com/airbnb/binaryalert/tree/master/rules/public](https://github.com/daffainfo/nuclei-malware/tree/master/BinaryAlert)
| Malware Yara Rules | Status |
| --- | --- |
| MALW_ATMPot | 🟥 Impossible |
| MALW_ATM_HelloWorld | 🟥 Impossible |
| MALW_AZORULT | 🟥 Impossible |
| MALW_AgentTesla | 🟨 Still possible but requires a lot of effort |
| MALW_AgentTesla_SMTP | 🟨 Still possible but requires a lot of effort |
| MALW_AlMashreq | 🟨 Still possible but requires a lot of effort |
| MALW_Alina | 🟩 Possible |
| MALW_Andromeda | 🟩 Possible |
| MALW_Arkei | 🟩 Possible |
| MALW_Athena | 🟨 Still possible but requires a lot of effort |
| MALW_Atmos | 🟥 Impossible |
| MALW_BackdoorSSH | 🟥 Impossible |
| MALW_Backoff | 🟩 Possible |
| MALW_Bangat | 🟥 Impossible |
| MALW_Batel | 🟥 Impossible |
| MALW_BlackRev | 🟨 Still possible but requires a lot of effort |
| MALW_BlackWorm | 🟩 Possible |
| MALW_Boouset | 🟥 Impossible |
| MALW_Bublik | 🟩 Possible |
| MALW_Buzus_Softpulse | 🟥 Impossible |
| MALW_CAP_HookExKeylogger | 🟨 Still possible but requires a lot of effort |
| MALW_Chicken | 🟨 Still possible but requires a lot of effort |
| MALW_Citadel | 🟥 Impossible |
| MALW_Cloaking | 🟥 Impossible |
| MALW_Cookies | 🟨 Still possible but requires a lot of effort |
| MALW_Corkow | 🟥 Impossible |
| MALW_Cxpid | 🟩 Possible |
| MALW_Cythosia | 🟩 Possible |
| MALW_DDoSTf | 🟩 Possible |
| MALW_Derkziel | 🟩 Possible |
| MALW_Dexter | 🟩 Possible |
| MALW_DiamondFox | 🟩 Possible |
| MALW_DirtJumper | 🟨 Still possible but requires a lot of effort |
| MALW_Eicar | 🟩 Possible |
| MALW_Elex | 🟥 Impossible |
| MALW_Elknot | 🟥 Impossible |
| MALW_Emotet | 🟥 Impossible |
| MALW_Empire | 🟥 Impossible |
| MALW_Enfal | 🟥 Impossible |
| MALW_Exploit_UAC_Elevators | 🟥 Impossible |
| MALW_Ezcob | 🟩 Possible |
| MALW_F0xy | 🟥 Impossible |
| MALW_FALLCHILL | 🟥 Impossible |
| MALW_FUDCrypt | 🟩 Possible |
| MALW_FakeM | 🟥 Impossible |
| MALW_Fareit | 🟥 Impossible |
| MALW_Favorite | 🟥 Impossible |
| MALW_Furtim | 🟥 Impossible |
| MALW_Gafgyt | 🟩 Possible |
| MALW_Genome | 🟩 Possible |
| MALW_Glasses | 🟩 Possible |
| MALW_Gozi | 🟩 Possible |
| MALW_Grozlex | 🟩 Possible |
| MALW_Hajime | 🟥 Impossible |
| MALW_Hsdfihdf_banking | 🟨 Still possible but requires a lot of effort |
| MALW_Httpsd_ELF | 🟥 Impossible |
| MALW_IMuler | 🟥 Impossible |
| MALW_IcedID | 🟥 Impossible |
| MALW_Iexpl0ree | 🟥 Impossible |
| MALW_Install11 | 🟩 Possible |
| MALW_Intel_Virtualization | 🟩 Possible |
| MALW_IotReaper | 🟩 Possible |
| MALW_Jolob_Backdoor | 🟩 Possible |
| MALW_KINS | 🟨 Still possible but requires a lot of effort |
| MALW_Kelihos | 🟩 Possible |
| MALW_KeyBase | 🟥 Impossible |
| MALW_Korlia | 🟥 Impossible |
| MALW_Korplug | 🟥 Impossible |
| MALW_Kovter | 🟩 Possible |
| MALW_Kraken | 🟥 Impossible |
| MALW_Kwampirs | 🟩 Possible |
| MALW_LURK0 | 🟥 Impossible |
| MALW_Lateral_Movement | 🟩 Possible |
| MALW_Lenovo_Superfish | 🟥 Impossible |
| MALW_LinuxBew | 🟩 Possible |
| MALW_LinuxHelios | 🟩 Possible |
| MALW_LinuxMoose | 🟥 Impossible |
| MALW_LostDoor | 🟩 Possible |
| MALW_LuaBot | 🟩 Possible |
| MALW_LuckyCat | 🟥 Impossible |
| MALW_MSILStealer | 🟩 Possible |
| MALW_MacControl | 🟥 Impossible |
| MALW_MacGyver | 🟩 Possible |
| MALW_Madness | 🟩 Possible |
| MALW_Magento_backend | 🟨 Still possible but requires a lot of effort |
| MALW_Magento_frontend | 🟨 Still possible but requires a lot of effort |
| MALW_Magento_suspicious | 🟥 Impossible |
| MALW_Mailers | 🟥 Impossible |
| MALW_MedusaHTTP_2019 | 🟨 Still possible but requires a lot of effort |
| MALW_Miancha | 🟥 Impossible |
| MALW_MiniAsp3_mem | 🟨 Still possible but requires a lot of effort |
| MALW_Mirai | 🟥 Impossible |
| MALW_Mirai_Okiru_ELF | 🟥 Impossible |
| MALW_Mirai_Satori_ELF | 🟥 Impossible |
| MALW_Miscelanea | 🟥 Impossible |
| MALW_Miscelanea_Linux | 🟨 Still possible but requires a lot of effort |
| MALW_Monero_Miner_installer | 🟩 Possible |
| MALW_NSFree | 🟩 Possible |
| MALW_Naikon | 🟨 Still possible but requires a lot of effort |
| MALW_Naspyupdate | 🟨 Still possible but requires a lot of effort |
| MALW_NetTraveler | 🟨 Still possible but requires a lot of effort |
| MALW_NionSpy | 🟥 Impossible |
| MALW_Notepad | 🟩 Possible |
| MALW_OSX_Leverage | 🟩 Possible |
| MALW_Odinaff | 🟥 Impossible |
| MALW_Olyx | 🟩 Possible |
| MALW_PE_sections | 🟥 Impossible |
| MALW_PittyTiger | 🟨 Still possible but requires a lot of effort |
| MALW_PolishBankRat | 🟥 Impossible |
| MALW_Ponmocup | 🟥 Impossible |
| MALW_Pony | 🟩 Possible |
| MALW_Predator | 🟥 Impossible |
| MALW_PubSab | 🟩 Possible |
| MALW_PurpleWave | 🟥 Impossible |
| MALW_PyPI | 🟩 Possible |
| MALW_Pyinstaller | 🟥 Impossible |
| MALW_Pyinstaller_OSX | 🟩 Possible |
| MALW_Quarian | 🟥 Impossible |
| MALW_Rebirth_Vulcan_ELF | 🟥 Impossible |
| MALW_Regsubdat | 🟥 Impossible |
| MALW_Rockloader | 🟥 Impossible |
| MALW_Rooter | 🟥 Impossible |
| MALW_Rovnix | 🟥 Impossible |
| MALW_Safenet | 🟩 Possible |
| MALW_Sakurel | 🟩 Possible |
| MALW_Sayad | 🟩 Possible |
| MALW_Scarhikn | 🟥 Impossible |
| MALW_Sendsafe | 🟨 Still possible but requires a lot of effort |
| MALW_Shamoon | 🟥 Impossible |
| MALW_Shifu | 🟥 Impossible |
| MALW_Skeleton | 🟥 Impossible |
| MALW_Spora | 🟩 Possible |
| MALW_Sqlite | 🟩 Possible |
| MALW_Stealer | 🟩 Possible |
| MALW_Surtr | 🟥 Impossible |
| MALW_T5000 | 🟩 Possible |
| MALW_TRITON_HATMAN | 🟥 Impossible |
| MALW_TRITON_ICS_FRAMEWORK | 🟥 Impossible |
| MALW_Tedroo | 🟩 Possible |
| MALW_Tinba | 🟥 Impossible |
| MALW_TinyShell_Backdoor_gen | 🟥 Impossible |
| MALW_Torte_ELF | 🟥 Impossible |
| MALW_TreasureHunt | 🟩 Possible |
| MALW_TrickBot | 🟩 Possible |
| MALW_Trumpbot | 🟩 Possible |
| MALW_Upatre | 🟥 Impossible |
| MALW_Urausy | 🟩 Possible |
| MALW_Vidgrab | 🟥 Impossible |
| MALW_Virut_FileInfector_UNK_VERSION | 🟥 Impossible |
| MALW_Volgmer | 🟥 Impossible |
| MALW_Wabot | 🟩 Possible |
| MALW_Warp | 🟩 Possible |
| MALW_Wimmie | 🟥 Impossible |
| MALW_XHide | 🟩 Possible |
| MALW_XMRIG_Miner | 🟩 Possible |
| MALW_XOR_DDos | 🟩 Possible |
| MALW_Yayih | 🟩 Possible |
| MALW_Yordanyan_ActiveAgent | 🟨 Still possible but requires a lot of effort |
| MALW_Zegost | 🟩 Possible |
| MALW_Zeus | 🟥 Impossible |
| MALW_adwind_RAT | 🟥 Impossible |
| MALW_hancitor | 🟨 Still possible but requires a lot of effort |
| MALW_kirbi_mimikatz | 🟥 Impossible |
| MALW_kpot | 🟨 Still possible but requires a lot of effort |
| MALW_marap | 🟨 Still possible but requires a lot of effort |
| MALW_shifu_shiz | 🟨 Still possible but requires a lot of effort |
| MALW_sitrof_fortis_scar | 🟨 Still possible but requires a lot of effort |
| MALW_viotto_keylogger | 🟥 Impossible |
| MALW_xDedic_marketplace | 🟥 Impossible |
| RANSOM_.CRYPTXXX.yar | 🟩 Possible |
| RANSOM_777.yar | 🟩 Possible |
| RANSOM_Alpha.yar | 🟩 Possible |
| RANSOM_BadRabbit.yar | 🟥 Impossible |
| RANSOM_Cerber.yar | 🟥 Impossible |
| RANSOM_Comodosec.yar | 🟨 Still possible but requires a lot of effort |
| RANSOM_Crypren.yar | 🟥 Impossible |
| RANSOM_CryptoNar.yar | 🟥 Impossible |
| RANSOM_Cryptolocker.yar | 🟨 Still possible but requires a lot of effort |
| RANSOM_DMALocker.yar | 🟩 Possible |
| RANSOM_DoublePulsar_Petya.yar | 🟩 Possible |
| RANSOM_Erebus.yar | 🟩 Possible |
| RANSOM_GPGQwerty.yar | 🟩 Possible |
| RANSOM_GoldenEye.yar | 🟥 Impossible |
| RANSOM_Locky.yar | 🟩 Possible |
| RANSOM_MS17-010_Wannacrypt.yar | 🟥 Impossible |
| RANSOM_Maze.yar | 🟥 Impossible |
| RANSOM_PetrWrap.yar | 🟥 Impossible |
| RANSOM_Petya.yar | 🟥 Impossible |
| RANSOM_Petya_MS17_010.yar | 🟥 Impossible |
| RANSOM_Pico.yar | 🟥 Impossible |
| RANSOM_Revix.yar | 🟥 Impossible |
| RANSOM_SamSam.yar | 🟥 Impossible |
| RANSOM_Satana.yar | 🟩 Possible |
| RANSOM_Shiva.yar | 🟥 Impossible |
| RANSOM_Sigma.yar | 🟩 Possible |
| RANSOM_Snake.yar | 🟩 Possible |
| RANSOM_Stampado.yar | 🟥 Impossible |
| RANSOM_TeslaCrypt.yar | 🟩 Possible |
| RANSOM_Tox.yar | 🟩 Possible |
| RANSOM_acroware.yar | 🟥 Impossible |
| RANSOM_jeff_dev.yar | 🟥 Impossible |
| RANSOM_locdoor.yar | 🟥 Impossible |
| RANSOM_screenlocker_5h311_1nj3c706.yar | 🟥 Impossible |
| RANSOM_shrug2.yar | 🟥 Impossible |
| RANSOM_termite.yar | 🟥 Impossible |
| RAT_Adwind.yar | 🟥 Impossible |
| RAT_Adzok.yar | 🟩 Possible |
| RAT_Asyncrat.yar | 🟥 Impossible |
| RAT_BlackShades.yar | 🟥 Impossible |
| RAT_Bolonyokte.yar | 🟥 Impossible |
| RAT_Bozok.yar | 🟩 Possible |
| RAT_Cerberus.yar | 🟩 Possible |
| RAT_Crimson.yar | 🟩 Possible |
| RAT_CrossRAT.yar | 🟥 Impossible |
| RAT_CyberGate.yar | 🟩 Possible |
| RAT_DarkComet.yar | 🟥 Impossible |
| RAT_FlyingKitten.yar | 🟥 Impossible |
| RAT_Gh0st.yar | 🟥 Impossible |
| RAT_Gholee.yar | 🟩 Possible |
| RAT_Glass.yar | 🟩 Possible |
| RAT_Havex.yar | 🟥 Impossible |
| RAT_Hizor.yar | 🟥 Impossible |
| RAT_Indetectables.yar | 🟥 Impossible |
| RAT_Inocnation.yar | 🟥 Impossible |
| RAT_Meterpreter_Reverse_Tcp.yar | 🟥 Impossible |
| RAT_Nanocore.yar | 🟥 Impossible |
| RAT_NetwiredRC.yar | 🟥 Impossible |
| RAT_Njrat.yar | 🟥 Impossible |
| RAT_Orcus.yar | 🟥 Impossible |
| RAT_PlugX.yar | 🟥 Impossible |
| RAT_PoetRATDoc.yar | 🟩 Possible |
| RAT_PoetRATPython.yar | 🟥 Impossible |
| RAT_PoisonIvy.yar | 🟥 Impossible |
| RAT_Ratdecoders.yar | 🟩 Possible |
| RAT_Sakula.yar | 🟥 Impossible |
| RAT_ShadowTech.yar | 🟩 Possible |
| RAT_Shim.yar | 🟩 Possible |
| RAT_Terminator.yar | 🟩 Possible |
| RAT_Xtreme.yar | 🟥 Impossible |
| RAT_ZoxPNG.yar | 🟩 Possible |
| RAT_jRAT.yar | 🟩 Possible |
| RAT_xRAT.yar | 🟩 Possible |
| RAT_xRAT20.yar | 🟥 Impossible |
### To-Do
- [ ] Create a GitHub Actions workflow to detect the total number of templates in this repository
- [ ] Gives the status of whether the template is already in the nuclei-templates repo or not (In `STATUS.md`)
- [ ] Create more nuclei templates using these repository
- [x] https://github.com/airbnb/binaryalert/tree/master/rules/public
- [ ] https://github.com/reversinglabs/reversinglabs-yara-rules
- [ ] etc.

279
STATUS.md Normal file

@ -0,0 +1,279 @@
# List
* [https://github.com/Yara-Rules/rules](https://github.com/daffainfo/nuclei-malware/tree/master/Yara-Rules)
| Yara Rules | Status |
| --- | --- |
| MALW_ATMPot | 🟥 Impossible |
| MALW_ATM_HelloWorld | 🟥 Impossible |
| MALW_AZORULT | 🟥 Impossible |
| MALW_AgentTesla | 🟨 Still possible but requires a lot of effort |
| MALW_AgentTesla_SMTP | 🟨 Still possible but requires a lot of effort |
| MALW_AlMashreq | 🟨 Still possible but requires a lot of effort |
| MALW_Alina | 🟩 Possible |
| MALW_Andromeda | 🟩 Possible |
| MALW_Arkei | 🟩 Possible |
| MALW_Athena | 🟨 Still possible but requires a lot of effort |
| MALW_Atmos | 🟥 Impossible |
| MALW_BackdoorSSH | 🟥 Impossible |
| MALW_Backoff | 🟩 Possible |
| MALW_Bangat | 🟥 Impossible |
| MALW_Batel | 🟥 Impossible |
| MALW_BlackRev | 🟨 Still possible but requires a lot of effort |
| MALW_BlackWorm | 🟩 Possible |
| MALW_Boouset | 🟥 Impossible |
| MALW_Bublik | 🟩 Possible |
| MALW_Buzus_Softpulse | 🟥 Impossible |
| MALW_CAP_HookExKeylogger | 🟨 Still possible but requires a lot of effort |
| MALW_Chicken | 🟨 Still possible but requires a lot of effort |
| MALW_Citadel | 🟥 Impossible |
| MALW_Cloaking | 🟥 Impossible |
| MALW_Cookies | 🟨 Still possible but requires a lot of effort |
| MALW_Corkow | 🟥 Impossible |
| MALW_Cxpid | 🟩 Possible |
| MALW_Cythosia | 🟩 Possible |
| MALW_DDoSTf | 🟩 Possible |
| MALW_Derkziel | 🟩 Possible |
| MALW_Dexter | 🟩 Possible |
| MALW_DiamondFox | 🟩 Possible |
| MALW_DirtJumper | 🟨 Still possible but requires a lot of effort |
| MALW_Eicar | 🟩 Possible |
| MALW_Elex | 🟥 Impossible |
| MALW_Elknot | 🟥 Impossible |
| MALW_Emotet | 🟥 Impossible |
| MALW_Empire | 🟥 Impossible |
| MALW_Enfal | 🟥 Impossible |
| MALW_Exploit_UAC_Elevators | 🟥 Impossible |
| MALW_Ezcob | 🟩 Possible |
| MALW_F0xy | 🟥 Impossible |
| MALW_FALLCHILL | 🟥 Impossible |
| MALW_FUDCrypt | 🟩 Possible |
| MALW_FakeM | 🟥 Impossible |
| MALW_Fareit | 🟥 Impossible |
| MALW_Favorite | 🟥 Impossible |
| MALW_Furtim | 🟥 Impossible |
| MALW_Gafgyt | 🟩 Possible |
| MALW_Genome | 🟩 Possible |
| MALW_Glasses | 🟩 Possible |
| MALW_Gozi | 🟩 Possible |
| MALW_Grozlex | 🟩 Possible |
| MALW_Hajime | 🟥 Impossible |
| MALW_Hsdfihdf_banking | 🟨 Still possible but requires a lot of effort |
| MALW_Httpsd_ELF | 🟥 Impossible |
| MALW_IMuler | 🟥 Impossible |
| MALW_IcedID | 🟥 Impossible |
| MALW_Iexpl0ree | 🟥 Impossible |
| MALW_Install11 | 🟩 Possible |
| MALW_Intel_Virtualization | 🟩 Possible |
| MALW_IotReaper | 🟩 Possible |
| MALW_Jolob_Backdoor | 🟩 Possible |
| MALW_KINS | 🟨 Still possible but requires a lot of effort |
| MALW_Kelihos | 🟩 Possible |
| MALW_KeyBase | 🟥 Impossible |
| MALW_Korlia | 🟥 Impossible |
| MALW_Korplug | 🟥 Impossible |
| MALW_Kovter | 🟩 Possible |
| MALW_Kraken | 🟥 Impossible |
| MALW_Kwampirs | 🟩 Possible |
| MALW_LURK0 | 🟥 Impossible |
| MALW_Lateral_Movement | 🟩 Possible |
| MALW_Lenovo_Superfish | 🟥 Impossible |
| MALW_LinuxBew | 🟩 Possible |
| MALW_LinuxHelios | 🟩 Possible |
| MALW_LinuxMoose | 🟥 Impossible |
| MALW_LostDoor | 🟩 Possible |
| MALW_LuaBot | 🟩 Possible |
| MALW_LuckyCat | 🟥 Impossible |
| MALW_MSILStealer | 🟩 Possible |
| MALW_MacControl | 🟥 Impossible |
| MALW_MacGyver | 🟩 Possible |
| MALW_Madness | 🟩 Possible |
| MALW_Magento_backend | 🟨 Still possible but requires a lot of effort |
| MALW_Magento_frontend | 🟨 Still possible but requires a lot of effort |
| MALW_Magento_suspicious | 🟥 Impossible |
| MALW_Mailers | 🟥 Impossible |
| MALW_MedusaHTTP_2019 | 🟨 Still possible but requires a lot of effort |
| MALW_Miancha | 🟥 Impossible |
| MALW_MiniAsp3_mem | 🟨 Still possible but requires a lot of effort |
| MALW_Mirai | 🟥 Impossible |
| MALW_Mirai_Okiru_ELF | 🟥 Impossible |
| MALW_Mirai_Satori_ELF | 🟥 Impossible |
| MALW_Miscelanea | 🟥 Impossible |
| MALW_Miscelanea_Linux | 🟨 Still possible but requires a lot of effort |
| MALW_Monero_Miner_installer | 🟩 Possible |
| MALW_NSFree | 🟩 Possible |
| MALW_Naikon | 🟨 Still possible but requires a lot of effort |
| MALW_Naspyupdate | 🟨 Still possible but requires a lot of effort |
| MALW_NetTraveler | 🟨 Still possible but requires a lot of effort |
| MALW_NionSpy | 🟥 Impossible |
| MALW_Notepad | 🟩 Possible |
| MALW_OSX_Leverage | 🟩 Possible |
| MALW_Odinaff | 🟥 Impossible |
| MALW_Olyx | 🟩 Possible |
| MALW_PE_sections | 🟥 Impossible |
| MALW_PittyTiger | 🟨 Still possible but requires a lot of effort |
| MALW_PolishBankRat | 🟥 Impossible |
| MALW_Ponmocup | 🟥 Impossible |
| MALW_Pony | 🟩 Possible |
| MALW_Predator | 🟥 Impossible |
| MALW_PubSab | 🟩 Possible |
| MALW_PurpleWave | 🟥 Impossible |
| MALW_PyPI | 🟩 Possible |
| MALW_Pyinstaller | 🟥 Impossible |
| MALW_Pyinstaller_OSX | 🟩 Possible |
| MALW_Quarian | 🟥 Impossible |
| MALW_Rebirth_Vulcan_ELF | 🟥 Impossible |
| MALW_Regsubdat | 🟥 Impossible |
| MALW_Rockloader | 🟥 Impossible |
| MALW_Rooter | 🟥 Impossible |
| MALW_Rovnix | 🟥 Impossible |
| MALW_Safenet | 🟩 Possible |
| MALW_Sakurel | 🟩 Possible |
| MALW_Sayad | 🟩 Possible |
| MALW_Scarhikn | 🟥 Impossible |
| MALW_Sendsafe | 🟨 Still possible but requires a lot of effort |
| MALW_Shamoon | 🟥 Impossible |
| MALW_Shifu | 🟥 Impossible |
| MALW_Skeleton | 🟥 Impossible |
| MALW_Spora | 🟩 Possible |
| MALW_Sqlite | 🟩 Possible |
| MALW_Stealer | 🟩 Possible |
| MALW_Surtr | 🟥 Impossible |
| MALW_T5000 | 🟩 Possible |
| MALW_TRITON_HATMAN | 🟥 Impossible |
| MALW_TRITON_ICS_FRAMEWORK | 🟥 Impossible |
| MALW_Tedroo | 🟩 Possible |
| MALW_Tinba | 🟥 Impossible |
| MALW_TinyShell_Backdoor_gen | 🟥 Impossible |
| MALW_Torte_ELF | 🟥 Impossible |
| MALW_TreasureHunt | 🟩 Possible |
| MALW_TrickBot | 🟩 Possible |
| MALW_Trumpbot | 🟩 Possible |
| MALW_Upatre | 🟥 Impossible |
| MALW_Urausy | 🟩 Possible |
| MALW_Vidgrab | 🟥 Impossible |
| MALW_Virut_FileInfector_UNK_VERSION | 🟥 Impossible |
| MALW_Volgmer | 🟥 Impossible |
| MALW_Wabot | 🟩 Possible |
| MALW_Warp | 🟩 Possible |
| MALW_Wimmie | 🟥 Impossible |
| MALW_XHide | 🟩 Possible |
| MALW_XMRIG_Miner | 🟩 Possible |
| MALW_XOR_DDos | 🟩 Possible |
| MALW_Yayih | 🟩 Possible |
| MALW_Yordanyan_ActiveAgent | 🟨 Still possible but requires a lot of effort |
| MALW_Zegost | 🟩 Possible |
| MALW_Zeus | 🟥 Impossible |
| MALW_adwind_RAT | 🟥 Impossible |
| MALW_hancitor | 🟨 Still possible but requires a lot of effort |
| MALW_kirbi_mimikatz | 🟥 Impossible |
| MALW_kpot | 🟨 Still possible but requires a lot of effort |
| MALW_marap | 🟨 Still possible but requires a lot of effort |
| MALW_shifu_shiz | 🟨 Still possible but requires a lot of effort |
| MALW_sitrof_fortis_scar | 🟨 Still possible but requires a lot of effort |
| MALW_viotto_keylogger | 🟥 Impossible |
| MALW_xDedic_marketplace | 🟥 Impossible |
| RANSOM_.CRYPTXXX.yar | 🟩 Possible |
| RANSOM_777.yar | 🟩 Possible |
| RANSOM_Alpha.yar | 🟩 Possible |
| RANSOM_BadRabbit.yar | 🟥 Impossible |
| RANSOM_Cerber.yar | 🟥 Impossible |
| RANSOM_Comodosec.yar | 🟨 Still possible but requires a lot of effort |
| RANSOM_Crypren.yar | 🟥 Impossible |
| RANSOM_CryptoNar.yar | 🟥 Impossible |
| RANSOM_Cryptolocker.yar | 🟨 Still possible but requires a lot of effort |
| RANSOM_DMALocker.yar | 🟩 Possible |
| RANSOM_DoublePulsar_Petya.yar | 🟩 Possible |
| RANSOM_Erebus.yar | 🟩 Possible |
| RANSOM_GPGQwerty.yar | 🟩 Possible |
| RANSOM_GoldenEye.yar | 🟥 Impossible |
| RANSOM_Locky.yar | 🟩 Possible |
| RANSOM_MS17-010_Wannacrypt.yar | 🟥 Impossible |
| RANSOM_Maze.yar | 🟥 Impossible |
| RANSOM_PetrWrap.yar | 🟥 Impossible |
| RANSOM_Petya.yar | 🟥 Impossible |
| RANSOM_Petya_MS17_010.yar | 🟥 Impossible |
| RANSOM_Pico.yar | 🟥 Impossible |
| RANSOM_Revix.yar | 🟥 Impossible |
| RANSOM_SamSam.yar | 🟥 Impossible |
| RANSOM_Satana.yar | 🟩 Possible |
| RANSOM_Shiva.yar | 🟥 Impossible |
| RANSOM_Sigma.yar | 🟩 Possible |
| RANSOM_Snake.yar | 🟩 Possible |
| RANSOM_Stampado.yar | 🟥 Impossible |
| RANSOM_TeslaCrypt.yar | 🟩 Possible |
| RANSOM_Tox.yar | 🟩 Possible |
| RANSOM_acroware.yar | 🟥 Impossible |
| RANSOM_jeff_dev.yar | 🟥 Impossible |
| RANSOM_locdoor.yar | 🟥 Impossible |
| RANSOM_screenlocker_5h311_1nj3c706.yar | 🟥 Impossible |
| RANSOM_shrug2.yar | 🟥 Impossible |
| RANSOM_termite.yar | 🟥 Impossible |
| RAT_Adwind.yar | 🟥 Impossible |
| RAT_Adzok.yar | 🟩 Possible |
| RAT_Asyncrat.yar | 🟥 Impossible |
| RAT_BlackShades.yar | 🟥 Impossible |
| RAT_Bolonyokte.yar | 🟥 Impossible |
| RAT_Bozok.yar | 🟩 Possible |
| RAT_Cerberus.yar | 🟩 Possible |
| RAT_Crimson.yar | 🟩 Possible |
| RAT_CrossRAT.yar | 🟥 Impossible |
| RAT_CyberGate.yar | 🟩 Possible |
| RAT_DarkComet.yar | 🟥 Impossible |
| RAT_FlyingKitten.yar | 🟥 Impossible |
| RAT_Gh0st.yar | 🟥 Impossible |
| RAT_Gholee.yar | 🟩 Possible |
| RAT_Glass.yar | 🟩 Possible |
| RAT_Havex.yar | 🟥 Impossible |
| RAT_Hizor.yar | 🟥 Impossible |
| RAT_Indetectables.yar | 🟥 Impossible |
| RAT_Inocnation.yar | 🟥 Impossible |
| RAT_Meterpreter_Reverse_Tcp.yar | 🟥 Impossible |
| RAT_Nanocore.yar | 🟥 Impossible |
| RAT_NetwiredRC.yar | 🟥 Impossible |
| RAT_Njrat.yar | 🟥 Impossible |
| RAT_Orcus.yar | 🟥 Impossible |
| RAT_PlugX.yar | 🟥 Impossible |
| RAT_PoetRATDoc.yar | 🟩 Possible |
| RAT_PoetRATPython.yar | 🟥 Impossible |
| RAT_PoisonIvy.yar | 🟥 Impossible |
| RAT_Ratdecoders.yar | 🟩 Possible |
| RAT_Sakula.yar | 🟥 Impossible |
| RAT_ShadowTech.yar | 🟩 Possible |
| RAT_Shim.yar | 🟩 Possible |
| RAT_Terminator.yar | 🟩 Possible |
| RAT_Xtreme.yar | 🟥 Impossible |
| RAT_ZoxPNG.yar | 🟩 Possible |
| RAT_jRAT.yar | 🟩 Possible |
| RAT_xRAT.yar | 🟩 Possible |
| RAT_xRAT20.yar | 🟥 Impossible |
* [https://github.com/airbnb/binaryalert/tree/master/rules/public](https://github.com/daffainfo/nuclei-malware/tree/master/BinaryAlert)
| Yara Rules | Status |
| --- | --- |
| malware_macos_apt_sofacy_xagent.yara | 🟥 Impossible |
| malware_macos_bella.yara | 🟩 Possible |
| malware_macos_macspy.yara | 🟥 Impossible |
| malware_macos_marten4n6_evilosx.yara | 🟨 Still possible but requires a lot of effort |
| malware_macos_neoneggplant_eggshell.yara | 🟨 Still possible but requires a lot of effort |
| malware_macos_proton_rat_generic.yara | 🟥 Impossible |
| malware_multi_pupy_rat.yara | 🟨 Still possible but requires a lot of effort |
| malware_multi_vesche_basicrat.yara | 🟩 Possible |
| malware_windows_apt_red_leaves_generic.yara | 🟨 Still possible but requires a lot of effort |
| malware_windows_pony_stealer.yara | 🟩 Possible |
| malware_windows_remcos_rat.yara | 🟨 Still possible but requires a lot of effort |
| malware_windows_t3ntman_crunchrat.yara | 🟩 Possible |
| malware_windows_xrat_quasarrat.yara | 🟨 Still possible but requires a lot of effort |
| ransomware_windows_HDDCryptorA.yara | 🟨 Still possible but requires a lot of effort |
| ransomware_windows_cerber_evasion.yara | 🟩 Possible |
| ransomware_windows_cryptolocker.yara | 🟨 Still possible but requires a lot of effort |
| ransomware_windows_hydracrypt.yara | 🟩 Possible |
| ransomware_windows_lazarus_wannacry.yara | 🟥 Impossible |
| ransomware_windows_petya_variant_1.yara | 🟩 Possible |
| ransomware_windows_petya_variant_2.yara | 🟨 Still possible but requires a lot of effort |
| ransomware_windows_petya_variant_3.yara | 🟩 Possible |
| ransomware_windows_petya_variant_bitcoin.yara | 🟩 Possible |
| ransomware_windows_powerware_locky.yara | 🟩 Possible |
| ransomware_windows_wannacry.yara | 🟩 Possible |
| ransomware_windows_zcrypt.yara | 🟩 Possible |


@ -1,9 +1,9 @@
id: malware_aar
id: aar-malware
info:
name: AAR Malware Detector
name: AAR Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "Hashtable"
- "get_IsDisposed"


@ -1,9 +1,9 @@
id: malware_adzok
id: adzok-malware
info:
name: Adzok Malware Detector
name: Adzok Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Adzok.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "key.classPK"
- "svd$1.classPK"
@ -25,6 +26,7 @@ file:
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "svd$1.classPK"
@ -36,6 +38,7 @@ file:
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"
@ -47,6 +50,7 @@ file:
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"
@ -58,6 +62,7 @@ file:
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"
@ -69,6 +74,7 @@ file:
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"
@ -80,6 +86,7 @@ file:
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"
@ -91,6 +98,7 @@ file:
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"


@ -1,9 +1,9 @@
id: malware_alfa
id: alfa-malware
info:
name: Alfa Malware Detector
name: Alfa Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar
tags: malware,file
@ -11,7 +11,6 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
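Review bot: `alfa-malware` and `alpha-malware` (the section further down) both cite the same `RANSOM_Alpha.yar` file in `reference`, and after this rename nothing in either `info` block says which rule inside that file each one translates. Presumably the file holds more than one rule; suggest a `description:` line in each `info` block naming the upstream rule id so the pair is not mistaken for a duplicate. The matcher body of this file continues outside the hunk.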


@ -1,9 +1,9 @@
id: malware_alienspy
id: alienspy-malware
info:
name: AlienSpy Malware Detector
name: AlienSpy Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "META-INF/MANIFEST.MF"
- "ePK"


@ -1,9 +1,9 @@
id: malware_alina
id: alina-malware
info:
name: Alina Malware Detector
name: Alina Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Alina.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'Alina v1.0'
- 'POST'


@ -1,9 +1,9 @@
id: malware_alpha
id: alpha-malware
info:
name: Alpha Malware Detector
name: Alpha Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar
tags: malware,file


@ -1,9 +1,9 @@
id: malware_andromeda
id: andromeda-malware
info:
name: Andromeda Malware Detector
name: Andromeda Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Andromeda.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst'


@ -1,9 +1,9 @@
id: malware_ap0calypse
id: ap0calypse-malware
info:
name: Ap0calypse Malware Detector
name: Ap0calypse Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "Ap0calypse"
- "Sifre"


@ -1,9 +1,9 @@
id: malware_arcom
id: arcom-malware
info:
name: Arcom Malware Detector
name: Arcom Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "CVu3388fnek3W(3ij3fkp0930di"
- "ZINGAWI2"


@ -1,9 +1,9 @@
id: malware_arkei
id: arkei-malware
info:
name: Arkei Malware Detector
name: Arkei Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Arkei.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'Arkei'
- '/server/gate'


@ -1,9 +1,9 @@
id: malware_backoff
id: backoff-malware
info:
name: Backoff Malware Detector
name: Backoff Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Backoff.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- '&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s'
- '%s @ %s'


@ -1,9 +1,9 @@
id: malware_bandook
id: bandook-malware
info:
name: Bandook Malware Detector
name: Bandook Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "aaaaaa1|"
- "aaaaaa2|"


@ -1,9 +1,9 @@
id: malware_blacknix
id: blacknix-malware
info:
name: BlackNix Malware Detector
name: BlackNix Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "SETTINGS"
- "Mark Adler"


@ -1,9 +1,9 @@
id: malware_blackworm
id: blackworm-malware
info:
name: Blackworm Malware Detector
name: Blackworm Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_BlackWorm.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'm_ComputerObjectProvider'
- 'MyWebServices'


@ -1,9 +1,9 @@
id: malware_bluebanana
id: bluebanana-malware
info:
name: BlueBanana Malware Detector
name: BlueBanana Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "META-INF"
- "config.txt"


@ -1,9 +1,9 @@
id: malware_bozok
id: bozok-malware
info:
name: Bozok Malware Detector
name: Bozok Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Bozok.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "getVer"
- "StartVNC"


@ -1,9 +1,9 @@
id: malware_bublik
id: bublik-malware
info:
name: Bublik Malware Detector
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Bublik.yar
tags: malware,file
@ -11,7 +11,6 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
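Review bot: `name: Bublik Malware Detector` is the only template in this batch whose name was not updated to the new `… Malware - Detect` form; the id was renamed to `bublik-malware` but the name still carries the old suffix. Change it to `name: Bublik Malware - Detect` so naming stays consistent with the sibling templates.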


@ -1,9 +1,9 @@
id: malware_cap_hookexkeylogger
id: cap-hookexkeylogger-malware
info:
name: CAP HookExKeylogger Malware Detector
name: CAP HookExKeylogger Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_CAP_HookExKeylogger.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "SetWindowsHookEx"
- "WH_KEYBOARD_LL"
@ -21,6 +22,7 @@ file:
case-insensitive: true
- type: word
part: raw
words:
- "SetWindowsHookEx"
- "WH_KEYBOARD"
@ -28,6 +30,7 @@ file:
case-insensitive: true
- type: word
part: raw
words:
- "WH_KEYBOARD"
- "WH_KEYBOARD_LL"
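Review bot: The second matcher (`SetWindowsHookEx` + `WH_KEYBOARD`) is implied by the first (`SetWindowsHookEx` + `WH_KEYBOARD_LL`), because `WH_KEYBOARD` is a substring of `WH_KEYBOARD_LL` and the matchers are joined by `matchers-condition: or`; the third matcher is likewise implied by the first. The redundant matchers add no detection but make the rule read stricter than it is. Any legitimate program that installs a keyboard hook carries these API names, so the template should state its breadth in `info.description` rather than suggest a specific family. Each matcher's `condition` line sits outside the hunk, so this assumes `and` as in the source rule.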


@ -1,9 +1,9 @@
id: malware_cerberus
id: cerberus-malware
info:
name: Cerberus Malware Detector
name: Cerberus Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Cerberus.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "Ypmw1Syv023QZD"
- "wZ2pla"
@ -21,6 +22,7 @@ file:
condition: or
- type: word
part: raw
words:
- "cerberus"
case-insensitive: true


@ -1,9 +1,9 @@
id: malware_clientmesh
id: clientmesh-malware
info:
name: ClientMesh Malware Detector
name: ClientMesh Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "machinedetails"
- "MySettings"


@ -1,9 +1,9 @@
id: malware_crimson
id: crimson-malware
info:
name: Crimson Malware Detector
name: Crimson Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Crimson.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "com/crimson/PK"
- "com/crimson/bootstrapJar/PK"


@ -1,9 +1,9 @@
id: malware_cryptxxx_dropper
id: cryptxxx-dropper-malware
info:
name: CryptXXX Dropper Malware Detector
name: CryptXXX Dropper Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
tags: malware,file
@ -11,9 +11,8 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary #Dropper
- type: binary
binary:
- "50653157584346765962486F35"
- "43003A005C0042004900450052005C0051006D006B004E0052004C00460000"
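Review bot: The inline label `#Dropper` on the binary matcher is removed without replacement, and the same happens to the other matcher annotations in this commit: `#cxpidStrings`/`#cxpidCode` in cxpid-malware, `#TCP_KEEPINTVL`/`#TCP_KEEPCNT` in ddostf-malware, `#v4` in dmalocker-malware, `#xor`/`#dll` in doublepulsar-malware, `#GlassesStrings`/`#GlassesCode` in glasses-malware and `# Dynamic dll (malicious)` in intel-virtualization-malware. Those labels are the only thing telling a reader what a hex blob stands for; the intel-virtualization one in particular is what distinguishes the malicious DLL pattern from the other matcher in that file. If the trailing comments were dropped for lint reasons, keep them on a line above instead, e.g. `# Dropper` directly above `- type: binary` and `# TCP_KEEPINTVL` above each hex string.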


@ -1,9 +1,9 @@
id: malware_cryptxxx
id: cryptxxx-malware
info:
name: CryptXXX Malware Detector
name: CryptXXX Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
tags: malware,file
@ -11,7 +11,6 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:


@ -1,9 +1,9 @@
id: malware_cxpid
id: cxpid-malware
info:
name: Cxpid Malware Detector
name: Cxpid Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cxpid.yar
tags: malware,file
@ -13,7 +13,8 @@ file:
matchers-condition: or
matchers:
- type: word #cxpidStrings
- type: word
part: raw
words:
- '/cxpid/submit.php?SessionID='
- '/cxgid/'
@ -21,6 +22,6 @@ file:
- 'E21BC52BEA39E435C40CD8'
- ' -,L-,O+,Q-,R-,Y-,S-'
- type: binary #cxpidCode
- type: binary
binary:
- "558BECB9380400006A006A004975F9"


@ -1,9 +1,9 @@
id: malware_cythosia
id: cythosia-malware
info:
name: Cythosia Malware Detector
name: Cythosia Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cythosia.yar
tags: malware,file
@ -11,8 +11,8 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'HarvesterSocksBot.Properties.Resources'


@ -1,9 +1,9 @@
id: malware_darkrat
id: darkrat-malware
info:
name: DarkRAT Malware Detector
name: DarkRAT Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "@1906dark1996coder@"
- "SHEmptyRecycleBinA"


@ -1,9 +1,9 @@
id: malware_ddostf
id: ddostf-malware
info:
name: DDoSTf Malware Detector
name: DDoSTf Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DDoSTf.yar
@ -16,6 +16,7 @@ file:
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'ddos.tf'
- 'Accept-Language: zh'
@ -24,6 +25,6 @@ file:
- type: binary
binary:
- 'E8AEBEE7BDAE5443505F4B454550494E54564CE99499E8AFAFEFBC9A00' #TCP_KEEPINTVL
- 'E8AEBEE7BDAE5443505F4B454550434E54E99499E8AFAFEFBC9A00' #TCP_KEEPCNT
- 'E8AEBEE7BDAE5443505F4B454550494E54564CE99499E8AFAFEFBC9A00'
- 'E8AEBEE7BDAE5443505F4B454550434E54E99499E8AFAFEFBC9A00'
condition: and


@ -1,9 +1,9 @@
id: malware_derkziel
id: derkziel-malware
info:
name: Derkziel Malware Detector
name: Derkziel Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://bhf.su/threads/137898/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Derkziel.yar
@ -13,9 +13,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- '{!}DRZ{!}'
- 'User-Agent: Uploador'


@ -1,9 +1,9 @@
id: malware_dexter
id: dexter-malware
info:
name: Dexter Malware Detector
name: Dexter Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Dexter.yar
- http://goo.gl/oBvy8b
@ -13,9 +13,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'Java Security Plugin'
- '%s\\%s\\%s.exe'


@ -1,9 +1,9 @@
id: malware_diamondfox
id: diamondfox-malware
info:
name: DiamondFox Malware Detector
name: DiamondFox Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DiamondFox.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'UPDATE_B'
- 'UNISTALL_B'


@ -1,9 +1,9 @@
id: malware_dmalocker
id: dmalocker-malware
info:
name: DMA Locker Malware Detector
name: DMA Locker Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DMALocker.yar
tags: malware,file
@ -18,4 +18,5 @@ file:
- "21444d414c4f434b"
- "21444d414c4f434b332e30"
- "3F520000FFFFFFFF06000000524C4141"
- "21444d414c4f434b342e30" #v4
- "21444d414c4f434b342e30"
condition: or


@ -1,9 +1,9 @@
id: malware_doublepulsar
id: doublepulsar-malware
info:
name: DoublePulsar Malware Detector
name: DoublePulsar Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DoublePulsar_Petya.yar
tags: malware,file
@ -14,5 +14,6 @@ file:
matchers:
- type: binary
binary:
- "FD0C8C5CB8C424C5CCCCCC0EE8CC246BCCCCCC0F24CDCCCCCC275C9775BACDCCCCC3FE" #xor
- "45208D938D928D918D90929391970F9F9E9D99844529844D20CCCDCCCC9B844503844514844549CC3333332477CCCCCC844549C43333332484CDCCCC844549DC333333844749CC333333844741" #dll
- "FD0C8C5CB8C424C5CCCCCC0EE8CC246BCCCCCC0F24CDCCCCCC275C9775BACDCCCCC3FE"
- "45208D938D928D918D90929391970F9F9E9D99844529844D20CCCDCCCC9B844503844514844549CC3333332477CCCCCC844549C43333332484CDCCCC844549DC333333844749CC333333844741"
condition: or


@ -1,9 +1,9 @@
id: malware_eicar
id: eicar-malware
info:
name: Eicar Malware Detector
name: Eicar Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Eicar.yar
tags: malware,file
@ -13,5 +13,6 @@ file:
matchers:
- type: word
part: raw
words:
- "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@ -1,9 +1,9 @@
id: malware_erebus
id: erebus-malware
info:
name: Erebus Malware Detector
name: Erebus Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Erebus.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "/{5f58d6f0-bb9c-46e2-a4da-8ebc746f24a5}//log.log"
- "EREBUS IS BEST."


@ -1,9 +1,9 @@
id: malware_ezcob
id: ezcob-malware
info:
name: Ezcob Malware Detector
name: Ezcob Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Ezcob.yar
tags: malware,file
@ -13,9 +13,11 @@ file:
matchers:
- type: word
part: raw
words:
- '\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12'
- '\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12'
- 'Ezcob'
- 'l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126'
- '20110113144935'
condition: or


@ -1,9 +1,9 @@
id: malware_fudcrypt
id: fudcrypt-malware
info:
name: FUDCrypt Malware Detector
name: FUDCrypt Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://github.com/gigajew/FudCrypt/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_FUDCrypt.yar
@ -15,6 +15,7 @@ file:
matchers:
- type: word
part: raw
words:
- 'OcYjzPUtJkNbLOABqYvNbvhZf'
- 'gwiXxyIDDtoYzgMSRGMckRbJi'


@ -1,9 +1,9 @@
id: malware_gafgyt_bash
id: gafgyt-bash-malware
info:
name: Gafgyt Malware Detector
name: Gafgyt Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'PONG!'
- 'GETLOCALIP'
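Review bot: `name: Gafgyt Malware - Detect` is now used verbatim by gafgyt-bash-malware, gafgyt-generic-malware, gafgyt-hihi-malware, gafgyt-hoho-malware and gafgyt-jackmy-malware, while gafgyt-oh-malware received the distinct `Gafgyt Oh Malware - Detect`. Five templates reporting under one name cannot be told apart in output that keys on `info.name`. Give each the variant suffix its id already carries, e.g. `name: Gafgyt Bash Malware - Detect` here.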


@ -1,9 +1,9 @@
id: malware_gafgyt_generic
id: gafgyt-generic-malware
info:
name: Gafgyt Malware Detector
name: Gafgyt Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "/bin/busybox;echo -e 'gayfgt'"
- '/proc/net/route'


@ -1,9 +1,9 @@
id: malware_gafgyt_hihi
id: gafgyt-hihi-malware
info:
name: Gafgyt Malware Detector
name: Gafgyt Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'PING'
- 'PONG'
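Review bot: The words `PING` and `PONG` visible for gafgyt-hihi-malware (and identically for gafgyt-jackmy-malware) are IRC protocol keywords present in any IRC client or bot library, so with `extensions: all` and `part: raw` they match far beyond Gafgyt samples. Unless the list continues beyond the hunk with family-specific strings, this matcher is a generic IRC indicator, and the two templates are indistinguishable from each other on the visible lines. Either add the remaining strings from the referenced MALW_Gafgyt.yar rules or state the breadth in `info.description`. The matcher's `condition` is outside the hunk.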


@ -1,9 +1,9 @@
id: malware_gafgyt_hoho
id: gafgyt-hoho-malware
info:
name: Gafgyt Malware Detector
name: Gafgyt Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'PING'
- 'PRIVMSG'


@ -1,9 +1,9 @@
id: malware_gafgyt_jackmy
id: gafgyt-jackmy-malware
info:
name: Gafgyt Malware Detector
name: Gafgyt Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'PING'
- 'PONG'


@ -1,9 +1,9 @@
id: malware_gafgyt_oh
id: gafgyt-oh-malware
info:
name: Gafgyt Malware Detector
name: Gafgyt Oh Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'busyboxterrorist'
- 'BOGOMIPS'


@ -1,9 +1,9 @@
id: malware_genome
id: genome-malware
info:
name: Genome Malware Detector
name: Genome Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Genome.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'Attempting to create more than one keyboard::Monitor instance'
- '{Right windows}'


@ -1,9 +1,9 @@
id: malware_glass
id: glass-malware
info:
name: Glass Malware Detector
name: Glass Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Glass.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "PostQuitMessage"
- "pwlfnn10,gzg"


@ -1,9 +1,9 @@
id: malware_glasses
id: glasses-malware
info:
name: Glasses Malware Detector
name: Glasses Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Glasses.yar
@ -15,14 +15,15 @@ file:
matchers-condition: and
matchers:
- type: word #GlassesStrings
- type: word
part: raw
words:
- 'thequickbrownfxjmpsvalzydg'
- 'Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)'
- '" target="NewRef"></a>'
condition: and
- type: binary #GlassesCode
- type: binary
binary:
- "B8ABAAAAAAF7E1D1EA8D04522BC8"
- "B856555555F7E98B4C241C8BC2C1E81F03D0493BCA"


@ -1,9 +1,9 @@
id: malware_gozi
id: gozi-malware
info:
name: Gozi Malware Detector
name: Gozi Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gozi.yar


@ -1,9 +1,9 @@
id: malware_gpgqwerty
id: gpgqwerty-malware
info:
name: GPGQwerty Malware Detector
name: GPGQwerty Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_GPGQwerty.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "gpg.exe recipient qwerty -o"
- "%s%s.%d.qwerty"


@ -1,9 +1,9 @@
id: malware_greame
id: greame-malware
info:
name: Greame Malware Detector
name: Greame Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "EditSvr"
- "TLoader"


@ -1,9 +1,9 @@
id: malware_grozlex
id: grozlex-malware
info:
name: Grozlex Malware Detector
name: Grozlex Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Grozlex.yar


@ -1,9 +1,9 @@
id: malware_hawkeye
id: hawkeye-malware
info:
name: HawkEye Malware Detector
name: HawkEye Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "HawkEyeKeylogger"
- "099u787978786"


@ -1,9 +1,9 @@
id: malware_imminent
id: imminent-malware
info:
name: Imminent Malware Detector
name: Imminent Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "DecodeProductKey"
- "StartHTTPFlood"
@ -25,6 +26,7 @@ file:
condition: and
- type: word
part: raw
words:
- "<URL>k__BackingField"
- "<RunHidden>k__BackingField"


@ -1,9 +1,9 @@
id: malware_infinity
id: infinity-malware
info:
name: Infinity Malware Detector
name: Infinity Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "CRYPTPROTECT_PROMPTSTRUCT"
- "discomouse"


@ -1,9 +1,9 @@
id: malware_insta11
id: insta11-malware
info:
name: Insta11 Malware Detector
name: Insta11 Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Install11.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- 'XTALKER7'
- 'Insta11 Microsoft'


@ -1,9 +1,9 @@
id: malware_intel_virtualization
id: intel-virtualization-malware
info:
name: Intel Virtualization Malware Detector
name: Intel Virtualization Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Intel_Virtualization.yar
tags: malware,file
@ -22,7 +22,7 @@ file:
- '6863637574696C732E444C4C'
condition: and
- type: binary # Dynamic dll (malicious)
- type: binary
binary:
- '483A5C466173745C506C756728686B636D64295C'
- '646C6C5C52656C656173655C48696A61636B446C6C2E706462'


@ -1,9 +1,9 @@
id: malware_iotreaper
id: iotreaper-malware
info:
name: IotReaper Malware Detector
name: IotReaper Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_IotReaper.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- 'XTALKER7'
- 'Insta11 Microsoft'
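Review bot: The words for iotreaper-malware, `XTALKER7` and `Insta11 Microsoft`, are byte-for-byte the strings used by insta11-malware, so this template detects Insta11 under an IotReaper name and is unlikely to reflect what the referenced MALW_IotReaper.yar rule matches. This looks like a copy-paste carry-over that predates the commit, but the rename is the right moment to fix it. Replace the words list with the strings from the IotReaper rule (placeholder: `- '<iotreaper string from MALW_IotReaper.yar>'`), or hold the template back until that is done. The rest of the matcher is outside the hunk.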


@ -1,9 +1,9 @@
id: malware_linux_aesddos
id: linux-aesddos-malware
info:
name: Linux AESDDOS Malware Detector
name: Linux AESDDOS Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
@ -16,18 +16,21 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "3AES"
- "Hacker"
condition: and
- type: word
part: raw
words:
- "3AES"
- "VERSONEX"
condition: and
- type: word
part: raw
words:
- "VERSONEX"
- "Hacker"


@ -1,9 +1,9 @@
id: malware_linux_billgates
id: linux-billgates-malware
info:
name: Linux BillGates Malware Detector
name: Linux BillGates Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429
@ -13,9 +13,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "12CUpdateGates"
- "11CUpdateBill"


@ -1,9 +1,9 @@
id: malware_linux_elknot
id: linux-elknot-malware
info:
name: Linux Elknot Malware Detector
name: Linux Elknot Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099
@ -13,9 +13,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "ZN8CUtility7DeCryptEPciPKci"
- "ZN13CThreadAttack5StartEP11CCmdMessage"


@ -1,9 +1,9 @@
id: malware_linux_mrblack
id: linux-mrblack-malware
info:
name: Linux MrBlack Malware Detector
name: Linux MrBlack Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
@ -13,9 +13,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "Mr.Black"
- "VERS0NEX:%s|%d|%d|%s"


@ -1,9 +1,9 @@
id: malware_linux_tsunami
id: linux-tsunami-malware
info:
name: Linux Tsunami Malware Detector
name: Linux Tsunami Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
@ -15,6 +15,7 @@ file:
matchers:
- type: word
part: raw
words:
- "PRIVMSG %s :[STD]Hitting %s"
- "NOTICE %s :TSUNAMI <target> <secs>"


@ -1,9 +1,9 @@
id: malware_locky
id: locky-malware
info:
name: Locky Malware Detector
name: Locky Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Locky.yar
tags: malware,file


@ -1,9 +1,9 @@
id: malware_lostdoor
id: lostdoor-malware
info:
name: LostDoor Malware Detector
name: LostDoor Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "*mlt* = %"
- "*ip* = %"


@ -1,9 +1,9 @@
id: malware_luminositylink
id: luminositylink-malware
info:
name: LuminosityLink Malware Detector
name: LuminosityLink Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "SMARTLOGS"
- "RUNPE"


@ -1,9 +1,9 @@
id: malware_luxnet
id: luxnet-malware
info:
name: LuxNet Malware Detector
name: LuxNet Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "GetHashCode"
- "Activator"


@ -1,9 +1,9 @@
id: malware_macgyver_installer
id: macgyver-installer-malware
info:
name: MacGyver.cap Installer Malware Detector
name: MacGyver.cap Installer Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar
@ -13,9 +13,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "delete -AID 315041592e5359532e4444463031"
- "install -file MacGyver.cap -nvDataLimit 1000 -instParam 00 -priv 4"


@ -1,9 +1,9 @@
id: malware_macgyver
id: macgyver-malware
info:
name: MacGyver.cap Malware Detector
name: MacGyver.cap Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar
@ -13,9 +13,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "src/MacGyver/javacard/Header.cap"
- "src/MacGyver/javacard/Directory.cap"


@ -1,9 +1,9 @@
id: malware_madness
id: madness-malware
info:
name: Madness DDOS Malware Detector
name: Madness DDOS Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://github.com/arbor/yara/blob/master/madness.yara
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Madness.yar
@ -13,9 +13,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE"
- "TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ=="


@ -1,9 +1,9 @@
id: malware_miner
id: miner-malware
info:
name: Miner Malware Detector
name: Miner Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_XMRIG_Miner.yar
tags: malware,file
@ -13,6 +13,7 @@ file:
matchers:
- type: word
part: raw
words:
- "stratum+tcp"
- "stratum+udp"


@ -1,9 +1,9 @@
id: malware_miniasp3
id: miniasp3-malware
info:
name: MiniASP3 Malware Detector
name: MiniASP3 Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MiniAsp3_mem.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
@ -22,6 +23,7 @@ file:
condition: and
- type: word
part: raw
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
@ -30,6 +32,7 @@ file:
condition: and
- type: word
part: raw
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
@ -38,6 +41,7 @@ file:
condition: and
- type: word
part: raw
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
@ -46,6 +50,7 @@ file:
condition: and
- type: word
part: raw
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"


@ -1,9 +1,9 @@
id: malware_naikon
id: naikon-malware
info:
name: Naikon Malware Detector
name: Naikon Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naikon.yar
tags: malware,file
@ -21,6 +21,7 @@ file:
condition: and
- type: word
part: raw
words:
- "NOKIAN95/WEB"
- "/tag=info&id=15"


@ -1,9 +1,9 @@
id: malware_naspyupdate
id: naspyupdate-malware
info:
name: nAspyUpdate Malware Detector
name: nAspyUpdate Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naspyupdate.yar
tags: malware,file
@ -18,6 +18,7 @@ file:
- "8A5424148A0132C202C28801414E75F4"
- type: word
part: raw
words:
- "\\httpclient.txt"
- "password <=14"


@ -1,9 +1,9 @@
id: malware_notepad
id: notepad-malware
info:
name: Notepad v1.1 Malware Detector
name: Notepad v1.1 Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Notepad.yar
tags: malware,file
@ -13,6 +13,7 @@ file:
matchers:
- type: word
part: raw
words:
- "75BAA77C842BE168B0F66C42C7885997"
- "B523F63566F407F3834BCC54AAA32524"
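Review bot: The two word entries `75BAA77C842BE168B0F66C42C7885997` and `B523F63566F407F3834BCC54AAA32524` are 32-character hex strings, and with `part: raw` a `word` matcher only hits when that exact ASCII text occurs in the scanned file; if the referenced MALW_Notepad.yar defines them as hex byte patterns rather than text strings, this template needs `type: binary` instead. Please confirm against the source rule and record the answer above the matcher, e.g. `# literal ASCII strings from the source rule, not byte patterns`. The matcher's `condition:` line falls outside the hunk, so whether both strings are required is not visible here.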


@ -1,9 +1,9 @@
id: malware_olyx
id: olyx-malware
info:
name: Olyx Malware Detector
name: Olyx Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Olyx.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "/Applications/Automator.app/Contents/MacOS/DockLight"
condition: or


@ -1,9 +1,9 @@
id: malware_osx_leverage
id: osx-leverage-malware
info:
name: OSX Leverage Malware Detector
name: OSX Leverage Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_OSX_Leverage.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
- "+:Users:Shared:UserEvent.app:Contents:MacOS:"


@ -1,9 +1,9 @@
id: malware_paradox
id: paradox-malware
info:
name: Paradox Malware Detector
name: Paradox Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "ParadoxRAT"
- "Form1"


@ -1,9 +1,9 @@
id: malware_plasma
id: plasma-malware
info:
name: Plasma Malware Detector
name: Plasma Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "Miner: Failed to Inject."
- "Started GPU Mining on:"


@ -1,9 +1,9 @@
id: malware_poetrat
id: poetrat-malware
info:
name: PoetRat Malware Detector
name: PoetRat Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_PoetRATDoc.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "launcher.py"
- "smile.zip"


@ -1,9 +1,9 @@
id: malware_pony
id: pony-malware
info:
name: Pony Malware Detector
name: Pony Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Pony.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}"
- "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0"


@ -1,9 +1,9 @@
id: malware_pubsab
id: pubsab-malware
info:
name: PubSab Malware Detector
name: PubSab Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PubSab.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "_deamon_init"
- "com.apple.PubSabAgent"


@ -1,9 +1,9 @@
id: malware_punisher
id: punisher-malware
info:
name: Punisher Malware Detector
name: Punisher Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "abccba"
- "SpyTheSpy"


@ -1,9 +1,9 @@
id: malware_pypi
id: pypi-malware
info:
name: Fake PyPI Malware Detector
name: Fake PyPI Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PyPI.yar
@ -13,9 +13,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "# Welcome Here! :)"
- "# just toy, no harm :)"


@ -1,9 +1,9 @@
id: malware_pythorat
id: pythorat-malware
info:
name: PythoRAT Malware Detector
name: PythoRAT Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "TKeylogger"
- "uFileTransfer"


@ -1,9 +1,9 @@
id: malware_qrat
id: qrat-malware
info:
name: QRat Malware Detector
name: QRat Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "quaverse/crypter"
- "Qrypt.class"
@ -22,6 +23,7 @@ file:
condition: and
- type: word
part: raw
words:
- "e-data"
- "Qrypt.class"
@ -38,6 +40,7 @@ file:
condition: and
- type: word
part: raw
words:
- "e-data"
- "quaverse/crypter"


@ -1,9 +1,9 @@
id: malware_satana_dropper
id: satana-dropper-malware
info:
name: Satana Dropper Malware Detector
name: Satana Dropper Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Satana.yar
tags: malware,file
@ -11,9 +11,8 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary #Dropper
- type: binary
binary:
- "25732D547279457863657074"
- "643A5C6C626574776D77795C75696A657571706C667775622E706462"
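Review bot: Dropping the `#Dropper` comment leaves the `binary:` matcher with no human-readable hint of what its two hex strings encode; they decode to the ASCII text `%s-TryExcept` and the PDB path `d:\lbetwmwy\uijeuqplfwub.pdb`, which a reader cannot see from the hex alone. Restore the intent as a properly spaced line comment above the matcher, e.g. `# Dropper: "%s-TryExcept" plus the embedded PDB path`, or express these two ASCII values as a `type: word` matcher with `part: raw`, matching the style used by the other templates in this commit. The matcher's `condition:` line and any further matchers are outside the hunk.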


@ -1,9 +1,9 @@
id: malware_satana
id: satana-malware
info:
name: Satana Malware Detector
name: Satana Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
tags: malware,file


@ -1,9 +1,9 @@
id: malware_shimrat
id: shimrat-malware
info:
name: ShimRat Malware Detector
name: ShimRat Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Shim.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- ".dll"
- ".dat"
@ -22,12 +23,14 @@ file:
condition: and
- type: word
part: raw
words:
- "Data$$00"
- "Data$$01%c%sData"
condition: and
- type: word
part: raw
words:
- "ping localhost -n 9 /c %s > nul"
- "Demo"
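Review bot: The first word matcher under `matchers-condition: or` is built from `.dll` and `.dat`, substrings present in most Windows executables, so if the rest of its word list (which continues past the end of the first hunk) is equally generic, that matcher alone will flag a large share of benign binaries. Consider folding those entries into the `Data$$00` / `Data$$01%c%sData` matcher or switching the top-level condition to `and`, so the template cannot fire on `.dll` plus `.dat` by themselves. The same concern applies to `Demo` in the third matcher, which is only as selective as its partner string `ping localhost -n 9 /c %s > nul`. The `file:` block begins before the first hunk, so the extensions filter is not visible here.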
