forked from Yara-Rules/rules
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request Yara-Rules#359 from hwvs/master
Add MALW_FUDCrypt.yar and MALW_MSILStealer.yar
- Loading branch information
Showing
2 changed files
with
52 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| /* | ||
| This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. | ||
| */ | ||
|
|
||
| rule FUDCrypter | ||
| { | ||
| meta: | ||
| description = "Detects unmodified FUDCrypt samples" | ||
| reference = "https://github.com/gigajew/FudCrypt/" | ||
| author = "https://github.com/hwvs" | ||
| last_modified = "2019-11-21" | ||
|
|
||
| strings: | ||
| $ = "OcYjzPUtJkNbLOABqYvNbvhZf" wide ascii | ||
| $ = "gwiXxyIDDtoYzgMSRGMckRbJi" wide ascii | ||
| $ = "BclWgISTcaGjnwrzSCIuKruKm" wide ascii | ||
| $ = "CJyUSiUNrIVbgksjxpAMUkAJJ" wide ascii | ||
| $ = "fAMVdoPUEyHEWdxQIEJPRYbEN" wide ascii | ||
| $ = "CIGQUctdcUPqUjoucmcoffECY" wide ascii | ||
| $ = "wcZfHOgetgAExzSoWFJFQdAyO" wide ascii | ||
| $ = "DqYKDnIoLeZDWYlQWoxZnpfPR" wide ascii | ||
| $ = "MkhMoOHCbGUMqtnRDJKnBYnOj" wide ascii | ||
| $ = "sHEqLMGglkBAOIUfcSAgMvZfs" wide ascii | ||
| $ = "JtZApJhbFAIFxzHLjjyEQvtgd" wide ascii | ||
| $ = "IIQrSWZEMmoQIKGuxxwoTwXka" wide ascii | ||
| condition: | ||
| 1 of them | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| /* | ||
| This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. | ||
| */ | ||
|
|
||
| rule MSILStealer | ||
| { | ||
| meta: | ||
| description = "Detects strings from C#/VB Stealers and QuasarRat" | ||
| reference = "https://github.com/quasar/QuasarRAT" | ||
| author = "https://github.com/hwvs" | ||
| last_modified = "2019-11-21" | ||
|
|
||
| strings: | ||
| $ = "Firefox does not have any profiles, has it ever been launched?" wide ascii | ||
| $ = "Firefox is not installed, or the install path could not be located" wide ascii | ||
| $ = "No installs of firefox recorded in its key." wide ascii | ||
| $ = "{0}\\\\FileZilla\\\\recentservers.xml" wide ascii | ||
| $ = "{1}{0}Cookie Name: {2}{0}Value: {3}{0}Path" wide ascii | ||
| $ = "[PRIVATE KEY LOCATION: \\\"{0}\\\"]" wide ascii | ||
| condition: | ||
| 1 of them | ||
| } |