From 49c0820cde52653793405031765789d0589fff79 Mon Sep 17 00:00:00 2001 
From: Muhammad Daffa Date: Sun, 5 Mar 2023 23:58:03 +0700 Subject: [PATCH] feat: added 51 templates --- file/malware/malware_aar.yaml | 25 +++++ file/malware/malware_adzok.yaml | 102 +++++++++++++++++++++ file/malware/malware_alfa.yaml | 20 ++++ file/malware/malware_alienspy.yaml | 25 +++++ file/malware/malware_alpha.yaml | 17 ++++ file/malware/malware_ap0calypse.yaml | 24 +++++ file/malware/malware_arcom.yaml | 27 ++++++ file/malware/malware_bandook.yaml | 28 ++++++ file/malware/malware_blacknix.yaml | 23 +++++ file/malware/malware_bluebanana.yaml | 24 +++++ file/malware/malware_bozok.yaml | 24 +++++ file/malware/malware_cerberus.yaml | 26 ++++++ file/malware/malware_clientmesh.yaml | 28 ++++++ file/malware/malware_crimson.yaml | 23 +++++ file/malware/malware_cryptxxx.yaml | 43 +++++++++ file/malware/malware_cryptxxx_dropper.yaml | 20 ++++ file/malware/malware_darkrat.yaml | 25 +++++ file/malware/malware_dmalocker.yaml | 21 +++++ file/malware/malware_doublepulsar.yaml | 18 ++++ file/malware/malware_erebus.yaml | 20 ++++ file/malware/malware_glass.yaml | 22 +++++ file/malware/malware_gpgqwerty.yaml | 22 +++++ file/malware/malware_greame.yaml | 30 ++++++ file/malware/malware_hawkeye.yaml | 27 ++++++ file/malware/malware_imminent.yaml | 35 +++++++ file/malware/malware_infinity.yaml | 26 ++++++ file/malware/malware_locky.yaml | 31 +++++++ file/malware/malware_lostdoor.yaml | 31 +++++++ file/malware/malware_luminositylink.yaml | 29 ++++++ file/malware/malware_luxnet.yaml | 24 +++++ file/malware/malware_paradox.yaml | 25 +++++ file/malware/malware_plasma.yaml | 27 ++++++ file/malware/malware_poetrat.yaml | 33 +++++++ file/malware/malware_punisher.yaml | 29 ++++++ file/malware/malware_pythorat.yaml | 26 ++++++ file/malware/malware_qrat.yaml | 46 ++++++++++ file/malware/malware_satana.yaml | 28 ++++++ file/malware/malware_satana_dropper.yaml | 21 +++++ file/malware/malware_shimrat.yaml | 39 ++++++++ file/malware/malware_shimratreporter.yaml | 30 ++++++ 
file/malware/malware_sigma.yaml | 27 ++++++ file/malware/malware_smallnet.yaml | 28 ++++++ file/malware/malware_snake.yaml | 24 +++++ file/malware/malware_sub7nation.yaml | 31 +++++++ file/malware/malware_terminator.yaml | 20 ++++ file/malware/malware_teslacrypt.yaml | 17 ++++ file/malware/malware_tox.yaml | 32 +++++++ file/malware/malware_unrecom.yaml | 23 +++++ file/malware/malware_vertex.yaml | 26 ++++++ file/malware/malware_virusrat.yaml | 30 ++++++ file/malware/malware_zoxpng.yaml | 17 ++++ 51 files changed, 1419 insertions(+) create mode 100644 file/malware/malware_aar.yaml create mode 100644 file/malware/malware_adzok.yaml create mode 100644 file/malware/malware_alfa.yaml create mode 100644 file/malware/malware_alienspy.yaml create mode 100644 file/malware/malware_alpha.yaml create mode 100644 file/malware/malware_ap0calypse.yaml create mode 100644 file/malware/malware_arcom.yaml create mode 100644 file/malware/malware_bandook.yaml create mode 100644 file/malware/malware_blacknix.yaml create mode 100644 file/malware/malware_bluebanana.yaml create mode 100644 file/malware/malware_bozok.yaml create mode 100644 file/malware/malware_cerberus.yaml create mode 100644 file/malware/malware_clientmesh.yaml create mode 100644 file/malware/malware_crimson.yaml create mode 100644 file/malware/malware_cryptxxx.yaml create mode 100644 file/malware/malware_cryptxxx_dropper.yaml create mode 100644 file/malware/malware_darkrat.yaml create mode 100644 file/malware/malware_dmalocker.yaml create mode 100644 file/malware/malware_doublepulsar.yaml create mode 100644 file/malware/malware_erebus.yaml create mode 100644 file/malware/malware_glass.yaml create mode 100644 file/malware/malware_gpgqwerty.yaml create mode 100644 file/malware/malware_greame.yaml create mode 100644 file/malware/malware_hawkeye.yaml create mode 100644 file/malware/malware_imminent.yaml create mode 100644 file/malware/malware_infinity.yaml create mode 100644 file/malware/malware_locky.yaml create mode 100644 
file/malware/malware_lostdoor.yaml
 create mode 100644 file/malware/malware_luminositylink.yaml
 create mode 100644 file/malware/malware_luxnet.yaml
 create mode 100644 file/malware/malware_paradox.yaml
 create mode 100644 file/malware/malware_plasma.yaml
 create mode 100644 file/malware/malware_poetrat.yaml
 create mode 100644 file/malware/malware_punisher.yaml
 create mode 100644 file/malware/malware_pythorat.yaml
 create mode 100644 file/malware/malware_qrat.yaml
 create mode 100644 file/malware/malware_satana.yaml
 create mode 100644 file/malware/malware_satana_dropper.yaml
 create mode 100644 file/malware/malware_shimrat.yaml
 create mode 100644 file/malware/malware_shimratreporter.yaml
 create mode 100644 file/malware/malware_sigma.yaml
 create mode 100644 file/malware/malware_smallnet.yaml
 create mode 100644 file/malware/malware_snake.yaml
 create mode 100644 file/malware/malware_sub7nation.yaml
 create mode 100644 file/malware/malware_terminator.yaml
 create mode 100644 file/malware/malware_teslacrypt.yaml
 create mode 100644 file/malware/malware_tox.yaml
 create mode 100644 file/malware/malware_unrecom.yaml
 create mode 100644 file/malware/malware_vertex.yaml
 create mode 100644 file/malware/malware_virusrat.yaml
 create mode 100644 file/malware/malware_zoxpng.yaml
diff --git a/file/malware/malware_aar.yaml b/file/malware/malware_aar.yaml
new file mode 100644
index 0000000000..8705fe0287
--- /dev/null
+++ b/file/malware/malware_aar.yaml
@@ -0,0 +1,25 @@
+id: malware_aar
+
+info:
+ name: AAR Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Hashtable"
+ - "get_IsDisposed"
+ - "TripleDES"
+ - "testmemory.FRMMain.resources"
+ - "$this.Icon"
+ - "{11111-22222-20001-00001}"
+ - "@@@@@"
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_adzok.yaml b/file/malware/malware_adzok.yaml
new file mode 100644
index 0000000000..38b78eda10
--- /dev/null
+++ b/file/malware/malware_adzok.yaml
@@ -0,0 +1,102 @@
+id: malware_adzok
+
+info:
+ name: Adzok Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Adzok.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: or
+ matchers:
+ - type: word
+ words:
+ - "key.classPK"
+ - "svd$1.classPK"
+ - "svd$2.classPK"
+ - "Mensaje.classPK"
+ - "inic$ShutdownHook.class"
+ - "Uninstall.jarPK"
+ - "resources/icono.pngPK"
+ condition: and
+
+ - type: word
+ words:
+ - "config.xmlPK"
+ - "svd$1.classPK"
+ - "svd$2.classPK"
+ - "Mensaje.classPK"
+ - "inic$ShutdownHook.class"
+ - "Uninstall.jarPK"
+ - "resources/icono.pngPK"
+ condition: and
+
+ - type: word
+ words:
+ - "config.xmlPK"
+ - "key.classPK"
+ - "svd$1.classPK"
+ - "Mensaje.classPK"
+ - "inic$ShutdownHook.class"
+ - "Uninstall.jarPK"
+ - "resources/icono.pngPK"
+ condition: and
+
+ - type: word
+ words:
+ - "config.xmlPK"
+ - "key.classPK"
+ - "svd$2.classPK"
+ - "Mensaje.classPK"
+ - "inic$ShutdownHook.class"
+ - "Uninstall.jarPK"
+ - "resources/icono.pngPK"
+ condition: and
+
+ - type: word
+ words:
+ - "config.xmlPK"
+ - "key.classPK"
+ - "svd$1.classPK"
+ - "svd$2.classPK"
+ - "inic$ShutdownHook.class"
+ - "Uninstall.jarPK"
+ - "resources/icono.pngPK"
+ condition: and
+
+ - type: word
+ words:
+ - "config.xmlPK"
+ - "key.classPK"
+ - "svd$1.classPK"
+ - "svd$2.classPK"
+ - "Mensaje.classPK"
+ - "Uninstall.jarPK"
+ - "resources/icono.pngPK"
+ condition: and
+
+ - type: word
+ words:
+ - "config.xmlPK"
+ - "key.classPK"
+ - "svd$1.classPK"
+ - "svd$2.classPK"
+ - "Mensaje.classPK"
+ - "inic$ShutdownHook.class"
+ - "Uninstall.jarPK"
+ condition: and
+
+ - type: word
+ words:
+ - "config.xmlPK"
+ - "key.classPK"
+ - "svd$1.classPK"
+ - "svd$2.classPK"
+ - "Mensaje.classPK"
+ - "inic$ShutdownHook.class"
+ - "resources/icono.pngPK"
+ condition: and
\ No newline at end of file
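Review bot: The eight matchers are the eight 7-of-8 subsets of the same list of Adzok JAR entry names, but nothing in the file says so, and a reader has to diff the blocks by hand to discover that each one drops exactly one string. A one-line comment above `matchers-condition: or` would carry that intent, e.g. `# nuclei has no "N of M" condition: one matcher per 7-of-8 subset of the JAR entry names`. It is also worth confirming against the referenced rule that the threshold really is 7 of 8 rather than all of them, since that choice is what the whole expansion encodes.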
diff --git a/file/malware/malware_alfa.yaml b/file/malware/malware_alfa.yaml
new file mode 100644
index 0000000000..873196d17e
--- /dev/null
+++ b/file/malware/malware_alfa.yaml
@@ -0,0 +1,20 @@
+id: malware_alfa
+
+info:
+ name: Alfa Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: binary
+ binary:
+ - "8B0C9781E1FFFF000081F919040000740F81F9"
+ - "220400007407423BD07CE2EB02"
+ condition: and
diff --git a/file/malware/malware_alienspy.yaml b/file/malware/malware_alienspy.yaml
new file mode 100644
index 0000000000..aaa64624e6
--- /dev/null
+++ b/file/malware/malware_alienspy.yaml
@@ -0,0 +1,25 @@
+id: malware_alienspy
+
+info:
+ name: AlienSpy Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "META-INF/MANIFEST.MF"
+ - "ePK"
+ - "kPK"
+ - "config.ini"
+ - "password.ini"
+ - "stub/stub.dll"
+ - "c.dat"
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_alpha.yaml b/file/malware/malware_alpha.yaml
new file mode 100644
index 0000000000..dd2082a69a
--- /dev/null
+++ b/file/malware/malware_alpha.yaml
@@ -0,0 +1,17 @@
+id: malware_alpha
+
+info:
+ name: Alpha Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: binary
+ binary:
+ - "520065006100640020004D0065002000280048006F00770020004400650063"
diff --git a/file/malware/malware_ap0calypse.yaml b/file/malware/malware_ap0calypse.yaml
new file mode 100644
index 0000000000..855ea9fb5c
--- /dev/null
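Review bot: The two `binary` values are the two halves of one contiguous x86 instruction stream: the first ends on the `81 F9` opcode of a `cmp ecx, imm32` and the second begins with its immediate `22 04 00 00` followed by `74 07` / `42` / `3B D0` / `7C E2` / `EB 02`, so the split falls mid-instruction. Nuclei's `binary` matcher checks each value anywhere in the file, so `condition: and` no longer requires the two halves to be adjacent or even in order; if the referenced rule has one hex string, join them into a single value `8B0C9781E1FFFF000081F919040000740F81F9220400007407423BD07CE2EB02`. Separately, `reference` points at `RANSOM_Alpha.yar`, the same file `malware_alpha.yaml` cites, while this template is named Alfa; confirm that is where the Alfa rule lives or fix the link.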
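Review bot: `ePK` and `kPK` are three-byte fragments (one letter followed by the ZIP `PK` signature that immediately follows every entry name in a central directory), so they occur in practically any JAR with an entry name ending in `e` or `k` and add no discrimination to the `and`; the match is carried entirely by `config.ini`, `password.ini`, `stub/stub.dll` and `c.dat`. If these stand for longer entry names that were truncated when the rule was transcribed, restore them; otherwise drop the two entries and add a comment above `words:` naming which strings are the real indicators.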
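Review bot: The single hex value decodes as UTF-16LE text `Read Me (How Dec` (presumably the start of the ransom-note name or text), but nothing in the template says so, and a reviewer cannot sanity-check a 62-character hex string without decoding it by hand; append `# UTF-16LE "Read Me (How Dec"` to that line. The template also omits `matchers-condition`, which is harmless with one matcher but differs from every sibling in this commit; adding `matchers-condition: and` keeps the files uniform for the next person who appends a matcher.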
+++ b/file/malware/malware_ap0calypse.yaml
@@ -0,0 +1,24 @@
+id: malware_ap0calypse
+
+info:
+ name: Ap0calypse Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Ap0calypse"
+ - "Sifre"
+ - "MsgGoster"
+ - "Baslik"
+ - "Dosyalars"
+ - "Injecsiyon"
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_arcom.yaml b/file/malware/malware_arcom.yaml
new file mode 100644
index 0000000000..de8159dc2e
--- /dev/null
+++ b/file/malware/malware_arcom.yaml
@@ -0,0 +1,27 @@
+id: malware_arcom
+
+info:
+ name: Arcom Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "CVu3388fnek3W(3ij3fkp0930di"
+ - "ZINGAWI2"
+ - "clWebLightGoldenrodYellow"
+ - "Ancestor for '%s' not found"
+ - "Control-C hit"
+ condition: and
+
+ - type: binary
+ binary:
+ - "A3242521"
\ No newline at end of file
diff --git a/file/malware/malware_bandook.yaml b/file/malware/malware_bandook.yaml
new file mode 100644
index 0000000000..fcdc999f26
--- /dev/null
+++ b/file/malware/malware_bandook.yaml
@@ -0,0 +1,28 @@
+id: malware_bandook
+
+info:
+ name: Bandook Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "aaaaaa1|"
+ - "aaaaaa2|"
+ - "aaaaaa3|"
+ - "aaaaaa4|"
+ - "aaaaaa5|"
+ - "%s%d.exe"
+ - "astalavista"
+ - "givemecache"
+ - "%s\\system32\\drivers\\blogs\\*"
+ - "bndk13me"
+ condition: and
diff --git a/file/malware/malware_blacknix.yaml b/file/malware/malware_blacknix.yaml
new file mode 100644
index 0000000000..d5429008c4
--- /dev/null
+++ b/file/malware/malware_blacknix.yaml
@@ -0,0 +1,23 @@
+id: malware_blacknix
+
+info:
+ name: BlackNix Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "SETTINGS"
+ - "Mark Adler"
+ - "Random-Number-Here"
+ - "RemoteShell"
+ - "SystemInfo"
+ condition: and
diff --git a/file/malware/malware_bluebanana.yaml b/file/malware/malware_bluebanana.yaml
new file mode 100644
index 0000000000..4b673842be
--- /dev/null
+++ b/file/malware/malware_bluebanana.yaml
@@ -0,0 +1,24 @@
+id: malware_bluebanana
+
+info:
+ name: BlueBanana Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "META-INF"
+ - "config.txt"
+ - "a/a/a/a/f.class"
+ - "a/a/a/a/l.class"
+ - "a/a/a/b/q.class"
+ - "a/a/a/b/v.class"
+ condition: and
diff --git a/file/malware/malware_bozok.yaml b/file/malware/malware_bozok.yaml
new file mode 100644
index 0000000000..78434104e9
--- /dev/null
+++ b/file/malware/malware_bozok.yaml
@@ -0,0 +1,24 @@
+id: malware_bozok
+
+info:
+ name: Bozok Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Bozok.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "getVer"
+ - "StartVNC"
+ - "SendCamList"
+ - "untPlugin"
+ - "gethostbyname"
+ condition: and
+ case-insensitive: true
\ No newline at end of file
diff --git a/file/malware/malware_cerberus.yaml b/file/malware/malware_cerberus.yaml
new file mode 100644
index 0000000000..0bc53ba196
--- /dev/null
+++ b/file/malware/malware_cerberus.yaml
@@ -0,0 +1,26 @@
+id: malware_cerberus
+
+info:
+ name: Cerberus Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Cerberus.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: or
+ matchers:
+ - type: word
+ words:
+ - "Ypmw1Syv023QZD"
+ - "wZ2pla"
+ - "wBmpf3Pb7RJe"
+ condition: or
+
+ - type: word
+ words:
+ - "cerberus"
+ case-insensitive: true
diff --git a/file/malware/malware_clientmesh.yaml b/file/malware/malware_clientmesh.yaml
new file mode 100644
index 0000000000..7fdc288441
--- /dev/null
+++ b/file/malware/malware_clientmesh.yaml
@@ -0,0 +1,28 @@
+id: malware_clientmesh
+
+info:
+ name: ClientMesh Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "machinedetails"
+ - "MySettings"
+ - "sendftppasswords"
+ - "sendbrowserpasswords"
+ - "arma2keyMass"
+ - "keylogger"
+ condition: and
+
+ - type: binary
+ binary:
+ - "0000000000000000007E"
\ No newline at end of file
diff --git a/file/malware/malware_crimson.yaml b/file/malware/malware_crimson.yaml
new file mode 100644
index 0000000000..12dc37b680
--- /dev/null
+++ b/file/malware/malware_crimson.yaml
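Review bot: The second matcher fires on any file that contains `cerberus` in any letter case, and with `matchers-condition: or` that alone yields a `critical` finding, even though the word is a common product and project name and the name of unrelated malware families, so on its own it is not an indicator of this RAT. Either make the word a required companion of the protocol tokens (`matchers-condition: and`, keeping the first matcher's `condition: or`) or drop the second matcher; if the referenced rule really is "any of them", record that trade-off in a comment above `matchers-condition:` so the false-positive rate is a documented choice rather than an accident.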
@@ -0,0 +1,23 @@
+id: malware_crimson
+
+info:
+ name: Crimson Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Crimson.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "com/crimson/PK"
+ - "com/crimson/bootstrapJar/PK"
+ - "com/crimson/permaJarMulti/PermaJarReporter$1.classPK"
+ - "com/crimson/universal/containers/KeyloggerLog.classPK"
+ - "com/crimson/universal/UploadTransfer.classPK"
+ condition: and
diff --git a/file/malware/malware_cryptxxx.yaml b/file/malware/malware_cryptxxx.yaml
new file mode 100644
index 0000000000..c2582ca604
--- /dev/null
+++ b/file/malware/malware_cryptxxx.yaml
@@ -0,0 +1,43 @@
+id: malware_cryptxxx
+
+info:
+ name: CryptXXX Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: binary
+ binary:
+ - "525947404A41595D52000000FFFFFFFF"
+ - "0600000052594740405A0000FFFFFFFF"
+ - "0A000000525C4B4D574D424B5C520000"
+ - "FFFFFFFF0A000000525D575D5A4B4370"
+ - "3F520000FFFFFFFF06000000524C4141"
+ - "5A520000FFFFFFFF0A000000525C4B4D"
+ - "41584B5C57520000FFFFFFFF0E000000"
+ - "522A5C4B4D574D424B204C4740520000"
+ - "FFFFFFFF0A000000525E4B5C48424149"
+ - "5D520000FFFFFFFF05000000524B4847"
+ - "52000000FFFFFFFF0C000000524D4140"
+ - "48474920435D475200000000FFFFFFFF"
+ - "0A000000525E5C41495C4F703F520000"
+ - "FFFFFFFF0A000000525E5C41495C4F70"
+ - "3C520000FFFFFFFF0800000052494141"
+ - "49424B5200000000FFFFFFFF06000000"
+ - "525A4B435E520000FFFFFFFF08000000"
+ - "52483A4C4D703F5200000000FFFFFFFF"
+ - "0A000000524F42425B5D4B703F520000"
+ - "FFFFFFFF0A000000525E5C41495C4F70"
+ - "3F520000FFFFFFFF0A000000525E5C41"
+ - "495C4F703C520000FFFFFFFF09000000"
+ - "524F5E5E4A4F5A4F52000000FFFFFFFF"
+ - "0A000000525E5C41495C4F703D520000"
+ - "FFFFFFFF08000000525E5B4C42474D52"
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_cryptxxx_dropper.yaml b/file/malware/malware_cryptxxx_dropper.yaml
new file mode 100644
index 0000000000..8df56a8dc2
--- /dev/null
+++ b/file/malware/malware_cryptxxx_dropper.yaml
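Review bot: The 25 values are fixed 16-byte slices of what looks like one contiguous blob, and the cuts fall inside records (value 4 ends `…5A 4B 43 70` and value 5 begins `3F 52 00 00`, the tail of a length-0x0A record that started in value 4), while nuclei's `binary` with `condition: and` only requires that each slice occur somewhere in the file, not that they be adjacent or in order. If the referenced rule carries a single hex string, a single concatenated `binary` value preserves its precision; if the matcher has a value-length limit that forced the split, say so in a comment above `binary:` so nobody "fixes" it back. Values 14 and 20 are also identical (`FFFFFFFF0A000000525E5C41495C4F70`), which is harmless under `and` but is one more hint that this was meant to be read as a sequence.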
@@ -0,0 +1,20 @@
+id: malware_cryptxxx_dropper
+
+info:
+ name: CryptXXX Dropper Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: binary #Dropper
+ binary:
+ - "50653157584346765962486F35"
+ - "43003A005C0042004900450052005C0051006D006B004E0052004C00460000"
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_darkrat.yaml b/file/malware/malware_darkrat.yaml
new file mode 100644
index 0000000000..9c54600d3c
--- /dev/null
+++ b/file/malware/malware_darkrat.yaml
@@ -0,0 +1,25 @@
+id: malware_darkrat
+
+info:
+ name: DarkRAT Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "@1906dark1996coder@"
+ - "SHEmptyRecycleBinA"
+ - "mciSendStringA"
+ - "add_Shutdown"
+ - "get_SaveMySettingsOnExit"
+ - "get_SpecialDirectories"
+ - "Client.My"
+ condition: and
diff --git a/file/malware/malware_dmalocker.yaml b/file/malware/malware_dmalocker.yaml
new file mode 100644
index 0000000000..5333a53ad8
--- /dev/null
+++ b/file/malware/malware_dmalocker.yaml
@@ -0,0 +1,21 @@
+id: malware_dmalocker
+
+info:
+ name: DMA Locker Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DMALocker.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: binary
+ binary:
+ - "41424358595a3131"
+ - "21444d414c4f434b"
+ - "21444d414c4f434b332e30"
+ - "3F520000FFFFFFFF06000000524C4141"
+ - "21444d414c4f434b342e30" #v4
diff --git a/file/malware/malware_doublepulsar.yaml b/file/malware/malware_doublepulsar.yaml
new file mode 100644
index 0000000000..cdeb7e8c44
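Review bot: The fourth value, `3F520000FFFFFFFF06000000524C4141`, is byte-identical to the fifth slice in `malware_cryptxxx.yaml` from this same commit and does not look like the ASCII markers around it (`ABCXYZ11`, `!DMALOCK`, `!DMALOCK3.0`, `!DMALOCK4.0`); since this matcher has no `condition:` and nuclei defaults a multi-value matcher to OR, a CryptXXX sample that contains that slice would be reported as DMA Locker. Check it against the referenced DMA Locker rule and remove it if it was pasted in by mistake. Whatever the outcome, make the OR explicit with `condition: or` and put the decoded marker beside each hex value (`# ABCXYZ11`, `# !DMALOCK`, …) so the next reviewer can see what each line matches; the lowercase hex here also differs from every other template in the commit.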
--- /dev/null
+++ b/file/malware/malware_doublepulsar.yaml
@@ -0,0 +1,18 @@
+id: malware_doublepulsar
+
+info:
+ name: DoublePulsar Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DoublePulsar_Petya.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: binary
+ binary:
+ - "FD0C8C5CB8C424C5CCCCCC0EE8CC246BCCCCCC0F24CDCCCCCC275C9775BACDCCCCC3FE" #xor
+ - "45208D938D928D918D90929391970F9F9E9D99844529844D20CCCDCCCC9B844503844514844549CC3333332477CCCCCC844549C43333332484CDCCCC844549DC333333844749CC333333844741" #dll
diff --git a/file/malware/malware_erebus.yaml b/file/malware/malware_erebus.yaml
new file mode 100644
index 0000000000..b6b66c79f3
--- /dev/null
+++ b/file/malware/malware_erebus.yaml
@@ -0,0 +1,20 @@
+id: malware_erebus
+
+info:
+ name: Erebus Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Erebus.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "/{5f58d6f0-bb9c-46e2-a4da-8ebc746f24a5}//log.log"
+ - "EREBUS IS BEST."
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_glass.yaml b/file/malware/malware_glass.yaml
new file mode 100644
index 0000000000..3deb3f7c93
--- /dev/null
+++ b/file/malware/malware_glass.yaml
@@ -0,0 +1,22 @@
+id: malware_glass
+
+info:
+ name: Glass Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Glass.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "PostQuitMessage"
+ - "pwlfnn10,gzg"
+ - "update.dll"
+ - "_winver"
+ condition: and
diff --git a/file/malware/malware_gpgqwerty.yaml b/file/malware/malware_gpgqwerty.yaml
new file mode 100644
index 0000000000..ad16fe63b3
--- /dev/null
+++ b/file/malware/malware_gpgqwerty.yaml
@@ -0,0 +1,22 @@
+id: malware_gpgqwerty
+
+info:
+ name: GPGQwerty Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_GPGQwerty.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "gpg.exe –recipient qwerty -o"
+ - "%s%s.%d.qwerty"
+ - "del /Q /F /S %s$recycle.bin"
+ - "cryz1@protonmail.com"
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_greame.yaml b/file/malware/malware_greame.yaml
new file mode 100644
index 0000000000..c3001257ae
--- /dev/null
+++ b/file/malware/malware_greame.yaml
@@ -0,0 +1,30 @@
+id: malware_greame
+
+info:
+ name: Greame Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "EditSvr"
+ - "TLoader"
+ - "Stroks"
+ - "Avenger by NhT"
+ - "####@####"
+ - "GREAME"
+ condition: and
+
+ - type: binary
+ binary:
+ - "232323234023232323E8EEE9F9232323234023232323"
+ - "232323234023232323FAFDF0EFF9232323234023232323"
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_hawkeye.yaml b/file/malware/malware_hawkeye.yaml
new file mode 100644
index 0000000000..71a0643efd
--- /dev/null
+++ b/file/malware/malware_hawkeye.yaml
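Review bot: The first word, `gpg.exe –recipient qwerty -o`, contains a U+2013 en dash before `recipient` rather than the two ASCII hyphens of gpg's `--recipient` option, and nuclei's `word` matcher compares raw bytes; if the sample's command line uses the real option this value can never match, and because the matcher is `condition: and` the whole template then never fires. The en dash is typical of a string copied out of a formatted write-up, so verify the exact bytes (including the spacing around `-o`) against a sample and change the line to `- "gpg.exe --recipient qwerty -o"` if that is what the binary contains.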
@@ -0,0 +1,27 @@
+id: malware_hawkeye
+
+info:
+ name: HawkEye Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "HawkEyeKeylogger"
+ - "099u787978786"
+ - "HawkEye_Keylogger"
+ - "holdermail.txt"
+ - "wallet.dat"
+ - "Keylog Records"
+ - ""
+ - "\\pidloc.txt"
+ - "BSPLIT"
+ condition: and
diff --git a/file/malware/malware_imminent.yaml b/file/malware/malware_imminent.yaml
new file mode 100644
index 0000000000..e5b1958390
--- /dev/null
+++ b/file/malware/malware_imminent.yaml
@@ -0,0 +1,35 @@
+id: malware_imminent
+
+info:
+ name: Imminent Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: or
+ matchers:
+ - type: word
+ words:
+ - "DecodeProductKey"
+ - "StartHTTPFlood"
+ - "CodeKey"
+ - "MESSAGEBOX"
+ - "GetFilezillaPasswords"
+ - "DataIn"
+ - "UDPzSockets"
+ condition: and
+
+ - type: word
+ words:
+ - "k__BackingField"
+ - "k__BackingField"
+ - "DownloadAndExecute"
+ - "england.png"
+ - "-CHECK & PING -n 2 127.0.0.1 & EXIT"
+ - "Showed Messagebox"
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_infinity.yaml b/file/malware/malware_infinity.yaml
new file mode 100644
index 0000000000..9cedade83c
--- /dev/null
+++ b/file/malware/malware_infinity.yaml
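Review bot: The seventh entry under `words:` is the empty string `""`; every file contains it, so under `condition: and` it is a no-op, and it reads like a value that was lost in transcription (angle-bracketed or HTML-like text tends to vanish in copy-paste) rather than an intentional match. Restore the intended string from the referenced rule or delete the entry. If the reference marks these strings as `wide` (UTF-16LE), nuclei's `word` matcher will not see them in the binary and they should be expressed as UTF-16 `binary` values the way the Locky and Satana templates in this commit do.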
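Review bot: The second matcher lists `k__BackingField` twice; the duplicate adds nothing, and `k__BackingField` is the suffix the C# compiler appends to every auto-property backing field, so on its own it is present in almost any .NET assembly. Two identical entries strongly suggest the distinguishing `<Name>` prefix was stripped (angle brackets rarely survive copy-paste); restore the full field names from the referenced rule, in the form `<PropertyName>k__BackingField`, or drop both entries and let `DownloadAndExecute`, `england.png`, the `PING -n 2` command and `Showed Messagebox` carry the match.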
@@ -0,0 +1,26 @@
+id: malware_infinity
+
+info:
+ name: Infinity Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "CRYPTPROTECT_PROMPTSTRUCT"
+ - "discomouse"
+ - "GetDeepInfo"
+ - "AES_Encrypt"
+ - "StartUDPFlood"
+ - "BATScripting"
+ - "FBqINhRdpgnqATxJ.html"
+ - "magic_key"
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_locky.yaml b/file/malware/malware_locky.yaml
new file mode 100644
index 0000000000..8f04e1057c
--- /dev/null
+++ b/file/malware/malware_locky.yaml
@@ -0,0 +1,31 @@
+id: malware_locky
+
+info:
+ name: Locky Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Locky.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: or
+ matchers:
+ - type: binary
+ binary:
+ - "45b899f7f90faf45b88945b8"
+ - "2b0a0faf4df8894df8c745"
+ condition: and
+
+ - type: binary
+ binary:
+ - "2E006C006F0063006B00790000"
+ - "005F004C006F0063006B007900"
+ - "5F007200650063006F00760065"
+ - "0072005F0069006E0073007400"
+ - "720075006300740069006F006E"
+ - "0073002E0074007800740000"
+ - "536F6674776172655C4C6F636B7900"
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_lostdoor.yaml b/file/malware/malware_lostdoor.yaml
new file mode 100644
index 0000000000..9aee6abb6f
--- /dev/null
+++ b/file/malware/malware_lostdoor.yaml
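Review bot: Values two to six of the second matcher are consecutive UTF-16LE slices of the single name `_Locky_recover_instructions.txt`, cut mid-character so that the `00` high bytes straddle the value boundaries, and `condition: and` only requires each slice to appear somewhere in the file rather than in sequence; concatenating them into one `binary` value restores the exact-name match the slices were clearly meant to be. Put the decoded text beside each value (`# UTF-16LE ".locky"`, `# UTF-16LE "_Locky_recover_instructions.txt"`, `# "Software\Locky"`) so the matcher is reviewable without a hex editor, and upper-case the first matcher's hex to match every other template in the commit.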
@@ -0,0 +1,31 @@
+id: malware_lostdoor
+
+info:
+ name: LostDoor Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "*mlt* = %"
+ - "*ip* = %"
+ - "*victimo* = %"
+ - "*name* = %"
+ - "[START]"
+ - "[DATA]"
+ - "We Control Your Digital World"
+ - "RC4Initialize"
+ - "RC4Decrypt"
+ condition: and
+
+ - type: binary
+ binary:
+ - "0D0A2A454449545F5345525645522A0D0A"
\ No newline at end of file
diff --git a/file/malware/malware_luminositylink.yaml b/file/malware/malware_luminositylink.yaml
new file mode 100644
index 0000000000..11e88a4f2d
--- /dev/null
+++ b/file/malware/malware_luminositylink.yaml
@@ -0,0 +1,29 @@
+id: malware_luminositylink
+
+info:
+ name: LuminosityLink Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "SMARTLOGS"
+ - "RUNPE"
+ - "b.Resources"
+ - "CLIENTINFO*"
+ - "Invalid Webcam Driver Download URL, or Failed to Download File!"
+ - "Proactive Anti-Malware has been manually activated!"
+ - "REMOVEGUARD"
+ - "C0n1f8"
+ - "Luminosity"
+ - "LuminosityCryptoMiner"
+ - "MANAGER*CLIENTDETAILS*"
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_luxnet.yaml b/file/malware/malware_luxnet.yaml
new file mode 100644
index 0000000000..71320c03fa
--- /dev/null
+++ b/file/malware/malware_luxnet.yaml
@@ -0,0 +1,24 @@
+id: malware_luxnet
+
+info:
+ name: LuxNet Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "GetHashCode"
+ - "Activator"
+ - "WebClient"
+ - "op_Equality"
+ - "dickcursor.cur"
+ - "{0}|{1}|{2}"
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_paradox.yaml b/file/malware/malware_paradox.yaml
new file mode 100644
index 0000000000..bc6af0ef4f
--- /dev/null
+++ b/file/malware/malware_paradox.yaml
@@ -0,0 +1,25 @@
+id: malware_paradox
+
+info:
+ name: Paradox Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "ParadoxRAT"
+ - "Form1"
+ - "StartRMCam"
+ - "Flooders"
+ - "SlowLaris"
+ - "SHITEMID"
+ - "set_Remote_Chat"
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_plasma.yaml b/file/malware/malware_plasma.yaml
new file mode 100644
index 0000000000..78105aebbc
--- /dev/null
+++ b/file/malware/malware_plasma.yaml
@@ -0,0 +1,27 @@
+id: malware_plasma
+
+info:
+ name: Plasma Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Miner: Failed to Inject."
+ - "Started GPU Mining on:"
+ - "BK: Hard Bot Killer Ran Successfully!"
+ - "Uploaded Keylogs Successfully!"
+ - "No Slowloris Attack is Running!"
+ - "An ARME Attack is Already Running on"
+ - "Proactive Bot Killer Enabled!"
+ - "PlasmaRAT"
+ - "AntiEverything"
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_poetrat.yaml b/file/malware/malware_poetrat.yaml
new file mode 100644
index 0000000000..4807a1abe9
--- /dev/null
+++ b/file/malware/malware_poetrat.yaml
@@ -0,0 +1,33 @@
+id: malware_poetrat
+
+info:
+ name: PoetRat Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_PoetRATDoc.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "launcher.py"
+ - "smile.zip"
+ - "smile_funs.py"
+ - "frown.py"
+ - "backer.py"
+ - "smile.py"
+ - "affine.py"
+ - "cmd"
+ - ".exe"
+ condition: and
+
+ - type: regex
+ regex:
+ - '(\.py$|\.pyc$|\.pyd$|Python)'
+ - '\.dll'
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_punisher.yaml b/file/malware/malware_punisher.yaml
new file mode 100644
index 0000000000..c1e6ac3505
--- /dev/null
+++ b/file/malware/malware_punisher.yaml
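Review bot: The regex `(\.py$|\.pyc$|\.pyd$|Python)` is evaluated by Go's RE2, where `$` without the `(?m)` flag anchors to the end of the entire input, so the three extension alternatives only match a file whose very last bytes are `.py`, `.pyc` or `.pyd`; in practice the pattern collapses to the literal `Python`. If the intent is "a Python file extension appears anywhere in the document", drop the anchors (`(\.pyc?|\.pyd|Python)`) or prefix the pattern with `(?m)`. The `cmd` and `.exe` entries in the `word` list are also so short that they add nothing to an `and` that already requires the seven script names, so they could be removed or justified in a comment.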
@@ -0,0 +1,29 @@
+id: malware_punisher
+
+info:
+ name: Punisher Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "abccba"
+ - "SpyTheSpy"
+ - "wireshark"
+ - "apateDNS"
+ - "abccbaDanabccb"
+ condition: and
+
+ - type: binary
+ binary:
+ - "5C006800660068002E007600620073"
+ - "5C00730063002E007600620073"
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_pythorat.yaml b/file/malware/malware_pythorat.yaml
new file mode 100644
index 0000000000..531ec4644d
--- /dev/null
+++ b/file/malware/malware_pythorat.yaml
@@ -0,0 +1,26 @@
+id: malware_pythorat
+
+info:
+ name: PythoRAT Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "TKeylogger"
+ - "uFileTransfer"
+ - "TTDownload"
+ - "SETTINGS"
+ - "Unknown"
+ - "#@#@#"
+ - "PluginData"
+ - "OnPluginMessage"
+ condition: and
diff --git a/file/malware/malware_qrat.yaml b/file/malware/malware_qrat.yaml
new file mode 100644
index 0000000000..f81b270bf8
--- /dev/null
+++ b/file/malware/malware_qrat.yaml
@@ -0,0 +1,46 @@
+id: malware_qrat
+
+info:
+ name: QRat Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: or
+ matchers:
+ - type: word
+ words:
+ - "quaverse/crypter"
+ - "Qrypt.class"
+ - "Jarizer.class"
+ - "URLConnection.class"
+ condition: and
+
+ - type: word
+ words:
+ - "e-data"
+ - "Qrypt.class"
+ - "Jarizer.class"
+ - "URLConnection.class"
+ condition: and
+
+ - type: word
+ words:
+ - "e-data"
+ - "quaverse/crypter"
+ - "Jarizer.class"
+ - "URLConnection.class"
+ condition: and
+
+ - type: word
+ words:
+ - "e-data"
+ - "quaverse/crypter"
+ - "Qrypt.class"
+ - "URLConnection.class"
+ condition: and
diff --git a/file/malware/malware_satana.yaml b/file/malware/malware_satana.yaml
new file mode 100644
index 0000000000..cbb6f4ee8a
--- /dev/null
+++ b/file/malware/malware_satana.yaml
@@ -0,0 +1,28 @@
+id: malware_satana
+
+info:
+ name: Satana Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: binary
+ binary:
+ - "210073006100740061006E00610021002E0074007800740000"
+ - "456E756D4C6F63616C526573"
+ - "574E65744F70656E456E756D5700"
+ - "21534154414E4121"
+ condition: and
+
+ - type: binary
+ binary:
+ - "7467777975677771"
+ - "537776776E6775"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/malware_satana_dropper.yaml b/file/malware/malware_satana_dropper.yaml
new file mode 100644
index 0000000000..eeded75d78
--- /dev/null
+++ b/file/malware/malware_satana_dropper.yaml
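Review bot: The `reference` in malware_satana points at `RANSOM_.CRYPTXXX.yar`, while the companion malware_satana_dropper template in this commit references `RANSOM_Satana.yar`; the hex strings here decode to Satana markers (`21534154414E4121` is `!SATANA!`), so this looks like a copy-paste leftover from the CryptXXX template. It should probably read `reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Satana.yar`. A wrong reference does not change detection, but it sends an analyst triaging a hit to the wrong rule file.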
@@ -0,0 +1,21 @@
+id: malware_satana_dropper
+
+info:
+ name: Satana Dropper Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Satana.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: binary #Dropper
+ binary:
+ - "25732D547279457863657074"
+ - "643A5C6C626574776D77795C75696A657571706C667775622E706462"
+ - "71666E7476746862"
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_shimrat.yaml b/file/malware/malware_shimrat.yaml
new file mode 100644
index 0000000000..6e42a707f9
--- /dev/null
+++ b/file/malware/malware_shimrat.yaml
@@ -0,0 +1,39 @@
+id: malware_shimrat
+
+info:
+ name: ShimRat Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Shim.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: or
+ matchers:
+ - type: word
+ words:
+ - ".dll"
+ - ".dat"
+ - "QWERTYUIOPLKJHG"
+ - "MNBVCXZLKJHGFDS"
+ condition: and
+
+ - type: word
+ words:
+ - "Data$$00"
+ - "Data$$01%c%sData"
+ condition: and
+
+ - type: word
+ words:
+ - "ping localhost -n 9 /c %s > nul"
+ - "Demo"
+ - "Win32App"
+ - "COMSPEC"
+ - "ShimMain"
+ - "NotifyShims"
+ - "GetHookAPIs"
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_shimratreporter.yaml b/file/malware/malware_shimratreporter.yaml
new file mode 100644
index 0000000000..1c9235e601
--- /dev/null
+++ b/file/malware/malware_shimratreporter.yaml
@@ -0,0 +1,30 @@
+id: malware_shimratreporter
+
+info:
+ name: ShimRatReporter Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Shim.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "IP-INFO"
+ - "Network-INFO"
+ - "OS-INFO"
+ - "Process-INFO"
+ - "Browser-INFO"
+ - "QueryUser-INFO"
+ - "Users-INFO"
+ - "Software-INFO"
+ - "%02X-%02X-%02X-%02X-%02X-%02X"
+ - "(from environment) = %s"
+ - "NetUserEnum"
+ - "GetNetworkParams"
+ condition: and
diff --git a/file/malware/malware_sigma.yaml b/file/malware/malware_sigma.yaml
new file mode 100644
index 0000000000..44753f3973
--- /dev/null
+++ b/file/malware/malware_sigma.yaml
@@ -0,0 +1,27 @@
+id: malware_sigma
+
+info:
+ name: Sigma Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Sigma.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ".php?"
+ - "uid="
+ - "&uname="
+ - "&os="
+ - "&pcname="
+ - "&total="
+ - "&country="
+ - "&network="
+ - "&subid="
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_smallnet.yaml b/file/malware/malware_smallnet.yaml
new file mode 100644
index 0000000000..b432b6dbd5
--- /dev/null
+++ b/file/malware/malware_smallnet.yaml
@@ -0,0 +1,28 @@
+id: malware_smallnet
+
+info:
+ name: SmallNet Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "!!<3SAFIA<3!!"
+ - "!!ElMattadorDz!!"
+ condition: or
+
+ - type: word
+ words:
+ - "stub_2.Properties"
+ - "stub.exe"
+ - "get_CurrentDomain"
+ condition: and
+
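Review bot: The sigma matcher is built only from generic HTTP query fragments (`.php?`, `uid=`, `&os=`, `&pcname=`, `&country=` and so on) and runs against `extensions: all`, so any text file, proxy log or packet capture that happens to contain a check-in URL of that shape is reported at `critical`. If the referenced rule carries a more distinctive string, adding it to the AND list would tighten this considerably; otherwise consider documenting the expected false positives in `info.description` or lowering the severity. The same remark applies in weaker form to the vertex template later in this commit, whose indicators are plain uppercase words, though that one AND-s eight of them.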
diff --git a/file/malware/malware_snake.yaml b/file/malware/malware_snake.yaml
new file mode 100644
index 0000000000..f060c56896
--- /dev/null
+++ b/file/malware/malware_snake.yaml
@@ -0,0 +1,24 @@
+id: malware_snake
+
+info:
+ name: Snake Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Snake.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Go build ID: \"X6lNEpDhc_qgQl56x4du/fgVJOqLlPCCIekQhFnHL/rkxe6tXCg56Ez88otHrz/Y-lXW-OhiIbzg3-ioGRz\""
+
+ - type: binary
+ binary:
+ - "89C8BB00CA9A3B89D1F7E381E1FFFFFF3F89C301C889C60500001A3D89042469ED00CA9A3B01EA89CDC1F91F01EB11CA81C600001A3D81D2EB03B2A189542404E81062F6FF"
+ - "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"
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_sub7nation.yaml b/file/malware/malware_sub7nation.yaml
new file mode 100644
index 0000000000..39b832ccb0
--- /dev/null
+++ b/file/malware/malware_sub7nation.yaml
@@ -0,0 +1,31 @@
+id: malware_sub7nation
+
+info:
+ name: Sub7Nation Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "EnableLUA /t REG_DWORD /d 0 /f"
+ - "*A01*"
+ - "*A02*"
+ - "*A03*"
+ - "*A04*"
+ - "*A05*"
+ - "*A06*"
+ - "#@#@#"
+ - "HostSettings"
+ - "sevane.tmp"
+ - "cmd_.bat"
+ - "a2b7c3d7e4"
+ - "cmd.dll"
+ condition: and
diff --git a/file/malware/malware_terminator.yaml b/file/malware/malware_terminator.yaml
new file mode 100644
index 0000000000..9908e3d7eb
--- /dev/null
+++ b/file/malware/malware_terminator.yaml
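Review bot: malware_snake pins detection to one exact Go build ID and AND-s it with the code-byte sequences, so the template matches only the single compilation that produced that ID; any rebuild of the same source changes the build ID and `matchers-condition: and` then fails even when the binary matcher still hits. If the intent is to catch the family rather than this one sample, `matchers-condition: or` would let the byte sequences stand on their own (the binary matcher already carries `condition: and`), though that presumes those sequences are specific enough by themselves. The word matcher also omits `condition:`, which is fine for a single entry but differs from every other template in this commit.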
@@ -0,0 +1,20 @@
+id: malware_terminator
+
+info:
+ name: Terminator Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Terminator.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Accelorator"
+ - "12356"
+ condition: and
diff --git a/file/malware/malware_teslacrypt.yaml b/file/malware/malware_teslacrypt.yaml
new file mode 100644
index 0000000000..45d8ed64d2
--- /dev/null
+++ b/file/malware/malware_teslacrypt.yaml
@@ -0,0 +1,17 @@
+id: malware_teslacrypt
+
+info:
+ name: TeslaCrypt Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_TeslaCrypt.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: binary
+ binary:
+ - "4E6F7720697427732025493A254D25702E00000076616C2069732025640A0000"
diff --git a/file/malware/malware_tox.yaml b/file/malware/malware_tox.yaml
new file mode 100644
index 0000000000..2a4d3f0fe9
--- /dev/null
+++ b/file/malware/malware_tox.yaml
@@ -0,0 +1,32 @@
+id: malware_tox
+
+info:
+ name: Tox Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Tox.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: or
+ matchers:
+ - type: word
+ words:
+ - "n:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t;<>><<<"
+ condition: and
+
+ - type: word
+ words:
+ - "n:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t;<>><<<"
+ condition: and
\ No newline at end of file
diff --git a/file/malware/malware_unrecom.yaml b/file/malware/malware_unrecom.yaml
new file mode 100644
index 0000000000..7c7ec547d3
--- /dev/null
+++ b/file/malware/malware_unrecom.yaml
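Review bot: The terminator matcher AND-s `Accelorator` with the bare digit string `12356`, which is a very weak second indicator: any file that contains that misspelling plus the digit run anywhere in its bytes is reported at `critical`, and `extensions: all` puts text files and logs in scope as well. If the referenced rule has a longer string or a byte pattern around the number, prefer that; otherwise consider recording the false-positive risk in `info.description` or lowering the severity.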
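Review bot: The two word matchers in malware_tox are identical as shown (the same single string, the same `condition: and`), so the second matcher adds nothing and `matchers-condition: or` has no effect; drop the duplicate, or, if a different second indicator from the referenced rule was meant (a wide-string form, say), put it there. With one matcher left, `matchers-condition` can be omitted as the teslacrypt template in this commit does. The hunk header announces 32 lines but only 24 are visible here, so if the original file carried additional matchers this may be a rendering loss rather than a defect.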
@@ -0,0 +1,23 @@
+id: malware_unrecom
+
+info:
+ name: Unrecom Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "META-INF"
+ - "load/ID"
+ - "load/JarMain.class"
+ - "load/MANIFEST.MF"
+ - "plugins/UnrecomServer.class"
+ condition: and
diff --git a/file/malware/malware_vertex.yaml b/file/malware/malware_vertex.yaml
new file mode 100644
index 0000000000..34870fa47f
--- /dev/null
+++ b/file/malware/malware_vertex.yaml
@@ -0,0 +1,26 @@
+id: malware_vertex
+
+info:
+ name: Vertex Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "DEFPATH"
+ - "HKNAME"
+ - "HPORT"
+ - "INSTALL"
+ - "IPATH"
+ - "MUTEX"
+ - "PANELPATH"
+ - "ROOTURL"
+ condition: and
diff --git a/file/malware/malware_virusrat.yaml b/file/malware/malware_virusrat.yaml
new file mode 100644
index 0000000000..ed1643ae04
--- /dev/null
+++ b/file/malware/malware_virusrat.yaml
@@ -0,0 +1,30 @@
+id: malware_virusrat
+
+info:
+ name: VirusRat Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "virustotal"
+ - "virusscan"
+ - "abccba"
+ - "pronoip"
+ - "streamWebcam"
+ - "DOMAIN_PASSWORD"
+ - "Stub.Form1.resources"
+ - "ftp://{0}@{1}"
+ - "SELECT * FROM moz_logins"
+ - "SELECT * FROM moz_disabledHosts"
+ - "DynDNS\\Updater\\config.dyndns"
+ - "|BawaneH|"
+ condition: and
diff --git a/file/malware/malware_zoxpng.yaml b/file/malware/malware_zoxpng.yaml
new file mode 100644
index 0000000000..6fda61c81b
--- /dev/null
+++ b/file/malware/malware_zoxpng.yaml
@@ -0,0 +1,17 @@
+id: malware_zoxpng
+
+info:
+ name: ZoxPNG Malware Detector
+ author: daffainfo
+ severity: critical
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_ZoxPNG.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ words:
+ - "png&w=800&h=600&ei=CnJcUcSBL4rFkQX444HYCw&zoom=1&ved=1t:3588,r:1,s:0,i:92&iact=rc&dur=368&page=1&tbnh=184&tbnw=259&start=0&ndsp=20&tx=114&ty=58"