Domains: tarlogic.com export.name apple.com mitre.org windows.net wikipedia.org spiceworks.com github.com proofpoint.com YaraGhidraGUIScript.java paloaltonetworks.com youtube.com appveyor.com redmaple.tech time.now garykessler.net auto.html twitter.com bootstrap.sh microsoft.com securelist.com readthedocs.io github.io section.name mandiant.com osandamalith.com Sub Domains: bitsofbinary.github.io www.youtube.com attack.mitre.org unit42.paloaltonetworks.com opensource.apple.com cafebabe.auto.html community.spiceworks.com en.wikipedia.org www.tarlogic.com learn.microsoft.com help.proofpoint.com www.proofpoint.com yara.readthedocs.io ci.appveyor.com forensicitguy.github.io interoperability.blob.core.windows.net www.garykessler.net gist.github.com URLs: https://github.com/BitsOfBinary/yarabuilder-examples/tree/main/pe https://attack.mitre.org/techniques/T1204/001/! https://yara.readthedocs.io/en/stable/modules/pe.html#c.version_info https://yara.readthedocs.io/en/stable/capi.html?highlight=fast#scanning-data-1 https://interoperability.blob.core.windows.net/files/MS-ONE/%5bMS-ONE%5d.pdf" https://yara.readthedocs.io/en/stable/writingrules.html https://github.com/VirusTotal/yara/blob/2b631d0ee47650923955398921c1ceccc3e38cb1/libyara/atoms.c#L117 https://github.com/VirusTotal/yara/blob/2b631d0ee47650923955398921c1ceccc3e38cb1/libyara/atoms.c https://help.proofpoint.com/Proofpoint_Essentials/Email_Security/Administrator_Topics/090_filtersandsenderlists/Essentials_Filters%3A_File_extensions https://github.com/VirusTotal/yara/pull/1907 https://twitter.com/greglesnewich/status/1630615467776786458 https://learn.microsoft.com/en-us/windows/win32/menurc/versioninfo-resource https://redmaple.tech/blogs/macho-files/ https://www.garykessler.net/library/file_sigs.html https://interoperability.blob.core.windows.net/files/MS-ONE/%5bMS-ONE%5d.pdf https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt" https://github.com/BitsOfBinary/yara/tree/lnk-module 
https://yara.readthedocs.io/en/stable/writingrules.html#accessing-data-at-a-given-position https://www.proofpoint.com/uk/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware https://github.com/PwCUK-CTO/TheSAS2021-Red-Kelpie/blob/main/yara/ms13_098.yar https://github.com/100DaysofYARA/2023/tree/main/bitsofbinary https://forensicitguy.github.io/adventures-in-yara-hashing-entropy/#matching-on-resource-entropy https://github.com/PwCUK-CTO/TheSAS2021-Red-Kelpie/blob/main/yara/red_kelpie.yar https://twitter.com/wxs/status/1627278414926184450 https://unit42.paloaltonetworks.com/trident-ursa/" https://yara.readthedocs.io/en/stable/gettingstarted.html https://bitsofbinary.github.io/yara/2023/01/05/lnk_module_documentation.html https://github.com/100DaysofYARA/2023 https://github.com/shellcromancer/DaysOfYARA-2023/tree/main/shellcromancer https://securelist.com/the-sessionmanager-iis-backdoor/106868/" https://unit42.paloaltonetworks.com/acidbox-rare-malware/" https://gist.github.com/notareverser/4f6b9c644d4fe517889b3fbb0b4271ca https://github.com/VirusTotal/yara/issues/1863 https://github.com/VirusTotal/yara/pull/1732 https://www.youtube.com/watch?v=zPRLxNq8XbQ https://gist.github.com/wxsBSD/019740e83faa7a7206f4 https://github.com/bartblaze/Yara-rules/blob/master/rules/generic/LNK_Ruleset.yar https://community.spiceworks.com/topic/2107142-what-are-all-of-the-file-types-on-a-windows-pc-that-contain-executable-code https://unit42.paloaltonetworks.com/acidbox-rare-malware/ https://ci.appveyor.com/project/plusvic/yara/build/job/wthlb30bklmlns0a/artifacts https://opensource.apple.com/source/file/file-80.40.2/file/magic/Magdir/cafebabe.auto.html https://twitter.com/notareverser/status/1623842328044527616. 
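https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#ms-dos-stub-image-only https://osandamalith.com/2020/07/19/exploring-the-ms-dos-stub/ https://www.tarlogic.com/blog/seloaddriverprivilege-privilege-escalation/ https://github.com/Neo23x0/signature-base/blob/05ef26965be930fade49e5dcba73b9fefc04757e/yara/gen_susp_lnk_files.yar https://en.wikipedia.org/wiki/Executable_and_Linkable_Format https://mandiant.com/resources/blog/apt42-charms-cons-compromises" md5: 269af2751efee65b1ab00622816c83e6 30851d4a2b31e9699084a06e765e21b0 c0de41e45352714500771d43f0d8c4c3 4f6b9c644d4fe517889b3fbb0b4271ca 72f60d7f4ce22db4506547ad555ea0b1 f34d5f2d4577ed6d9ceec516c1f5a744 sha1: 2b631d0ee47650923955398921c1ceccc3e38cb1 05ef26965be930fade49e5dcba73b9fefc04757e sha256: 1db32411a88725b259a7f079bdebd5602f11130f71ec35bec9d18134adbd4352 eb30a1822bd6f503f8151cb04bfd315a62fa67dbfe1f573e6fcfd74636ecedd5 b7d217f13550227bb6d80d05bde26e43cd752a870973052080a72a510c444b5a a44b35f376f6e493580c988cd697e8a2d64c82ab665dfd100115fb6f700bb82a c98ac83685cb5f7f72e832998fec753910e77d1b8eee638acb508252912f6cf6 f119cc4cb5a7972bdc80548982b2b63fac5b48d5fce1517270db67c858e9e8b0 003669761229d3e1db0f5a5b333ef62b3dffcc8e27c821ce9018362e0a2df7e9 a37a290863fe29b9812e819e4c5b047c44e7a7d7c40e33da6f5662e1957862ab ed48d56a47982c3c9b39ee8859e0b764454ab9ac6e7a7866cdef5c310521be19 76d54a57bf9521f6558b588acd0326249248f91b27ebc25fd94ebe92dc497809 2218904238dc4f8bb5bb838ed4fa779f7873814d7711a28ba59603826ae020aa 5904bc90aec64b12caa5d352199bd4ec2f5a3a9ac0a08adf954689a58eff3f2a File Names: 1.pdf gettingstarted.html lnk.h file_sigs.html msv1_1.dll capi.html rundll32.exe 5bMS-ONE%5d.pdf cafebabe.auto.html mscoree.dll YaraGhidraGUIScript.java writingrules.html cmd.exe math.max atoms.c windigest.dll bootstrap.sh pku.dll x00a.txt calc.exe console.log 1.doc pe.html lnk_module_documentation.html Bitcoin Addresses: 30851d4a2b31e9699084a06e765e21b0 Yara Rules:

// NOTE(review): this copy of the rules lost all whitespace, parentheses and
// commas (", " became "."). The layout below is reconstructed from YARA syntax;
// every literal, hash and hex pattern is kept exactly as it appears in the copy.

import "lnk"

rule Heuristic_LNK_using_Hotkey_Ctrl_C {
    meta:
        description = "Detects LNKs using the keyboard hotkey Ctrl-C"

    condition:
        lnk.hotkey == "C" and
        lnk.hotkey_modifier_flags & lnk.HOTKEYF_CONTROL
}

import "lnk"

rule TridentUrsa_LNK_Droid_Values {
    meta:
        description = "Rule to pick up LNKs used by Gamaredon Group/Trident Ursa based on unique Droid GUIDs"
        hash = "f119cc4cb5a7972bdc80548982b2b63fac5b48d5fce1517270db67c858e9e8b0"
        reference = "https://unit42.paloaltonetworks.com/trident-ursa/"
        reference = "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"

    condition:
        // Same GUID bytes as the hex form used elsewhere on this page
        // (c61f17b9cc07eb11b4230800272e051d / 427901334e51a047a1e0767f68b94ea1).
        lnk.tracker_data.droid_birth_file_identifier == "\xc6\x1f\x17\xb9\xcc\x07\xeb\x11\xb4#\x08\x00'.\x05\x1d" or
        lnk.tracker_data.droid_birth_volume_identifier == "By\x013NQ\xa0G\xa1\xe0v\x7fh\xb9N\xa1" or
        lnk.tracker_data.droid_file_identifier == "\xc6\x1f\x17\xb9\xcc\x07\xeb\x11\xb4#\x08\x00'.\x05\x1d" or
        lnk.tracker_data.droid_volume_identifier == "By\x013NQ\xa0G\xa1\xe0v\x7fh\xb9N\xa1"
}

import "math"

rule Loop_Test {
    strings:
        $foo = "foo"
        $bar = "bar"

    condition:
        // Bounded variant: at most 10 x 10 offset pairs are compared.
        for any i in (1..math.min(#foo, 10)) : (
            for any j in (1..math.min(#bar, 10)) : (
                @foo[i] ^ @bar[j] == 0xdeadbeef
            )
        )
}

import "math"

rule CPU_Eater {
    meta:
        description = "Please don't actually use this rule, it's realllllly bad"

    condition:
        // Deliberately quadratic over filesize; kept only as a worked example.
        for all j in (0..filesize) : (
            for all i in (0..j) : (
                math.entropy(i, j) > 0
            )
        )
}

rule AcidBox_SSP_DLL_Loader_Crypto_Routine_A {
    meta:
        description = "Detects AcidBox SSP DLL loaders, based on a unique cryptography routine"
        author = "BitsOfBinary"
        reference = "https://unit42.paloaltonetworks.com/acidbox-rare-malware/"
        hash = "003669761229d3e1db0f5a5b333ef62b3dffcc8e27c821ce9018362e0a2df7e9"

    strings:
        // 180013a71  0fb60432     MOVZX EAX, byte ptr [param_2 + RSI*0x1]
        // 180013a75  33c8         XOR param_1, EAX
        // 180013a77  880c3a       MOV byte ptr [param_2 + RDI*0x1], param_1
        // 180013a7a  41ffc0       INC param_3
        // 180013a7d  448944 2404  MOV dword ptr [RSP + local_14], param_3
        $ = {0fb6043233c8880c3a41ffc04489442404}

    condition:
        any of them
}

import "pe"

rule Heuristic_PE_PDB_Self_Identifying_as_Malware {
    meta:
        description = "Detects files that identify themselves as malware"

    condition:
        pe.pdb_path icontains "malware"
}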
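// NOTE(review): this copy of the rules lost all whitespace, parentheses and
// commas (", " became "."). The layout below is reconstructed from YARA syntax;
// grouping parentheses are restored only where a standalone "or" line in the
// copy shows they existed. Literals, hashes and hex patterns are unchanged.

rule Heuristic_LNK_Slash_c_In_Command_Line {
    meta:
        description = "Detects LNK files that have '/c' in its command line"

    strings:
        $ = "/c" ascii wide

    condition:
        // Shell link header: HeaderSize 0x4C, LinkCLSID 00021401-0000-0000-C000-000000000046
        uint32be(0) == 0x4C000000 and
        uint32be(4) == 0x01140200 and
        uint32be(8) == 0x00000000 and
        uint32be(12) == 0xC0000000 and
        uint32be(16) == 0x00000046 and
        any of them
}

import "lnk"

rule LNK_Specific_DriveSerialNumber {
    condition:
        lnk.link_info.volume_id.drive_serial_number == 0x307A8A81
}

rule IsOneNote {
    condition:
        uint32be(0) == 0xE4525C7B
}

rule Heuristic_OneNote_Notebook_with_Embedded_Executable_File {
    meta:
        description = "Detects OneNote notebooks with suspicious embedded executable files"
        reference = "https://interoperability.blob.core.windows.net/files/MS-ONE/%5bMS-ONE%5d.pdf"

    strings:
        $embedded_file_container = {9B1D0020}

        $ext1 = ".ade" ascii wide nocase
        $ext2 = ".adp" ascii wide nocase
        $ext3 = ".ai" ascii wide nocase
        $ext4 = ".bat" ascii wide nocase
        $ext5 = ".chm" ascii wide nocase
        $ext6 = ".cmd" ascii wide nocase
        $ext7 = ".com" ascii wide nocase
        $ext8 = ".cpl" ascii wide nocase
        $ext9 = ".dll" ascii wide nocase
        $ext10 = ".exe" ascii wide nocase
        $ext11 = ".hlp" ascii wide nocase
        $ext12 = ".hta" ascii wide nocase
        $ext13 = ".inf" ascii wide nocase
        $ext14 = ".ins" ascii wide nocase
        $ext15 = ".isp" ascii wide nocase
        $ext16 = ".jar" ascii wide nocase
        $ext17 = ".js" ascii wide nocase
        $ext18 = ".jse" ascii wide nocase
        $ext19 = ".lib" ascii wide nocase
        $ext20 = ".lnk" ascii wide nocase
        $ext21 = ".mde" ascii wide nocase
        $ext22 = ".msc" ascii wide nocase
        $ext23 = ".msi" ascii wide nocase
        $ext24 = ".msp" ascii wide nocase
        $ext25 = ".mst" ascii wide nocase
        $ext26 = ".nsh" ascii wide nocase
        $ext27 = ".pif" ascii wide nocase
        $ext28 = ".ps" ascii wide nocase
        $ext29 = ".ps1" ascii wide nocase
        $ext30 = ".reg" ascii wide nocase
        $ext31 = ".scr" ascii wide nocase
        $ext32 = ".sct" ascii wide nocase
        $ext33 = ".shb" ascii wide nocase
        $ext34 = ".shs" ascii wide nocase
        $ext35 = ".sys" ascii wide nocase
        $ext36 = ".vb" ascii wide nocase
        $ext37 = ".vbe" ascii wide nocase
        $ext38 = ".vbs" ascii wide nocase
        $ext39 = ".vxd" ascii wide nocase
        $ext40 = ".wsc" ascii wide nocase
        $ext41 = ".wsf" ascii wide nocase
        $ext42 = ".wsh" ascii wide nocase

    condition:
        uint32be(0) == 0xE4525C7B and
        // Look for an executable extension within 0x200 bytes of each container property
        for any i in (1..#embedded_file_container) : (
            any of ($ext*) in (@embedded_file_container[i]..@embedded_file_container[i] + 0x200)
        )
}

rule Just_Str_MZ_At_0 {
    strings:
        $mz = "MZ"

    condition:
        $mz at 0
}

import "lnk"

rule Heuristic_LNK_using_Shift_Modifier {
    meta:
        description = "Detects LNKs using a keyboard shortcut, with modifier shift"

    condition:
        lnk.hotkey_modifier_flags & lnk.HOTKEYF_SHIFT
}

rule Hex_Chars_in_Text_String_Test {
    strings:
        $ = "\xAB\xCD\xEF\x00"

    condition:
        any of them
}

import "math"
import "console"

rule Monte_Carlo_Pi_Estimate {
    condition:
        console.log(math.monte_carlo_pi(0, filesize))
}

rule AcidBox_SSP_DLL_Loader_Crypto_Routine_C {
    meta:
        description = "Detects AcidBox SSP DLL loaders, based on a unique cryptography routine"
        author = "BitsOfBinary"
        reference = "https://unit42.paloaltonetworks.com/acidbox-rare-malware/"
        hash = "003669761229d3e1db0f5a5b333ef62b3dffcc8e27c821ce9018362e0a2df7e9"

    strings:
        // 180013a71  0fb60432     MOVZX EAX, byte ptr [param_2 + RSI*0x1]
        // 180013a75  33c8         XOR param_1, EAX
        // 180013a77  880c3a       MOV byte ptr [param_2 + RDI*0x1], param_1
        // 180013a7a  41ffc0       INC param_3
        // 180013a7d  448944 2404  MOV dword ptr [RSP + local_14], param_3
        // Wildcards loosen the REX prefix / register choice of the last instructions.
        $ = {0fb6043233c8880c3a4?ffc?4?89}

    condition:
        any of them
}

rule Str_MZ_Anywhere {
    strings:
        $mz = "MZ"

    condition:
        any of them
}

import "math"
import "console"
import "pe"

rule PE_Entropy_dottext_Section {
    condition:
        for any section in pe.sections : (
            section.name == ".text" and
            console.log(math.entropy(section.raw_data_offset, section.raw_data_size))
        )
}

import "pe"

rule Heuristic_Multiple_Undefined_Low_Ordinal_Exported_Functions {
    meta:
        description = "Detects DLLs with at least 2 different exported functions that are undefined, and which have low ordinals"
        note = "This returns a lot of results, do not use for threat hunting without extra heuristics"

    condition:
        for 2 export in pe.export_details : (
            export.offset == 0 and
            not defined export.name and
            export.ordinal <= 10
        )
}

rule Heuristic_LNK_Zeroed_Header_Timestamp {
    meta:
        description = "Detects an LNK file with a creation/write/access timestamp that has been zeroed out"

    condition:
        uint32(0) == 0x0000004C and
        uint32(4) == 0x00021401 and
        uint32(8) == 0x00000000 and
        uint32(12) == 0x000000C0 and
        uint32(16) == 0x46000000 and
        // NOTE(reconstruction): grouping inferred from the standalone "or" lines;
        // without it the header checks would only guard the first alternative.
        (
            // Creation timestamp
            (uint32(28) == 0 and uint32(32) == 0)
            or
            // Access timestamp
            (uint32(36) == 0 and uint32(40) == 0)
            or
            // Write timestamp
            (uint32(44) == 0 and uint32(48) == 0)
        )
}

rule Loop_Test {
    strings:
        $foo = "foo"
        $bar = "bar"

    condition:
        // Unbounded variant: compares every $foo offset against every $bar offset.
        for any i in (1..#foo) : (
            for any j in (1..#bar) : (
                @foo[i] ^ @bar[j] == 0xdeadbeef
            )
        )
}

rule AcidBox_SSP_DLL_Loader_Format_String_Chunk {
    meta:
        description = "Detects AcidBox SSP DLL loaders, based on a unique string chunk of format strings"
        author = "BitsOfBinary"
        reference = "https://unit42.paloaltonetworks.com/acidbox-rare-malware/"
        hash = "003669761229d3e1db0f5a5b333ef62b3dffcc8e27c821ce9018362e0a2df7e9"

    strings:
        // %s\%s
        // %s\%s{%s}
        // s\{%s}
        $ = {25735C25730000000000000025735C25737B25737D0000000000000025735C7B25737D00}

    condition:
        any of them
}

rule Heuristic_Stack_String_SeLoadDriverPrivilege_A {
    meta:
        description = "Detects the stack string SeLoadDriverPrivilege being loaded in a combination of 1, 2, and 4 byte chunks, not necessarily in order"

    strings:
        // mov byte ptr [esp+disp8], imm8
        $one_byte_mov_S_stack = {C64424??53}
        $one_byte_mov_e_stack = {C64424??65}
        $one_byte_mov_L_stack = {C64424??4c}
        $one_byte_mov_o_stack = {C64424??6f}
        $one_byte_mov_a_stack = {C64424??61}
        $one_byte_mov_d_stack = {C64424??64}
        $one_byte_mov_D_stack = {C64424??44}
        $one_byte_mov_r_stack = {C64424??72}
        $one_byte_mov_i_stack = {C64424??69}
        $one_byte_mov_v_stack = {C64424??76}
        $one_byte_mov_P_stack = {C64424??50}
        $one_byte_mov_l_stack = {C64424??6c}
        $one_byte_mov_g_stack = {C64424??67}

        // mov word ptr [esp+disp8], imm16
        $two_byte_mov_Se_stack = {66C74424??5365}
        $two_byte_mov_eL_stack = {66C74424??654c}
        $two_byte_mov_Lo_stack = {66C74424??4c6f}
        $two_byte_mov_oa_stack = {66C74424??6f61}
        $two_byte_mov_ad_stack = {66C74424??6164}
        $two_byte_mov_dD_stack = {66C74424??6444}
        $two_byte_mov_Dr_stack = {66C74424??4472}
        $two_byte_mov_ri_stack = {66C74424??7269}
        $two_byte_mov_iv_stack = {66C74424??6976}
        $two_byte_mov_ve_stack = {66C74424??7665}
        $two_byte_mov_er_stack = {66C74424??6572}
        $two_byte_mov_rP_stack = {66C74424??7250}
        $two_byte_mov_Pr_stack = {66C74424??5072}
        $two_byte_mov_vi_stack = {66C74424??7669}
        $two_byte_mov_il_stack = {66C74424??696c}
        $two_byte_mov_le_stack = {66C74424??6c65}
        $two_byte_mov_eg_stack = {66C74424??6567}
        $two_byte_mov_ge_stack = {66C74424??6765}

        // mov dword ptr [esp+disp8], imm32
        $four_byte_mov_SeLo_stack = {C74424??53654c6f}
        $four_byte_mov_eLoa_stack = {C74424??654c6f61}
        $four_byte_mov_Load_stack = {C74424??4c6f6164}
        $four_byte_mov_oadD_stack = {C74424??6f616444}
        $four_byte_mov_adDr_stack = {C74424??61644472}
        $four_byte_mov_dDri_stack = {C74424??64447269}
        $four_byte_mov_Driv_stack = {C74424??44726976}
        $four_byte_mov_rive_stack = {C74424??72697665}
        $four_byte_mov_iver_stack = {C74424??69766572}
        $four_byte_mov_verP_stack = {C74424??76657250}
        $four_byte_mov_erPr_stack = {C74424??65725072}
        $four_byte_mov_rPri_stack = {C74424??72507269}
        $four_byte_mov_Priv_stack = {C74424??50726976}
        $four_byte_mov_rivi_stack = {C74424??72697669}
        $four_byte_mov_ivil_stack = {C74424??6976696c}
        $four_byte_mov_vile_stack = {C74424??76696c65}
        $four_byte_mov_ileg_stack = {C74424??696c6567}
        $four_byte_mov_lege_stack = {C74424??6c656765}

    condition:
        any of ($one_byte_*) and
        any of ($two_byte_*) and
        any of ($four_byte_*)
}

import "math"
import "console"

rule Bad_Monte_Carlo_Pi_Estimate {
    condition:
        // Passes a string where an offset is expected; kept as the page's negative example.
        console.log(math.monte_carlo_pi("\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"))
}

rule stackstring_SeLoadDriverPrivilege {
    strings:
        // NOTE(reconstruction): the alternation parentheses below were lost in
        // this copy and are restored as (45|4424), (45|85) and (b8|bb); confirm
        // against the original rule.

        // mov byte ptr [ebp+disp8 | esp+disp8], imm8 per character
        $smallStack = {
            c6 (45|4424) ?? 53
            c6 (45|4424) ?? 65
            c6 (45|4424) ?? 4c
            c6 (45|4424) ?? 6f
            c6 (45|4424) ?? 61
            c6 (45|4424) ?? 64
            c6 (45|4424) ?? 44
            c6 (45|4424) ?? 72
            c6 (45|4424) ?? 69
            c6 (45|4424) ?? 76
            c6 (45|4424) ?? 65
            c6 (45|4424) ?? 72
            c6 (45|4424) ?? 50
            c6 (45|4424) ?? 72
            c6 (45|4424) ?? 69
            c6 (45|4424) ?? 76
            c6 (45|4424) ?? 69
            c6 (45|4424) ?? 6c
            c6 (45|4424) ?? 65
            c6 (45|4424) ?? 67
            c6 (45|4424) ?? 65
        }

        // mov dword ptr [ebp+disp8 | ebp+disp32], imm32 per character
        $largeStack = {
            c7 (45|85) [1-4] 53000000
            c7 (45|85) [1-4] 65000000
            c7 (45|85) [1-4] 4c000000
            c7 (45|85) [1-4] 6f000000
            c7 (45|85) [1-4] 61000000
            c7 (45|85) [1-4] 64000000
            c7 (45|85) [1-4] 44000000
            c7 (45|85) [1-4] 72000000
            c7 (45|85) [1-4] 69000000
            c7 (45|85) [1-4] 76000000
            c7 (45|85) [1-4] 65000000
            c7 (45|85) [1-4] 72000000
            c7 (45|85) [1-4] 50000000
            c7 (45|85) [1-4] 72000000
            c7 (45|85) [1-4] 69000000
            c7 (45|85) [1-4] 76000000
            c7 (45|85) [1-4] 69000000
            c7 (45|85) [1-4] 6c000000
            c7 (45|85) [1-4] 65000000
            c7 (45|85) [1-4] 67000000
            c7 (45|85) [1-4] 65000000
        }

        // mov reg, imm32 ; mov word ptr [...], reg16 per character
        $register = {
            b? 53000000 6689 ????
            b? 65000000 6689 ????
            b? 4c000000 6689 ????
            b? 6f000000 6689 ????
            b? 61000000 6689 ????
            b? 64000000 6689 ????
            b? 44000000 6689 ????
            b? 72000000 6689 ????
            b? 69000000 6689 ????
            b? 76000000 6689 ????
            b? 65000000 6689 ????
            b? 72000000 6689 ????
            b? 50000000 6689 ????
            b? 72000000 6689 ????
            b? 69000000 6689 ????
            b? 76000000 6689 ????
            b? 69000000 6689 ????
            b? 6c000000 6689 ????
            b? 65000000 6689 ????
            b? 67000000 6689 ????
            b? 65000000 6689 ????
        }

        // mov dword ptr [...], "SeLo" / "adDr" / "iver" / "Priv" / "ileg" ; mov byte ptr [...], 'e'
        $dword = {
            c7 (45|85) [1-4] 6f4c6553
            c7 (45|85) [1-4] 72446461
            c7 (45|85) [1-4] 72657669
            c7 (45|85) [1-4] 76697250
            c7 (45|85) [1-4] 67656c69
            [0-1] c6 (45|85) [1-4] 65
        }

        // push imm8 ; pop reg ; mov word ptr [...], reg16 per character
        $pushpop = {
            6a 53 5?
            6a 65 6689 ???? 5?
            6a 4c 6689 ???? 5?
            6a 6f 6689 ???? 5?
            6a 61 6689 ???? 5?
            6a 64 6689 ???? 5?
            6a 44 6689 ???? 5?
            6a 72 6689 ???? 5?
            6a 69 6689 ???? 5?
            6a 76 6689 ???? 5?
            6a 65 6689 ???? 5?
            6a 72 6689 ???? 5?
            6a 50 6689 ???? 5?
            6a 72 6689 ???? 5?
            6a 69 6689 ???? 5?
            6a 76 6689 ???? 5?
            6a 69 6689 ???? 5?
            6a 6c 6689 ???? 5?
            6a 65 6689 ???? 5?
            6a 67 6689 ???? 5?
        }

        // call over the inline string "SeLoadDriverPrivilege", then pop reg
        $callOverString = {e81500000053654c6f616444726976657250726976696c6567655?}

    condition:
        any of them
}

rule One_Byte_XOR_Hex_Strings {
    meta:
        description = "Detects all one-byte XOR values of {ABCDEF00}"

    strings:
        $key_01 = {aaccee01}
        $key_02 = {a9cfed02}
        // ... truncated for size ...
        $key_fe = {553311fe}
        $key_ff = {543210ff}

    condition:
        any of them
}

rule Emotet_LNK_Drive_Serial_May_2022 {
    meta:
        description = "Detects an LNK from May 2022 tagged as dropping Emotet based on a unique drive serial"
        hash = "b7d217f13550227bb6d80d05bde26e43cd752a870973052080a72a510c444b5a"

    strings:
        $drive_serial = {1138851c}

    condition:
        uint32(0) == 0x0000004c and any of them
}

rule Heuristic_LNK_Hidden_Link_Target {
    meta:
        description = "Detects LNK files with link targets that are hidden"

    condition:
        uint32(0) == 0x0000004C and
        uint32(4) == 0x00021401 and
        uint32(8) == 0x00000000 and
        uint32(12) == 0x000000C0 and
        uint32(16) == 0x46000000 and
        // FileAttributes field; bit 1 is FILE_ATTRIBUTE_HIDDEN
        uint32(24) & 0x00000002
}

import "lnk"

rule Heuristic_LNK_Icon_Location_Masquerading_as_Doc_or_PDF {
    condition:
        // NOTE(review): written as "\\x00", each escape is a literal backslash
        // followed by "x00", not a NUL byte; confirm whether "\x00" (UTF-16
        // ".\1.pdf") was intended before relying on this rule.
        lnk.icon_location contains ".\\x00\\\\x001\\x00.\\x00p\\x00d\\x00f" or
        lnk.icon_location contains ".\\x00\\\\x001\\x00.\\x00d\\x00o\\x00c"
}

import "pe"

rule AcidBox_SSP_DLL_Loader_windigest_Version_Info {
    meta:
        description = "Detects AcidBox SSP DLL loaders, based on a unique version information of 'windigest' and a description"
        author = "BitsOfBinary"
        reference = "https://unit42.paloaltonetworks.com/acidbox-rare-malware/"
        hash = "003669761229d3e1db0f5a5b333ef62b3dffcc8e27c821ce9018362e0a2df7e9"

    condition:
        pe.version_info["InternalName"] == "windigest.dll" or
        // NOTE(review): spaces inside literals were stripped in this copy;
        // confirm the exact FileDescription value against the referenced sample.
        pe.version_info["FileDescription"] == "WindowsDigestAccess"
}

import "lnk"

rule Heuristic_LNK_Negative_Window_Origin {
    meta:
        description = "Detects LNKs that have a negative value window origin location"

    condition:
        lnk.console_data.window_origin_x < 0 and
        lnk.console_data.window_origin_y < 0
}

import "lnk"

rule Heuristic_LNK_Created_After_Access_or_Write {
    meta:
        description = "Detects an LNK file with a creation timestamp later than that of its access/write timestamp"

    condition:
        lnk.creation_time > lnk.access_time or
        lnk.creation_time > lnk.write_time
}

import "lnk"

rule Heuristic_LNK_with_PE_Appended {
    meta:
        description = "Detects an LNK file that has had a PE file appended to it"

    condition:
        // "MZ" at the first byte after the parsed LNK structures
        uint16(lnk.overlay_offset) == 0x5A4D
}

import "pe"

rule AcidBox_SSP_DLL_Loader_msv1_1_Version_Info {
    meta:
        description = "Detects AcidBox SSP DLL loaders, based on a unique version information of 'msv1_1.dll'"
        author = "BitsOfBinary"
        reference = "https://unit42.paloaltonetworks.com/acidbox-rare-malware/"

    condition:
        pe.version_info["InternalName"] == "msv1_1.dll"
}

rule Heuristic_OneNote_Notebook_with_Embedded_Executable_File {
    meta:
        description = "Detects OneNote notebooks with suspicious embedded executable files"
        reference = "https://interoperability.blob.core.windows.net/files/MS-ONE/%5bMS-ONE%5d.pdf"

    strings:
        $embedded_file_container = {9B1D0020}
        $embedded_file_name = {9C1D001C}

        $ext1 = ".ade" ascii wide nocase
        $ext2 = ".adp" ascii wide nocase
        $ext3 = ".ai" ascii wide nocase
        $ext4 = ".bat" ascii wide nocase
        $ext5 = ".chm" ascii wide nocase
        $ext6 = ".cmd" ascii wide nocase
        $ext7 = ".com" ascii wide nocase
        $ext8 = ".cpl" ascii wide nocase
        $ext9 = ".dll" ascii wide nocase
        $ext10 = ".exe" ascii wide nocase
        $ext11 = ".hlp" ascii wide nocase
        $ext12 = ".hta" ascii wide nocase
        $ext13 = ".inf" ascii wide nocase
        $ext14 = ".ins" ascii wide nocase
        $ext15 = ".isp" ascii wide nocase
        $ext16 = ".jar" ascii wide nocase
        $ext17 = ".js" ascii wide nocase
        $ext18 = ".jse" ascii wide nocase
        $ext19 = ".lib" ascii wide nocase
        $ext20 = ".lnk" ascii wide nocase
        $ext21 = ".mde" ascii wide nocase
        $ext22 = ".msc" ascii wide nocase
        $ext23 = ".msi" ascii wide nocase
        $ext24 = ".msp" ascii wide nocase
        $ext25 = ".mst" ascii wide nocase
        $ext26 = ".nsh" ascii wide nocase
        $ext27 = ".pif" ascii wide nocase
        $ext28 = ".ps" ascii wide nocase
        $ext29 = ".ps1" ascii wide nocase
        $ext30 = ".reg" ascii wide nocase
        $ext31 = ".scr" ascii wide nocase
        $ext32 = ".sct" ascii wide nocase
        $ext33 = ".shb" ascii wide nocase
        $ext34 = ".shs" ascii wide nocase
        $ext35 = ".sys" ascii wide nocase
        $ext36 = ".vb" ascii wide nocase
        $ext37 = ".vbe" ascii wide nocase
        $ext38 = ".vbs" ascii wide nocase
        $ext39 = ".vxd" ascii wide nocase
        $ext40 = ".wsc" ascii wide nocase
        $ext41 = ".wsf" ascii wide nocase
        $ext42 = ".wsh" ascii wide nocase

    condition:
        uint32be(0) == 0xE4525C7B and
        $embedded_file_container and
        // Tighter than the earlier variant: require the file-name property close to
        // the container property, and the extension within 0x100 bytes.
        for any i in (1..#embedded_file_container) : (
            $embedded_file_name in (@embedded_file_container[i]..@embedded_file_container[i] + 0x30) and
            any of ($ext*) in (@embedded_file_container[i]..@embedded_file_container[i] + 0x100)
        )
}

rule One_Byte_XOR_Hex_Strings {
    meta:
        description = "Detects all one-byte XOR values of {ABCDEF00}"

    strings:
        // Same coverage as the enumerated $key_01..$key_ff variant, via the xor modifier
        $ = "\xAB\xCD\xEF\x00" xor(0x01-0xff)

    condition:
        any of them
}

import "pe"

rule AcidBox_SSP_DLL_Loader_Unique_Exports {
    meta:
        description = "Detects AcidBox SSP DLL loaders, based on having unique exported functions"
        author = "BitsOfBinary"
        reference = "https://unit42.paloaltonetworks.com/acidbox-rare-malware/"
        hash = "003669761229d3e1db0f5a5b333ef62b3dffcc8e27c821ce9018362e0a2df7e9"

    condition:
        pe.exports("InitPhysicalInterfaceA") or
        pe.exports("UpdateSecurityContext")
}

import "math"
import "console"

rule Serial_Correlation {
    condition:
        console.log(math.serial_correlation(0, filesize))
}

rule TridentUrsa_LNK_Machine_ID {
    meta:
        description = "Rule to pick up LNKs used by Gamaredon Group/Trident Ursa based on a unique Machine ID"
        hash = "f119cc4cb5a7972bdc80548982b2b63fac5b48d5fce1517270db67c858e9e8b0"
        reference = "https://unit42.paloaltonetworks.com/trident-ursa/"
        reference = "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"

    strings:
        $ = "desktop-farl139"

    condition:
        any of them
}

import "lnk"

rule LNK_LocalBasePath_Example {
    condition:
        lnk.link_info.local_base_path == "C:\\test\\a.txt"
}

rule AcidBox_SSP_DLL_Loader_Format_String_Combos_Loose {
    meta:
        description = "Detects AcidBox SSP DLL loaders, based on combinations of format strings seen in samples. This rule uses a looser set of strings, so may be more false positive-prone."
        author = "BitsOfBinary"
        reference = "https://unit42.paloaltonetworks.com/acidbox-rare-malware/"
        hash = "003669761229d3e1db0f5a5b333ef62b3dffcc8e27c821ce9018362e0a2df7e9"

    strings:
        // Combinations of the following with alignment bytes:
        // %s\%s
        // %s\%s{%s}
        // s\{%s}
        $ = {25735C257300[0-16]25735C25737B25737D00}
        $ = {25735C257300[0-16]25735C7B25737D00}
        $ = {25735C25737B25737D00[0-16]25735C257300}
        $ = {25735C25737B25737D00[0-16]25735C7B25737D00}
        $ = {25735C7B25737D00[0-16]25735C257300}
        $ = {25735C7B25737D00[0-16]25735C25737B25737D00}

    condition:
        any of them
}

rule Reflective_Loader_Shellcode_Base64_Encoded {
    meta:
        description = "Detects Base64 encoded reflective loader shellcode stub, seen for example in Meterpreter samples"
        hash = "ed48d56a47982c3c9b39ee8859e0b764454ab9ac6e7a7866cdef5c310521be19"
        hash = "76d54a57bf9521f6558b588acd0326249248f91b27ebc25fd94ebe92dc497809"
        hash = "1db32411a88725b259a7f079bdebd5602f11130f71ec35bec9d18134adbd4352"

    strings:
        // pop r10
        // push r10
        // push rbp
        // mov rbp, rsp
        // sub rsp, 20h
        // and rsp, 0FFFFFFFFFFFFFFF0h
        // call $+5
        // pop rbx
        $ = "\x4D\x5A\x41\x52\x55\x48\x89\xE5\x48\x83\xEC\x20\x48\x83\xE4\xF0\xE8\x00\x00\x00\x00\x5B" base64 base64wide

    condition:
        any of them
}

import "lnk"

rule Heuristic_LNK_LocalBasePath_in_TEMP {
    meta:
        description = "Detects LNK files with a local base path pointing at the %TEMP% folder"

    condition:
        lnk.link_info.local_base_path icontains "TEMP"
}

import "lnk"
import "math"

rule Heuristic_LNK_with_High_Entropy_Data_Appended {
    meta:
        description = "Detects LNK files appended with high entropy data i.e. likely encrypted data"

    condition:
        // Entropy of everything after the parsed LNK structures
        math.entropy(lnk.overlay_offset, filesize - lnk.overlay_offset) > 7.9
}

import "pe"

rule AcidBox_SSP_DLL_Loader_pku_Version_Info {
    meta:
        description = "Detects AcidBox SSP DLL loaders, based on a unique version information of 'pku.dll'"
        author = "BitsOfBinary"
        reference = "https://unit42.paloaltonetworks.com/acidbox-rare-malware/"

    condition:
        pe.version_info["InternalName"] == "pku.dll"
}

import "lnk"

rule Heuristic_LNK_MachineID_Not_Starting_with_desktop {
    meta:
        description = "Detects LNK files that have a Machine ID that doesn't start with 'desktop-'"

    condition:
        not lnk.tracker_data.machine_id startswith "desktop-"
}

rule test {
    strings:
        $foo = "foo"

    condition:
        any of them
}

rule IsMacho {
    condition:
        uint32(0) == 0xfeedface or   // the mach magic number
        uint32(0) == 0xcefaedfe or   // NXSwapInt(MH_MAGIC)
        uint32(0) == 0xfeedfacf or   // the 64-bit mach magic number
        uint32(0) == 0xcffaedfe or   // NXSwapInt(MH_MAGIC_64)
        (
            uint32(0) == 0xcafebabe and   // Mach-O FAT binaries
            // Avoid Java classes
            // NOTE(review): offset 4 of a Java class file is its minor_version
            // field, which is usually 0, so this guard may not exclude classes;
            // confirm the intended field/endianness against the referenced magic.
            uint16(4) < 0x30
        )
}

rule APT41_Icon_Location_LNK : Red_Kelpie {
    meta:
        description = "Detects LNK files masquerading as PDFs likely used by APT41"
        TLP = "WHITE"
        author = "PwC Cyber Threat Operations :: BitsOfBinary"
        copyright = "Copyright PwC UK 2021 (C)"
        license = "Apache License, Version 2.0"
        created_date = "2021-08-26"
        modified_date = "2021-08-26"
        revision = "0"
        hash = "2218904238dc4f8bb5bb838ed4fa779f7873814d7711a28ba59603826ae020aa"
        hash = "5904bc90aec64b12caa5d352199bd4ec2f5a3a9ac0a08adf954689a58eff3f2a"
        hash = "c98ac83685cb5f7f72e832998fec753910e77d1b8eee638acb508252912f6cf6"
        hash = "a44b35f376f6e493580c988cd697e8a2d64c82ab665dfd100115fb6f700bb82a"

    strings:
        $pdf = ".\\1.pdf" ascii wide
        $doc = ".\\1.doc" ascii wide

    condition:
        uint32be(0) == 0x4C000000 and
        uint32be(4) == 0x01140200 and
        uint32be(8) == 0x00000000 and
        uint32be(12) == 0xC0000000 and
        uint32be(16) == 0x00000046 and
        any of them
}

import "lnk"

rule Heuristic_Malformed_LNK {
    meta:
        description = "Detects a malformed LNK"

    condition:
        lnk.is_malformed
}

rule IsELF_64bit {
    condition:
        // Check for ELF header
        uint32be(0) == 0x7f454c46 and
        // Byte at offset 0x4 is 1 for 32-bit, 2 for 64-bit
        uint8(4) == 2
}

import "lnk"

rule Heuristic_LNK_Empty_Timestamp {
    meta:
        description = "Detects an LNK file with a creation/write/access timestamp that has been zero'ed out"

    condition:
        lnk.creation_time == 0 or
        lnk.write_time == 0 or
        lnk.access_time == 0
}

import "lnk"

rule Heuristic_LNK_Pointing_to_Network_Share {
    meta:
        description = "Detects an LNK pointing to the network share '\\\\server\\share'"

    condition:
        lnk.link_info.common_network_relative_link.net_name == "\\\\server\\share"
}

import "math"
import "console"
import "pe"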
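// NOTE(review): this copy of the rules lost all whitespace, parentheses and
// commas (", " became "."). The layout below is reconstructed from YARA syntax;
// grouping parentheses are restored only where a standalone "or" line in the
// copy shows they existed. Literals, hashes and hex patterns are unchanged.

rule PE_Entropy_dottext_Section {
    condition:
        for any section in pe.sections : (
            section.name == ".text" and
            // Cap the scanned range at 2048 bytes
            console.log(math.entropy(section.raw_data_offset, math.min(2048, section.raw_data_size)))
        )
}

import "lnk"

rule LNK_With_WinRAR_Description {
    meta:
        description = "Detects LNK files with a description matching that of the WinRAR"

    condition:
        // Process RAR, ZIP and other archive formats
        // NOTE(review): as copied here the literal has no UTF-16 space code
        // units (\x20\x00) between the words of the comment above and shows
        // "\x00\x00" runs instead; confirm the exact value before use.
        lnk.name_string == "P\x00r\x00o\x00c\x00e\x00s\x00s\x00\x00R\x00A\x00R\x00.\x00\x00Z\x00I\x00P\x00\x00a\x00n\x00d\x00\x00o\x00t\x00h\x00e\x00r\x00\x00a\x00r\x00c\x00h\x00i\x00v\x00e\x00\x00f\x00o\x00r\x00m\x00a\x00t\x00s\x00"
}

rule Heuristic_ELF_with_One_Section {
    condition:
        uint32be(0) == 0x7f454c46 and
        // NOTE(reconstruction): grouping inferred from the standalone "or" line;
        // without it the magic check would only guard the 32-bit branch.
        (
            // 32-bit: EI_CLASS == 1, e_shnum at 0x30
            (uint8(4) == 1 and uint16(0x30) == 1)
            or
            // 64-bit: EI_CLASS == 2, e_shnum at 0x3c
            (uint8(4) == 2 and uint16(0x3c) == 1)
        )
}

import "pe"

rule SessionManager_IIS_Backdoor_PDB_Path_Segments {
    meta:
        description = "Detects the SessionManager IIS backdoor based on some unique PDB path segments"
        reference = "https://securelist.com/the-sessionmanager-iis-backdoor/106868/"

    condition:
        pe.pdb_path contains "\\GodLike\\" or
        pe.pdb_path matches /\\t\\t[0-9]\\/ or
        pe.pdb_path endswith "\\sessionmanagermodule.pdb"
}

import "lnk"

rule Heuristic_LNK_using_Shortcut_F5 {
    meta:
        description = "Detects LNKs using the keyboard shortcut 'F5'"

    condition:
        lnk.hotkey == "F5"
}

rule test {
    strings:
        $foo = "foo"

    condition:
        #foo == 2
}

import "lnk"

rule Heuristic_LNK_LocalBasePath_mshta {
    meta:
        description = "Detects LNK files pointing at mshta"

    condition:
        lnk.link_info.local_base_path icontains "mshta"
}

rule AcidBox_SSP_DLL_Loader_Format_Strings {
    meta:
        description = "Detects AcidBox SSP DLL loaders, based on a combination of format strings"
        author = "BitsOfBinary"
        reference = "https://unit42.paloaltonetworks.com/acidbox-rare-malware/"
        hash = "003669761229d3e1db0f5a5b333ef62b3dffcc8e27c821ce9018362e0a2df7e9"

    strings:
        $ = "%s\\%s"
        $ = "%s\\%s{%s}"
        $ = "s\\{%s}"

    condition:
        all of them
}

import "lnk"

rule Heuristic_LNK_Hidden_Link_Target {
    meta:
        description = "Detects LNK files with link targets that are hidden"

    condition:
        lnk.file_attributes_flags & lnk.FILE_ATTRIBUTE_HIDDEN
}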
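// NOTE(review): this copy of the rules lost all whitespace, parentheses and
// commas (", " became "."). The layout below is reconstructed from YARA syntax;
// literals, hashes and hex patterns are unchanged, and the (b8|bb) alternation
// parentheses in AcidBox_SSP_DLL_Loader_Unique_Return_Codes_C are restored.

rule Heuristic_OneNote_Notebook_with_Embedded_File {
    meta:
        description = "Detects OneNote notebooks with an embedded file"
        reference = "https://interoperability.blob.core.windows.net/files/MS-ONE/%5bMS-ONE%5d.pdf"

    strings:
        $embedded_file_container_property_id = {9B1D0020}

    condition:
        uint32be(0) == 0xE4525C7B and any of them
}

rule AcidBox_SSP_DLL_Loader_Crypto_Routine_B {
    meta:
        description = "Detects AcidBox SSP DLL loaders, based on a unique cryptography routine"
        author = "BitsOfBinary"
        reference = "https://unit42.paloaltonetworks.com/acidbox-rare-malware/"
        hash = "003669761229d3e1db0f5a5b333ef62b3dffcc8e27c821ce9018362e0a2df7e9"

    strings:
        // 180013a71  0fb60432     MOVZX EAX, byte ptr [param_2 + RSI*0x1]
        // 180013a75  33c8         XOR param_1, EAX
        // 180013a77  880c3a       MOV byte ptr [param_2 + RDI*0x1], param_1
        // 180013a7a  41ffc0       INC param_3
        // 180013a7d  448944 2404  MOV dword ptr [RSP + local_14], param_3
        $ = {0fb6043233c8880c3a4?ffc04?8944?404}

    condition:
        any of them
}

rule Offset_MZ_At_0_And_Extra_String {
    strings:
        $foobar = "foobar"

    condition:
        uint16(0) == 0x5A4D and $foobar
}

import "lnk"

rule is_lnk {
    condition:
        lnk.is_lnk
}

rule IsISO {
    condition:
        // "CD001" volume descriptor identifier at one of the common sector offsets
        (uint32be(0x8001) == 0x43443030 and uint8(0x8005) == 0x31) or
        (uint32be(0x8801) == 0x43443030 and uint8(0x8805) == 0x31) or
        (uint32be(0x9001) == 0x43443030 and uint8(0x9005) == 0x31)
}

import "lnk"
import "time"

rule Heuristic_LNK_Created_in_Future {
    meta:
        description = "Detects LNK files with a creation timestamp in the future"

    condition:
        lnk.creation_time > time.now()
}

rule TridentUrsa_LNK_Droid_Values {
    meta:
        description = "Rule to pick up LNKs used by Gamaredon Group/Trident Ursa based on unique Droid GUIDs"
        hash = "f119cc4cb5a7972bdc80548982b2b63fac5b48d5fce1517270db67c858e9e8b0"
        reference = "https://unit42.paloaltonetworks.com/trident-ursa/"
        reference = "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"

    strings:
        $file_identifier = {c61f17b9cc07eb11b4230800272e051d}
        $volume_identifier = {427901334e51a047a1e0767f68b94ea1}

    condition:
        any of them
}

import "pe"
import "hash"

rule APT42_CHAIRSMACK_PE_Metadata {
    meta:
        description = "Detects samples of CHAIRSMACK based on unique PE metadata i.e. imphash and rich PE header hash"
        reference = "https://mandiant.com/resources/blog/apt42-charms-cons-compromises"
        hash = "a37a290863fe29b9812e819e4c5b047c44e7a7d7c40e33da6f5662e1957862ab"

    condition:
        pe.imphash() == "72f60d7f4ce22db4506547ad555ea0b1" or
        hash.md5(pe.rich_signature.clear_data) == "c0de41e45352714500771d43f0d8c4c3"
}

// (page text) rule as:

rule IsPE {
    condition:
        // MZ signature at offset 0 and...
        uint16be(0) == 0x4D5A and
        // ...PE signature at offset stored in MZ header at 0x3C
        uint32be(uint32(0x3C)) == 0x50450000
}

rule Heuristic_OneNote_Notebook_with_Embedded_File_with_Filename {
    meta:
        reference = "https://interoperability.blob.core.windows.net/files/MS-ONE/%5bMS-ONE%5d.pdf"

    strings:
        $embedded_file_container = {9B1D0020}
        $embedded_file_name = {9C1D001C}

    condition:
        uint32be(0) == 0xE4525C7B and
        $embedded_file_container and
        for any i in (1..#embedded_file_container) : (
            $embedded_file_name in (@embedded_file_container[i]..@embedded_file_container[i] + 0x30)
        )
}

rule Just_Offset_MZ_At_0 {
    condition:
        uint16(0) == 0x5A4D
}

rule Hex_String_Test {
    strings:
        $ = {ABCDEF00}

    condition:
        any of them
}

import "lnk"

rule test {
    condition:
        filesize > 0
}

rule IsPE {
    condition:
        // "This program" start of the default MS-DOS stub message at 0x40
        uint32be(0x40) == 0x0E1FBA0E
}

rule IsPE {
    condition:
        uint16(0) == 0x5A4D
}

rule SUSP_LNK_SmallScreenSize {
    meta:
        author = "Greg Lesnewich"
        description = "check for LNKs that have a screen buffer size and Window Size dimensions of 1x1"
        date = "2023-01-01"
        version = "1.0"
        DaysofYARA = "1/100"

    strings:
        $dimensions = {020000A0??00????0100010001}
        // struct ConsoleDataBlock sConsoleDataBlock
        // uint32 Size
        // uint32 Signature
        // enum FillAttributes
        // enum PopupFillAttributes
        // uint16 ScreenBufferSizeX
        // uint16 ScreenBufferSizeY
        // uint16 WindowSizeX
        // uint16 WindowSizeY

    condition:
        uint32be(0x0) == 0x4c000000 and all of them
}

rule AcidBox_SSP_DLL_Loader_Unique_Return_Codes_C {
    meta:
        description = "Detects AcidBox SSP DLL loaders, based on unique return codes seen in functions"
        author = "BitsOfBinary"
        reference = "https://unit42.paloaltonetworks.com/acidbox-rare-malware/"
        hash = "003669761229d3e1db0f5a5b333ef62b3dffcc8e27c821ce9018362e0a2df7e9"

    strings:
        // mov eax/ebx, imm32 with one of the loader's return codes
        $ = { (b8|bb) 060400a0 }
        $ = { (b8|bb) 010400a0 }
        $ = { (b8|bb) 020400a0 }
        $ = { (b8|bb) 0c0c00a0 }
        $ = { (b8|bb) 020c00a0 }
        $ = { (b8|bb) 010700a0 }
        $ = { (b8|bb) 070800a0 }
        $ = { (b8|bb) 020700a0 }
        $ = { (b8|bb) 040600a0 }
        $ = { (b8|bb) 080600a0 }
        $ = { (b8|bb) 020600a0 }
        $ = { (b8|bb) 0c0800a0 }
        $ = { (b8|bb) 060800a0 }
        $ = { (b8|bb) 040800a0 }
        $ = { (b8|bb) 071003a0 }
        $ = { (b8|bb) 091003a0 }
        $ = { (b8|bb) 111003a0 }
        $ = { (b8|bb) 021003a0 }
        $ = { (b8|bb) 040408a0 }
        $ = { (b8|bb) 070408a0 }
        $ = { (b8|bb) 020300a0 }
        $ = { (b8|bb) 020408a0 }
        $ = { (b8|bb) 040108a0 }
        $ = { (b8|bb) 060108a0 }
        $ = { (b8|bb) 0e0108a0 }
        $ = { (b8|bb) 010208a0 }
        $ = { (b8|bb) 020208a0 }
        $ = { (b8|bb) 040208a0 }
        $ = { (b8|bb) 060208a0 }
        $ = { (b8|bb) 010000c0 }
        $ = { (b8|bb) 020a08a0 }
        $ = { (b8|bb) 020603a0 }
        $ = { (b8|bb) 040603a0 }
        $ = { (b8|bb) 100603a0 }
        $ = { (b8|bb) 0e0603a0 }
        $ = { (b8|bb) 02080280 }
        $ = { (b8|bb) 06080280 }
        $ = { (b8|bb) 01080280 }
        $ = { (b8|bb) 04080280 }
        $ = { (b8|bb) 07080280 }
        $ = { (b8|bb) 71800780 }
        $ = { (b8|bb) 06010380 }
        $ = { (b8|bb) 02010380 }
        $ = { (b8|bb) 02060380 }
        $ = { (b8|bb) 01060380 }
        $ = { (b8|bb) 02070380 }
        $ = { (b8|bb) 06070380 }
        $ = { (b8|bb) 07060480 }
        $ = { (b8|bb) 04060480 }
        $ = { (b8|bb) 05060480 }
        $ = { (b8|bb) 02060480 }
        $ = { (b8|bb) 07160480 }
        $ = { (b8|bb) 04160480 }
        $ = { (b8|bb) 06160480 }
        $ = { (b8|bb) 02160480 }
        $ = { (b8|bb) 02280480 }
        $ = { (b8|bb) 07280480 }
        $ = { (b8|bb) 060b0480 }
        $ = { (b8|bb) 020b0480 }
        $ = { (b8|bb) 020c0480 }
        $ = { (b8|bb) 020d0480 }
        $ = { (b8|bb) 060d0480 }
        $ = { (b8|bb) 021c0480 }
        $ = { (b8|bb) 041c0480 }
        $ = { (b8|bb) 071c0480 }
        $ = { (b8|bb) 061c0480 }
        $ = { (b8|bb) 0c1c0480 }
        $ = { (b8|bb) 061d0480 }
        $ = { (b8|bb) 09220480 }
        $ = { (b8|bb) 09080480 }
        $ = { (b8|bb) 09090480 }
        $ = { (b8|bb) 09070480 }
        $ = { (b8|bb) 02220480 }
        $ = { (b8|bb) 0c010480 }
        $ = { (b8|bb) 02010480 }
        $ = { (b8|bb) 02100480 }
        $ = { (b8|bb) 02110480 }
        $ = { (b8|bb) 07110480 }
        $ = { (b8|bb) 0a110480 }
        $ = { (b8|bb) 02120480 }
        $ = { (b8|bb) 0a120480 }
        $ = { (b8|bb) 07120480 }
        $ = { (b8|bb) 010f0480 }
        $ = { (b8|bb) 070f0480 }
        $ = { (b8|bb) 020f0480 }
        $ = { (b8|bb) 0a0f0480 }
        $ = { (b8|bb) 0b0f0480 }
        $ = { (b8|bb) 02020480 }
        $ = { (b8|bb) 07040480 }
        $ = { (b8|bb) 0c040480 }
        $ = { (b8|bb) 02040480 }
        $ = { (b8|bb) 02140480 }
        $ = { (b8|bb) 02150480 }
        $ = { (b8|bb) 0a140480 }
        $ = { (b8|bb) 07150480 }
        $ = { (b8|bb) 0c150480 }
        $ = { (b8|bb) 09250480 }
        $ = { (b8|bb) 02250480 }
        $ = { (b8|bb) 02260480 }
        $ = { (b8|bb) 06270480 }
        $ = { (b8|bb) 07270480 }
        $ = { (b8|bb) 09270480 }
        $ = { (b8|bb) 0c270480 }
        $ = { (b8|bb) 0a270480 }
        $ = { (b8|bb) 04270480 }
        $ = { (b8|bb) 02270480 }
        $ = { (b8|bb) 04130480 }
        $ = { (b8|bb) 0c130480 }
        $ = { (b8|bb) 06130480 }
        $ = { (b8|bb) 01130480 }
        $ = { (b8|bb) 02130480 }
        $ = { (b8|bb) 0c210480 }
        $ = { (b8|bb) 06210480 }
        $ = { (b8|bb) 05210480 }
        $ = { (b8|bb) 02210480 }
        $ = { (b8|bb) 06170480 }
        $ = { (b8|bb) 0c170480 }
        $ = { (b8|bb) 02170480 }
        $ = { (b8|bb) 02050580 }
        $ = { (b8|bb) 06050580 }
        $ = { (b8|bb) 06070580 }
        $ = { (b8|bb) 04070580 }
        $ = { (b8|bb) 02070580 }
        $ = { (b8|bb) 02090580 }
        $ = { (b8|bb) 06090580 }
        $ = { (b8|bb) 010b0780 }
        $ = { (b8|bb) 060b0780 }
        $ = { (b8|bb) 020b0780 }
        $ = { (b8|bb) 060c0780 }
        $ = { (b8|bb) 020c0780 }
        $ = { (b8|bb) 05030180 }
        $ = { (b8|bb) 02030180 }

    condition:
        uint16(0) == 0x5A4D and 10 of them
}

import "lnk"

rule Emotet_LNK_Drive_Serial_May_2022 {
    meta:
        description = "Detects an LNK from May 2022 tagged as dropping Emotet based on a unique drive serial"
        hash = "b7d217f13550227bb6d80d05bde26e43cd752a870973052080a72a510c444b5a"

    condition:
        // Same serial as the {1138851c} byte pattern in the module-free variant
        lnk.link_info.volume_id.drive_serial_number == 0x1c853811
}

rule IsPE {
    strings:
        $mz = {4d5a} // equally you could use $mz = {4d5a}
        $foobar = "foobar"

    condition:
        $mz at 0 and any of them
}

rule Str_MZ_At_0_And_Extra_String {
    strings:
        $mz = "MZ"
        $foobar = "foobar"

    condition:
        $mz at 0 and $foobar
}

rule AcidBox_SSP_DLL_Loader_Format_String_Combos {
    meta:
        description = "Detects AcidBox SSP DLL loaders, based on combinations of format strings seen in samples"
        author = "BitsOfBinary"
        reference = "https://unit42.paloaltonetworks.com/acidbox-rare-malware/"
        hash = "003669761229d3e1db0f5a5b333ef62b3dffcc8e27c821ce9018362e0a2df7e9"

    strings:
        // Combinations of the following with alignment bytes:
        // %s\%s
        // %s\%s{%s}
        // s\{%s}
        $ = {25735C25730000000000000025735C25737B25737D00}
        $ = {25735C25730000000000000025735C7B25737D00}
        $ = {25735C25737B25737D0000000000000025735C257300}
        $ = {25735C25737B25737D0000000000000025735C7B25737D00}
        $ = {25735C7B25737D0000000000000025735C257300}
        $ = {25735C7B25737D0000000000000025735C25737B25737D00}

    condition:
        any of them
}

rule AcidBox {
    condition:
        // Aggregates every rule in this set whose name starts with AcidBox
        any of (AcidBox*)
}

rule IsPE {
    strings:
        $mz = "MZ" // equally you could use $mz = {4d5a}

    condition:
        $mz at 0
}

import "lnk"

rule Heuristic_LNK_With_ConsoleFEData {
    meta:
        description = "Detects LNK with ConsoleFEData structure"

    condition:
        lnk.has_console_fe_data
}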
ruleHeuristic_ELF_with_One_Section{ condition: uint32be0==0x7f454c46and //32-bitcheck uint84==1and uint160x30==1 or //Assume64-bitif32-bitcheckfails uint160x3c==1 } ruleHeuristic_Stack_String_SeLoadDriverPrivilege_C{ meta: description="DetectsthestackstringSeLoadDriverPrivilegebeingloadedinacombinationof1.2.and4bytechunks.notnecessarilyinorder" strings: $one_byte_mov_S_stack={C64424??53} $one_byte_mov_e_stack={C64424??65} $one_byte_mov_L_stack={C64424??4c} $one_byte_mov_o_stack={C64424??6f} $one_byte_mov_a_stack={C64424??61} $one_byte_mov_d_stack={C64424??64} $one_byte_mov_D_stack={C64424??44} $one_byte_mov_r_stack={C64424??72} $one_byte_mov_i_stack={C64424??69} $one_byte_mov_v_stack={C64424??76} $one_byte_mov_P_stack={C64424??50} $one_byte_mov_l_stack={C64424??6c} $one_byte_mov_g_stack={C64424??67} $two_byte_mov_Se_stack={66C74424??5365} $two_byte_mov_eL_stack={66C74424??654c} $two_byte_mov_Lo_stack={66C74424??4c6f} $two_byte_mov_oa_stack={66C74424??6f61} $two_byte_mov_ad_stack={66C74424??6164} $two_byte_mov_dD_stack={66C74424??6444} $two_byte_mov_Dr_stack={66C74424??4472} $two_byte_mov_ri_stack={66C74424??7269} $two_byte_mov_iv_stack={66C74424??6976} $two_byte_mov_ve_stack={66C74424??7665} $two_byte_mov_er_stack={66C74424??6572} $two_byte_mov_rP_stack={66C74424??7250} $two_byte_mov_Pr_stack={66C74424??5072} $two_byte_mov_vi_stack={66C74424??7669} $two_byte_mov_il_stack={66C74424??696c} $two_byte_mov_le_stack={66C74424??6c65} $two_byte_mov_eg_stack={66C74424??6567} $two_byte_mov_ge_stack={66C74424??6765} $four_byte_mov_SeLo_stack={C74424??53654c6f} $four_byte_mov_eLoa_stack={C74424??654c6f61} $four_byte_mov_Load_stack={C74424??4c6f6164} $four_byte_mov_oadD_stack={C74424??6f616444} $four_byte_mov_adDr_stack={C74424??61644472} $four_byte_mov_dDri_stack={C74424??64447269} $four_byte_mov_Driv_stack={C74424??44726976} $four_byte_mov_rive_stack={C74424??72697665} $four_byte_mov_iver_stack={C74424??69766572} $four_byte_mov_verP_stack={C74424??76657250} 
$four_byte_mov_erPr_stack={C74424??65725072} $four_byte_mov_rPri_stack={C74424??72507269} $four_byte_mov_Priv_stack={C74424??50726976} $four_byte_mov_rivi_stack={C74424??72697669} $four_byte_mov_ivil_stack={C74424??6976696c} $four_byte_mov_vile_stack={C74424??76696c65} $four_byte_mov_ileg_stack={C74424??696c6567} $four_byte_mov_lege_stack={C74424??6c656765} condition: foranyof$four_byte_*: anyof$one_byte_*.$two_byte_*at@+8 } import"elf" ruleHeuristic_ELF_with_One_Section{ condition: elf.number_of_sections==1 } import"pe" import"hash" ruleAcidBox_SSP_DLL_Loader_Imphash{ meta: description="DetectsAcidBoxSSPDLLloaders.basedonauniqueimporthash" author="BitsOfBinary" reference="https://unit42.paloaltonetworks.com/acidbox-rare-malware/" hash="003669761229d3e1db0f5a5b333ef62b3dffcc8e27c821ce9018362e0a2df7e9" condition: pe.imphash=="30851d4a2b31e9699084a06e765e21b0" } import"lnk" ruleTridentUrsa_LNK_Machine_ID{ meta: description="RuletopickupLNKsusedbyGamaredonGroup/TridentUrsabasedonauniqueMachineID" hash="f119cc4cb5a7972bdc80548982b2b63fac5b48d5fce1517270db67c858e9e8b0" reference="https://unit42.paloaltonetworks.com/trident-ursa/" reference="https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt" condition: lnk.tracker_data.machine_id=="desktop-farl139" } import"lnk" ruleHeuristic_LNK_Targeting_File_On_Removable_Media{ condition: lnk.link_info.volume_id.drive_type&lnk.DRIVE_REMOVABLE } import"pe" ruleAcidBox_SSP_DLL_Loader_Unique_Return_Codes_B{ meta: description="DetectsAcidBoxSSPDLLloaders.basedonuniquereturncodesseeninfunctions" author="BitsOfBinary" reference="https://unit42.paloaltonetworks.com/acidbox-rare-malware/" hash="003669761229d3e1db0f5a5b333ef62b3dffcc8e27c821ce9018362e0a2df7e9" strings: $={060400a0} $={010400a0} $={020400a0} $={0c0c00a0} $={020c00a0} $={010700a0} $={070800a0} $={020700a0} $={040600a0} $={080600a0} $={020600a0} $={0c0800a0} $={060800a0} $={040800a0} $={071003a0} $={091003a0} $={111003a0} $={021003a0} 
$={040408a0} $={070408a0} $={020300a0} $={020408a0} $={040108a0} $={060108a0} $={0e0108a0} $={010208a0} $={020208a0} $={040208a0} $={060208a0} $={010000c0} $={020a08a0} $={020603a0} $={040603a0} $={100603a0} $={0e0603a0} $={02080280} $={06080280} $={01080280} $={04080280} $={07080280} $={71800780} $={06010380} $={02010380} $={02060380} $={01060380} $={02070380} $={06070380} $={07060480} $={04060480} $={05060480} $={02060480} $={07160480} $={04160480} $={06160480} $={02160480} $={02280480} $={07280480} $={060b0480} $={020b0480} $={020c0480} $={020d0480} $={060d0480} $={021c0480} $={041c0480} $={071c0480} $={061c0480} $={0c1c0480} $={061d0480} $={09220480} $={09080480} $={09090480} $={09070480} $={02220480} $={0c010480} $={02010480} $={02100480} $={02110480} $={07110480} $={0a110480} $={02120480} $={0a120480} $={07120480} $={010f0480} $={070f0480} $={020f0480} $={0a0f0480} $={0b0f0480} $={02020480} $={07040480} $={0c040480} $={02040480} $={02140480} $={02150480} $={0a140480} $={07150480} $={0c150480} $={09250480} $={02250480} $={02260480} $={06270480} $={07270480} $={09270480} $={0c270480} $={0a270480} $={04270480} $={02270480} $={04130480} $={0c130480} $={06130480} $={01130480} $={02130480} $={0c210480} $={06210480} $={05210480} $={02210480} $={06170480} $={0c170480} $={02170480} $={02050580} $={06050580} $={06070580} $={04070580} $={02070580} $={02090580} $={06090580} $={010b0780} $={060b0780} $={020b0780} $={060c0780} $={020c0780} $={05030180} $={02030180} condition: uint160==0x5A4Dandfilesize<500KBand30ofthemandnotforanyofthem: not$inpe.sections[0].raw_data_offset..pe.sections[0].raw_data_offset+pe.sections[0].raw_data_sizeand #>3 } ruleis_lnk{ condition: uint320==0x0000004Cand uint324==0x00021401and uint328==0x00000000and uint3212==0x000000C0and uint3216==0x46000000 } import"lnk" import"console" ruleLNK_MachineID{ condition: lnk.is_lnkand console.log"MachineID:".lnk.tracker_data.machine_id } ruleIsISO{ strings: $iso_sig="CD001" condition: $iso_sigat0x8001or 
$iso_sigat0x8801or $iso_sigat0x9001 } ruleAcidBox_SSP_DLL_Loader_Unique_Return_Codes_A{ meta: description="DetectsAcidBoxSSPDLLloaders.basedonuniquereturncodesseeninfunctions" author="BitsOfBinary" reference="https://unit42.paloaltonetworks.com/acidbox-rare-malware/" hash="003669761229d3e1db0f5a5b333ef62b3dffcc8e27c821ce9018362e0a2df7e9" strings: $={060400a0} $={010400a0} $={020400a0} $={0c0c00a0} $={020c00a0} $={010700a0} $={070800a0} $={020700a0} $={040600a0} $={080600a0} $={020600a0} $={0c0800a0} $={060800a0} $={040800a0} $={071003a0} $={091003a0} $={111003a0} $={021003a0} $={040408a0} $={070408a0} $={020300a0} $={020408a0} $={040108a0} $={060108a0} $={0e0108a0} $={010208a0} $={020208a0} $={040208a0} $={060208a0} $={010000c0} $={020a08a0} $={020603a0} $={040603a0} $={100603a0} $={0e0603a0} $={02080280} $={06080280} $={01080280} $={04080280} $={07080280} $={71800780} $={06010380} $={02010380} $={02060380} $={01060380} $={02070380} $={06070380} $={07060480} $={04060480} $={05060480} $={02060480} $={07160480} $={04160480} $={06160480} $={02160480} $={02280480} $={07280480} $={060b0480} $={020b0480} $={020c0480} $={020d0480} $={060d0480} $={021c0480} $={041c0480} $={071c0480} $={061c0480} $={0c1c0480} $={061d0480} $={09220480} $={09080480} $={09090480} $={09070480} $={02220480} $={0c010480} $={02010480} $={02100480} $={02110480} $={07110480} $={0a110480} $={02120480} $={0a120480} $={07120480} $={010f0480} $={070f0480} $={020f0480} $={0a0f0480} $={0b0f0480} $={02020480} $={07040480} $={0c040480} $={02040480} $={02140480} $={02150480} $={0a140480} $={07150480} $={0c150480} $={09250480} $={02250480} $={02260480} $={06270480} $={07270480} $={09270480} $={0c270480} $={0a270480} $={04270480} $={02270480} $={04130480} $={0c130480} $={06130480} $={01130480} $={02130480} $={0c210480} $={06210480} $={05210480} $={02210480} $={06170480} $={0c170480} $={02170480} $={02050580} $={06050580} $={06070580} $={04070580} $={02070580} $={02090580} $={06090580} $={010b0780} $={060b0780} 
$={020b0780} $={060c0780} $={020c0780} $={05030180} $={02030180} condition: uint160==0x5A4Dandfilesize<500KBand80ofthem } ruleHeuristic_ELF_with_One_Section{ condition: uint32be0==0x7f454c46and uint160x30+uint84-1*0xc==1 } import"math" import"console" ruleBad_Monte_Carlo_Pi_Estimate{ condition: console.logmath.monte_carlo_pi"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" } ruleIsELF{ condition: uint32be0==0x7f454c46 } import"lnk" ruleHeuristic_LNK_SmallScreenSize{ meta: description="Adaptationof@greglesnewich'sruletofindLNKswitha1x1consolesize" condition: lnk.console_data.window_size_x==1and lnk.console_data.window_size_y==1and lnk.console_data.screen_buffer_size_x==1and lnk.console_data.screen_buffer_size_y==1 } ruleIsPE { condition: //MZsignatureatoffset0and... uint160==0x5A4Dand //...PEsignatureatoffsetstoredinMZheaderat0x3C uint32uint320x3C==0x00004550 } ruleHeuristic_Stack_String_SeLoadDriverPrivilege_B{ meta: description="DetectsthestackstringSeLoadDriverPrivilegebeingloadedinacombinationof1.2.and4bytechunks.notnecessarilyinorder" strings: $one_byte_mov_S_stack={C64424??53} $one_byte_mov_e_stack={C64424??65} $one_byte_mov_L_stack={C64424??4c} $one_byte_mov_o_stack={C64424??6f} $one_byte_mov_a_stack={C64424??61} $one_byte_mov_d_stack={C64424??64} $one_byte_mov_D_stack={C64424??44} $one_byte_mov_r_stack={C64424??72} $one_byte_mov_i_stack={C64424??69} $one_byte_mov_v_stack={C64424??76} $one_byte_mov_P_stack={C64424??50} $one_byte_mov_l_stack={C64424??6c} $one_byte_mov_g_stack={C64424??67} $two_byte_mov_Se_stack={66C74424??5365} $two_byte_mov_eL_stack={66C74424??654c} $two_byte_mov_Lo_stack={66C74424??4c6f} $two_byte_mov_oa_stack={66C74424??6f61} $two_byte_mov_ad_stack={66C74424??6164} $two_byte_mov_dD_stack={66C74424??6444} $two_byte_mov_Dr_stack={66C74424??4472} $two_byte_mov_ri_stack={66C74424??7269} $two_byte_mov_iv_stack={66C74424??6976} $two_byte_mov_ve_stack={66C74424??7665} $two_byte_mov_er_stack={66C74424??6572} 
$two_byte_mov_rP_stack={66C74424??7250} $two_byte_mov_Pr_stack={66C74424??5072} $two_byte_mov_vi_stack={66C74424??7669} $two_byte_mov_il_stack={66C74424??696c} $two_byte_mov_le_stack={66C74424??6c65} $two_byte_mov_eg_stack={66C74424??6567} $two_byte_mov_ge_stack={66C74424??6765} $four_byte_mov_SeLo_stack={C74424??53654c6f} $four_byte_mov_eLoa_stack={C74424??654c6f61} $four_byte_mov_Load_stack={C74424??4c6f6164} $four_byte_mov_oadD_stack={C74424??6f616444} $four_byte_mov_adDr_stack={C74424??61644472} $four_byte_mov_dDri_stack={C74424??64447269} $four_byte_mov_Driv_stack={C74424??44726976} $four_byte_mov_rive_stack={C74424??72697665} $four_byte_mov_iver_stack={C74424??69766572} $four_byte_mov_verP_stack={C74424??76657250} $four_byte_mov_erPr_stack={C74424??65725072} $four_byte_mov_rPri_stack={C74424??72507269} $four_byte_mov_Priv_stack={C74424??50726976} $four_byte_mov_rivi_stack={C74424??72697669} $four_byte_mov_ivil_stack={C74424??6976696c} $four_byte_mov_vile_stack={C74424??76696c65} $four_byte_mov_ileg_stack={C74424??696c6567} $four_byte_mov_lege_stack={C74424??6c656765} condition: foranyofthem: anyof$one_byte*in@-100..@+100and anyof$two_byte*in@-100..@+100and anyof$four_byte*in@-100..@+100 } import"pe" import"hash" ruleAcidBox_SSP_DLL_Loader_Rich_Header_Hash{ meta: description="DetectsAcidBoxSSPDLLloaders.basedonauniquerichheaderhash" author="BitsOfBinary" reference="https://unit42.paloaltonetworks.com/acidbox-rare-malware/" hash="003669761229d3e1db0f5a5b333ef62b3dffcc8e27c821ce9018362e0a2df7e9" condition: hash.md5pe.rich_signature.clear_data=="269af2751efee65b1ab00622816c83e6" } import"lnk" ruleHeuristic_LNK_Slash_c_In_Command_Line{ meta: description="DetectsLNKfilesthathave'/c'initscommandline" condition: lnk.command_line_argumentscontains"/\\x00c" } ruleAcidBox_SSP_DLL_Loader_Unique_Exports_Strings{ meta: description="DetectsthestringsofuniqueexportedfunctionsofAcidBoxSSPDLLloaders" author="BitsOfBinary" 
reference="https://unit42.paloaltonetworks.com/acidbox-rare-malware/" hash="003669761229d3e1db0f5a5b333ef62b3dffcc8e27c821ce9018362e0a2df7e9" strings: $="InitPhysicalInterfaceA" $="UpdateSecurityContext" condition: anyofthem } Email Addresses: vmalvarez@virustotal.com. vmalvarez@virustotal.com